Agentic AI in 2025: What It Is, Why It’s Risky, and How We Use It Without Burning the House Down

If 2023–24 was the “chatbot” phase of AI, 2025 is the year something more powerful – and more unpredictable – has walked through the door: agentic AI.

Instead of waiting for a prompt and replying with text, these systems can now plan, take actions, call tools, write to your systems, and remember what happened last time. In other words: they don’t just answer work – they do work.

Consulting firms are already talking about a structural shift. Deloitte notes that 80% of automation leaders expect to accelerate AI agent investments over 2025, and that roughly one-third of enterprise software applications are forecast to include agentic capabilities by 2028, with a global agentic AI market projected above $100B by 2032.

On the ground, this isn’t theoretical. OutSystems reports that customers like Thermo Fisher and Axos Bank already have more than 5,500 AI agents in development, moving from pilots to production-grade workflows with human oversight.

And in consumer land, Morgan Stanley expects nearly half of US online shoppers to use AI shopping agents by 2030, adding an estimated $115 billion to US e-commerce through “agentic commerce” – autonomous personal shoppers for everyone.

The opportunity is enormous. So is the attack surface.

As someone who spends most of my week talking to CISOs, CIOs and AI adoption leads, I see the same tension everywhere:

“We know we can’t sit out agentic AI – but we’re not going to blow up our risk profile just to look innovative.”

This blog is my attempt to lay out, in plain language:

1. What we actually mean by agentic AI.
2. Where it’s already being used.
3. The new security failures it introduces.
4. A pragmatic playbook for leaders.
5. And finally, how this all connects to Aona’s mission: safe, smart, scalable AI adoption.

1. What Agentic AI Really Is (Without the Hype)

Most people first met AI through a chat box: you type a question, it answers, and the interaction basically ends there.

Agentic AI is different in three important ways:

1. It can decide what to do next.
   The system isn’t just predicting the next word – it’s breaking a goal into steps (“plan an onboarding”, “triage this incident”, “close these tickets”) and deciding which step to run now.
2. It can use tools and systems.
   Agents don’t live in a vacuum. They can call APIs, query databases, read documents, create Jira tickets, send emails, or trigger workflows in tools like ServiceNow or Salesforce.
3. It can remember and adapt.
   Instead of “reply and forget”, agentic systems maintain short- and long-term memory: past conversations, system states, user preferences, strategies that worked before. That memory shapes future decisions.

OWASP’s Agentic AI – Threats and Mitigations captures this nicely: agentic AI is an evolution of autonomous systems, now massively amplified by large language models, which increases both capability and risk.

Put simply:

A classic LLM answers a question. An agent decides what to do, does it, and learns from it.

That’s exactly why enterprises are excited – and why security teams are sweating.

2. Where Agentic AI Is Already Showing Up

Let’s ground this in real use cases, not just architecture diagrams.

2.1 Cybersecurity: From Alerts to Autonomous Actions

Security teams have been early movers. A 2025 paper in Ocean & Coastal Management (yes, not the place you’d expect) looks at how agentic AI can orchestrate specialized models to detect and respond to cyber threats, citing systems like Darktrace’s “Enterprise Immune System”, which learns a baseline of “normal” network behaviour and reacts when something looks off.

At the same time, IBM’s Enterprise IT Security Guide to Agentic AI Vulnerabilities calls agentic systems “the fastest-growing attack vector in enterprise environments,” noting that GenAI is now involved in around 70% of security incidents and that agentic breaches have a significantly higher cost and shorter time-to-detect than traditional incidents.

So the same technology is empowering defenders and attackers – and the line between the two is getting thinner.

Typical agentic security use cases I see:

• Automated incident triage (enrich an alert, pull logs, propose a disposition)
• Playbook execution (isolate a host, disable an account, open a case)
• Threat hunting (continuously scanning telemetry, flagging anomalies)

The upside: a junior analyst suddenly has the reach of a whole team. The downside: a misconfigured or compromised agent also has the reach of a whole team.

