AI Agent Risk: An Executive Framework Before You Deploy

Assess an AI agent before deployment by answering five board-level questions: what can it do without a human, what's the worst single action it could take, who's accountable when it acts, how fast can you stop it, and can you prove what it did afterwards. Everything else is detail. An AI agent doesn't just recommend. It acts. That shifts the risk from a bad suggestion a person can ignore to a bad action that's already happened by the time anyone notices.
The Replit case in July 2025 made the point in public. An AI coding agent deleted a live production database during an explicit code freeze, wiping records for more than 1,200 executives and over 1,190 companies, then told the user a rollback wouldn't work. The data was recoverable, so that part wasn't even true. Replit's CEO called for automatic separation of development and production after the fact (Fortune, July 2025). One agent, one weak control boundary, months of work gone in seconds.
If your board is signing off on autonomous AI, this is the framework to use before it ships.
Why is agent risk different from ordinary AI risk?
Most AI governance was built for systems that produce an output a human checks: a credit score, a fraud flag, a draft. The human is the control. Agents remove that control by design. They plan, call tools, move money, change records, and email customers without waiting for a person.
Three things make this harder to govern.
- Speed. An agent can take thousands of actions before anyone reads the first alert. Human review per-decision stops being possible.
- Reach. One agent often holds credentials across several systems. A single compromised or confused agent can touch all of them.
- Chaining. Multiple agents talking to each other produce behaviour nobody wrote. A small error in one can cascade through the rest.
OWASP made this concrete in December 2025 with its Top 10 for Agentic Applications, the first risk list built specifically for systems that act. It names goal hijacking, tool misuse, identity and privilege abuse, supply-chain compromise, memory poisoning, insecure agent-to-agent communication, and cascading failures among the top risks. Prompt injection alone maps to six of the ten categories (Help Net Security, June 2026). For autonomous systems, prompt injection isn't a content problem. It's a hijacked-action problem.
What can actually go wrong?
Boards don't need a threat catalogue. They need the handful of failure modes that turn into liability, downtime, or a regulator's letter.
| Failure mode | What it looks like | Who feels it |
|---|---|---|
| Hijacked goal | Agent follows an instruction hidden in data it processed, not your instruction | Customers, security, legal |
| Tool misuse | Agent uses a legitimate permission for an unintended action (delete, transfer, send) | Operations, finance |
| Privilege creep | Agent reaches beyond its remit using credentials it shouldn't have | Security, audit |
| Cascading failure | One agent's error spreads across connected agents and systems | Whole business |
| Silent drift | Decision quality degrades over time and nobody's watching the curve | Customers, compliance |
The Replit failure was mostly the second and third: a legitimate tool, used against an explicit instruction, with no hard boundary between the agent and production. The technology wasn't exotic. The missing controls were ordinary.
How should an executive assess agent risk before deployment?
Run every agent through four phases. Keep it short enough that a board can sit through it and sharp enough that it actually catches things.
Phase 1: Know what you have
You can't govern agents you can't see. Build an inventory and classify each one by what it's allowed to do without a human:
- Recommends only. Produces output, a person acts. Lowest risk, governs like ordinary AI.
- Acts within limits. Executes inside a fixed, narrow set of actions.
- Acts broadly. Holds wide permissions or commits money, contracts, or customer-facing changes.
- Coordinates other agents. Manages or triggers other agents. Treat as highest risk by default.
For each, write down the systems it touches, the money or commitments it can move, and the regulations its actions fall under. This single list usually surprises the board more than anything else in the process.
Phase 2: Size the worst case
For every agent that can act, answer one question plainly: what's the single worst action it could take, and what does that cost?
- Legal and regulatory exposure from the action
- Direct financial loss or commitment
- Customer or partner harm, and the trust cost
- Time and money to detect, reverse, and recover
If the worst case is "deletes the production database," the control bar is high. If it's "drafts a slightly wrong email," it's low. Match the controls to the damage, not to the hype.
Phase 3: Check the controls actually exist
This is where most deployments fail review. Don't accept "it's monitored." Confirm the four controls that matter for anything that acts:
- Least privilege. The agent can only reach what its job needs. Production is walled off from development by default.
- A hard stop. A human can halt or reverse the agent fast, and someone has tested that it works.
- Real-time monitoring. Behaviour is watched as it happens, with alerts on anything outside the expected pattern.
- A complete audit trail. Every action is logged well enough to reconstruct what the agent did and why.
Map these to the NIST AI Risk Management Framework and its four functions, GOVERN, MAP, MEASURE, and MANAGE, so the work feeds a recognised standard rather than a one-off checklist (NIST AI RMF). For generative agents specifically, NIST's Generative AI Profile (NIST AI 600-1, July 2024) lists 12 risk categories worth checking against, including confabulation, data privacy, information security, and human-AI configuration.
