Stay updated

Unstructured agent-building is a costly and risky choice, increasing the chance of overlooked risks, security incidents, and scrambled remediation when external stakeholders ask questions.This is because agentic workflows create new risks that you will need to control and monitor in novel ways.In response to this situation, I summarise the specific ways risk management needs to evolve for the agentic workflow risk assessment: the novel aspects of the agentic workflow design process, the pre-deployment agentic risk assessment, and how to ensure effective agentic KRIs.Adopt these techniques to give structure to your agentic transformation, prevent risk, and ensure trustworthy monitoring.

Across most enterprise platforms, an agentic workflow comprises three layers – model, orchestration, and application – and each layer can see risk signals that the others cannot. For your agentic workflow monitoring to be viable, a KRI should reside where its risk signal lives; those that do not risk noise, blind spots, or a false sense of security. We mapped a sample of KRIs across the three layers and found that half reside primarily at the application layer, while the model layer was the primary source for only one. Monitoring built on functional layers is therefore less likely to have coverage gaps than a framework tied to a single platform. We conclude by advising firms to understand their risk requirements before selecting a platform – and embed their risk controls into their workflow designs.

Agentic key risk indicators are the metrics organisations use to monitor the behaviour, risk profile, and operational performance of autonomous AI agents. Agentic systems do not operate in a steady state. As they learn and adapt, small behavioural changes can accumulate and alter their risk profile. Effective governance therefore requires organisations to monitor the direction and speed of this AI behavioural drift before it moves beyond risk appetite. Agentic key risk indicators, sometimes described more generally as AI key risk indicators, provide the operational evidence needed to monitor AI agent risk and ensure regulatory compliance. This article sets out 12 practical principles for designing effective agentic KRIs and illustrates them through 20 worked examples across 5 common agentic risks.

Agentic AI marks a shift from tools that produce outputs to systems that achieve outcomes. As a result, agentic workflows differ from traditional ones. In brief, they can plan, decide, and execute multi-step actions autonomously to achieve your goal, remembering and learning from their experiences. Because of this, their behaviour can evolve, creating both opportunities and risks. Therefore, understanding how agentic workflows differ becomes vital to effective risk identification. So, this article examines 10 dimensions that vary between agentic and traditional workflows – from decision authority and system access to failure modes and accountability – and how risk managers should respond.

Evidence is growing that a pre-deployment agentic risk assessment reduces incidents, rework, and build cycles by embedding risk controls into workflow design – creating a stronger organisation that is ready for future deployments. This article outlines the 7-step process from agentic risk identification to an approved risk report that integrates into your enterprise framework. To finish, we note that, at the time of writing, we are incorporating this functionality into Gerido© – Agentic Risks’ in-house risk management tool. Subscribe to our newsletter if you would like to receive further updates on this topic.

Autonomous AI agents plan and execute workflows, fundamentally reshaping risk management by shifting control from execution to design and oversight phases. In response, this article outlines a systematic three-step approach to agentic risk appetite.Drawing lessons from established risk management disciplines and centuries of delegating autonomy to non-humans, Agentic Risks sets out a practical approach – define a board-level risk appetite statement, embed it into workflow-level risk assessments, and institute agentic key risk indicators.From the board to the operational workflow, firms that build an agentic risk capability will find it easier to scale the benefits of autonomous AI, with fewer surprises and stronger regulatory defensibility.Key topics: agentic risk appetite, agentic AI risk management framework, agentic workflow risk assessment, autonomous AI risk controls, AI agent governance and accountability.

Autonomous AI introduces a new class of risk – agentic risk – because it delegates execution to non-humans that interpret objectives, constraints, and context differently from people.

In agentic workflows, ambiguity itself becomes a risk: unless risk appetite is expressed in behavioural and quantitative terms, agents cannot reliably understand or enforce organisational expectations.

Risk managers must therefore integrate agentic risk into existing risk appetite processes by defining an agentic AI risk appetite statement, applying it consistently at the workflow level, and instituting key risk indicators for agentic risks.

Organisations that do this will enable safe, scalable agentic adoption; those that do not will face fragmented, compounding, and unmanaged autonomous behaviour risks.

