AI Agents in the Enterprise: Value, Governance & Liability

As of: June 2026 · Leon Lotz, business lawyer & developer

AI agents in the enterprise are AI systems that do not merely answer but plan and carry out tasks on their own - they book, write, research, and access your systems in the process. It is precisely this capacity for autonomous action that makes them valuable and risky at the same time: anyone who lets an agent act must first clarify what it is allowed to do, who controls it, and who is liable when it gets things wrong. Value and liability belong together here - and that is the common thread running through this guide.

What are AI agents? Distinguishing them from the chatbot and agentic AI

A chatbot talks; an AI agent acts. A chatbot answers a question and waits for the next one. An AI agent breaks a goal down into steps on its own, calls tools (email, CRM, database, API), evaluates the result, and keeps going - until the task is done. Autonomy is the core.

“Agentic AI” is the umbrella term for this paradigm: systems that act in multiple steps and in a goal-directed way, often as an ensemble of several specialized agents. The individual AI agent is the building block; agentic AI is the architecture above it.

This distinction is not academic but liability-relevant: a chatbot that gives a wrong answer creates, at worst, a communication problem. An agent that sends an incorrect invoice, triggers an order, or exports data performs an action with legal consequences. That is why law and governance are an entirely different proposition with agents than with a chatbot.

Real value: where AI agents actually create value in 2026

The market has moved beyond the demo phase. Gartner predicts that by the end of 2026 roughly 40% of enterprise applications will include task-specific AI agents - up from less than 5% in 2025 (Gartner, 26 Aug 2025). This is driven by models purpose-built for multi-step, tool-assisted work - for instance Anthropic’s Claude Opus 4.1, released on 5 August 2025 with a focus on agentic and long-horizon tasks (Anthropic, 5 Aug 2025). But value does not arise everywhere in equal measure.

Use case	Example	Value/effort	Maturity	Compliance sensitivity
IT service / ticketing	Triage tickets, resolve standard cases	High / low	Mature	Medium
Sales research	Enrich leads, build company profiles	High / low	Mature	Medium (PII!)
Marketing monitoring	Track competitors & mentions	Medium / low	Mature	Low
Document/contract pre-review	Scan contracts for clauses	High / medium	Growing	High
Internal knowledge research (RAG agent)	Answers drawn from your own documents	High / medium	Mature	High (internal data)

The honest caveat: when it comes to deep subject-matter expertise and judgment - legal subsumption, strategic decisions, final contract sign-off - agents are unreliable today. They are excellent first-draft workers, not final decision-makers. Anyone who uses them as final decision-makers buys into exactly the liability risk we describe below. The dependable rule of thumb: the agent researches and drafts, the human decides and takes responsibility.

AI agent with a tightly bounded access path to a single system, with a human approval gate controlling the critical action - conceptual image for least privilege and human-in-the-loop with AI agents

The value-creating agent is the tightly fenced one: scoped access instead of full access, a human as the approval gate before any action with external impact.

The real risks: technical and legal at once

Adoption is outpacing the controls. Microsoft’s Cyber Pulse report states: more than 80% of Fortune 500 companies use active AI agents - but only around 47% have meaningful security controls in place (Microsoft Security Blog, 10 Feb 2026). Each of the following risks has a technical answer - that is the point.

Over-permissioning: access rights that are too broad

The most common mistake: an agent that is only supposed to summarize emails is given full access to the CRM because that is faster to set up. Most companies lack a consistent way to grant, log, and revoke agent permissions (Atlan, 2026).

Technical answer: Least privilege. For the agent, that means in concrete terms a scoped, short-lived API token with exactly the rights the task requires - read access to the mailbox, no write access to the CRM. Rights are granted per tool call, not wholesale.

Prompt injection and manipulation

Indirect prompt injection is a real threat against production systems in 2026: attackers hide instructions in web pages, documents, or emails that the agent processes - triggering data exfiltration or unauthorized actions (TechRepublic, 2026).

Technical answer: treat input as untrusted, restrict tools via an allowlist, run agents in a sandbox, and do not let critical tool calls be derived from ingested third-party text.

Missing audit trails

Human actions leave logs behind. Agent actions often only become traceable if you log them from the very beginning - otherwise, after an incident, no one can say what the agent did and why.

Technical answer: an immutable audit trail covering every agent’s triggers, inputs, decisions, and actions. No logging means no traceability - and no traceability means no solid defense in a liability case.

Data protection: PII exfiltration and third-country transfer

As soon as an agent processes personal data and sends it to models outside the EU, Chapter V GDPR (third-country transfer) applies - often unnoticed, because the data flow is hidden inside the agent.

Technical answer: data minimization before the model call, EU hosting or local models for sensitive data, and a proper data processing agreement (Art. 28 GDPR) with every provider.

