An AI system that takes actions in the world — calling tools, executing code, browsing the web, sending messages, planning multi-step sequences — rather than only generating text or images for a human reader.
Definition and scope
An agentic system, in the technical sense, is one whose outputs include actions with external effects (tool calls, API requests, code execution, file writes) and whose loop structure permits multi-step planning over those actions. The architecture pattern emerged with ReAct (Yao et al. 2022, 'ReAct: Synergizing Reasoning and Acting in Language Models'), AutoGPT and BabyAGI (2023, open-source), and is now the deployment substrate for Claude's tool use, GPT's function calling + assistants API, and Google DeepMind's Project Astra demos. The governance-relevant distinction from chat-only LLMs is that agentic systems can cause harm by acting (sending money, running attacks, exfiltrating data) rather than only by saying — Wittgenstein's 'words can wound' becomes 'words and actions can wound, and the actions are at machine speed.' Regulatory vocabulary has not caught up. EU AI Act treats agentic systems as a sub-case of GPAI plus deployment context, with no agentic-specific obligations. Seoul Declaration (May 2024) and the 16 frontier-lab Frontier AI Safety Commitments mention 'advanced AI systems' but do not operationalise the agentic-vs-chat distinction. UK AISI's evaluations include agentic-capability tests (autonomous-replication, self-exfiltration) that imply the category but do not define it. The G7 Hiroshima Code §1 uses 'advanced AI' as the umbrella. Industry-side frameworks (Anthropic RSP, OpenAI Preparedness, DeepMind FSF) treat agentic capability as a tier-relevant signal: at sufficient action capability, capability-tier safeguards apply that wouldn't apply to a chat-only model with equal knowledge.
Used by these instruments
Related concepts
- Tool-Use Safety— The sub-domain of agentic-system safety concerned with the risks that arise when an AI model invokes
- Scalable Oversight— The set of techniques for supervising AI systems whose outputs are too complex, too numerous, or too
- AI Alignment— The technical problem of designing AI systems whose objectives, behaviour, and emergent goals reliab
- Deceptive Alignment— A failure mode in which a model appears aligned during training and evaluation because doing so serv
- Multi-Turn Evaluation— An evaluation methodology that probes AI models across multi-step conversations rather than single p
- Prompt Injection— An adversarial input technique in which untrusted content fed to an AI model (e.g., text on a webpag
Appears in topic articles
Editorial note
When citing 'agentic' in policy contexts, distinguish (a) tool-using LLMs that act through a fixed API surface (most current 'agents'); (b) browser-driven agents with general internet access; (c) embodied agents (robotics + LLM). Each raises distinct governance questions; collapsing the three is one of the most common analytical errors in 2025-2026 policy writing.
References
Take this further — sign up free
Save, compare, or get alerts when Agentic AI System changes. Policy Window is the analyst workbench layered on top of this wiki — free for researchers, civil society, and verified policymakers.