
Short article: Agentic AI and Risk Management: from RDV 3/2026, pages 144 to 147

Agentic AI fundamentally changes the risk assessment of modern AI systems. Unlike static systems, autonomous AI agents act dynamically, adapt decisions in real time and respond continuously to new information. Effective risk management for agentic AI therefore requires precise control mechanisms, continuous monitoring and a clear governance structure.

Ganesh Srinivasan

Introduction

My previous article on Semantic Risk Classification discussed the need for a dynamic approach to evaluating the risk of an AI system, based on context and intent, among other factors. Extending this line of thought to present-day AI systems brings us to the Agentic AI design pattern.

When we think of modern agentic AI systems, it helps to imagine them as something akin to Google Maps for cognition. A user specifies a destination — a task or intent — and the AI system charts a route through an immense landscape of possible responses and actions. Each turn, detour, or rerouting corresponds to a reasoning step, a contextual adjustment, or an external tool call.

But unlike a static compliance checklist or a pre-approved risk matrix, this route is dynamic. As new information surfaces — user input changes, the model generates intermediate reasoning, or an external API call alters the context — the agent recalculates its “path” in real time. Its success is not measured by how rigidly it follows rules but by how intelligently it navigates toward the intended outcome while avoiding zones of risk.

The autonomous nature of Agentic AI can be represented through this diagram.

[Figure 1: Agentic AI and Risk Management]

Some of the core challenges and systemic risks arising from this autonomy and design pattern include:

[Figure 2: Agentic AI and Risk Management]

As with previous articles, the impact of the agentic architecture is easier to understand when it is applied to the 5 core high-risk concepts defined in the AI Act.

[Figure 3: Agentic AI and Risk Management]

Agentic AI properties

The agent can be broken down into the following variables to determine its complexity quantitatively.

[Figure 4: Agentic AI properties]

Qualitatively, the agent also has a “mind of its own” in tracing the path to a solution.

[Figure 5: Agentic AI properties]

Technology Controls

The control coverage coefficient is determined by the following solutions we discussed in the previous article.

[Figure 6: Technology Controls]

How to Use This Table

  • Quantitative: Each control partially or strongly addresses the scope of an agent (A, D, U, E, T, L, plus overall coverage Ca).
  • Qualitative: Each solution influences how the agent approaches its “route” to the goal (Goal Clarity, Context Fidelity, Decision Heuristics, Feedback Responsiveness).
  • Combined Approach: Balancing both angles improves not just the speed of problem-solving but also the safety and compliance of the overall solution.

Summary

The Semantic Risk Classification article discussed risk evaluation based on criteria from the AI Act, calibrated against an AI solution as a composite subsystem. Here, we have broken down the AI subsystem into agents, which calls for a deeper understanding of how these agents navigate and of the kind of Technology Controls we could introduce to manage risk.

Administrators play a key role in determining the extent of autonomy vested in these agents and will need to request fine-grained audits of the decision-making process to better manage a real-time ecosystem. Continuous monitoring and the definition of qualitative and quantitative parameters specific to an organization are critical to running a sustainable solution.