The Three Buckets Framework: Bucket #2 - AI Agents
AI agents have become the consulting industry's favourite promise. "Trillions of dollars. Five years. Trust us." Reality is that fewer than 1 in 10 organisations report meaningful financial returns [1] and only 11% have AI agents running in production [2].
Most work processes are neither critical nor precision-dependent. They still have to be executed. That is where automation earns its place. Automation through AI agents is a potential piece of the bigger jigsaw puzzle to save time and cut costs in high-volume, repetitive tasks such as document processing and code generation. Agentic coding tools like Claude Code, Codex, and GitHub Copilot Workspace, on the other hand, can handle complex one-off tasks such as coding, debugging, and documentation. All of these strengths have inherent weaknesses; AI agents operate with broad system access, minimal oversight, and inherited LLM vulnerabilities. This makes them acutely susceptible to prompt injection, memory poisoning, privilege escalation, and cascading failures across multi-agent systems, attack surfaces that existing identity and security frameworks were never designed to handle.
An introduction to The Three Buckets Framework
In a previous article, I outlined The Three Buckets Framework, a simple framework for the board's approach to AI. In the follow-up article, I explained what the board should understand, do, and expect with regards to Bucket #1 - personal productivity tools. In summary, personal productivity tools are hygiene factors: adoption only requires a clear license and usage policy and the ROI is negligible at the board level.
The separation between chatbots and agents is in no way clear-cut. Where one user uses e.g. ChatGPT or Claude to create and perfect a sales pitch, another user uses Codex or Claude Code to build a custom CRM system. As the tools and technologies develop, it becomes even more difficult to define a robust taxonomy. This brings us back to the board's fundamental challenge: a shared understanding of what AI is, what it is not, which capabilities matter in which contexts, and which risks are involved. After speaking with and to thousands of executives over the last couple of years, I therefore concluded that risk is the key differentiator for the Three Buckets' Framework.
For Bucket #1 - personal productivity tools, the risks are chiefly related to license levels, user policies, and quality control of outputs. For Bucket #2 - AI agents, the risk profile is much more complex and collateral damage is lurking in the shadows.
In this article, I will describe the characteristics of Bucket #2 - AI agents, and explain in a similar structure what boards need to understand, do, and expect with respect to AI agents.
What should the board understand about the capabilities of AI agents?
The technological foundation for AI agents is large language models (LLMs), built on transformer architecture. This means that there are certain key characteristics which are critical for the board and C-suite to understand in order to navigate strategy and risk wisely:
1. Natural language as the interface.
Language models can accept vague, ambiguous instructions. No structured code is required. That means that anyone can build an AI agent for almost anything, which is both the opportunity and the threat, as the barrier to creating malware has dropped just as far as the barrier to creating value. Unlike humans, AI agents cannot tell whether an instruction comes from a person, another AI agent, or a malicious document, making prompt injection a structural vulnerability that cannot be fully eliminated.
2. Probabilistic models that confabulate.
Every language model in use today is built on transformer technology, a mathematical framework that predicts the next likely token, not the correct one. Confabulations (aka "hallucinations") are not a bug; they are a feature of the architecture. In multi-step agentic workflows, errors compound. One wrong assumption feeds the next, and you can end up with AI agents reinforcing each other's mistakes in self-amplifying loops.
3. Autonomy without full transparency.
Agents can receive a high-level goal, decompose it into subtasks, and execute without you knowing exactly how. That is powerful. It is also a control problem. When combined with prompt injection risk, poorly defined objectives can cause an AI agent to act on corrupted instructions, leak its goals, or be manipulated mid-task.
4. Tool use extends the attack surface.
AI agents are no longer limited to what the language model knows; they call external tools, execute code, query databases, and interact with live systems. The capability ceiling is effectively limitless. Which means, so is the exposure.
5. Long-term memory as a contamination channel.
Memory improves continuity across sessions, but it also creates persistence risk. Without robust version control and audit trails, injected or low-quality content can propagate silently through shared memory stores.
6. Multi-agent orchestration amplifies everything.
Combine the five properties above and you can automate complex, ambiguous tasks at a scale no previous technology could reach. You can also fail at that same scale. In multi-agent systems, a misconfigured or compromised orchestrator can re-route information flows and trigger cascading failures across the entire pipeline.
What should the board understand about the risk of AI agents?
There is a lot of mention of agentic AI, a phrase that easily feels as slippery as a soap bar. Where an AI agent is a specific software implementation that acts autonomously toward a defined goal, agentic AI describes systems where multiple agents interact and communicate to pursue one or more shared objectives. From a board perspective, the real governance issue hence arises with an agentic AI approach, i.e. when the use of AI agents becomes a structural feature. The strategic value may prove to be significant. So may the risk of collateral damage.
Agentic AI as a value-creating component of the board's strategy development and execution requires alignment with and integration into operational business processes. In many cases, the existing business processes may even be fully replaced by new ways of working enabled by agentic AI. For those old enough to remember the business process re-engineering paradigm from the 1990s, the current agentic AI frenzy may feel a bit like old knowledge in new wrapping. Albeit the technology itself is fundamentally different, the need to rethink operational processes is history repeating itself. To reap the value with agentic AI, boards need to focus on how to work with the organisation to rethink and redesign how work gets done.