Hallucination and faulty autonomous actions

An agent that invents a fact and derives an action from it produces an error with external impact.

Technical answer: human-in-the-loop at critical steps - the agent prepares, a human approves, before anything leaves the company.

Governance: steering AI agents responsibly

Governance and security are not the same thing. Governance clarifies ownership, roles, and oversight - who is responsible, who is allowed to approve what. Security delivers the controls by which those rules are enforced. Most incidents arise not from missing technology but from missing accountability.

The practical checklist - each item with its technical counterpart:

Clear accountability / owner for each agent - by name, not “IT.”
AI usage policy - what employees are allowed to do, and what requires approval.
Permission concept (least privilege) → scoped tokens, rights granted per tool call.
Human-in-the-loop rules → defined approval gates before critical actions.
Logging / audit → an immutable trail over every agent action.
Vendor and DPA contracts → data protection and responsibility allocated by contract.
Employee training → mandatory under Art. 4 EU AI Act (more on this below).
Inventory / register of agents → you can only govern what you know about.

The lever with the greatest effect is usually item 1: as long as no individual is named as responsible for an agent, it runs in no-man’s-land - technically permitted, organizationally ungoverned.

Liability: who is liable when an AI agent makes a mistake?

The basic rule first, because it surprises many people: the AI is not a legal person. It is not liable itself. Responsibility regularly lies with the deploying company - the operator - in the same way that a company answers for its tools and its employees.

The legal anchors in German law: in contract, § 280 BGB (German Civil Code; damages for breach of duty) applies; in tort, § 823 (1) BGB (infringement of protected legal interests). If the agent places a faulty order or deletes data, the law does not ask “What did the AI want?” but “Who deployed and controlled it?”

Three roles must be distinguished, because they apportion the liability:

the provider / manufacturer of the agent or model,
the operator - the company that deploys the agent,
the user - the person who acts.

How liability is apportioned among them is decided by the contracts: the data processing agreement (DPA), the Werkvertrag (German contract for work and services, sec. 631 BGB), the SLA. Anyone having an agent built should not copy from templates here but consciously regulate responsibility, liability for defects, and remediation.

Important for context: the EU AI Act is not a liability regime of its own - it does not create a claim for damages. But it is liability-relevant: a breach of AI Act obligations can carry through under civil law as a breach of duty. Technical documentation and the audit trail are therefore not merely compliance window-dressing but the most important safeguard in a dispute.

Special case: when does an AI agent become a high-risk system?

An agent does not become a high-risk system through its technology but through its purpose of use under Annex III of the AI Act - for example recruitment/personnel selection, creditworthiness/credit scoring, or critical infrastructure. Stricter obligations then apply: risk management, data governance, documentation, and, in particular, effective human oversight (Art. 14). An agent that pre-screens job applications is squarely here - even if it “only” pre-screens.

This is general information, not legal advice for an individual case. The classification of your specific agent may differ - when in doubt, have it reviewed.

The 2026 legal framework at a glance (as of June 2026)

The framework is in motion in 2026 - which is why it is set out here with dates and sources, not with fine-based scaremongering:

EU AI Act - Art. 4 AI literacy: the obligation to train employees in AI literacy commensurate with risk has applied since 2 February 2025; official enforcement at the national level starts from 2 August 2026. Art. 4 carries no fine of its own - costs arise indirectly, for instance when a lack of training is treated as a breach of the duty of care in a damages case (Skill-Sprinters, 2026).
High-risk obligations - in limbo: via the “Digital Omnibus,” the Council and Parliament reached a provisional agreement on 7 May 2026 to postpone the deadline for standalone high-risk systems from August 2026 to 2 December 2027 (embedded systems: 2 August 2028). This only becomes binding upon publication in the Official Journal - so as of June 2026 it is not yet final (White & Case, 2026; Gibson Dunn, 2026).
GDPR: a legal basis under Art. 6, where applicable a data protection impact assessment (Art. 35), a DPA (Art. 28), and transparency.
Product liability: the new Product Liability Directive (EU) 2024/2853 expressly captures software and AI-based products as “products” - transposition into national law is underway.
AI Liability Directive (AILD): withdrawn by the European Commission in February 2025. There is therefore no dedicated AI liability statute; general German liability law plus product liability apply (datenschutzticker, 2025; TCI Rechtsanwälte, 2025).

Many articles still get the last point wrong by citing the AILD as “coming.” It is not coming. Anyone planning their liability plans with the BGB and product liability - not with a withdrawn directive.

