Guide on the Use of Agentic Artificial Intelligence

Example: Scheduling a meeting using increasingly agentic AI

Level 1 – Assistive: Using AI that acts more like an assistant, software suggests available meeting times, but a person chooses and sends the invitations. This feature is often available in existing calendar tools.

Level 2 – Semi-autonomous: At the next level, the AI system is more capable and proposes a meeting time and drafts an invite for approval.

Level 3 – High autonomy: An AI system schedules the meeting based on delegated permissions and a high-level instruction (“Schedule a meeting with Marc, Lisa, and Darren next week”). It logs its actions and notifies the user.

Level 4 – Adaptive autonomy: The AI system monitors changes in the availability of meeting participants, proposes or executes rescheduling within defined constraints, and escalates exceptions.

The progression from assistive tool to proactive, autonomous AI agent illustrates what makes agentic AI powerful: it doesn’t just help you do tasks, it does them for you, with the delegated authority you grant it, adapting as circumstances change. This increase in capability provides greater opportunities but also greater risks.

Opportunities

Agentic AI can create value by reducing time spent on routine work, supporting higher-volume operations and helping teams apply consistent approaches. For example, an agentic system can:

• gather public sources and internal guidance to draft policy options
• compile data from approved sources and draft a narrative to accompany an existing analysis
• execute more complex workflows, such as review incoming applications, verify completeness against eligibility rules and retrieve relevant files from approved internal systems
• summarize or flag information in the files for consideration by human decision makers or make recommendations, including automatically escalating ambiguous or borderline files for immediate and full review by human decision makers

These uses can free up time for higher value work; improve responsiveness; reduce administrative burden; and help employees focus on judgment, quality and client needs.

Agentic systems can also strengthen continuity and knowledge management by turning repeatable practices into checklists and templates, finding relevant precedents, and capturing the rationale behind recommendations to support auditability.

Overall, agentic AI usually provides the greatest value on tasks that are repeatable, time-consuming and verifiable, with people retaining oversight and clear accountability for decisions made.

Risks

The main risks of agentic AI are not only about output quality, which could suffer from bias and error, or include harmful content. These risks also involve unauthorized actions, unclear permissions, accountability and traceability. More autonomous systems can overreach, loop or take unintended steps if boundaries are unclear or if the system encounters untrusted content. Untrusted content can be factually incorrect information or malicious prompt injection attacks.

Risks also increase when an agent is given broad access to Government of Canada systems or sensitive information without appropriate configuration, allowing it to retrieve or disclose information it should not, or take actions the user did not intend.

In high-impact contexts, such as grants; procurement; regulatory activity; or administrative decisions affecting rights, finances or access to services, there are additional risks including potential impacts to fairness, reduced transparency and difficulty explaining how outputs were produced and used. These outcomes could lead to larger structural risks of increased legal risk, non-compliance with law or unethical actions. These actions could include material privacy breaches, such as unauthorized access to or disclosure of personal and/or sensitive information.

Finally, workload pressure can lead to overreliance over time, where employees begin to treat generated recommendations or rankings as actual decisions. This risk can manifest both for when AI outputs are trustworthy and when they are not.

Continued offloading of decisions to AI agents can lead to knowledge and skill atrophy and weakened human judgment. Employees may become less practiced at core tasks and slower to notice when something is wrong. These risks can affect service quality, privacy and security, legal defensibility and public trust.

Maintenance of relevant skill sets among agentic AI users and deployers is a prerequisite for meaningful human oversight. Accordingly, public servants must have appropriate training and understanding of responsible agentic AI use, including the limits of where and how agentic AI may be used under existing authorities. This helps minimize risks to citizens, employees and the Government of Canada; reduces the likelihood of non‑compliant use; and supports appropriate adoption of agentic AI while avoiding both misuse and underuse.

