How a foundational concept in computer science became a buzzword, a boogeyman, and a billion-dollar marketing opportunity โ€” all at once.

Somewhere between the Stanford AI Index and your CISO's last board deck, the word "agentic" became terrifying. Security vendors warn of "agentic AI attack surfaces." Trade publications name it the top threat vector of 2026. OWASP has published a dedicated Top 10 for agentic applications. A Dark Reading poll found that 48 percent of cybersecurity professionals now consider agentic AI the single most dangerous category of threat they face โ€” outranking deepfakes, ransomware, and everything else on the list.

The term shows up in threat briefings and keynote slides with the cadence of a horror-movie trailer: autonomous. goal-directed. acting without human oversight. It is spoken as though describing something that just escaped from a lab.

Here's the problem. "Agentic" is not a new phenomenon, it is not a mutation of AI, and it is not inherently dangerous. It is, in fact, the entire point of the discipline. And the growing inability of the media, the security industry, and even some AI researchers to distinguish between what makes AI useful and what makes AI risky is creating a fog that benefits no one โ€” except, perhaps, the people selling fog machines.

In 1995, Stuart Russell and Peter Norvig published Artificial Intelligence: A Modern Approach, the textbook that has since been adopted by over 1,500 universities worldwide and remains, three decades later, the standard reference in the field. Their definition of AI was not about chatbots or image generators or large language models. It was this: AI is the study and design of rational agents.

An agent, in their formulation, is anything that perceives its environment through sensors and acts upon that environment through actuators. A thermostat is an agent. A chess program is an agent. A self-driving car is an agent. The entire taxonomy of AI systems that Russell and Norvig laid out โ€” simple reflex agents, model-based agents, goal-based agents, utility-based agents, learning agents โ€” is a taxonomy of increasing agency. The field of artificial intelligence, from its earliest formal articulation, has been defined as the pursuit of systems that can perceive, reason, plan, and act.

That is what "agentic" means. It always has.

So when a 2026 security white paper warns that agentic AI systems are dangerous because they "can plan, decide, and execute multi-step actions toward a specific goal," it is not describing a novel threat category. It is describing what AI has been trying to be for seventy years. When a vendor warns that these systems "act autonomously in complex environments," they are restating the ambition that launched the entire field โ€” and that, until roughly 2024, was considered evidence that AI was working.

The question worth asking is: what changed? Not in the technology, but in the discourse.

What changed is that AI got good enough to actually do it.

For decades, agency was aspirational. The Russell and Norvig taxonomy described what we wanted to build but largely couldn't. Early expert systems were brittle. Reinforcement learning agents could master Atari games but couldn't generalize across domains. The systems were agents in principle but not in practice โ€” not in any way that mattered to enterprise infrastructure or geopolitics.

Then large language models arrived with enough general reasoning capacity to serve as the cognitive core of systems that could plan, act, use tools, and adapt. Suddenly the abstract concept of agency had an implementation path. And the moment that happened, the discourse fractured along predictable lines.

The AI industry started selling agency as the next trillion-dollar opportunity. NVIDIA's Jensen Huang declared enterprise AI agents a "multi-trillion-dollar" market at CES 2025. Every major cloud provider โ€” AWS, Google, Microsoft โ€” launched platforms for building and deploying agents. An MIT Sloan survey found that 35 percent of organizations had already adopted AI agents by 2023, and adoption has only accelerated since.

Simultaneously, the cybersecurity industry started selling agency as an existential threat. CrowdStrike's 2026 Global Threat Report documented an 89 percent year-over-year increase in AI-enabled attacks. Stanford's 2026 AI Index found that 62 percent of organizations cite security and risk as the primary barrier to scaling agentic AI. The OWASP Top 10 for Agentic Applications dropped in late 2025 with the explicit framing that these risks are "not theoretical" but "the lived experience of the first generation of agentic adopters."

Both of these narratives are, in isolation, true. Agency enables extraordinary capability. Agency also introduces new attack surfaces. The problem is that the two narratives have been collapsed into a single confused signal in which the word "agentic" functions simultaneously as a sales pitch and a warning siren โ€” and nobody seems to notice that these are incoherent positions.

Let's be precise about what the actual risks are, because they're real, and they deserve better than the treatment they're getting.

When an AI agent is given access to email, shell commands, APIs, and databases, it operates with the combined permissions of every integration it holds. A successful prompt injection that hijacks one tool call can propagate through every downstream action in the chain. Memory poisoning can corrupt an agent's long-term context, influencing every subsequent session. Tool definition manipulation can alter the behavior of an agent without triggering integrity checks. These are genuine architectural vulnerabilities, and the OWASP framework does useful work in cataloging them.

But notice what's actually dangerous in each of those scenarios. It's not agency. It's permission scope, input validation, and integrity verification โ€” the same categories of vulnerability that have defined application security since before AI existed. Prompt injection is a variant of injection attacks that OWASP has tracked since the original Top 10 in 2003. Privilege escalation through chained tool calls is a permission boundary problem. Memory poisoning is a data integrity problem.

The security risks of agentic AI are real. They are also, fundamentally, security engineering problems โ€” problems of architecture, access control, monitoring, and trust boundaries. They are made worse by the speed and autonomy of AI agents, absolutely. But they are not caused by agency itself. They are caused by deploying any powerful system โ€” AI or otherwise โ€” with insufficient access controls, insufficient input validation, and insufficient monitoring.

