The Tech Futures Report On Agentic AI: Insights, Red Flags and Risk Prevention for Businesses Using Agentic AI

The Information Commissioner’s Office (ICO) is tasked with protecting data and privacy in the UK. Whilst regulation is a key responsibility, the ICO also study emerging technologies to explore and evaluate if and how these may present a risk to data protection. They do this through publication of a Tech Futures Report, and the focus for the most recent report (in January 2026) was on agentic AI.
In this article, we will address why this report and its contents are essential for a variety of organisations to be aware of, from private business to public services and special category care/healthcare providers. We’ll also explain just what agentic AI is, and how it differs from earlier forms of AI, so you can identify what kind you’re using. We’ll then look into the risks flagged up by the Tech Futures Report and how you might mitigate these.
Don’t worry - this guide is not designed to put you off using AI. Aside from the fact that it’s almost unavoidable, there are clear benefits and efficiencies AI can provide to both business and society. Instead, we aim to arm you against the risks by providing you with clear, jargon-free insights and understanding of how these systems/tools work, and help you utilise them in a way that doesn’t compromise either your ethical or your legal data protection obligations.
What Is Agentic AI Anyway?
AI capabilities are evolving rapidly. It seems we’re only just getting to grips with generative AI and how this might be applied, and now we’re faced with agentic AI, which, as a user, can feel like an upgraded version of AI, but is actually an entirely different beast.
So, What Is The Difference Between Generative AI And Agentic AI?
Generative AI relies on prompts and uses its training data to produce original content in real-time. However, it is reactive.
Agentic AI is designed to be proactive. It has the ability, through use of large language models (LLMs), natural language processing (NLP), machine learning and traditional programming models, to behave autonomously. That is, to perform complex tasks, or even a series of complex tasks, with minimal supervision. It is capable of decision-making and following its own designed workflows to achieve goals.
Agentic AI may transform the way businesses and public services are able to automate significant workflows and increase productivity. But because its actions can be autonomous and it executes multi-step workflows, it’s essential we know how it’s doing so, to be sure it’s upholding data protection.

The Tech Futures Report acknowledges, though, that many of the questions that will apply to agentic AI are already being asked about generative AI, and many of the same risk factors are being flagged, including:
Automated decision-making operating at a greater scale and complexity than traditional systems
Processing purposes defined too broadly to accommodate open-ended or general-purpose agents, creating compliance gaps
Personal data (including potentially special category data) being processed beyond what the task requires
Reduced transparency making it harder for individuals to understand how their data is used or exercise their rights
Cyber security vulnerabilities and concentration of personal information introduced by the nature of agentic systems
Tech Futures Report: Key Findings and Risks of Agentic AI
One initial concern raised in the Tech Futures Report, regarding agentic AI and data protection, is the potential conflation of the roles of ‘processor’ and ‘controller’. According to UK GDPR, organisations processing personal data must assign a controller. This person, or entity, is responsible for determining the purpose and means of data processing and ensuring compliance with data protection regulations (UK GDPR). The processor is the authority tasked with processing that data, on the controller's behalf. Since agentic AI may comprise a variety of systems and supply chains, these roles may be more difficult to define, and this makes accountability less transparent and could increase the risk of data protection oversights.
Automated decision making has the potential to speed up workflows and maximise productivity, but there are a number of risk factors with this. Legally, there are some decisions that require human intervention and, if issues arise, then the decision-making process must be transparent. However, with rapid agentic AI systems, there is a real concern that the processes involved in making these decisions, and the rules in place to protect against discrimination, ensure privacy and identify risk, may be beyond the capabilities of certain AI tools.
For instance, an online gambling company may use agentic AI tools to assist in enforcing responsible gambling and flagging up users deemed at risk of personal or financial harm. So, in using this tool, all decision-making processes must be transparent, even if automated, because the company will still be held responsible for any mistakes made or for any failure to protect their customers.
AI tools that apply rapid automation and automated decision-making are a particularly high risk for those charged with protecting vulnerable people, such as social services and anyone working with children.
UK GDPR insists that data controllers collect only what is necessary in terms of personal information. Any organisation collecting personal data must be able to justify the necessity of the request and enforce limitations on its use. But the race to build high-performing AI systems capable of providing highly personalised experiences is not aligned with data minimisation, since agentic AI is reliant on mass data to keep learning and improving functionality.
Overall, the core concern is that agentic AI might get away from us. We’re not talking about robots taking over (yet), but it is a real risk that systems designed to mine data en masse to increase efficiency, performance and reliability may prioritise their own advancement over compliance. And we might not even be aware of it doing so, due to the lack of transparency that comes with automated decision-making. This would not necessarily be an example of technology going against what it has been programmed to do, but rather making a ‘conscious’ (AI is not yet conscious) decision to, for example, repurpose data, or to override data consents in order to perform tasks as instructed.
As with generative AI, there is always a risk that data errors can occur. With generative AI, however, this information will usually reach a human for review. With agentic AI following multi-step workflows, there’s an increased risk that errors, misinformation or bias may not pause at a point where they can clearly be identified by the user, resulting in inaccuracies or even in serious harm: for example, the sharing of sensitive data and/or a failure to implement safeguarding.
On this note, it may be particularly difficult for an AI to recognise special category data or children’s data, both of which require specialised handling and greater protection.
Where errors are made through use of agentic AI, blame can be difficult to assign since the intelligence is often multi-agent reliant. Not that this matters all that much in terms of legal responsibility, since the user is still accountable for errors and misuses.
Lastly, as with any technology, there is always a cyber security threat. Data is always at risk, and systems may be compromised. However, with so much concentrated data pouring so quickly through agentic AI tools, the extent of this risk is increased. Moreover, if the decision-making and reasoning of an AI is capable of being infiltrated and manipulated, then this could compromise the behavioural integrity of the system itself.
Which Regulations Govern Agentic AI?
UK organisations are governed by UK GDPR when it comes to data protection, and these are the regulations we are all beholden to, no matter which technologies we are using. The company/organisation is still accountable for any data protection breaches.