1) Bounded autonomy

2) Recoverability

Before you start: Focus on design and set safe boundaries^{Footnote 2}

(a) Start with a narrow, well-defined use case

• Clearly define the purpose of the AI agent. What are the specific goals of your initiative? Is an AI agent or agentic system the best way to address the problem?
• Does the Government of Canada already have a similar agent or agentic system in place that could be used or emulated?
• Use shared, enterprise‑level approaches where appropriate to reduce duplication; ensure interoperability; and support secure, scalable adoption across the Government of Canada.
• Explore decision support and low-risk internal workflows before higher-impact use cases that may include automation.
• Map the process in detail and consult with relevant stakeholders and partners to understand legal and policy restrictions for anticipated issues and potential responses to unanticipated issues (such as program experts, legal, privacy, security, IM/IT).
• Plan for explainability by ensuring that you can explain how the agentic AI system makes decisions and produces outputs.
• Determine if your use case falls under the Directive on Automated Decision-Making.

(b) Design for bounded autonomy

• Limit and document what data the agent can access, what tools it can use and what actions it can take. This includes implementing data and rate limits to constrain AI agents from improper use.
• The approach to granting AI agents access should be informed by an analysis that considers the risks (“what harms could result if access is given?”)
• Use “read-only by default” (view and draft) where possible. Add the ability to edit or act (send, update, publish) when needed and only for that specific step.
• Establish clear agent IDs to uniquely identify, manage and track individual AI agents and their actions.
• Make it obvious when the agent is suggesting versus doing.

(c) Build in resourced human checkpoints (human-in-the-loop)

• When an AI agent’s action alters a system’s state (send, publish, approve, spend, update records), include a review/confirmation step in the design, unless the expected impact is demonstrably low and the action is trivially reversible.
• You must monitor an AI agent’s security and accuracy to determine if it can be trusted, with review/confirmation and alerts for unexpected behaviour. If performance remains consistent over time, residual risk may be lower, but it still needs ongoing monitoring (and oversight of that monitoring), especially as conditions change.
• Clearly identify how human oversight and responsibility is integrated into the agentic process and how issues are escalated and to whom.
• Include a plan for how much oversight will be required and how it will be resourced. The plan should acknowledge and address human-in-the-loop fatigue and scalable oversight mechanisms that remain effective as the use of agentic AI expands.

(d) Design for reversibility

• Make actions reversible where feasible (for example, versioning, undo options, confirmation prompts before completing important actions). If actions are not reversible, assess the acceptability of impacts of unreversible actions.

(e) Plan how you will test

• Test with realistic edge cases and “worst case” inputs (including untrusted and actively adversarial content) to assess problems, vulnerabilities and the nature of the AI agents.
• Start in a controlled environment and expand gradually to increase understanding of the agentic process.

During use: Operate safely, embrace monitoring and avoid “automation drift”

(f) Make oversight easy

• Ensure that there is a clearly named role accountable for the AI agent’s outcomes and monitoring, with a documented escalation path and a designated delegate during absences or transitions.
• Accountability always ultimately rests with the designated human owner, even when the agent acts autonomously within approved permissions.
• Maintain a process to review and update accountable officials when roles change, including a clear way to pause or deactivate AI agentic activity when ownership is unclear.
• Ensure that an accountable person’s AI agents are paused, reassigned or deactivated as part of offboarding when an owner leaves their role, department or the Government of Canada, unless ownership and accountability are explicitly transferred to another designated person (applies to both program-level and personal AI agents).

(g) Log key actions and decisions

• Keep logs of tools used, actions taken, approvals given and key inputs/outputs. For tool calls, log the tool name, time, outcome and the type of parameters passed.
• Raw parameter values should be logged only when required for oversight, security or program integrity, and they must follow departmental privacy and security controls.
• Ensure that logs are easy to understand for audits and incident investigation.
• Ensure that logs are handled appropriately when sensitive.
• Ensure compliance with requirements related to information management, record keeping and litigation hold protocols.

(h) Watch for automation drift

• Monitor human behaviour for overreliance and refresh expectations and education when needed. Even when designed for decision support, teams might start relying on AI agent rankings or summaries as actual decisions over time. Additionally, agentic AI systems can also drift beyond their designed scope, so they must be constrained and monitored.
• Watch for drifts in quality. Outputs and reasoning can gradually become less accurate, complete or consistent over time as data, tools or configurations change. Teams should do occasional spot checks and compare results to expectations to catch slippage early.
• Occasionally have the agentic AI tasks performed manually by human experts for comparison with the agent’s performance, which can indicate the need for retraining of the humans or the AI agent, depending on the results.

