AI Agents and Agentic Systems
AI agents: from assistant to autonomous action
An AI agent is a language model that plans, calls tools and observes the result in a loop until a goal is reached. That is the step from a chat that only answers to a system that acts.
A chatbot answers a question and is done. An agent is given a goal and works toward it: it breaks the goal into steps, calls tools, checks the result and corrects itself until the goal is reached or a limit is hit. This page describes what that loop is made of, which patterns have proven themselves in practice, what the tooling landscape looks like in 2026, and why the value an agent adds comes with the very blast radius that a control framework has to contain.
From prompt to agent
The difference between a clever prompt and an agent is the loop. With classic prompt and context engineering one input is shaped and one answer returned, a single pass. An agent turns the same mechanism in a circle until the goal is reached. Anthropic puts it plainly: an agent is, at its core, a language model that uses tools in a loop based on feedback from its environment. The loop has four stations:
flowchart TD
G["Goal<br/>set by a human"] --> P["Perceive<br/>context, tool results, history"]
P --> PL["Plan<br/>next step, tool choice"]
PL --> A["Act<br/>call a tool or API"]
A --> O["Observe<br/>check the result, judge success"]
O -->|"goal open"| P
O -->|"goal reached or limit"| H["Halt<br/>result or handover to human"]
The loop runs top to bottom: a human sets the goal, the agent perceives its context, plans the next step, acts through a tool and observes the result. It either turns another round or halts and hands over. It is exactly this observe step that separates an agent from a rigid script: it reacts to what actually happened instead of replaying a fixed path.
This autonomy is a spectrum, not a switch. At one end sit fixed workflows where a human defines the paths and the model only fills in individual steps. At the other end the model directs its own process and chooses its own tools. The further right on this spectrum, the greater the value and the greater the blast radius of a mistake. For many tasks the fixed workflow is the more robust and cheaper choice.
The patterns that have proven themselves
Agentic systems build on a few recurring patterns:
- Tool use. The foundation. The agent calls defined functions, from web search through a database read to writing a file. How the agent discovers and addresses these tools is increasingly standardised by the Model Context Protocol (MCP), which turns tool integration from a piece of tinkering into an interface.
- Human in the loop. Before a consequential step, such as sending an email or making a booking, the agent halts and asks for approval. This is not a comfort feature but a control: it draws the line between a proposal and an executed action.
- Multi-agent systems. Instead of one all-rounder, a lead agent coordinates several specialised agents, much like a team with roles. A reference architecture by Cisco authors, published on the LangChain blog, describes exactly this split into worker agents under a leadership layer that provides traceability and accountability. More agents mean more capability, but also more coordination overhead and more places where something can quietly go wrong.
A variant of its own is agentic RAG: instead of looking up once, the agent decides for itself when and what to retrieve, and refines its search across several rounds. That is the bridge to GenAI and RAG, where the retrieval layer is described in detail; here it is enough that retrieval becomes one of the tools in the loop.
The tooling landscape in 2026
The market of agent frameworks is dense and fast-moving in 2026. A Firecrawl comparison sets a good dozen open frameworks side by side, among them LangGraph, plus CrewAI, AutoGen, the agent kits from OpenAI and Google, and Mastra. They differ mainly in how much structure they impose: from free graph orchestration to role-based team templates. Frameworks like LangGraph emphasise long-running, stateful workflows with built-in human-in-the-loop and resumption after a crash.
Because this landscape shifts monthly, the framework choice is the most volatile decision in the whole undertaking. The underlying concepts are more durable: the loop, and the patterns that all frameworks share. Anyone deploying agents in a concrete project is best off placing the tooling inside AI Development, where the agent is treated as part of a development and operations process. For day-to-day work on code, tools like Claude Code are a concrete example of the loop in action, and Vibe Kanban shows how the work of several coding agents is coordinated.
Where agentic systems break
As autonomy grows, so does the blast radius, and with it what can go wrong:
- Cost runaway. A loop that never reaches its goal keeps turning and calls a paid model on every pass. Without a budget cap and a step limit, a failed task becomes an open invoice.
- Tool permissions. An agent is only as safe as the weakest tool it is allowed to reach. Write access or a shell tool in the wrong loop is a real blast radius, not a theoretical one. This is why the MCP security model makes explicit consent before every tool call a ground rule.
- Silent failure. An agent that does not judge its success cleanly reports a task as done that it only half solved. Without observability across the individual steps, this stays invisible until the result causes trouble.
- Data leakage. Every tool call and every model call is a point where data can leave the house. This is exactly where agentic systems meet the sovereignty question.
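The loop from the first section, fitted with the controls this list calls for (a step and budget cap against cost runaway, a tool allowlist, and an approval gate before a consequential tool), as an added example that is not part of the original page. The planner is a scripted stand-in for the model, and the tools, token price and email address are constructed for the illustration.

```python
from dataclasses import dataclass

# Hypothetical tools (constructed stand-ins). Second field: consequential?
def read_db(key):   return {"balance": 42}.get(key)
def send_email(to): return f"sent to {to}"
TOOLS = {"read_db": (read_db, False), "send_email": (send_email, True)}

@dataclass
class Budget:
    max_steps: int
    max_cost: float
    steps: int = 0
    cost: float = 0.0
    def charge(self, tokens):
        self.steps += 1
        self.cost += tokens * 1e-5          # assumed price per token
        if self.steps > self.max_steps or self.cost > self.max_cost:
            raise RuntimeError(f"budget exhausted after {self.steps - 1} steps")

def run_agent(goal, plan, budget, approve, allowed):
    """plan(history) stands in for the model and returns ("tool", name, arg)
    or ("done", result); approve(name, arg) is the human-in-the-loop gate;
    allowed is the tool allowlist for this run."""
    history, trace = [("goal", goal)], []
    while True:
        budget.charge(tokens=len(str(history)))     # every pass costs money
        action = plan(history)                       # perceive + plan
        if action[0] == "done":
            trace.append("halt: done")
            return action[1], trace
        _, name, arg = action
        if name not in allowed or name not in TOOLS: # least privilege
            trace.append(f"blocked: {name}")
            history.append(("error", f"tool {name} not permitted"))
            continue
        fn, consequential = TOOLS[name]
        if consequential and not approve(name, arg): # human in the loop
            trace.append(f"halt: {name} denied")
            return None, trace
        result = fn(arg)                             # act
        trace.append(f"{name}({arg!r}) -> {result!r}")
        history.append(("observation", name, result))  # observe

def scripted_plan(history):
    """Scripted planner standing in for an LLM: read, then report by email."""
    obs = [h for h in history if h[0] == "observation"]
    if not obs:       return ("tool", "read_db", "balance")
    if len(obs) == 1: return ("tool", "send_email", "cfo@example.com")
    return ("done", f"balance reported: {obs[0][2]}")
```

With send_email removed from the allowlist the scripted planner keeps asking for it, which is the never-ending loop the text describes; the step cap turns that into a RuntimeError instead of an open invoice.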
Governance and self-hosting keep the agent in-house
The obvious reaction to this blast radius is to ban agents outright. That only repeats the mistake that AI Governance already describes for AI as a whole: a ban pushes usage underground instead of steering it. The workable path runs through the same five surfaces (models, data, access, oversight and evidence), applied to the agent loop. Precisely because an agent acts autonomously and operates tools with real access, governance and self-hosting become more important, not less.
Self-hosting is the most direct lever against data leakage. An agent that runs an open-weights model on its own Swiss infrastructure keeps every model call in the house, while its tool access goes through a controlled layer. That architecture, sovereign AI, is a field of its own in this cluster. The ongoing assessment of which models and which tools an agent may use at all is the Tech Radar and AI Governance service; connecting an agent to an in-house knowledge base held in Switzerland, without data leakage, is covered by the Sovereign RAG Switzerland service. The systematic measurement and safeguarding of agentic workflows, from judging success to defending against prompt injection, belongs in the separate fields of AI evaluation and guardrails as well as LLMOps and MLOps, which complete this cluster.
References
- LangChain: LangGraph, orchestration of stateful agents. Open-source framework for long-running, stateful agents as a graph, with built-in human-in-the-loop and resumption. (2026). github.com/langchain-ai/langgraph
- Firecrawl: The best open source frameworks for building AI agents in 2026. Comparison of open agent frameworks (LangGraph, CrewAI, AutoGen, OpenAI Agents SDK, Mastra) with metrics and fit recommendations. (05.06.2026). www.firecrawl.dev/blog/best-open-source-agent-frameworks
- LangChain: Agentic Engineering (guest post by Cisco authors). Reference architecture for a multi-agent system of worker agents under a leadership layer with end-to-end traceability. (17.04.2026). www.langchain.com/blog/agentic-engineering-redefining-software-engineering
- Anthropic: Building Effective Agents. Foundational guidance that defines agents as language models using tools in a loop, and orders patterns from tool use to multi-agent systems. (19.12.2024). www.anthropic.com/engineering/building-effective-agents
Related topics
- GenAI and RAG, the retrieval layer that agentic RAG uses.
- AI Development, the process that agents enter as a tool.
- MCP (Model Context Protocol), the standard that unifies tool integration.
- AI Governance, the frame that steers the blast radius of autonomous agents.
- Claude Code, the agent loop as a concrete tool on code.
- Sovereign RAG Switzerland, the service counterpart for agents on in-house knowledge.