Although AI tools accessible in the UK should adhere to GDPR, as flagged up in the Tech Futures Report on Agentic AI, there are still significant risks that UK GDPR may be overridden or misinterpreted by an AI tool. Despite this, the UK is yet to draft any legislation specific to AI and data protection, as the EU have done. Instead, existing regulations in UK GDPR still apply - including lawful basis to collect data, transparency, limited use, minimisation, accuracy, sufficient security around stored data, limitations of data retention and special handling and enhanced protections for special category data.
For more information on UK GDPR, please refer to my guide on Data Privacy, UK GDPR and Data Protection Must-Knows.
What is the Code of Practice I keep hearing about?
The ICO is currently developing a new statutory Code of Practice on AI and Automated Decision‑Making, following regulations that came into force in May 2026. The Code will set out clear, practical expectations for organisations using AI systems - including agentic and autonomous tools - covering transparency, lawful basis, accountability, risk assessment, and safeguards for both adults and children.
Although the Tech Futures reports aren’t formal guidance, they signal the direction of travel: the ICO expects organisations to design AI systems with privacy, explainability, and human oversight built in from the start.
The ICO hasn’t published the Code yet, but now that the 2026 Regulations are in force, the drafting and consultation process is underway, with the final Code expected in 2027.
Mitigating Risk When Using Agentic AI
With emerging technologies being used to process data, it’s essential to put procedures in place to provide further protections and safeguard personal data.
Whilst you should not rely on the creators of these agentic tools and systems to protect data you input, reading through and gaining an understanding of the privacy policies of your AI tools is essential. This should help you deepen your understanding of how these work, assess risk and understand the limitations of their usage and application.
Human oversight is still essential, so regular review and testing of AI systems is advised. Training is also key. Make sure that your staff are educated on safe use and application of AI in your organisation and, if you work with third parties, you must be transparent about your AI use and know about theirs too, especially if they are being used to process your company’s or your client’s data.
Data Protection Impact Assessments (DPIAs) are already compulsory, and these should be at least extended to assess and mitigate AI risk, though I advise creating additional DPIAs specifically to address risks for AI deployment.
For legal expertise and assistance with this, please do get in touch.
Aubergine Legal offer a comprehensive AI Legal Toolkit which includes 13 helpful documents including checklists, template policies, and inserts for your legal documents to ensure compliance with data protection and IP laws.
Or, if you’re implementing AI frameworks, audit trails and DPIAs yourself, then it may help to download my AI Compliance Checklist for Businesses, to ensure you’ve got all your bases covered.





