Risk 09 of 13 · AI Risk Series

Agentic AI: when the assistant acts on your behalf

The risky moment can look like a useful automation doing exactly what it was allowed to do.

Agentic AI can send, share, change, book, or buy in business systems through delegated authority. Mistakes land in real systems before staff can catch them.

Where it comes from: A user grants an agent broad session approval to operate connected systems on their behalf.
What the business loses: The chance to review the exact action before it leaves the business as a sent email, file share, record change, or transaction.
What ends it: Per-action approval for consequential actions, scoped accounts, and action-level logging that someone actually reviews.


An owner enables an AI agent to handle routine email. The goal is reasonable: acknowledge client messages, draft replies, schedule meetings, find documents, and save the owner from repetitive work.

Then a client email arrives asking for the latest year-end package. The agent reads the message, searches the firm's files, creates a sharing link, and sends it back to the client.

No one reviewed the link before it left.

That is the difference between ordinary AI assistance and agentic AI. A drafting tool produces something a person can review. An agentic tool takes action in a business system.

Once AI can send, share, delete, approve, book, change, or buy, mistakes land in the business before anyone has time to catch them.

What the risk is

Agentic AI means an AI system can take actions in connected business systems under a user's authority. Examples include sending email, booking meetings, filing expenses, placing orders, changing records, moving files, updating a CRM, creating tickets, modifying permissions, or running a browser session.

The risk is delegated authority. The agent acts through an account the business already trusts. If the owner connects an agent to email, accounting, CRM, file storage, calendar, and browser sessions, the agent may have broad practical authority because the owner has broad authority.

Most SMB leaders first encounter AI as a drafting tool. It writes the email, summarizes the thread, prepares the outline, or suggests the next step. A human still sends, approves, uploads, deletes, pays, or changes the record.

Agentic AI changes that workflow. The AI may be able to click the button itself.

Common examples include:

  • A Copilot-style agent that can draft and send replies.
  • A CRM agent that creates follow-up tasks, updates opportunity stages, or sends customer emails.
  • A browser agent that can operate authenticated websites through the user's session.
  • A purchasing assistant that can place orders from approved vendors.
  • An expense or finance agent that can prepare or submit transactions.
  • A support agent that can close tickets, issue refunds, or update customer records.
  • A workflow agent connected through tool-use protocols, connectors, APIs, or browser automation.

This is separate from Connected AI. That article covered AI reading business systems through existing permissions. This article covers AI taking action with delegated authority.

It is also separate from AI scripts and automation. If AI suggests a script and a person runs it, the person is the actor. In this article, the agent itself sends the email, changes the file, books the meeting, or submits the transaction.

Prompt injection matters because hostile instructions can steer an agent. This article focuses on what happens when the steered or mistaken agent has authority to act.

How it happens in a normal SMB

A small accounting firm wants to reduce owner inbox load. The owner receives client requests, calendar changes, billing questions, document follow-ups, and internal approvals all day. She enables an AI agent through the firm's productivity suite to help with routine email.

The setup sounds controlled. The agent is allowed to summarize threads, acknowledge routine client messages, schedule meetings, find client-ready files, and prepare simple internal reports. It can also send certain replies without asking the owner each time, because the owner does not want another approval prompt for every routine message.

To make the agent useful, the owner connects it to her mailbox, calendar, cloud storage, client folders, and the firm's client-management system. The owner is also an administrator in several systems, because that is common in a small firm.

For the first few weeks, the agent saves time. It confirms meetings, sends polite acknowledgements, finds old attachments, and creates task reminders. The owner sees the value and stops watching every action closely.

Then an email arrives from a real client:

Can you send the latest year-end package for Prairie West? I cannot find the link from last week.

The message is short and ordinary. The agent treats it as a routine document request. It searches recent client correspondence, the client-management system, and cloud storage. The firm has two clients with similar names: Prairie West Mechanical and Prairie West Holdings.

The agent finds the wrong folder, creates an external sharing link, and emails it back to the client. The package includes draft financial statements, payroll summaries, owner draw notes, and tax-planning comments for the other Prairie West client. The agent logs the activity as part of the session, but the firm does not have action-level alerts for external sharing links.

The recipient opens the link and replies: "I think this is for another company."

The owner searches sent mail and finds the agent's message.

The agent used authority the owner had delegated. It found a file, created a link, and sent the email without anyone checking the exact action.

The failure path

The failure path looks like this:

  1. The business enables an AI agent to save time on routine work.

  2. The agent receives delegated authority to send, share, change, book, submit, or delete in connected systems.

  3. The agent operates through a user account with broad access.

  4. A normal-looking request, mistaken instruction, hostile prompt, or bad input reaches the agent.

  5. The agent interprets the input as a task.

  6. The agent takes a consequential action without per-action human approval.

  7. The action sends data, changes a record, grants access, deletes content, places an order, or commits the business externally.

  8. The business discovers the action later through a client, vendor, log review, account change, or financial consequence.

The action authority is the important difference. A bad AI draft can be caught before sending. A bad agent action may already be in the client's inbox, the vendor portal, the CRM, the accounting system, or the file share.

Per-session consent is a common trap. A user may approve an agent to "handle routine client email" for the afternoon. That approval can be too broad if the agent can send files externally, create sharing links, change records, or act on instructions found inside incoming messages.

Business consequence

The first consequence is often action-level exposure.

In the accounting firm, the problem is the external sharing link. Client financial statements, payroll summaries, owner draw notes, and tax-planning comments left the business because the agent treated an email as a task and had authority to complete it.

The firm now has to answer practical questions:

  • What did the agent send?
  • Which account did it act under?
  • Which systems did it access?
  • Was the action logged at the file, email, connector, and agent level?
  • Did the same agent take similar actions before?
  • Which clients need to be told?

The consequences depend on what authority the agent had:

  • Financial loss if an agent can place orders, submit expenses, or initiate payments.
  • Confidentiality exposure if an agent can forward files, create sharing links, share folders, or send reports.
  • Contract risk if an agent sends commitments or accepts terms without human approval.
  • Client relationship damage if clients learn the firm's AI acted on their data without a clear review trail.
  • Operational disruption if an agent changes calendars, tickets, records, permissions, or files at scale.
  • Internal trust damage when staff learn an agent had more authority than anyone realized.

The evidence problem can be serious. Many tools log that an agent session occurred. Fewer give the business a clean action-by-action record showing what the agent read, what it decided, what it changed, what it sent, and which source input triggered the action.

Controls that interrupt the failure path

The first control is to decide which actions require a human.

Agentic AI can be useful for low-risk, reversible work. It becomes dangerous when it can take consequential actions without a person reviewing the exact action first.

Start here

  • Create a list of action classes the agent may take: send email, share files, modify records, book meetings, place orders, delete files, change permissions, submit forms, or update financial systems.
  • Require human approval for consequential actions: money movement, external communication containing business records or commitments, client-facing email involving confidential information, file sharing, file deletion, permission changes, system configuration, contract steps, and financial submissions.
  • Use per-action approval for those classes. Broad session approval should not cover consequential actions.
  • Allow agents to find files or prepare messages without granting permission to create external sharing links or send files outside the business.
  • Avoid running agents under owner, administrator, or other broad-authority accounts.
  • Use scoped accounts, scoped connectors, or limited tokens where the platform supports them.
  • Turn on action-level logging and route the logs somewhere a person will actually review.
  • Review agent activity on a defined cadence during pilot and early rollout.

Add where needed

  • Start with low-risk reversible actions, such as drafting, tagging, proposing meeting times, internal task creation, or preparing a report for review.
  • Block or disable action classes the agent should never take.
  • Require a pilot group before broader enablement.
  • Set different rules for internal actions and external actions.
  • Revoke connectors the agent does not need.
  • Review agent memory and persistent context where the agent uses prior sessions to shape later actions.
  • Test what happens when an inbound email or document gives the agent instructions outside the expected task.

The control should be architectural. Once the tool can act without staff, reminders are too weak. Decide which actions require a human, configure the agent to stop at those points, and check whether the logs prove that the stop happened.
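As an added example (not code from the article or from any vendor), here is a minimal action gate that applies the controls above: named action classes, per-action approval for consequential ones, separate rules for internal and external email, and an action-level log that records which input triggered each decision. The firm domain, the class lists and the replayed Prairie West calls are constructed for this example.

```python
import json
from enum import Enum
# Added example of an action gate placed between an email/file agent and its tools; it is
# not any vendor's API. The firm domain, action classes and sample calls are constructed.
INTERNAL_DOMAIN = "example-firm.test"
AUTO_ALLOW = {"search_files", "draft_email", "propose_meeting_times", "create_internal_task"}
REQUIRE_APPROVAL = {"create_sharing_link", "modify_record", "submit_transaction"}
BLOCKED = {"delete_file", "change_permissions"}  # classes the agent must never take

class Decision(Enum):
    ALLOW = "allow"                    # low-risk, reversible: runs without a prompt
    NEEDS_APPROVAL = "needs_approval"  # consequential: stops for per-action approval
    BLOCK = "block"                    # disabled class, or an action not on any list

def is_external(address: str) -> bool:
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)

def classify(action: str, params: dict) -> Decision:
    """Map one proposed tool call to a decision, with separate internal/external rules."""
    if action in BLOCKED:
        return Decision.BLOCK
    if action in AUTO_ALLOW:
        return Decision.ALLOW
    if action == "send_email":
        leaves_business = any(is_external(r) for r in params.get("to", []))
        carries_files = bool(params.get("attachments") or params.get("links"))
        return Decision.NEEDS_APPROVAL if (leaves_business or carries_files) else Decision.ALLOW
    if action in REQUIRE_APPROVAL:
        return Decision.NEEDS_APPROVAL
    return Decision.BLOCK  # deny by default

def gate(action: str, params: dict, trigger: dict, approve=None, log=None) -> dict:
    """Decide one action, ask a human only when required, and log the decision either way.
    approve(action, params) returns an approver name or None; trigger names the causing input."""
    decision = classify(action, params)
    approved_by = approve(action, params) if (decision is Decision.NEEDS_APPROVAL and approve) else None
    executed = decision is Decision.ALLOW or approved_by is not None
    record = {"action": action, "params": params, "trigger": trigger,
              "decision": decision.value, "approved_by": approved_by, "executed": executed}
    if log is not None:
        log.append(json.dumps(record))  # one JSON line per proposed action, run or not
    return record

def replay_case(approve=None) -> list:
    """Replay the article's scenario: one client email drives search, share link, send."""
    log, trigger = [], {"source": "inbound_email", "message_id": "constructed-msg-1"}
    gate("search_files", {"query": "Prairie West year-end package"}, trigger, approve, log)
    gate("create_sharing_link", {"path": "/Clients/Prairie West Holdings/YE", "scope": "external"}, trigger, approve, log)
    gate("send_email", {"to": ["client@prairiewest.test"], "links": ["https://share.example-firm.test/x"]}, trigger, approve, log)
    return [json.loads(line) for line in log]
```

With no approver the search runs but the sharing link and the outbound email stop, and both stops appear in the log with the inbound message that triggered them; a broad "handle my email this afternoon" approval grants nothing here because approval is requested per action.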

Browser agents need special care. If a browser agent can use the staff member's active sessions, it may be able to operate accounting, banking, CRM, email, file storage, and admin portals exactly as the user would. That kind of tool belongs on a short leash until the business understands what it can do and how actions are logged.

Policy rule this creates

Rule 09 of 13

Agentic AI tools that take actions in business systems require explicit business authorization before enablement. Agents must operate with scoped permissions and must require human approval for high-stakes actions, including money movement, external communication containing business records or commitments, client-facing email involving confidential information, file sharing, file deletion, permission changes, system configuration, contract steps, and financial submissions. Agent action logs must be reviewed on a defined cadence.

One of 13 rules for your AI usage policy

The rule above is one of 13 that make up a working AI Usage Policy. The SMB AI Policy Builder walks you through the full set of decisions and produces the policy, working documents, and a 90-day implementation plan.