When the discourse treats "agentic" as the threat rather than "poorly governed," it performs a subtle but consequential misdirection. It implies that the solution is less agency โ€” fewer autonomous systems, more human-in-the-loop checkpoints, slower adoption. And while human oversight is clearly important, the framing obscures the fact that the systems delivering the most value are precisely the ones with the most agency. An AI that can only respond to individual prompts without memory, context, or the ability to act on what it learns is not an agent. It's a search engine with personality. The capability and the risk share a root cause, and you cannot eliminate one without eliminating the other.

There is a different version of this conversation that matters enormously, and it's being drowned out by the buzzword noise.

The real danger isn't agency. It's misalignment combined with capability. A system that can perceive, reason, plan, and act โ€” and that is pursuing goals well-aligned with its operator's intentions โ€” is exactly the kind of AI you want running your infrastructure, your security operations, your research pipelines. Agency is the feature, not the bug. The question is whether the system's objectives are what you think they are, whether its behavior under novel conditions will remain consistent with its training, and whether you have sufficient observability to detect when it drifts.

These are alignment questions, not agency questions. And they apply to every AI system capable enough to matter, whether or not someone has slapped the label "agentic" on it. A non-agentic LLM that confidently hallucinates medical advice is more immediately dangerous than a well-governed agent that autonomously triages security alerts. The axis that matters is not autonomy versus human control. It's alignment and governance versus deployment without either.

Yoshua Bengio, the Turing Award-winning deep learning pioneer, warned at the 2025 World Economic Forum that "all of the catastrophic scenarios with AGI or superintelligence happen if we have agents." That's a serious claim from a serious researcher, and it deserves engagement. But even Bengio's framing implicitly acknowledges the point: the catastrophic scenarios require agents that are misaligned and powerful enough to resist correction. The agency is a precondition, not a sufficient cause. A gun is dangerous. A trigger is necessary for a gun to fire. But nobody writes threat reports about triggers.

So why does the confusion persist? Follow the incentives.

The cybersecurity industry has a well-documented pattern of adopting emerging technology terms and repackaging them as threat categories. Cloud computing was going to be the end of perimeter security. IoT was going to create an unmanageable attack surface. Both were partially true, both generated enormous vendor revenue, and both eventually settled into the mundane reality of security engineering โ€” the same access controls, the same monitoring, the same incident response, just applied to new architectures.

Agentic AI is following the same playbook. Gartner positions it at the "Peak of Inflated Expectations," which is analytically useful but commercially convenient โ€” every technology that passes through the hype cycle generates consulting revenue on both sides of the peak. The security vendors warning about agentic threats are the same vendors selling agentic threat detection. The reports quantifying the risk are sponsored by the companies selling the mitigation.

None of this means the risks aren't real. It means the discourse is structurally biased toward amplifying fear over precision, because fear is a more effective sales tool than nuance. And the cost of that bias is not just wasted budget. It's wasted attention. Every hour a CISO spends worrying about whether agentic AI is inherently dangerous is an hour not spent on the governance frameworks, access controls, and observability infrastructure that would actually make their agentic deployments safe.

The deepest irony of the current discourse is that it inverts the actual relationship between agency and safety.

The systems most likely to fail catastrophically are not the ones with the most agency. They're the ones with the most capability and the least governance. A powerful model deployed as a stateless, context-free API endpoint โ€” no memory, no planning, no persistent goals โ€” can still be prompt-injected, can still hallucinate, can still be used to generate malware or social engineering attacks. The absence of agentic architecture doesn't make a system safe. It just makes it less useful and harder to govern, because you lose the very mechanisms โ€” persistent context, goal tracking, observability hooks โ€” that make structured oversight possible.

Well-designed agentic architectures, by contrast, offer natural points for governance insertion. Checkpoints between planning and execution. Audit trails of tool calls. Approval gates for high-risk actions. Behavioral anomaly detection across sessions. The agent's plan is inspectable because it has a plan. A stateless model that generates one output per query offers no such surface for oversight.

This is not a hypothetical argument. Microsoft's Copilot Studio, whatever its commercial motivations, demonstrates the principle: agents built within constrained architectures that cannot modify their own logic without republishing, that run in isolated environments, that can be disabled immediately if concerns arise. The agency is the feature that makes governance architecturable.

The word "agentic" needs to be rescued from the people who are profiting from its misuse. It is not a threat category. It is not a synonym for "autonomous and therefore scary." It is the foundational concept in artificial intelligence โ€” the thing that distinguishes AI from a spreadsheet macro.

The risks are real. They are engineering problems. They have solutions, most of which look a lot like the solutions to every other category of software security risk: least privilege, input validation, monitoring, access control, and the organizational discipline to actually implement them.

The alignment problem is also real, and it is a genuinely hard scientific challenge that deserves far more funding and attention than it currently receives. But conflating alignment with agency โ€” treating the ability to plan and act as inherently dangerous rather than as the precondition for both usefulness and governability โ€” doesn't advance safety. It just sells product.

If we're going to have an honest conversation about AI risk, we need to stop treating a thirty-year-old computer science concept like it just crawled out of a horror movie. Agency isn't the monster. It's the motor. The question โ€” the only question that matters โ€” is who's driving and whether anyone bothered to install brakes.

Jonathan Brown for AetheriumArcana ~ เค“เคฎเฅ เคคเคคเฅ เคธเคคเฅ