Be Careful When Contracting Agentic AI to Mitigate Serious Risks
March 8, 2026
Agentic AI systems independently plan, decide, and act across multiple steps without continuous human prompting, which creates “a potential insider threat” if improperly deployed, according to a post on Stoel Rives Global Privacy and Security Blog.
The blog post outlines the legal and operational risks associated with agentic AI and offers best practices for contracting for the service.
Unlike tools that simply respond to prompts, agentic AI executes workflows, triggers real-world actions, and adapts dynamically. The technology works by autonomously invoking tools, application programming interfaces (APIs), and external systems to complete tasks such as sending emails, modifying records, moving funds, or orchestrating other systems. This autonomy creates a distinct identity and access management challenge.
Agentic AI must have a unique risk profile in the Identity and Access Management system. It requires unique credentials, least-privilege permissions, and strong authentication mechanisms.
It is important to assess five core security risks against the National Institute of Standards and Technology’s AI Risk Management Framework before deployment: excessive autonomy; prompt injection; data leakage; lack of accountability; and unmanaged supply chains.
Contracting for agentic AI is the sharpest challenge legal teams face. Technology is outpacing the law, and best-in-class contract provisions today may be obsolete soon. Strong contract language—such as compliance clauses and audit rights—only provides a false sense of security unless you actively dedicate resources to monitor and enforce those terms.
In-house counsel should be mindful that agentic AI contracts demand active lifecycle management, not a sign-and-file approach. Due diligence should cover integration risk, vendor dependencies, and model update protocols.
Contracts must include audit rights, termination triggers, logging requirements, and developer cooperation obligations. Kill-switch scenarios must be factored into business continuity planning.
Contract reviews are essential as the regulatory landscape evolves.