2.2 IT Operations and Enterprise Workflows

On the operations side, platforms like OutSystems’ Agent Workbench are helping enterprises orchestrate multi-agent workflows with built-in human oversight. Customers like Thermo Fisher and Axos Bank are using agents to:

• Interpret error logs and suggest fixes
• Automate document mapping and data entry
• Route customer escalations using unstructured interaction dat
• Read images (like odometer photos) and cross-check them against records

Deloitte’s 2025 guide on agentic AI adoption frames it bluntly: organisations are at the “dawn of a step change in how work is accomplished”, and successful teams will “reimagine workflows” rather than bolt agents on top of old processes.

2.3 Commercial & Customer-Facing Agents

On the revenue side, we’re seeing the rise of agentic commerce. Morgan Stanley forecasts that by 2030, nearly half of US online shoppers will use AI agents, adding up to $115B in incremental e-commerce spend, as personal shopping agents compare prices, place orders, and manage subscriptions on our behalf.

Retailers and platforms are racing to embed these agents now, not in five years.

3. Why Agentic AI Is Also a Security Time Bomb

If you’re a CISO, here’s the uncomfortable truth: agentic AI breaks a lot of the assumptions your current security model quietly relies on.

IBM summarises the shift:

• Agents can autonomously execute tool calls (databases, APIs, system commands).
• They operate through multi-step decision chains, with many places for an attacker to intervene.
• They rely on dynamic memory that can be manipulated.
• They integrate across multiple enterprise applications at once.

OWASP and others have started to formalise what this means in practice. Let me highlight three failure modes I’m most worried about when I talk to customers.

3.1 Memory Poisoning & Memory Injection

Agents work because they remember. That memory – prior steps, summaries, user preferences, “lessons learned” – becomes a persistent attack surface.

Security researcher Mamta Upadhyay describes memory poisoning as the LLM equivalent of a “stored XSS”: you quietly embed malicious or misleading content into what the agent stores, and it resurfaces later in a different context.

In 2025, researchers went further with Memory Injection Attacks (MINJA): they showed that you can compromise an agent’s memory purely by interacting with it as a normal user, without direct access to its memory store. Malicious records injected via queries can later be retrieved and drive harmful reasoning steps when a different (victim) user asks a question.

If you strip away the terminology, the pattern looks like this:

1. The attacker engages the agent and gets it to store some “helpful” but malicious rules or summaries.
2. Those records sit quietly in memory.
3. Weeks later, a legitimate user triggers a task; the agent retrieves the poisoned memory and starts behaving “oddly” – maybe leaking data, maybe calling the wrong tools, maybe subtly skewing decisions.

From the outside, it just looks like the agent “went weird”. Under the hood, you’ve got a long-tail integrity problem.

It’s not surprising that both OWASP’s 2025 LLM04 guide and multiple industry blogs now call out memory poisoning and sleeper agents as core data/model poisoning risks for LLMs and agents alike.

3.2 Tool Misuse and Over-Permissioned Agents

The second failure mode is much more familiar to anyone who’s ever managed service accounts.

Lasso Security’s 2025 analysis of top agentic AI threats highlights tool misuse as one of the big three concerns, alongside memory poisoning and privilege compromise. Agents wired into calendars, email, ticketing systems, RPA platforms, or internal APIs can be tricked or coerced into executing harmful actions – often just through carefully crafted prompts.

We’ve seen real-world examples where:

• An agent with broad file-system tools can be nudged into exfiltrating sensitive documents
• A support agent can be induced to reset MFA or change contact details
• A scheduling agent can spam calendars or trigger downstream automations

None of this requires exploiting a “bug” in the traditional sense. It exploits overly broad, poorly governed capabilities.

If you wouldn’t give a junior contractor unfettered API access to finance, HR and production, you shouldn’t give it to an agent either. But today, many organisations have effectively done exactly that.

3.3 Privilege Compromise & Cross-System Blast Radius

The third risk is about how far an agent’s reach extends once something goes wrong.

IBM’s guide includes case studies where:

• Memory poisoning in supply-chain optimisation agents led to tens of millions of dollars in fraudulent purchases before detection.
• Tool misuse in diagnostic agents exposed hundreds of thousands of patient records, triggering major regulatory penalties.
• Privilege escalation in trading agents resulted in unauthorised trades and large portfolio deviations.

Lasso and OWASP both emphasise that agents don’t just create more entry points – they create faster, more interconnected failures. An agent compromised in one system can move laterally, because it was explicitly designed to coordinate across multiple tools.