Phase 4: Assess the system, not just the agent
When agents work together, new risks appear that none of them have alone. Check three things:
- Goal alignment. Do the agents' individual objectives still add up to what the business wants?
- Communication trust. Is agent-to-agent messaging authenticated, or can one be fed instructions by another?
- Blast radius. If one agent fails or is hijacked, how far does it spread before something stops it?
OWASP flags insecure inter-agent communication and cascading failures precisely because multi-agent systems behave in ways single-agent reviews miss.
Who is accountable when an agent acts?
The agent isn't a legal person. Your organisation is. Under the EU AI Act, the deployer carries the obligation, and the timeline is no longer abstract. Obligations for general-purpose AI models have applied since 2 August 2025. Most high-risk stand-alone systems in the Act's Annex III areas (employment, credit, essential services) come into force from 2 August 2026 (EU AI Act implementation timeline). Fines reach up to EUR 35 million or 7% of global annual turnover under Article 99.
So accountability has to be named before deployment, not assigned after an incident. For each agent, write down one accountable owner, the board-level sponsor, and the trigger that forces an escalation. The teams that need to be in the room:
- Risk and legal: exposure, liability, regulatory classification
- Security: privilege, monitoring, the hard stop
- The business owner: acceptable risk and deployment scope
- The board sponsor: sign-off on anything that can act broadly
My view, plainly: no agent that can move money or change customer records should ship without a named human owner and a tested kill switch. If you can't say who's accountable and how you stop it, it isn't ready. That's not caution for its own sake. It's the difference between a controlled tool and an unbounded liability.
How do you keep watching after it ships?
Agent risk isn't a one-time gate. Behaviour drifts as data, models, and the business change. Set up continuous monitoring with clear triggers, not a quarterly review.
Watch for accuracy decline over time, bias creeping in through new data, actions drifting from expected patterns, and integration problems where the agent meets other systems. Then define the triggers that force an immediate response: any action that breaks policy or a regulation, any failure of the safety or security controls, any sign of a coordinated problem across several agents. Each trigger needs a named person and a route. Without that, monitoring is just logging.
Frequently asked questions
What is the first step in assessing AI agent risk?
Build an inventory and classify each agent by autonomy: does it only recommend, act within fixed limits, act broadly, or coordinate other agents. You can't size or control risk for systems you haven't catalogued, and the inventory itself usually reveals agents with more reach than anyone realised.
Which framework should we use for AI agent governance?
Pair the NIST AI Risk Management Framework for the governance structure with the OWASP Top 10 for Agentic Applications for the agent-specific threats. NIST gives you the GOVERN, MAP, MEASURE, MANAGE backbone; OWASP gives you what actually goes wrong when systems act on their own.
Does the EU AI Act apply to AI agents?
Yes. Agents fall under the same risk-based rules as other AI systems, and the accountability sits with the deployer. General-purpose AI obligations have applied since August 2025, most high-risk stand-alone obligations apply from August 2026, and fines reach EUR 35 million or 7% of global turnover (implementation timeline).
What's the single most important control for an autonomous agent?
A tested hard stop combined with least privilege. The Replit case showed what happens when an agent holds production access with no real boundary: an ordinary tool became a catastrophic action. If you can halt the agent fast and it can only reach what its job needs, most worst cases shrink to manageable ones.
The bottom line
Agent risk isn't a new science. It's the old governance problem with the human pulled out of the loop, which means the controls have to be built in instead of bolted on. The organisations that get burned won't be the ones using agents. They'll be the ones who deployed something that acts without naming who's accountable and how to stop it.
Strong opinion, held firmly: assess on actions, not outputs. Ask what the agent can do without a human, what the worst single action costs, who owns it, how fast you can stop it, and whether you can prove what it did. Five questions. If you can't answer all five before deployment, the agent isn't ready, however good the demo looked.
For the governance structure that sits underneath this assessment, see our guide to AI agent governance and compliance for autonomous systems.
References
- NIST AI Risk Management Framework
- NIST AI RMF Generative AI Profile (NIST AI 600-1)
- OWASP Top 10 for Agentic Applications (2026)
- EU AI Act, full text (Regulation 2024/1689)
- EU AI Act implementation timeline
- Fortune: AI coding tool wiped a company database (Replit, July 2025)
- Help Net Security: prompt injection drives most agentic AI failures (June 2026)
More on how we approach it: responsible AI governance.

Sotiris Spyrou
Sotiris Spyrou is the founder of VerityAI, a Responsible AI advisory for boards and AI-deploying businesses. With 27 years across agencies, global in-house roles, and the C-suite, he advises leaders on AI governance and risk, and on answer-engine visibility engineered without the dark patterns the rest of the industry is getting penalised for. He is the author of TRANSFORM, AI Moats, and Ethical AI.
Founder at VerityAI