Agentic AI

Agentic AI is the next step up from generative AI. Agentic AI is a more autonomous form of artificial intelligence, that can plan, decide and act on tasks, with less human prompting than traditional AI. Think of it like this; generative AI can help you put a shopping list together after you’ve told it your food preferences. Theoretically, agentic AI will help you put the shopping list together but then take the next step and place the order with your local supermarket and arrange a delivery time that best suits you according to your phone calendar. Agentic AI goes beyond just answering questions and can interact with other software and do real-world tasks. Autonomy is the key difference – agentic AI can act, not just suggest.

On 8 January 2026 the Information Commissioner’s Office (“ICO”) published a research report (“the Report”) that explores what agentic AI is, how it might develop in the next 2-5 years and the data protection implications for organisations and individuals developing and deploying agentic AI. The Report considers agentic AI to be at an early stage of development at present, but points to future use across a range of activities such as:

• research;

• coding;

• planning; and

• executing transactions;

and potential applications of such agentic AI systems include in the commerce sector, government, workplace, in cybersecurity, medicine, consumer space and as a foundation for powerful personal assistants.

The development of agentic AI clearly offers an increase in the potential for automation across the board, but the ICO emphasises in their Report that organisations remain responsible for the data protection compliance of the agentic AI that they develop, deploy or integrate. Simply using an agentic AI tool with no considerations of its data protection implications on the assumption that it will be safe to do so is not good enough, and any data breaches committed by the AI will be the organisation’s responsibility.

It is therefore important that organisations proposing the use of agentic AI are familiar with the potential risks. The Report sets out the novel data protection risks arising from the use of agentic AI the ICO is expecting, including but not limited to:

• issues around determining controller and processor responsibilities;

• rapid automation of increasingly complex tasks resulting in a larger amount of automated decision making;

• purposes for agentic processing of personal information being set too broadly;

• agentic systems processing personal information beyond what is necessary to achieve instructions or aims;

• potential unintended use of inference of special category data (i.e. types of sensitive personal data which data protection law affords greater protections);

• increased complexity (of the AI systems) impacting transparency and the ease with which people can exercise their information rights

• new threats to cyber security resulting from the nature of agentic AI; and

• concentration of personal information facilitating personal assistant agents.

The Report goes on to explain that one of the ICO’s key findings is that the specific design and architecture of the agentic AI system has a big impact on how data protection law applies / is triggered.

Ultimately, the ICO have flagged that poor use and implementation of agentic AI will be a key data protection risk. Agentic systems with no clear purpose, which are connected to databases that they don’t strictly need access to for their tasks (a data minimisation issue) or have no measures in place to secure access, monitor or stop activity / control the further sharing of information can all pose a risk.

The ICO states in the Report that it intends on running workshops within the industry to better understand how agentic AI is being developed, it will update guidance on automated decision making and profiling in light of the Data (Use and Access) Act 2025, starting with public consultations in 2026, will work with other UK regulators through the Digital Regulation Cooperation Forum to understand the cross regulatory implications as well as international partners through the G7 Data Protection Authorities Emerging Technologies Working Group. The ICO also offers support for stakeholders working on agentic AI application by the provision of the Regulatory Sandbox (a free service developed by the ICO, to support organisations who are creating products and services which utilise personal data in innovative and safe ways). All this goes to demonstrate that the ICO is abreast of the risks posed by agentic AI and is doing its best to provide organisations with the best advice.

However, it is for organisations proposing the use of such agentic systems to ensure that the right privacy and data protection measures are in place before going ahead with the use or development of any agentic AI systems.

Our specialised commercial team are able to advise your organisation on any aspect of data protection should you have any queries or require any further information.