Agentic AI - The Year AI Got Its Voice
If there was ever a year that AI got its voice - I’d argue it was 2025. The whole concept of using AI to make and execute decisions for you was seemingly on every organization’s mind. As exciting and novel a development as this was - the follow-up questions and concerns quickly became “How do we manage this?” This post discusses just that, including some suggested framework ideas to mitigate the threats that come with Agentic AI.
I can’t think of a more appropriate way to kick this off than highlighting the development of digital autonomy. The need for it is pretty self-explanatory – from HR, to Marketing, to Engineering…and everywhere in-between, associates are buried in tasks. Some tasks are incredibly simple, such as “I only want to see resumes on the West coast”, while others are more complex. Leveraging Agentic AI to sift through data, make decisions and then execute on those decisions has been a groundbreaking development in AI.
As great of a development as this has been – the other shoe has to drop. And drop it did - companies began asking a lot of questions. How much authority do these Agentic AI solutions have? How do we control their outputs? What decisions do we want to allow these solutions to execute on? As one of my favorite movies, Enemy of the State, puts it – “Who’s gonna monitor the monitors of the monitors?” All very appropriate and important questions – and to get a better understanding of this, we need to peel the onion back a little and see how Agentic AI works under the hood.
At the very core of an Agentic AI solution – you have what is called an “Orchestration Layer”. This sits on top of a Large Language Model and manages the ‘thought chain’, for lack of a better word. Let’s circle back to the resume example earlier because it frames this a little easier. If the Agentic AI solution receives a goal, such as “Find all resumes that are not located on the West Coast and send them a denial. Move all West Coast resumes to my inbox”...this is a complex task. People put their location in different areas on a resume, not to mention a location on a resume could be a city, county, or state...the Agentic AI would need to know which ones are located on the West Coast. Then there’s the problem of typos, or if the person doesn’t state where they’re located at all...then what? This complexity is handled by yet another process, deemed “recursive intelligence”. There’s a great article all about recursive intelligence you can find here. In essence, recursive intelligence is an iterative process where the agent can “develop deeper alignment with their objectives [by] continuously refining the tools, strategies and collaborators needed to achieve them.” (id).
The final (and I use the word “final” very loosely – there’s a lot going on under the hood of an agent) pillar of an agent is its integrations. In our ongoing example of the resume use case – an Agent might be integrated with an ATS system, Greenhouse, and a database such as Amazon Redshift or Google Big Query. The agent might also be integrated with an onboarding process in which, if the user is on the West Coast – an interview is automatically set up with the hiring manager, with their attached resume and an outbound email confirming the details. All of these integrations really become the “hands” that the agent uses to actually do the work.
With any given automation – there are going to be risks involved. While Grok has been having its hands full lately with some truly terrible outputs and saying some horrific things, the concern with an agent is not necessarily about what it says, but what it does. When an Agent controls the movement of data, or money, or any other critical resource – there’s definitely risk involved if that agent has excessive agency such as having way too many permissions. Some common hacks seen in 2025 were malicious prompts, buried in a document – which would cause an agent to act well outside of its scope, and due to having too broad of permissions, these malicious acts were successful. These attacks are commonly referred to as Prompt Injection Attacks.
Outside of the cybersecurity risks – there remains the ongoing legal and privacy risks associated with using an Agent. For example – the GDPR states that a “data subject shall have the right not to be subject to a decision based solely on automated processing…” (Article 22 GDPR), while other regulations such as the CCPA have strict requirements for when a “business that uses ADMT [Automated Decision-making Technology] to make a significant decision concerning a consumer must comply with the requirements of this article” (§ 7200).
Boy – that’s a lot of risk huh? Well...good luck out there!
Ok I won’t leave you with that kind of cliffhanger – let me share with you what is beginning to be coined the HITL, HOTL and HOOTL Framework.
HITL – stands for Human in the Loop. This is a strategy where a human is required to give input before an agent can execute on a decision. Use HITL for critical tasks, High-Risk AI Systems as defined by the EU AI Act, or any number of tasks where the risk is too great should an agent fail to perform correctly or if it becomes subject to a prompt injection attack. Having a human in the loop mitigates this threat significantly and, depending on some applicable regulations, is an absolute requirement.
HOTL – this stands for Human on the Loop. This is becoming a more widely used term – as Agentic AI solutions are not always either full-on high-risk, critical solutions or low-risk menial tasks but something in between. By having a Human on the Loop, the agent is allowed to act autonomously – but a human monitors the decisions, processes and outputs in real-time. The most important part of HOTL is that the human is given a “kill switch”, where they can take the agent offline at a moment’s notice. This approach allows for streamlined tasks to be executed by an agent while still offering some level of cover, or protection, to the organization by having a human on the loop with an ever-present “finger on the pulse”, so to say.
HOOTL – the last prong of our “in the loop” series, stands for Human out of the Loop. A Human out of the Loop agentic solution provides the agent with full autonomy: full ability to review data, make decisions and execute on those decisions without a human reviewing or approving each output. HOOTL is obviously going to be the solution that allows an agent to complete the most tasks – and it should be reserved for only low-risk, high-volume operations like routing internal IT tickets for example.
So what would be next steps for you? I recommend bringing all your Agentic AI use cases into one spot, sitting down with your governance team, legal team, IT team, and leadership...then assigning a HITL, HOTL or HOOTL for every single agent. This is your first step. You can then move forward with establishing those kill switches for HOTL, creating all documentation to track your new AI Policy, establishing standard deviations, bias and drift metrics, as well as assigning and training humans for the HITL and HOTL applications.
I have drawn up a table below as an example of what a classification practice might look like for agents within an organization.
| Business Function | AI Use Case | Category | Governance Reasoning |
|---|---|---|---|
| Finance | Reconciling daily small-batch vendor invoices | HOOTL | High volume, low individual risk. Errors are caught in monthly audits and are easily reversed. |
| Human Resources | Initial screening of 1,000+ resumes for a role | HOTL | Requires monitoring for algorithmic bias. Humans should periodically spot check results. |
| Legal | Signing a binding Master Service Agreement (MSA) | HITL | Extreme legal liability. An agent cannot represent the "intent" of a corporation in court. |
| IT / Security | Isolating a server during a suspected DDoS attack | HOTL | Speed is vital for mitigation, but a human must prevent accidental shut-down of core business. |
| Marketing | A/B testing 500 variations of an ad headline | HOOTL | No legal risk. The system self-optimizes based on user clicks; no human value-add. |
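To show how a classification like the one in the table can be enforced rather than just documented, here is an added example (not from the original post or any product) of a gate placed between the orchestration layer and the integrations. The agent names, the `OversightGate` class and the `approver` callback are hypothetical; the gate fails closed for any agent that has not been classified.

```python
from enum import Enum

class Mode(Enum):
    HITL = "human in the loop"       # human approves before each action
    HOTL = "human on the loop"       # runs autonomously, human watches and can kill
    HOOTL = "human out of the loop"  # full autonomy

# Constructed registry based on three rows of the table; agent names are hypothetical.
POLICY = {
    "msa-signing-agent": Mode.HITL,
    "resume-screening-agent": Mode.HOTL,
    "invoice-reconciliation-agent": Mode.HOOTL,
}

class OversightGate:
    """Sits between the orchestration layer and the integrations (the agent's "hands")."""

    def __init__(self, policy, approver):
        self.policy = policy
        self.approver = approver   # callable(agent, action) -> bool; asks a human
        self.killed = set()        # agents taken offline by the kill switch
        self.audit = []            # every decision, for the human on the loop

    def kill_switch(self, agent):
        # The HOTL control from the post; this gate honors it for any agent.
        self.killed.add(agent)

    def execute(self, agent, action, run):
        """Call run() only if the agent's oversight mode allows it."""
        mode = self.policy.get(agent)
        if mode is None:           # fail closed: unclassified agents never act
            return self._record(agent, action, "denied: unclassified")
        if agent in self.killed:
            return self._record(agent, action, "denied: kill switch")
        if mode is Mode.HITL and not self.approver(agent, action):
            return self._record(agent, action, "denied: human rejected")
        return self._record(agent, action, "executed", run())

    def _record(self, agent, action, outcome, result=None):
        entry = {"agent": agent, "action": action, "outcome": outcome, "result": result}
        self.audit.append(entry)
        return entry

if __name__ == "__main__":
    gate = OversightGate(POLICY, approver=lambda agent, action: False)  # human says no
    print(gate.execute("msa-signing-agent", "sign MSA", lambda: "signed")["outcome"])
    print(gate.execute("resume-screening-agent", "rank batch", lambda: "ranked")["outcome"])
    gate.kill_switch("resume-screening-agent")
    print(gate.execute("resume-screening-agent", "rank batch", lambda: "ranked")["outcome"])
```

Because the check runs outside the model, a prompt injected into a document cannot talk its way past it: a HITL action still waits for the human, and a killed agent stays offline.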
This is me throwing a dart – but I’m beginning to see in the market this concept of an Agentic Mesh. This one I believe will come to fruition – it’s a logical next step from Agentic AI. An Agentic Mesh moves away from having just a single agent performing single tasks and towards a multi-agent orchestration where multiple agents monitor each other in real-time. For example, an HR Agent monitors the Resume Processing Agent, the HR Ticket Agent, and the Onboarding Agent.
Then we finally have an answer to Enemy of the State’s question “Who’s gonna monitor the monitors of the monitors?”.

