Agentic AI from First Principles
Agentic AI from First Principles
- Understand why Mandaitor distinguishes access from delegated authority.
- explain what makes an AI system agentic rather than merely conversational
- identify planning, tool use, memory, and autonomy as authorization-relevant features
- describe why prompt intent alone is not enough for safe business action
An AI agent is software that uses a model to pursue a goal through reasoning, planning, context use, and actions. A simple chatbot answers a message. An agent may decide which information it needs, select tools, call APIs, revise its plan, and report a result. This difference is powerful, but it also changes the trust problem.
The Model Context Protocol specification describes a pattern for LLM applications to connect with tools and external context providers.1 That kind of tool access makes agents useful in real workflows. It also means that user intent can become external action. Mandaitor exists because external action should be governed by verifiable authority, not only by prompt text or broad credentials.
The agent forms a plan
The model decomposes a goal into steps and may revise that plan as new context appears.
The plan becomes action
The agent calls APIs, tools, or workflows that can change external systems rather than merely produce text.
Mandaitor verifies the boundary
Before sensitive execution, Mandaitor checks whether the proposed action is inside a mandate and records evidence.
What changes when an AI system becomes agentic?
- It may transform high-level intent into external actions through tools.
- It automatically becomes trustworthy because it can reason.
- It no longer needs authorization because the user typed an instruction.
Reveal answer
Agentic systems can turn goals into tool calls. That is useful, but it means runtime authorization must evaluate the specific action, resource, principal, delegate, and context before execution.
The basic agent loop
Most beginner-friendly explanations of agents can start with a loop: observe, plan, act, and evaluate. The agent receives a goal and context, decides what to do next, uses a tool or produces an answer, observes the result, and continues until the task is complete or blocked.
| Loop stage | What happens | Authorization question |
|---|---|---|
| Goal | The user or system gives an objective. | Is the objective within the user's role and intended delegation? |
| Observe | The agent reads context or retrieves data. | May the agent access this data for this purpose? |
| Plan | The agent chooses intermediate steps. | Are planned steps within authority or do they need approval? |
| Act | The agent calls a tool, API, or workflow. | Is this concrete action covered by a mandate? |
| Evaluate | The agent checks results and continues. | Did evidence capture the decision and outcome sufficiently? |
Why agentic AI needs boundaries
Agents are useful because they reduce friction between intention and execution. The same property creates risk. A broad instruction may produce unexpected steps. A tool description may be misunderstood. External context may be incomplete. A model may be overconfident. A workflow may combine low-risk steps into a high-impact outcome.
Mandaitor's answer is not to block agentic AI. The answer is to place enforceable authority boundaries around actions. The agent can still reason and plan, but sensitive tool calls are checked before execution.
| Risk pattern | Example | Mandaitor response |
|---|---|---|
| Over-broad goal | “Handle supplier payments” could include many actions. | Require mandates for concrete payment actions and thresholds. |
| Tool overreach | A tool can update more fields than the user intended. | Verify action, resource, and field category before use. |
| Hidden delegation | A service account acts for many users. | Bind actions to principal and delegate identities. |
| Missing evidence | A task completes but no one can explain authorization. | Record verification decision and proof reference. |
| Drift from intent | The agent pursues a plausible but unintended path. | Use constraints, approvals, and runtime review points. |
Human approval still matters
Agentic systems should not remove humans from authority decisions where human judgment is required. The better model is layered. Low-risk actions may be automated. Medium-risk actions may require a valid mandate and evidence. High-risk actions may require fresh human approval, dual control, or escalation.
| Risk level | Typical action | Recommended control |
|---|---|---|
| Low | Retrieve public information or draft a document. | Lightweight policy and ordinary logging. |
| Medium | Update internal records or read sensitive project data. | Mandate verification and audit evidence. |
| High | Send payment, submit legal filing, change contractual data. | Mandate verification, human approval, and evidence pack. |
| Forbidden | Act outside role, jurisdiction, or explicit user boundary. | Denial and escalation or policy review. |
The Mandaitor interpretation of agentic AI
Mandaitor treats agents as delegates. The agent may be powerful, but its authority must still be bounded. The product model therefore connects agent identity, mandate scope, runtime verification, and evidence. A useful agent is not only capable. It is capable inside an accountable authority model.
| Agentic AI concept | Mandaitor concept |
|---|---|
| Goal | User intention that may require delegation. |
| Plan | Sequence of proposed actions to be checked as needed. |
| Tool call | Concrete action request against a resource. |
| Memory or context | Data access that may require purpose and scope controls. |
| Autonomy | Ability to act within pre-approved boundaries. |
| Trace | Evidence stream that helps reviewers reconstruct behavior. |
What to read next
Read Agentic Authorization and Runtime Evidence to understand how Mandaitor sits in the tool-action path. Read Mandate Policies and Policy Enforcement to learn how boundaries are expressed. Read Evidence Packs and Audit Events to see how runtime decisions become reviewable artifacts.
Save your learning progress
Mark this lesson as complete to update the Academy overview without requiring an account.