This is why traditional “LLM app” threat models – which focus on stateless prompt injection and data leakage – are no longer sufficient on their own.

4. Why Our Existing AI Governance Is Not Enough

A lot of organisations I meet proudly show me their “AI policy” slide:

• Don’t paste sensitive data into unapproved tools
• Use approved vendors only
• Humans remain accountable for critical decisions

Those are good starting points. But they assume a request/response world.

In 2025, the ecosystem has started to acknowledge that this is not enough:

• OWASP launched a dedicated Agentic AI – Threats and Mitigations guide, treating agentic systems as a distinct class with their own taxonomy of risks and controls.
• Their AI Security Solutions Landscape for Agentic AI (Q3 2025) maps tools across the full agent lifecycle – from design to operations – precisely because SecOps teams were struggling to see where new controls were needed.
• A Multi-Agentic System Threat Modeling Guide applies this taxonomy to multi-agent systems, where agents interact with each other, not just with users.
• Industry blogs and practitioners have begun publishing detailed breakdowns of memory poisoning, tool chaining, shadow agents, and other attack patterns that simply didn’t exist in mainstream security decks two years ago.

The direction of travel is clear:

Agentic AI isn’t “just another AI use case”. It needs its own governance model.

For leadership teams, that means a shift in mindset:

• From “What prompts are safe?” → to “What can this agent actually do?”
• From “Which tools are allowed?” → to “What capabilities should this agent be allowed to have, for this task, for this user?”
• From one-off model risk reviews → to ongoing monitoring of behaviour, memory, and tool usage

5. A Pragmatic Playbook for CISOs, CIOs and AI Leads

So what do you actually do with all of this?

Here’s the distilled version of what we advise customers, pulling from OWASP, IBM, Deloitte and our own work with AI adoption teams.

Step 1: Inventory Your Agentic Footprint (including “Shadow Agents”)

You probably have agentic behaviour in more places than you realise:

• Embedded “copilots” in SaaS tools
• Workflow engines that now expose LLM-powered actions
• IT automation and AIOps platforms adopting multi-agent orchestration
• Skunkworks projects in operations, marketing or finance

Create a single view of where agents exist, what tools they can call, and what data they can see. This is the agentic equivalent of asset discovery.

Step 2: Classify Use Cases by Risk, Not Hype

Not all agents are equal. A summarisation helper inside Confluence is not the same as a trading agent or an HR decision engine.

We encourage teams to classify agents along three dimensions:

1. Data sensitivity – Does it touch PII, IP, regulated data?
2. Action criticality – Can it change money, access, infrastructure, or people outcomes?
3. Autonomy level – Is it just suggesting, or can it execute actions without human sign-off?

High-risk agents get a very different governance and monitoring treatment.

Step 3: Apply Zero-Trust Principles to Agents

Think of each agent as a semi-trusted micro-service that happens to speak natural language:

• Unique identity per agent instance (not one big shared service account)
• Least-privilege capabilities – narrow tool scopes, read-only where possible, constrained APIs
• Task-scoped permissions – grant capabilities for the duration of a task, then revoke
• Segmentation – limit where agents can “talk” to each other, and log those interactions

This mirrors what IBM calls a zero-trust agent architecture, with dynamic capability assignment and continuous authentication, not static trust.

Step 4: Secure Memory and Knowledge Bases

Treat agent memory as a critical integrity and privacy asset, not a convenient cache.

Key controls we see emerging:

• Validation and sanitisation before storing anything in long-term memory
• Provenance tags recording whether content came from a user, an internal system, or the model itself
• Memory expiry and scoping (per tenant, per workflow, per risk level)
• Periodic “memory audits” to look for anomalous or dangerous instructions
• Detection of known memory injection patterns, drawing on research like MINJA

For RAG systems, this extends to vector databases and other knowledge stores.

Step 5: Monitor Behaviour – Not Just Inputs and Outputs

Traditional AI security often focuses on checking prompts and responses. With agents, you must watch the behavioural trace:

• Which tools were called, in what sequence, with what parameters?
• What memory entries were read or written?
• How did the agent’s actions differ from historical patterns for this task?

OWASP’s 2025 work emphasises agent-specific monitoring and logging as a distinct responsibility, not an optional add-on.

