Agentic AI

Traditional AI applications produce outputs that humans then act on. Agentic AI systems act directly: they are given goals and tools, and they determine and execute the steps required to achieve those goals. This shift from AI-as-advisor to AI-as-actor is one of the most significant changes in enterprise AI deployment, and one of the most significant for data governance.

Agentic AI systems typically have access to a range of enterprise tools and data sources: email, CRM systems, databases, APIs, and document stores. In the course of executing tasks, they read, generate, and sometimes transmit data at machine speed and scale. This creates data governance challenges that don't exist for traditional software. The same agent that drafts a sales email might also query a customer database, store conversation history, and pass information to a downstream service, all within a single automated workflow.

For organizations with privacy obligations, agentic AI raises specific questions:

  • Is the data the agent accesses covered by consent or a valid legal basis?
  • Does the agent's data handling comply with purpose limitation and data minimization principles?
  • Can the organization audit what data the agent accessed, stored, or transmitted?

These questions are increasingly the subject of regulatory attention, particularly in the EU, where Article 22 GDPR requirements for human oversight of automated decisions are directly relevant.