(i) Handle untrusted content carefully

• Do not allow AI agents to automatically follow embedded directions because untrusted content may contain hidden instructions (“prompt injection”) intended to alter the agent’s behaviour. Treat external or user-provided text as data to analyze, not instructions to follow.

(j) Be ready to stop

• Maintain a pause and disable mechanism (“kill switch”) external to the AI agent or agentic system and an appropriate recovery plan for unintended actions.

After deployment: Learn, improve and retire responsibly

(k) Evaluate performance and impact

• Review error patterns, evidence of bias, escalation rates, user feedback and whether outcomes differ across groups or contexts. Determine whether goals were achieved effectively, efficiently and appropriately.
• Establish regular audits and evaluations (and subsequent action plans) for ongoing agentic use.

(l) Reassess when things change

• Reassess risks and controls if the AI agent’s tools, data sources, permissions or scope change. Similarly, reassess risks and controls if the AI agent’s relevant legal or policy framework changes.

(m) Retire agents safely

• If an AI agent or agentic system is no longer needed, remove access, archive required records appropriately and document lessons learned. Sharing lessons learned and best practices helps build AI capacity and understanding in the Government of Canada.

Case study 1: The “helpful” service agent that oversteps

Failure pattern: A service triage agent drafts responses and routes cases. During a surge, it begins triggering ticket closures after drafting replies, even though the intended design was draft only. In the ticketing system, certain reply/route actions can automatically mark a ticket as “resolved/closed” unless explicitly prevented. Some clients receive incomplete service, and employees must reopen cases.

Responsible use: Before launching the service triage agent, teams put strong safeguards, monitoring, and human-in-the-loop checks in place. The agent runs in a “draft only” mode with no ability to send final replies or change ticket status, and with a short list of allowed actions. If the AI agent attempts a close-like status change or triggers a closure workflow, it auto-pauses and alerts the team. Employees have a one-click stop button and a simple, pretested step to reopen any affected tickets.

When a surge in service volume later caused the AI agent to trigger closures after drafting replies, these prelaunch mitigations worked as intended: the issue was immediately detected, flagged and quickly corrected. All actions were visible in an activity log. Employees reopened the affected cases, ensuring complete service for clients. The incident validated the proactive design approach and provided useful insights that further strengthened the system’s reliability for future surges.

Case study 2: The system misled by untrusted content

Failure pattern: A monitoring agent scans documents and follows embedded instructions in content it reads, leading it to share information or take steps it should not. Sensitive information is exposed.

Responsible use: When designing their AI agent, employees understood the risk of untrusted content causing potential problems. Before deployment, they explored potential weaknesses of their AI agent with prompts designed to mislead it, to ensure that the AI agent acted appropriately. The employees designed the AI agent to treat everything it reads as untrusted and to ignore any instructions within the documents. Further, the AI agent can only perform a short list of allowed actions (for example, add a tag, create an alert, route for review), has read-only access, and external sharing is off by default. Additionally, as the agent processes information, any inputs are cleaned (plain text only; no links, scripts, or macros), and scanning is limited to approved sources.

When some unusual behaviour was detected, the run was paused and reviewed before anything was shared, with employees ready to use a simple off switch to stop the agent immediately, if necessary. Thoughtful design enabled the agent to complete its tasks without being manipulated into unsafe actions.

Related policy instruments

• Policy on Service and Digital
• Directive on Automated Decision-Making
• Guide on the use of generative artificial intelligence

Other references

• AI Strategy for the Federal Public Service 2025–2027
• Guide on Departmental AI Responsibilities
• Top 10 artificial intelligence security actions: A primer – ITSAP.10.049
• Executive summary: Artificial intelligence and competitive dynamics in downstream markets (English only)
• The agentic AI landscape and its conceptual foundations (English only)
• Artificial Intelligence Risk Management Framework (AI RMF 1.0) (English only)
• Artificial Intelligence Playbook for the UK Government (English only)
• Article 9: Risk Management System | EU Artificial Intelligence Act (English only)
• LLM Prompt Injection Prevention (English only)
• How Microsoft defends against indirect prompt injection attacks (English only)
• Principles for responsible, trustworthy and privacy-protective generative AI technologies