AI agent vs chatbot: the difference is action
A language model, on its own, produces text. It becomes an agent when you give it three things: a goal, tools (the actions it can take) and the ability to decide which tools to use and in what order. A chatbot tells you how to issue a refund; an agent, with the right permissions, issues it. That is a leap in value, and in responsibility.
Where agents add concrete value
- Customer support that resolves, not just answers: the agent fetches the order, checks status, starts a return.
- Internal operations: routing requests, updating systems, generating documents.
- Analysis and monitoring: gathering data from multiple sources, summarising and flagging anomalies.
- Back-office: reconciliations, cross-checks, preparing case files.
The perimeter: the first security rule
An agent is as powerful as the tools you give it. So the first decision is not “what can it do” but “what can it NOT do”. We define a perimeter: which tools, with which limits, on which data. A support agent can read orders and open a return, but not access payment data. It is the principle of least privilege applied to AI.
Guardrails and prompt injection
Agents that read external content (email, web pages, uploaded documents) are exposed to prompt injection: hostile instructions hidden in the data that try to hijack behaviour. It is the number-one risk in the OWASP Top 10 for LLM Applications. The defence is a set of guardrails: input validation, output checking, privilege separation and human confirmation on the actions that matter. On these topics we also follow MITRE ATLAS, the knowledge base of threats to AI systems.
Human-in-the-loop: autonomy that is earned
We do not put an agent in full autonomy from day one. It starts under human-in-the-loop supervision: every sensitive action requires a confirmation. You observe, measure, fix the edge cases. Autonomy grows only once behaviour is verified and stable, and it always stays traceable and reversible. Autonomy is not assumed: it is earned with evidence.
How a reliable agent is built
An agent in production is not a demo. It needs the environment around it: integrations with existing systems, secret management, observability (being able to see what the agent decided and why), tests and, when it can act, guardrails and confirmations. This is exactly how we build: the application and its whole environment, with security designed in from the start.