LLM-based AI comes with a long list of inherent weaknesses. Regulatory non-compliance, security breaches, and reputational damage all translate into financial losses. What is less discussed, but should focus the mind of every board director, is that these failures can trigger personal liability claims against individual directors and executives.
What should the board do about agentic AI?
I often meet leaders who tell me that they want me "to inspire their employees into action, not scare them. Don't talk about risks". My answer is always the same: risk assessment is not the enemy of ambition. On the contrary, it is the foundation that makes ambition sustainable. Skipping it does not accelerate your AI strategy; it exposes it. AI adoption without risk awareness is a strategy mistake.
So here is what doing it right looks like:
Build a board with relevant competence. Not one token tech director, but rather genuine analytical literacy across the board, sufficient to ask hard questions and recognise a weak answer.
Invest in continuous learning. What agents could not do twelve months ago, they can probably do today. The capability curve is steep, the governance implications shift with it, and a board that last engaged seriously with the technology in 2024 is already working with an outdated map.
Require a policy on who can build agents, with which scope, and under what authorisation. Natural language is the new code language. That means your junior analyst, your external consultant, and a malicious actor are all working with the same interface. Absence of policy is also a policy, albeit a bad one.
Mandate human-in-the-loop checkpoints for any agentic workflow that touches financial, legal, compliance, or customer-facing outputs. Confabulation is architectural, not fixable. Design processes to minimise the risk and cost of making wrong decisions.
Give your CISO explicit authority and budget for agentic AI security. It should be separate from legacy IT security. The attack surface has changed and the security framework must follow.
Treat AI risk management as a proactive discipline, not a compliance exercise. Governance must be built into the business architecture. Documentation follows from that. It is never a substitute for it.
What should the board expect from agentic AI?
The ROI case is real, but it doesn't come automagically by itself. Organisations that will see meaningful returns are those that treat agentic AI as an operational redesign programme, not a technology deployment. That means auditing which processes are genuinely suitable for automation, redesigning workflows around the capabilities and limitations of agents, and building in governance from the start, not retrofitting it after the first incident.
The collateral damage case is equally real. A misconfigured agent with access to live systems, customer data, or financial workflows is not a theoretical risk. It is an operational liability that will move fast and quietly before anyone realises something has gone wrong.
The board should therefore expect to be asked hard questions by management and to be able to ask harder ones back. What is our agent inventory? Who authorised each deployment? What are the failure modes, and who owns them? If those questions do not yet have clear answers in your organisation, that is not a technology problem. That is a governance gap.
The only viable path is through knowledge
Navigating strategy and risk in a business landscape where fast-changing technology is the ultimate driver is challenging. However, trying to avoid it is not an option. The technology will be used against you through cybersecurity breaches, or without your knowledge as shadow AI, with potentially severe consequences for your company. You only have one option: skill up. The alternative path is outside the company.
The question is not whether AI agents will create value in your organisation. They will, for someone. The question is whether your board and C-suite have the competence to distinguish the opportunities from the liabilities before something goes wrong. If you want to work through that question, feel free to reach out.
If your board or leadership team would benefit from more constructive and informed discussions about AI, I work with organisations through keynotes and advisory engagements to create clarity and shared understanding.
Feel free to contact me to continue the conversation.
About the Author
Elin Hauge is a keynote speaker, AI strategist, and trusted advisor to business leaders and boards. She specialises in helping organisations make sense of artificial intelligence beyond the hype, connecting technology to strategy, governance, and real-world value. With a multidisciplinary background in physics, mathematics, business, and law, Elin brings both analytical rigour and practical perspective. Her talks and advisory work empower leaders to ask better questions, make wiser decisions, and navigate AI with confidence.
Frequently asked questions:
-
AI agents are software systems that use large language models to act autonomously toward a defined goal. They can interpret natural language instructions, decompose tasks, use tools, query systems, execute code, and interact with live workflows.
-
Chatbots primarily generate responses, while AI agents can take actions. The distinction is not always clear-cut, but the governance risk increases when AI systems move from assisting users to executing tasks, accessing tools, and affecting operational workflows.
-
Agentic AI refers to systems where one or more AI agents interact, communicate, and act toward shared objectives. From a board perspective, agentic AI becomes a governance issue when these agents are integrated into business processes and begin to operate as a structural feature of the organisation.
-
Boards should care about AI agents because they combine automation potential with a more complex risk profile. AI agents may access systems, process data, make recommendations, execute tasks, and create operational, financial, legal, cybersecurity, and reputational exposure.
-
The main risks of AI agents include prompt injection, memory poisoning, privilege escalation, confabulated outputs, poor oversight, excessive system access, cascading failures in multi-agent systems, and shadow AI deployments outside formal governance.
-
Boards should build relevant AI competence, require clear policies for who can build and deploy agents, mandate human-in-the-loop checkpoints for sensitive workflows, give the CISO authority and budget for agentic AI security, and treat AI risk management as a proactive strategic discipline.
-
AI agents can create measurable ROI, but only when organisations treat them as part of operational redesign rather than as a simple technology deployment. Value depends on selecting suitable processes, redesigning workflows, and building governance into the operating model from the start.