AI agents represent a paradigm shift in automation – digital problem-solvers that independently plan, execute, and learn from multi-step workflows at machine speed. While autonomous AI offers unprecedented productivity and scalability, its independent nature introduces unfamiliar AI agent risks that traditional risk management cannot adequately address. This article summarises our presentation to 180 members of the Institute of Risk Management. Key points include why controls calibrated to autonomy levels should be non-negotiable, why agentic workflows break a key assumption of traditional risk management, and how the Enterprise-Wide Agentic AI Risk Control Framework can help firms navigate their evolution to the era of agentic AI risk management safely.

Agentic workflows are not “just another AI model” – they are operational systems that can act, spend, and escalate at speed. That means risk is shaped as much by design choices (ownership, boundaries, monitoring, and stop authority) as by the task the agent performs. If you, as a risk manager, are asked to perform an agentic AI risk assessment, you will need a fast, defensible way to determine whether the project is sufficiently controllable to go live. This practical guide gives you 32 verifiable agentic AI risk flags you can test with evidence, so you can quickly translate findings into clear, proportionate risk treatment plans.

An agentic workflow is a system where AI agents autonomously plan, decide, and act across interconnected tasks, with explicit controls and human oversight embedded at each stage. The success of these initiatives rests not just on technology, but on organisations building the capability to govern autonomy before they introduce it. This article sets out a practical, audit-defensible agentic workflow design process that helps firms decide whether an AI agent should exist, what authority it may safely hold, and how that authority is constrained, tested, and monitored over time. The process is structured into three phases – foundation, build, and deployment – to move firms beyond demos to a repeatable, governable, and scalable agentic workflow. The outcome is a step-by-step guide on how to design an agentic workflow using a risk-led, auditable agentic workflow design process.

This article is for experienced risk professionals and explains why agentic risk management is now essential for retaining control of agentic AI workflows. Traditional risk management assumes humans design, execute, and oversee systems end-to-end, but agentic AI breaks that assumption by delegating execution to autonomous systems. This development fundamentally changes how risk emerges, how controls fail, and where accountability must sit. To mitigate risk in an agentic workflow, therefore, risk management must extend its role beyond post-hoc monitoring into the design phase, monitor continuously rather than periodically, and be ready to address new risks arising from emergent behaviours.

An AI agent autonomy policy is essential because autonomy is not binary and must be calibrated for each use case. Organisations adopting agentic workflows should decide their risk appetite for different autonomy levels early, as delaying this decision causes either too much or too little autonomy to undermine your adoption of agentic AI. The article highlights key risks, trade-offs, and oversight needs, especially in regulated sectors. It outlines what a strong policy must include, from objectives and agentic risk appetite to governance, approval, and autonomy monitoring. It also provides a free agentic risk appetite statement and adoption strategy template.

AI agent ethics cannot rely on human-style moral tests because AI agents feel no shame, consequence, or responsibility, so ethical protection must come from external controls. Society already delegates autonomy to non-humans such as working dogs, but only with strict training, clear boundaries, accountability, and controlled contexts – showing that autonomy should be earned, limited, and supervised. To deploy AI agents ethically, organisations should grant autonomy gradually and with robust controls that define purpose, restrict risk, ensure supervision, and maintain clear accountability.

To leverage the benefits of agentic AI you must manage the broad new class of risks that it introduces. If left unmanaged, these risks can materialise across individual and multi-agent behaviours, system security, governance, policy integration, as well as organisational and human factors. To enable the new discipline of agentic AI risk management, the Enterprise-Wide Agentic AI Risk Control Framework helps you identify, assess, and control these new risks, integrate them into your existing framework, and keep pace as agentic AI evolves. To get started, set your policy on AI autonomy, map the risks and controls for a pilot agentic workflow, and prove control effectiveness through testing.

AI agents can act autonomously to perform multi-step tasks, interact across systems, and learn from experience, making them more powerful than basic prompt-driven AI tools. The key features of AI agents and their benefits for organisations include higher productivity, scalability, and better use of human judgement. This makes them especially suitable for workflow automation. Organisations should de-risk their adoption of agentic AI by defining their policy for delegating autonomy, implementing effective risk controls, and piloting an agentic workflow before scaling.