Exploring how agentic AI differs from Gen AI, what it means for enterprise operating models, and what changes for these organizations overall.

Executive summary

Generative AI changed how organizations interact with software. Agentic AI changes what software is permitted to do on behalf of users, moving people from direct execution towards supervision, approval, and exception handling. This is first a question of operating model before it becomes a question of technology model, and it affects the CIO, CISO, and the board.

This first article maps what is changing in the human-AI relationship. It explores why the associated risk surface no longer fits the categories most enterprises already manage. The second article will set out the governance, security, identity, and control foundations required to respond to this evolution.

Two shifts, not one

Many enterprises experienced the first wave of generative AI primarily as an interface. A person asked, the model answered, and the human decided what to do next. Risk was often more bounded because humans remained responsible for that decision. The value it delivered in drafting, summarizing, searching, and analyzing was real. Any consequences stayed under human judgement.

Agentic AI changes that relationship. An agent not only answers, but can plan across steps, retrieve data from enterprise systems, call tools, generate and ship code, delegate to other agents, and take actions that carry consequences. In doing so, it moves the human from direct executor to supervisor, approver, or exception handler. Generative AI was largely an interface shift; agentic AI is closer to an operating shift, because an AI model moves from something an organization consults to something that operates within it.

That reframes the enterprise question. It is no longer only “Can the model answer well?” It becomes, “Can this system be trusted with real data, real infrastructure, real identity, and real consequences?” This scenario requires different controls, and in many organizations those controls do not yet have an owner.

An agent is not a chatbot: the accountability direction

The clearest way to see the change is through accountability. In February 2024, a tribunal found Air Canada responsible for honoring a policy that its chatbot had described incorrectly. The tribunal declined the argument that the chatbot was a separate entity answerable for its own statements. The case was not an agentic AI precedent in the technical sense, but it illustrates the direction of accountability: organizations own the consequences of the AI systems they deploy. As those systems acquire authority to act, the consequence shifts from an incorrect statement that a person can catch to an incorrect action validated by credentials, inside a fast-moving automated production system.

Four structural shifts to price in

1. From content to authority

A generative model produces content. An agent can take action. Once an AI system can change a record, move a file, call an API, or trigger a workflow, it has acquired a degree of operational authority, and it needs the controls any privileged actor requires: identity, least privilege, audit, and a reliable way to be stopped.

2. From probabilistic output to systems that need deterministic rails

Language models are probabilistic by design. They do not retain facts the way deterministic software holds a steady state. That is acceptable when a person is there to review the model's activity, but far riskier when its output triggers an independent action. A widely reported 2023 incident, in which a car dealership agentic assistant was manipulated into apparently agreeing a vehicle sale for a nominal sum, illustrates the structural point rather than the legal one: a malicious actor manipulated a probabilistic system until it came close to a commitment, with little routine checking in between. A more durable pattern allows the model to reason while routing execution through stages of typed interfaces, policy, validation, and approval.
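The staged pattern described above, sketched as an added example that is not part of the original article: a model-proposed price offer passes through a typed interface, a policy check, and an approval gate before anything executes. The tool name `make_offer`, the SKUs, list prices, and discount thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from typing import Optional

# Constructed policy data (assumptions, not from the article).
LIST_PRICE = {"SKU-SEDAN": Decimal("32000"), "SKU-SUV": Decimal("45000")}
AUTO_DISCOUNT = Decimal("0.05")   # agent may grant up to 5% on its own
MAX_DISCOUNT = Decimal("0.15")    # beyond 15% there is no approval path

@dataclass(frozen=True)
class PriceOffer:
    """Typed interface: the only shape of action the agent may request."""
    sku: str
    price: Decimal

def parse_offer(raw: dict) -> PriceOffer:
    """Stage 1: accept only an exactly well-formed make_offer request."""
    if not isinstance(raw, dict) or set(raw) != {"tool", "sku", "price"}:
        raise ValueError("unexpected fields")
    if raw["tool"] != "make_offer":
        raise ValueError("tool not allowed")
    if not isinstance(raw["sku"], str) or not isinstance(raw["price"], str):
        raise ValueError("sku and price must be strings")
    try:
        price = Decimal(raw["price"])
    except InvalidOperation:
        raise ValueError("price is not a decimal number")
    if not price.is_finite() or price <= 0:
        raise ValueError("price must be a positive amount")
    return PriceOffer(raw["sku"], price)

def decide(raw: dict, approved_by: Optional[str] = None) -> str:
    """Stages 2-4: policy, validation, approval. Returns the routing decision."""
    try:
        offer = parse_offer(raw)
    except ValueError as exc:
        return f"reject: {exc}"
    list_price = LIST_PRICE.get(offer.sku)
    if list_price is None:
        return "reject: sku not in catalogue"
    discount = (list_price - offer.price) / list_price
    if discount > MAX_DISCOUNT:
        return "reject: below price floor"   # no approver can override this
    if discount > AUTO_DISCOUNT and approved_by is None:
        return "hold: human approval required"
    return "execute"
```

The model's text never reaches the execution path directly; only the routing decision does, so a persuaded model can at most request an action the policy already permits.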

3. From prompts to a supply chain

A modern agent is assembled from skills, which are packaged capabilities delivered by subagents, or delegated workers, via an integration layer. The layer connects agents to tools, data, and other agents. Each agent is a dependency, and dependencies can be compromised. The XZ Utils backdoor incident of 2024, in which a trusted open-source contributor built their credibility over a long period before introducing a backdoor, is a useful reminder of such a risk. Agent capabilities require the scrutiny applied to any production dependency: provenance, review, least privilege, and revocation.

4. From models to ecosystems

Frontier vendors are increasingly selling more than models. They offer convenient ecosystems of agents, memory, tooling, evaluation, and orchestration. That convenience creates dependency, and this dependence raises a question for sovereignty: who controls the cognition, data, and audit trail, and could the organization change provider if it had to? This is where interoperability standards begin to matter at board level. For example, Model Context Protocol (MCP) is a standardized way by which AI agents access external data, tools, and context. It is rapidly becoming a key standard for agentic AI architectures. Similarly, A2A, an agent-to-agent industry communication protocol, is an open standard that enables agents to communicate with each other.

Together these protocols signal the emergence of an agentic interoperability layer, but they also expand the governance surface. Anthropic donated MCP to the Linux Foundation’s Agentic AI Foundation in December 2025, while A2A is also governed and managed by the Linux Foundation with broad industry support.

The new shape of risk

Taken together, the shifts described create a risk surface that does not map cleanly onto the categories most enterprises already manage. It spans the agentic architecture, the software supply chain and integration layer it depends on, the security and identity of a system that can now act autonomously, an external environment, often regulated, and a public web not designed for autonomous software. In our experience, the recurring pattern of compromised systems is not due to a single dramatic failure but to diffuse ownership: each part is partially managed, but no single entity takes complete ownership.

The regulatory direction

The general direction of EU AI regulation is clear, despite recent easing of timelines. Under the current provisional agreement, the EU AI Act’s stand-alone high-risk obligations for AI providers are expected to come into force in December 2027, with product-embedded high-risk obligations to follow in August 2028, though formal adoption is still to be confirmed. Prohibited-use bans have applied since February 2025, and general-purpose AI obligations since August 2025. Also relevant, the Digital Operational Resilience Act (DORA) has applied to financial entities since January 2025. In Germany, legal commentary and sector reporting indicate that the registration deadline for the latest Network and Infrastructure directive, NIS2, fell on 6 March 2026. Reported registrations were still materially below the estimated number of in-scope entities. The common thread in these regulations is that autonomous systems touching regulated data and critical operations will increasingly need to demonstrate structured governance rather than assume it.

Executive implications

The advanced state of agentic AI has three major implications for enterprise leadership. First, agentic AI cannot be governed only as a productivity tool. It is a new class of operational capability, closer to an actor within the environment than a feature within an application.

Second, that capability calls for the disciplines applied to any privileged actor: clear ownership, risk classification, identity controls, integration standards, alignment with data governance, security-by-design, and explicit autonomy boundaries.

Third, granting autonomy is a deliberate decision, not a default. Executives should decide where autonomy is permitted, where human approval is mandatory, and where automation is prohibited outright. Making that decision explicitly, and revisiting it as the capability matures, is itself a control.

From experimentation to trusted autonomy

The enterprises that lead the new agentic phase are unlikely to be those that experiment fastest. They are more likely to be those that can scale autonomy they can trust, govern, and defend, including in front of a regulator. That is a question of digital sovereignty in its practical sense: control over data, models, costs, and the ability to operate and, if necessary, exit on the organization’s own terms.

The next article in this series sets out the operating model: the governance, security, identity, and control foundations that turn this diagnosis into a path towards trusted autonomy.

Questions executives should ask now

  • Which agentic use cases already have the authority to act, even in pilot form?
  • Which identities, tools, and data sources do those agents use?
  • Which actions should require approval, logging, rollback, or outright prohibition?
  • Who owns the agentic control plane across IT, security, data, architecture, risk, and the business?
  • Could we evidence our controls to a regulator today?

How Capgemini helps

Capgemini helps organizations move from agentic experimentation to trusted autonomy by assessing maturity, defining the control-plane operating model, securing agent identities and integrations, mapping controls to regulatory obligations, and designing scalable architectures that balance innovation, sovereignty, and resilience.