Introducing AI agents with legal certainty: in 6 steps

Determine the use case and risk class - what should the agent do, does it fall under Annex III?
Clarify data protection - legal basis, where applicable a DPIA, and map the data flows.
Governance and permission concept - name an owner, least privilege, human-in-the-loop.
Technical implementation - EU hosting, scoped tokens, audit trail, sandboxing.
Contracts and policy - DPA/Werkvertrag/SLA, AI usage policy.
Training and operations - Art. 4 literacy, ongoing monitoring, a review cycle.

It is precisely at this seam - translating law into code - that I work as a business lawyer and developer in one person. Anyone who wants not just to buy an agent off the shelf but to have one developed with legal certainty will find the starting point in the initial consultation on AI agent advisory. For those who want to structure things first: the AI governance checklist as an AI policy summarizes the eight points above as a template. To see how the agent-specific obligations mentioned here fit into the wider picture, read the overview EU AI Act & GDPR - what companies must do now.

FAQ

What is the difference between an AI agent and a chatbot?

A chatbot responds to inputs and waits. An AI agent acts autonomously: it breaks a goal down into steps, calls tools and systems, and carries out tasks. This capacity for autonomous action makes agents more useful - and more demanding in terms of liability.

Who is liable when an AI agent makes a mistake?

The AI itself is not liable - it is not a legal person. Responsibility regularly lies with the deploying company (the operator), in contract via § 280 BGB and in tort via § 823 (1) BGB. How the provider, operator, and user share the liability is governed by the contracts (DPA, Werkvertrag, SLA).

Not automatically - but they can be designed to be compliant. What is needed is a legal basis under Art. 6 GDPR, a data processing agreement with the provider, data minimization, and - for sensitive data - EU hosting or local models, so that no unvetted third-country transfer arises.

When does an AI agent count as high-risk AI under the EU AI Act?

When its purpose of use falls under Annex III - for example recruitment, creditworthiness assessment, or critical infrastructure. Stricter obligations then apply, including human oversight (Art. 14). The high-risk deadlines are, via the Digital Omnibus, expected to be postponed to 2 December 2027, but as of June 2026 this is not yet finally in force.

Do I need an AI usage policy for AI agents?

In practice, yes. A policy governs what employees are allowed to do and what requires approval, and it is part of the AI literacy obligation under Art. 4 EU AI Act, which has applied since February 2025. It also reduces liability risk because it documents due care.

As of: June 2026. The legal framework (in particular the AI Act’s high-risk deadlines) is in motion; this article is being maintained. General information, not legal advice for an individual case.

About the author: Leon Lotz is a business lawyer and developer. With MusketierSoftware he combines both in one person - AI consulting and custom software development, implemented with legal certainty and in compliance with the GDPR.

Sources — as of 07.06.2026

Gartner - 40% of enterprise applications with task-specific AI agents by 2026 (26 Aug 2025): https://www.gartner.com/en/newsroom/press-releases/2025-08-26-gartner-predicts-40-percent-of-enterprise-apps-will-feature-task-specific-ai-agents-by-2026-up-from-less-than-5-percent-in-2025
Anthropic - Claude Opus 4.1, release focused on agentic/long-horizon tasks (5 Aug 2025): https://www.anthropic.com/news/claude-opus-4-1
Microsoft Security Blog - 80% of Fortune 500 with active AI agents, ~47% with security controls (10 Feb 2026): https://www.microsoft.com/en-us/security/blog/2026/02/10/80-of-fortune-500-use-active-ai-agents-observability-governance-and-security-shape-the-new-frontier/
Atlan - AI Agent Risks & Guardrails (over-permissioning), 2026: https://atlan.com/know/ai-agent-risks-guardrails/
TechRepublic - Indirect prompt injection as a real threat, 2026: https://www.techrepublic.com/article/news-ai-agents-prompt-injection-data-security/
Skill-Sprinters - AI literacy / Art. 4: in force since Feb 2025, enforcement from Aug 2026, no fine of its own: https://skill-sprinters.de/blog/compliance/ai-literacy-pflicht-bleibt-august-2026/
White & Case - Digital Omnibus, provisional agreement on high-risk deadlines (May 2026): https://www.whitecase.com/insight-alert/eu-agrees-digital-omnibus-deal-simplify-ai-rules
Gibson Dunn - Postponed High-Risk Deadlines (2 Dec 2027 / 2 Aug 2028): https://www.gibsondunn.com/eu-ai-act-omnibus-agreement-postponed-high-risk-deadlines-and-other-key-changes/
datenschutzticker.de - AI Liability Directive withdrawn (March 2025): https://www.datenschutzticker.de/2025/03/eu-kommission-vorerst-keine-ki-haftungsrichtlinie/
TCI Rechtsanwälte - European Commission withdraws AILD proposal (2025): https://www.tcilaw.de/eu-kommission-zieht-vorschlag-fuer-richtlinie-ueber-ki-haftung-zurueck/