Agentic AI:
From Chatbots to Autonomous Systems

In the beginning, there was the prompt. You typed something. The model responded. That was the entire interaction model for the first wave of large language model deployment. Input, output, done.

That model is obsolete. The defining architecture of AI systems in 2026 is the agent: a model embedded in a loop that allows it to take actions, observe their effects, and take further actions in pursuit of a goal. The difference is not merely technical. It represents a category shift in what AI systems can be asked to do — and in the risks they carry.

What makes a system "agentic"

The term agent in AI refers to a system that perceives its environment and takes actions to achieve goals within it. Classical AI agents date to the 1950s; what is new is the use of large language models as the reasoning engine of agents that operate in open-ended, natural-language-described environments.

An agentic LLM system has, at minimum, three properties beyond the base language model:

• Tool access — the ability to call external functions: web search, code execution, file read/write, API calls, browser control.
• Memory — some mechanism for retaining state across steps: in-context history, a vector database, a structured scratchpad, or a combination.
• Planning — the ability to decompose a goal into sub-tasks and sequence them, revising as observations come in.

The breakthrough paper that established the dominant paradigm for this is the 2022 ReAct paper from Yao et al. at Princeton and Google.^[1] ReAct (Reasoning + Acting) interleaves chain-of-thought reasoning traces with action calls — the model thinks aloud about what to do, does it, observes the result, and thinks about what to do next. The approach significantly outperformed prior methods on multi-step question answering and web navigation tasks.

Chain-of-thought as infrastructure

The ability of large models to reason through multi-step problems — chain-of-thought prompting, demonstrated at scale by Wei et al. at Google Brain^[2] — turned out to be the prerequisite for agency. A model that can only produce a single-step response cannot plan. Chain-of-thought gives the model a mechanism for externalising its intermediate reasoning, which is both a transparency property and a functional prerequisite for multi-step task execution.

Subsequent work extended this to tree-of-thought (exploring multiple reasoning paths simultaneously)^[3] and graph-of-thought architectures, allowing more sophisticated search through the space of possible plans. These are not theoretical improvements: they translate directly to measurable gains on benchmarks requiring multi-step planning and mathematical reasoning.

Tool use at scale

A language model without tools is a text processor. A language model with tools is a general-purpose computer. The practical implications of this distinction became clear with the release of ChatGPT Plugins in 2023 and, more consequentially, with the standardisation of function calling APIs across major providers.

The Toolformer paper from Meta AI^[4] demonstrated that models could learn to use tools — a calculator, a search engine, a translation API, a calendar — by being trained on examples of tool use embedded in text. Crucially, the model learns not just how to call tools but when: it develops a judgment about which queries benefit from external tool access versus which can be answered from parametric memory alone.

Current frontier models have extended this dramatically. Code execution environments allow models to write and run programs, observe their output, debug errors, and iterate — a capability that transforms the model from a code suggester into a software developer operating in a real environment.

Multi-agent systems

The next level of complexity is systems composed of multiple agents collaborating or competing. Multi-agent architectures distribute workload, enable specialisation, and allow parallelism — a research agent and a writing agent can operate simultaneously, with an orchestrator agent coordinating their outputs.

Park et al.'s 2023 paper on Generative Agents^[5] demonstrated that populations of LLM agents, each maintaining individual memory and planning capabilities, could produce emergent social behaviours — spreading news, forming opinions, holding elections — with striking fidelity to human social dynamics. The paper was widely cited not for its immediate applications but for what it suggested about the behavioural richness achievable by networks of agents operating over time.

More practically, frameworks like AutoGen (Microsoft)^[6] and CrewAI have made it straightforward to define multi-agent pipelines in which different models play different roles — researcher, critic, executor, reviewer — with explicit message-passing protocols between them.

The risks that come with action

A chatbot that gives bad advice is a nuisance. An agent with tool access that acts on bad advice can do real damage. The risks of agentic systems are qualitatively different from those of chat-only systems, and the field has been slow to develop commensurate safety tooling.

Key risk categories identified in the literature include:

• Prompt injection — malicious instructions embedded in tool outputs or retrieved documents that redirect the agent's behaviour. A web-browsing agent that navigates to an adversarially crafted page may execute the attacker's instructions rather than the user's.^[7]
• Irreversibility — agents with write access to filesystems, databases, or external services can take actions that cannot be undone. Unlike a human assistant who asks "are you sure?", a poorly designed agent may proceed without confirmation.
• Compounding errors — in a multi-step plan, early errors compound. An agent that misunderstands a goal in step one may spend fifty subsequent steps pursuing the wrong objective before any human review occurs.

The Anthropic model specification and similar documents from other labs represent early attempts to codify constraints on agentic behaviour — when to pause and verify, when to refuse irreversible actions, how to handle ambiguous instructions.^[8] These are necessary but insufficient: the deployment surface of agentic systems is so broad that no static policy document can anticipate all risk scenarios.

Where this is going

The trajectory is clear. AI systems are becoming more agentic — not as an end in itself but because the most valuable things AI can do for most people involve multi-step processes in the real world, not single-turn responses in a chat window. Writing code, conducting research, managing schedules, coordinating projects: all of these require sustained, multi-step action over time.

The unsolved problems are proportionally significant. Reliable long-horizon planning, robust tool use under adversarial conditions, safe multi-agent coordination, and interpretable agent reasoning are all active research areas without settled answers. The transition from chatbot to agent is the most consequential shift in applied AI since the transformer architecture. We are in the middle of it.