Why the risks posed by agentic AI must be confronted before its benefits can be realised

Cliff de Wit, Chief Innovation Officer at Accelera Digital Group (ADG), says businesses need to be careful not to treat agentic systems as harmless extensions of chatbots and to start recognising the new risk surface they create.


By giving AI the power to act, for example by processing data or approving transactions, enterprises open up a dangerous new risk surface. In South Africa, early exploits of help desk and ticketing agents are already creating compliance vulnerabilities under POPIA.

“We’re no longer dealing with tools that only give you information. Agentic AI can take action, which means that it can also take the wrong action if it’s not designed and secured properly,” he explains.

Real-world incidents highlight the risks

Recent examples highlight how easily agentic systems can be manipulated. In one case, a user tricked a commercial AI system into approving the purchase of a car for one dollar. In another, attackers trained an AI model to interpret Morse code, bypassing its English-language guardrails and triggering an unauthorised cryptocurrency transfer.

De Wit points out that incidents like these should be a wake-up call for enterprises rolling out agentic AI systems. “Language is a powerful tool. People are already finding creative ways to coerce agents into doing things they were never meant to do. If organisations don’t take this seriously, they will get caught out,” he says.

He notes that help desk and ticketing agents have already been exploited to reveal sensitive information or to access internal systems. In South Africa, this raises direct concerns around compliance with the Protection of Personal Information Act (POPIA). “If guardrails aren’t properly implemented, an agent can leak personal data without even realising it,” he warns.

A fundamental shift in responsibility

De Wit stresses that the biggest misunderstanding in the market is the belief that read-only prompt tools such as Gemini and agents are essentially the same.

“People conflate the two because they both fall under the AI umbrella. But there is a fundamental difference between a read-only prompt that only gives you information and an agent that can take action. When you go agentic, you’re handing over some of the keys to the castle,” he says.

This new status quo means organisations must rethink oversight, governance and risk management. At the same time, guardrails and defined human review are no longer optional; they are essential.

The benefits are real, but only if risks are managed

Despite these dangers, agentic AI does offer meaningful advantages when deployed responsibly. Agents can automate repetitive tasks, fetch and process data, and carry out routine actions that would otherwise consume hours of human time.

“Automating menial tasks frees people to focus on more complex, high-value work. That’s where the productivity gains come from. But you only get those gains if you’ve done the hard work upfront to secure the system,” states de Wit.

The Google Cloud AI Agent Trends 2026 report reinforces this point, noting that 65% of organisations cite "unexpected agent behaviour" as their top emerging risk. That said, 78% still expect agentic systems to automate at least a quarter of operational tasks within three years.

Early adopters are already seeing improvements in service responsiveness and operational throughput, but only where governance is strong.

As agentic AI becomes embedded in business operations, de Wit says two principles must guide every deployment – firstly, be clear about what the agent is allowed to do, and, secondly, ensure it can only do that.
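The two principles above amount to a deny-by-default capability gate: the agent's permitted tools and argument bounds are written down explicitly, and every proposed action is checked mechanically before it is executed. The following Python is an added illustration of that pattern, not code from ADG or from the article. It assumes the agent proposes actions as dictionaries of the form `{"tool": name, "args": {...}}`; the tool names, the purchasing policy, the approval threshold and the sample tool registry are all hypothetical. Because the gate only looks at structured fields, wording in a ticket or prompt cannot widen what the agent may do, which is what stops a "car for one dollar" style request from being approved.

```python
"""Deny-by-default capability gate for an agent's tool calls.

Added example, not code from ADG or the article. Assumes the agent emits
proposed actions as dicts of the form {"tool": <name>, "args": {...}};
tool names, thresholds and the sample tool registry are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Optional


@dataclass(frozen=True)
class Decision:
    allowed: bool              # may the call proceed at all?
    reason: str                # audit-friendly explanation
    needs_human: bool = False  # allowed, but only after a person signs off


@dataclass
class AgentPolicy:
    """What one agent is allowed to do, stated explicitly and checked mechanically."""
    allowed_tools: frozenset
    # Per-tool argument validators: return None when the args are acceptable,
    # otherwise a short reason for refusal.
    arg_checks: dict = field(default_factory=dict)
    # Per-tool predicates that escalate an otherwise-allowed call to human review.
    human_review: dict = field(default_factory=dict)


def evaluate(policy: AgentPolicy, call: dict) -> Decision:
    """Decide a proposed call from its structured fields only. Free text from the
    ticket or prompt never reaches this function, so it cannot widen the policy."""
    tool = call.get("tool")
    args = call.get("args", {})
    if tool not in policy.allowed_tools:
        return Decision(False, f"tool {tool!r} is not in this agent's allowlist")
    check = policy.arg_checks.get(tool)
    if check is not None:
        reason = check(args)
        if reason is not None:
            return Decision(False, f"{tool}: {reason}")
    review = policy.human_review.get(tool)
    if review is not None and review(args):
        return Decision(True, f"{tool}: queued for human approval", needs_human=True)
    return Decision(True, f"{tool}: permitted")


# --- constructed sample policy for a hypothetical purchasing assistant --------
HUMAN_APPROVAL_ABOVE = 10_000.0  # hypothetical threshold, in the business's currency


def check_purchase_args(args: dict) -> Optional[str]:
    amount = args.get("amount")
    list_price = args.get("list_price")
    if not isinstance(amount, (int, float)) or not isinstance(list_price, (int, float)):
        return "amount and list_price must be numbers"
    if amount <= 0:
        return "amount must be positive"
    # The agent may not agree to a price below the catalogue price, however the
    # request is worded; a "car for one dollar" proposal fails here.
    if amount < list_price:
        return f"amount {amount} is below list price {list_price}"
    return None


PURCHASING_POLICY = AgentPolicy(
    allowed_tools=frozenset({"lookup_order", "create_quote", "approve_purchase"}),
    arg_checks={"approve_purchase": check_purchase_args},
    # arg_checks run first, so "amount" is guaranteed present and numeric here.
    human_review={"approve_purchase": lambda a: a["amount"] >= HUMAN_APPROVAL_ABOVE},
)

# Hypothetical tool implementations; the registry is the only route to side effects.
TOOLS: dict = {
    "lookup_order": lambda order_id: {"order_id": order_id, "status": "shipped"},
    "create_quote": lambda sku, qty: {"sku": sku, "qty": qty, "quoted": True},
    "approve_purchase": lambda amount, list_price: {"approved": True, "amount": amount},
}

AUDIT_LOG: list = []


def dispatch(policy: AgentPolicy, call: dict) -> dict:
    """Gate, log, then execute. Calls needing human approval are parked, not run."""
    decision = evaluate(policy, call)
    AUDIT_LOG.append(f"{call.get('tool')}: allowed={decision.allowed} "
                     f"human={decision.needs_human} ({decision.reason})")
    if not decision.allowed:
        return {"status": "denied", "reason": decision.reason}
    if decision.needs_human:
        return {"status": "pending_approval", "reason": decision.reason}
    return {"status": "executed", "result": TOOLS[call["tool"]](**call.get("args", {}))}


if __name__ == "__main__":
    for proposed in [
        {"tool": "lookup_order", "args": {"order_id": "A-1"}},
        {"tool": "approve_purchase", "args": {"amount": 1.0, "list_price": 30_000.0}},
        {"tool": "approve_purchase", "args": {"amount": 30_000.0, "list_price": 30_000.0}},
        {"tool": "delete_customer_record", "args": {"customer_id": 42}},
    ]:
        print(dispatch(PURCHASING_POLICY, proposed))
    print("\n".join(AUDIT_LOG))
```

The design choice worth noting is that the policy lives outside the model: the allowlist, argument bounds and approval threshold are ordinary code reviewed by people, and the audit log records every denial and escalation, so "unexpected agent behaviour" surfaces as a logged refusal rather than a completed transaction.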

“The productivity benefits are enormous, but with great power comes great responsibility. Organisations must understand the difference between prompts and agents, and they must prioritise security when granting systems the power to take action,” de Wit concludes.