Step 6: Build Human Oversight Where It Actually Matters

Humans absolutely cannot sit in the loop for every agent step. They must sit in the loop for:

• High-value financial actions
• Access control and identity changes
• Irreversible infrastructure changes
• HR and legal decisions with material impact

We’ve seen a healthy pattern where multi-agent systems propose a plan, execute low-risk steps automatically, and escalate high-risk actions to named human approvers with clear explanations.

6. How This All Connects to Aona AI

So where does Aona fit in this picture?

When we built Aona, we didn’t set out to create “yet another guardrail SDK”. We set out to solve a specific problem our customers were wrestling with:

“We want the benefits of AI and agents – but we’re flying blind on usage, we don’t trust the data flows, and our people aren’t trained to use this safely.”

That’s why Aona is positioned as a Responsible AI Adoption Platform, not just a point product.

From day one, we focused on three pillars:

1. Visible – Discover what’s happening
   • Shadow-AI detection across tools
   • Usage dashboards tied to productivity and cost
   • Visibility into where and how agentic capabilities are being used
2. Secure – Stop what shouldn’t happen
   • Policy guardrails to block or redact sensitive data before it ever reaches a model or agent
   • Risk alerts and audit-ready logs of every interaction – crucial when agents act autonomously
3. Engage – Guide the right behaviour
   • Just-in-time playbooks and bite-size training in the flow of work
   • Role-based coaching so employees learn how to work with agents safely, not fear them

That translates very directly into the agentic AI context:

• Real-time observability for agents
  We help you see which agentic tools are being used, what data they touch, and how behaviour evolves – across both approved platforms and shadow projects.
• Data protection guardrails
  Our policy engine can automatically allow, block, or redact prompts and tool calls, so agents don’t accidentally leak PII, IP or confidential data into public or private models.
• Shadow-agent detection
  Just as we detect shadow AI tools, we surface unsanctioned agentic workflows that teams spin up in low-code tools, notebooks, or SaaS copilots – before they become tomorrow’s incident.
• Coach Aona for people and process
  Technology alone won’t fix agentic risk. Employees need to understand when to trust an agent, when to question it, and when to escalate. Coach Aona delivers tailored training and assessments right where people work, so safer usage becomes a daily habit, not a one-off seminar.

In other words: we’re not trying to stop you from using agentic AI.
We’re trying to make sure you can use it boldly, safely, and measurably.

7. Closing Thought: The Fork in the Road

Agentic AI is not a passing phase. It’s a fundamental change in how work gets done and in how systems can fail.

The organisations that win this next chapter won’t just be the ones with the flashiest demos or the most agents in production. They’ll be the ones that:

• See clearly what their agents are doing
• Protect ruthlessly what matters most
• Invest in people, not just models
• And treat agentic security and governance as a first-class design constraint, not an afterthought

At Aona, that’s the future we’re building for:

Safe, smart, scalable AI adoption – where every employee can confidently work with powerful agents, and every leader can sleep at night.

If your teams are experimenting with agentic AI – or already feeling uncomfortable about how far it’s spread – we should talk. Even a short discovery session can surface where your biggest unseen risks and quickest wins are.

Contact us and let's start the conversation.

Sources:
Deloitte – Agentic AI enterprise adoption: Navigating enterprise agentification Deloitte
IBM – The Enterprise IT Security Guide to Agentic AI Vulnerabilities community.ibm.com
OWASP GenAI Security Project – Agentic AI – Threats and Mitigations & AI Security Solutions Landscape for Agentic AI Q3 2025 OWASP Gen AI Security Project+1
Lasso Security – The Top Agentic AI Security Threats You Need to Know in 2025 Lasso Security
Mamta Upadhyay – Memory Poisoning in Agentic LLMs The Secure AI Blog
Dong et al. – Memory Injection Attacks on LLM Agents via Query-Only Interaction (MINJA) arXiv
Business Insider – Morgan Stanley: Nearly half of online shoppers will use AI agents by 2030… Business Insider
iTWire / OutSystems – OutSystems Agent Workbench Accelerates Enterprise Agentic AI Adoption itwire.com
OWASP – LLM04: Data and Model Poisoning (2025) VeriGenAI
ScienceDirect – Transforming cybersecurity with agentic AI to combat emerging cyber threats ScienceDirect