Risk Flags for an Agentic AI Risk Assessment

Executive Summary

Agentic workflows are not “just another AI model” – they are operational systems that can act, spend, and escalate at speed.

That means risk is shaped as much by design choices (ownership, boundaries, monitoring, and stop authority) as by the task the agent performs.

If you, as a risk manager, are asked to perform an agentic AI risk assessment, you will need a fast, defensible way to determine whether the project is sufficiently controllable to go live.

This article introduces you to 32 systematic, verifiable agentic AI risk flags you can test with evidence, so you can quickly translate findings into clear, proportionate risk treatment plans.

Agentic AI Risk Assessment for Agentic Workflows

An agentic AI risk assessment is an evidence-led review of whether an agentic workflow can be owned, constrained, monitored, and safely stopped.

Because an agentic workflow is much more than just an agent, risk managers should be involved from the design phase to help technologists control the end-to-end process: agent-human hand-offs, tool usage and costs, staff training and oversight, vendor dependencies, incident management, and potentially external disclosures.

Without this involvement, the gap between an impressive prototype and a successful operational process can become problematic.

But what if it does not happen that way? What if, as the risk manager, the project team only engages you after they have designed and trained the agent? Or, worse, after they have gone live?

How can you orient yourself and add value quickly while simultaneously protecting yourself from the disadvantages of late involvement?

De-risk your agentic transformation

Gartner predicts that over 40% of agentic AI projects will be cancelled by the end of 2027 – not because the technology fails, but because organisations cannot demonstrate that agentic workflows are sufficiently under control.

As agentic workflows become more common, risk managers may increasingly encounter this situation. Importantly, a low-risk task is not the same as a low-risk agent (see Methodology).

Those who are not ready will find themselves unable to produce defensible findings under pressure – blocked from go-live sign-off, exposed in an audit, or called to account when a live agent behaves unexpectedly.

Those who are ready will strengthen their professional credibility and help their organisations secure the benefits: productivity uplifts, greater consistency and quality, and faster decision support.

Succeeding requires three things: structure to identify risks, depth to verify controls, and speed to produce recommendations.

Systematic, Verifiable Agentic Risk Flags

To help risk managers run an agentic AI risk assessment quickly, Agentic Risks has summarised the controls in the Enterprise-Wide Agentic AI Risk Control Framework into 32 systematic, verifiable agentic AI risk flags.

In aggregate, they check that your agentic workflow is owned and can be constrained, monitored, and safely stopped, fundamentally changing the conversation from “Could this go wrong?” to “Demonstrate how this is under control.”

Each flag is designed to surface evidence that a risk team can request to verify that vital controls are in place. The flags map to the Framework’s categories, risks, and controls, as well as to a library of common evidence types, so you can trace what you observed to what should exist and translate findings into a proportionate risk treatment plan.

Examples of the evidence types include audit logs, access controls, monitoring outputs, approval records, change tickets, incident procedures, and operational dashboards.

The flags underpin our Post-Deployment Agentic Risk Assessment service. See the example below, then see Section 5 for ways to leverage them.

Table: A Comprehensive Set of Agentic Risk Flags
#  Agentic Risk Flag

A. Individual AI Agent Risks – an agent may act unpredictably or unfairly, drift from intent, or operate outside policy, causing errors, bias, or inconsistent outcomes.
  1. No clear human accountability across the agent’s full lifecycle.
  2. Agent reached production without formal control points.
  3. Objectives, risk appetite, and constraints cannot be traced to code-level controls.
  4. No machine-enforced least-privilege on tool and data access.
  5. Limits, safeguards, and risk controls were added after training or deployment.
  6. Behaviour changes occur without a controlled release or update.

B. Multiple AI Agent Risks – agents may interact, replicate, or conflict in ways that undermine oversight, stability, and accountability.
  7. Agent or component identity cannot be uniquely identified or authenticated.
  8. Multi-agent coordination was not tested before agents were allowed to collaborate.
  9. No real-time constraint validation on chained actions.
  10. Replication occurs without governance control.

C. AI Agent Security Threats – agents and their data pipelines may be attacked or misused, enabling unsafe behaviour, data exposure, or loss of control.
  11. No fast, authoritative mechanism exists to contain or reverse unauthorised data access or modification.
  12. Malicious inputs could execute with real privileges.
  13. Compromised state could persist after detection.

D. AI Agent Governance Failures – weak accountability and oversight can cause outages, compliance breaches, cost overruns, and reputational damage.
  14. External dependencies are unknown or unmanaged.
  15. No authoritative view of live and retired agents.
  16. Agent decisions cannot be reconstructed.
  17. Kill-switch or stop authority untested.
  18. No defined human approval points for agent actions with real-world impact.
  19. Compliance knowledge is fragmented or undocumented.
  20. Monitoring is periodic or static.
  21. Monitoring focuses only on agent performance.
  22. Claims about an agent are not traceable or provable.
  23. Governance and oversight are not a priority.

E. Human Capabilities for AI Agents – insufficient training, inadequate risk and change management, misuse, or over-trust can stall adoption and weaken operational control.
  24. “Big-bang” deployment with no non-AI rollback.
  25. Agentic workflow design was informal, undocumented, or siloed.
  26. Platform chosen before control requirements identified.
  27. No risk assessment of an agent's potential behavioural choices.
  28. Adversarial testing did not take place.
  29. Staff training and change support happens after an agent is deployed.
  30. Users cannot evidence why agent decisions were made or accepted.
  31. No evidence that staff challenge AI-generated outputs.
  32. No proactive impact assessment on human rights for agent-driven decisions.

