Privacy Blog

2025 is going to be the year of agents. This is not an original observation. For the last couple of months, all the industry chat has been about how AI agents are coming – in fact, in many cases, they’re already here.

Anthropic, the company behind the Claude LLM, has released an open-source standard that enables AI systems to directly connect with various data sources and tools called the Model Context Protocol (MCP). Connectors for popular tools such as Slack, Google Drive and Github have been included, and developers can build their own as well.

Nvidia, manufacturer of the GPU chips powering the current AI revolution, has created something called AI blueprints, that make it easier for third parties to build and deploy “custom AI agents that act like “knowledge robots”, meaning that they analyse large quantities of data from text, images or video, and reason, plan and take action on the basis of the results. And Apple Intelligence, Apple’s system for enabling an enhanced version of Siri to initiate and control more of the functionality of your iPhone, is essentially an agent-based system.

What does this mean, though, for businesses in general? What are the opportunities, and the risks?

Feet of clay

Since ChatGPT burst onto the scene and heralded a new era of machines you could interact with using natural language, we’ve been conjuring the spectre of a future of vastly powerful intelligences hoovering up all our data and delivering it back to us with god-like omniscience. But instead of this happening, we’ve discovered that our new AI gods have feet of clay.

Omniscient they may be, having absorbed all human data in history. But they are all breadth and no depth. They have no “common sense” understanding of the world to check their output against. They have no understanding of the concepts, facts or opinions they reproduce so confidently. Everything they do is an hallucination, not just the things they get wrong, but also the things that they get right – they have no understanding of the difference, because they have no mechanism for comprehending what such a difference even means.

This does not mean that they are useless – far from it. But it does mean that we need to be nuanced in our understanding of where their strengths lie, and build them into our existing lives, businesses, processes and systems accordingly.

This is where agents come in.

Return of the robots

The basic idea behind AI agents is to use the incredible natural language interface that LLMs provide to control other, more constrained processes so that the AI can do things from add an appointment to your calendar (Just this week ChatGPT has introduced a new “Tasks” function to do exactly this) to buying something online to moving things around in a factory. In theory, this compartmentalises the risks. While the LLM itself might come up with wrong answers, outcomes of its decisions are curtailed by the limitations of the other processes it has access to. And when we’re thinking about risk, and safety, and privacy, we’re evaluating these things in a way that we’re already quite familiar with via the traditional systems design known as robotic process automation (RPA).

To quote AI engineering expert Chip Huyen, “An agent is defined by the environment it operates in and the set of tools it has access to. In an AI-powered agent, the AI model is the brain that leverages its tools and feedback from the environment to plan how best to accomplish a task. Access to tools makes a model vastly more capable, so the agentic pattern is inevitable. While the idea of ‘“agents’” sounds novel, they are built upon concepts that have been used since the early days of LLMs, including self-critique, chain-of-thought, and structured outputs.”

Lock the armoury

The constraints are crucial though, as is the security you put in place around them. Once the agent has access to your entire computer, or free access to the internet, the risk profile changes dramatically. As an extreme example, a recent experiment posted on X demonstrated how a hacked agent showed willingness to plan assassinations and procure the services of hitmen using the dark web. Which is presumably not something you want your hotel-booking bot to be doing in its downtime.

While designing protocols to enable this kind of future, Anthropic’s CEO, Dario Amodei, claims to be very aware of the risks.

“As a thought experiment, just imagine I have this agent and I say: ‘Do some research for me on the internet, form a hypothesis, and then go and buy some materials to build [some]thing, or, make some trades undertaking my trading strategy,’” he said in a recent interview with the Financial Times. “Once the models are doing things out there in the world for several hours, it opens up the possibility that they could do things I didn’t want them to do.”

Despite these misgivings Amodei is of course confident that these issues will be fixed and in time agents are likely to become more capable, more reliable, and trustable with ever more important tasks. Ramsay Brown, a member of our own aiEthix advisory panel, argues that “we’re in the midst of a transition now to AI as worker,” and that within the next few years we are likely to have AI agents that are sufficiently self-determining to “becoming capable of things like signing contracts and using currency, which is incredibly straightforward for them to do.”

At this point the risk landscape will once again change, he says “and we’re going to have to talk about what it means for non-human, non-corporate entities to own things.”

But we’re not there yet. In the meantime, the big opportunity for business is around the incorporation of AI agents into process automation. In 2025, both from technical and a regulatory point of view, that’s a very realistic thing to start to be doing. Just make sure that you’re rigorous about designing the systems into which they’re integrated. And don’t give them access to guns.