Example: Flag #1

Each flag is designed to be tested with evidence, and your goal is to find evidence that no risk flags exist.

To use them, review each one and request the minimum evidence to confirm that the relevant controls are in place. Record the outcomes as: Controlled, Flag present, or Unknown (evidence missing).

If you cannot find evidence that the flag does not exist, you do not have an acceptable control position.

The outcome is a fast, consistent and defensible risk assessment – see the example below for Flag #1:

  1. Agentic Flag #1: no clear human accountability across the agent’s full lifecycle.
  2. Description: the agent has no single accountable owner who will authorise its design, testing, deployment, operation, update, escalation, and shutdown. As the agent moves through lifecycle stages, ownership may be fragmented, implied rather than explicit, unclear, or disputed.
  3. Potential Impact: without clear ownership, intervention during an incident may be delayed or disputed, allowing harmful or unsafe behaviour to persist; risk of regulatory escalation.
  4. Control Framework References:
    • Risk 01: Agent Lifecycle Management.
    • Risk 22: Accountability, Explainability, and Monitoring.
    • Risk 24: Regulatory Risk.
  5. Evidence sought:
    • Agent ownership register or RACI matrix.
    • Signed deployment authorisation record.
    • Escalation and incident contact list for the agent.
  6. Risk Treatment Plan: as the risk manager, you will be able to target your application of the Framework by drilling through the references and constructing a risk treatment plan from the appropriate controls, which you can then discuss with your colleagues. In practice, a proportionate risk treatment plan usually falls into one of three options: 1) add control points and monitoring, 2) redesign the workflow to reintroduce safe human hand-offs, or 3) delay go-live until evidence of control is available.

In many organisations, unresolved accountability gaps eventually surface as a failure to manage AI agent accountability, human approval points, or a tested kill switch when behaviour becomes unsafe.

Ways to Leverage the Agentic AI Risk Flags

With these flags, if you are engaged early to perform an agentic AI risk assessment, you can now prevent foreseeable oversights by making risk expectations explicit. And if you are engaged later, you can focus immediately on the highest-impact risks and produce defensible findings fast.

The flags underpin our Post-Deployment Agentic Risk Assessment – a structured review delivered through Gerido©, through which we determine whether your agentic workflow is sufficiently controlled across ownership, behaviour boundaries, and stop authority.

It is designed for three situations: when a live agentic workflow is displaying issues, and you need a fast, defensible risk treatment plan; when you need assurance that your agentic controls are effective, for example, in preparation for an audit; or when you need to include a live agentic workflow within a documented risk framework, such as DORA compliance.

The output is an audit-ready report of risk flags discovered, potential impact, and prioritised recommendations, giving you a fast, defensible basis for action.

If your risk team needs to build capability before commissioning an assessment, we also offer a training workshop that equips your team with the skills to identify risk flags, test for evidence of controls, and translate findings into clear recommendations. It is also a natural precursor to running assessments independently going forward.

Methodology

If an agent is performing well on a relatively low-risk task but you cannot constrain, track, or stop it, it is not a low-risk agent – it is a high-risk agent that is currently occupied on a low-risk task.

But small errors can compound, either changing its activity volumes (raising a high cost risk), pushing on its boundaries (a high scope risk), or leaving an attack surface undefended (a high security risk).

As a result, whether an agent is high-risk relates as much to the strength of its controls as to the task it has been given.

To reflect this, the primary filters focus on evidence of identity, ownership, boundaries, safety, explainability, and stop authority.

Secondary filters relate to ensuring that the agent effectively completes its approved task, that staff know how to use and oversee it, and that change teams know how to redesign end-to-end procedures into agentic workflows in which humans and agents collaborate.

The result is a set of verifiable risk flags rooted in a comprehensive agentic control framework. This lets you:

  • Evidence the controls that prevent each risk flag.
  • Justify why it does not apply (consistent with ISO 42001’s ‘statement of applicability’).
  • Construct an appropriate risk treatment plan (consistent with the NIST AI RMF’s governance / measurement expectations).

Put simply: the flags help you build a clear “show me the evidence” assessment that stands up to internal audit, regulators, and incident review.

FAQs

No. Any agentic workflow can create high-risk behaviour if it cannot be constrained, monitored, or stopped. The flags are designed to be applied proportionately based on autonomy, privileges, and real-world impact.
Yes. That is one of their main purposes: to let you orient quickly, request the minimum evidence, and create a defensible set of recommendations without having to reverse-engineer the whole build.
A first-pass assessment typically takes hours, not weeks, because each flag is designed to unearth specific evidence. Deeper assessment can then focus only on the flags that are present or unclear.
Treat it as an evidence question, not a debate. If evidence is missing or not satisfactory, treat the flag as present until proven otherwise or until the accountable owner explicitly accepts the risk.

A risk flag is a high-signal indicator that controls may be missing or ineffective. Controls are the specific measures that prevent or mitigate the issue. The flags help you find control gaps quickly and prioritise what to fix first.

Request evidence that proves the agent can be identified, governed, monitored, and stopped. Examples include audit logs, access controls, approval records, monitoring dashboards, incident runbooks, change tickets, and clear ownership and escalation paths.
It is both. The risk flags act as a practical governance checklist, while the underlying Framework provides the control-level detail needed to fix issues, justify exceptions, or create a proportionate risk treatment plan.

Adam Grainger

Agentic AI Risk Management
