When AI agents add risk rather than value

TL;DR

AI agents are a legitimate time-saving tool in the right context. When they handle high-stakes customer decisions, sensitive data, or regulated activities without governance, thresholds, and a named human owner, the regulatory and operational risk outweighs the commercial gain. UK GDPR, FCA Consumer Duty, and NCSC guidance set clear expectations for AI oversight. The practical question for any deployment is not whether to use agents, but where and with what boundaries.

Key takeaways

- AI agents produce genuine value when tasks are low-stakes, reversible, and well-governed with a named human owner; they create regulatory and operational risk when applied to high-stakes decisions, personal data, or regulated activities without thresholds.
- UK GDPR, FCA Consumer Duty, and the UK government's AI Playbook all require human oversight for AI-influenced decisions with significant effects on customers; automated agents do not remove accountability from the business or its senior managers.
- A practical governance model applies across many AI agent deployments: define monetary and data thresholds, name an owner who reviews a sample of outputs regularly, and document the lawful basis for any personal data processing before the agent goes live.
- The ICO fined Clearview AI £7.5 million in 2022 for unlawful data processing; UK GDPR allows fines of up to £17.5 million or 4% of global turnover, making agent governance a commercial priority as well as a compliance one.
- Before deploying any agent, answer six questions: worst-case outcome, data lawfulness, thresholds, named ownership, ability to evidence decisions, and rollback plan. If any answer would not satisfy your insurer or regulator, restrict scope before going live.

An owner-manager running a service business switches on an AI agent to handle customer queries and refund requests. The team saves four hours a week. Three months in, a complaint surfaces: the agent had approved a £300 refund on a dispute that should have been escalated to a manager. No threshold was set, nobody had reviewed a sample of outputs, and the business had no record of how the decision had been reached.

The agent worked exactly as designed. The problem was the context it had been placed in.

What choice are you actually making?

When you deploy an AI agent, you are deciding which decisions your business will hand over without a person in the loop. That is a manageable call on some workflows and a consequential one on others. The way to sort the two is straightforward: ask what happens when the agent gets it wrong, and whether you can reverse it quickly and cheaply.

The practical choice sits between deploying an agent with clear thresholds and a named human owner, and deploying one without those things. The first is a bounded deployment with accountability built in. The second is a liability with a friendly interface.

Owner-managed businesses often end up in the second category not because they are careless but because the vendor promise outran the governance conversation. A 2024 survey of UK businesses found that 54% of firms using AI cited time savings as the primary benefit, with 42% citing productivity gains and 42% citing cost savings. Those figures are real. They come from deployments where the agent’s scope was clear and someone was checking its work. Getting that clarity before you set the agent loose is the governance conversation many deployments skip.

When does an AI agent add risk rather than value?

Agents increase your exposure when the downside of an error is high, the data they touch is personal or regulated, or the process has no named owner. Five conditions reliably tip the balance towards risk: decisions with significant effects on customers, sensitive or poorly governed data, regulated activities, consumer-grade vendor terms with no data-location controls, and workflows where nobody has documented who is accountable.

The ICO’s guidance on AI and data protection expects organisations to have a lawful basis for any AI processing of personal data, and to conduct a Data Protection Impact Assessment for high-risk uses. The FCA’s Consumer Duty requires firms to avoid foreseeable harm, including harm arising from technology. An agent handling complaints, suitability decisions, or service terminations without validation and defined thresholds sits squarely in the territory both regulators are watching.

The UK government’s AI Playbook is direct on this: humans should validate any high-risk decisions influenced by AI and retain a meaningful ability to intervene. Letting an agent auto-adjust pricing, reject applicants, or resolve disputes above a defined value without a review step is a governance failure, not just a technology choice. Under FCA and ICO frameworks, accountability stays with the named person behind the decision. The Competition and Markets Authority has also indicated that AI-driven personalisation and pricing practices will face scrutiny where they create unfair consumer outcomes.

When does an agent genuinely earn its place?

Agents produce genuine value when the task is low-stakes, the data is internal and well-governed, and a named owner reviews outputs. These conditions bound the autonomy: errors are cheap to fix, impacts on customers or regulators are minimal, and the time savings arrive as intended. The clearest indicator is reversibility: if the agent gets something wrong, can your team catch and correct it before it causes harm?

Good candidates include appointment reminders, FAQ responses, internal status updates, and non-binding product queries. The NCSC’s guidance on AI security recommends defining clear performance metrics for deployed AI systems, including what normal looks like and how anomalies surface. Tracking first-response time, resolution rate, and hand-off rate to humans gives you early warning when an agent starts operating outside its intended range.

The threshold model makes this practical. UK SME guidance from 3L3C recommends monetary tiers: autonomous action below a defined amount, human review above it, manager sign-off above that again. The same logic applies to data categories, which customer records the agent may access, and which channels it can communicate through. Setting tighter thresholds gives the agent a genuine mandate rather than an open-ended remit, and that is what produces reliable value rather than unpredictable exposure.
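The tiered model described above, sketched as a gate that sits between the agent and the action it wants to take. This is an added example, not code from the original page or from 3L3C; the tier amounts, category names, owner address and function names are all assumptions. It fails closed on malformed input and keeps a hash-chained record so a decision can be evidenced later.

```python
import hashlib
import json
from decimal import Decimal, InvalidOperation

# Assumed values: the page describes the tier model but gives no amounts or categories.
AUTO_LIMIT = Decimal("50")      # at or below: agent may act alone (GBP)
REVIEW_LIMIT = Decimal("250")   # above this: manager sign-off
ALWAYS_REVIEW = {"dispute", "complaint"}  # never autonomous, whatever the amount
KNOWN = ALWAYS_REVIEW | {"standard"}
OWNER = "owner@example.test"    # placeholder for the named owner

def route(action):
    """Return 'auto', 'human_review' or 'manager_signoff'; fail closed on bad input."""
    try:
        amount = Decimal(str(action["amount_gbp"]))
    except (KeyError, InvalidOperation):
        return "manager_signoff"
    if not amount.is_finite() or amount < 0 or action.get("category") not in KNOWN:
        return "manager_signoff"
    if amount > REVIEW_LIMIT:
        return "manager_signoff"
    if amount > AUTO_LIMIT or action["category"] in ALWAYS_REVIEW:
        return "human_review"
    return "auto"

def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True, default=str).encode()).hexdigest()

def record(log, action, reason):
    """Append a hash-chained entry so the decision can be evidenced if challenged."""
    entry = {"action": action, "decision": route(action), "reason": reason,
             "owner": OWNER, "prev": log[-1]["hash"] if log else "0" * 64}
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry

def verify(log):
    """True only if every entry still matches its hash and links to the one before it."""
    prev = "0" * 64
    for e in log:
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["prev"] != prev or _digest(body) != e["hash"]:
            return False
        prev = e["hash"]
    return True

# Constructed sample requests; r2 mirrors the £300 disputed refund described earlier.
SAMPLE = [{"id": "r1", "amount_gbp": 20, "category": "standard"},
          {"id": "r2", "amount_gbp": 300, "category": "dispute"},
          {"id": "r3", "amount_gbp": 20, "category": "dispute"},
          {"id": "r4", "amount_gbp": "NaN", "category": "standard"}]
```

The agent only executes when `route` returns `auto`; every other result is queued for a person, and the reviewer samples from the same log that `verify` checks.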

What does it cost to get this wrong?

The costs run further than the immediate error. UK GDPR allows fines of up to £17.5 million or 4% of annual worldwide turnover for serious misuse of personal data. The ICO fined Clearview AI £7.5 million in 2022 for unlawful processing of biometric images. For owner-managed firms, the absolute exposure is lower, but a six-figure remediation bill alongside reputational damage can still end a business.

Beyond regulatory exposure, the operational costs accumulate. The UK government’s AI Playbook warns that generative models can produce plausible but incorrect information, and the NCSC identifies hallucinations as a documented, predictable behaviour of large language models. In 2023, a New York lawyer was sanctioned for submitting fabricated case law generated by ChatGPT. An unsupervised agent sending external communications is one confident but wrong output away from the same category of harm.

Professional services firms face additional exposure. The Solicitors Regulation Authority has reminded law firms that AI use must still respect confidentiality duties and client supervision obligations. Professional indemnity insurers are beginning to ask how firms govern AI tools. An agent that passes client documents to a consumer AI service without a data processing agreement may invalidate cover before anyone realises there is a problem.

What do you need to ask before you deploy?

A pre-deployment checklist does not need to be long to be useful. Six questions cover most of the ground: what is the worst realistic outcome if the agent gets it wrong, does this touch personal data or a regulated activity, what monetary and risk thresholds will cap autonomous action, who owns this agent’s behaviour day-to-day, can you evidence key decisions if challenged, and what is your rollback plan?

The threshold question is the one most often skipped. Explicit monetary limits are what separate bounded deployments from open-ended ones. FTI Consulting’s governance framework for AI agents identifies three roles every deployment needs: an owner accountable for the agent’s mandate, a reviewer who samples outputs regularly, and an approver who sets and signs off on thresholds and scope. If you cannot name a person for each role before you deploy, the agent is not ready to go live.

If the six questions produce answers you would struggle to defend to your insurer, your regulator, or a dissatisfied customer, the signal is to restrict scope before you commit to the upside.

Sources

- UK Government (2024). Artificial Intelligence Playbook for the UK Government. Stresses human validation of high-risk AI decisions and a meaningful ability to intervene. https://assets.publishing.service.gov.uk/media/67aca2f7e400ae62338324bd/AI_Playbook_for_the_UK_Government__12_02_.pdf
- ICO. AI and data protection: Guidance on how to comply with data protection law when using AI. Sets out lawful basis and DPIA requirements for AI processing of personal data. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/ai-and-data-protection/
- ICO. Guide to the UK General Data Protection Regulation (UK GDPR). Covers fines of up to £17.5 million or 4% of global turnover for serious data misuse and obligations for automated processing. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-uk-gdpr/
- ICO (2022). ICO issues £7.5m fine to Clearview AI Inc. Documents unlawful processing of biometric data and the regulatory enforcement response. https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/05/ico-fines-clearview-ai-inc-7-5m/
- ICO. Data protection impact assessments. Sets out when DPIAs are required for high-risk AI processing before deployment. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-protection-impact-assessments/
- FCA (2022). FG22/5: Final non-Handbook Guidance for firms on the Consumer Duty. Requires firms to avoid foreseeable harm in technology-assisted decisions and ensure fair customer outcomes. https://www.fca.org.uk/publications/finalised-guidance/fg22-5-final-non-handbook-guidance-firms-consumer-duty
- NCSC (2023). The security of artificial intelligence: NCSC perspective. Warns that AI outputs depend on data quality and that hallucinations are a documented, predictable behaviour of large language models. https://www.ncsc.gov.uk/whitepaper/security-of-artificial-intelligence
- CMA (2023). AI foundation models: initial review. Identifies risks from AI-driven personalisation, pricing, and recommendations in UK consumer markets. https://www.gov.uk/government/publications/ai-foundation-models-initial-review
- FTI Consulting. AI Agents: How to Capture Value While Maintaining Control. Outlines a decision-rights framework for agentic AI including owner, reviewer, and approver roles for SME deployments. https://www.fticonsulting.com/insights/articles/ai-agents-how-capture-value-while-maintaining-control
- 3L3C. AI Agents and Human Judgement: A UK SME Playbook. Provides a threshold-based governance model for agent deployments, including monetary limits for autonomous and escalated actions. https://www.3l3c.ai/uk/blog/technology-innovation-and-digital-economy/ai-agents-uk-smes

Frequently asked questions

What types of decisions should an AI agent never make without human oversight?

Decisions with significant effects on customers, including credit decisions, complaints resolution, service termination, and employment-related decisions, should always include a human reviewer. The ICO and FCA Consumer Duty frameworks both expect appropriate safeguards and a meaningful ability to intervene for decisions with legal or similarly significant effects. A practical rule: if a customer could reasonably escalate the outcome to a regulator, a human needs to be in the loop.

Do I need a DPIA before using an AI agent in my business?

A Data Protection Impact Assessment is required under UK GDPR when AI processing of personal data is likely to result in high risk to individuals. The ICO's AI and data protection guidance expects organisations to complete a DPIA before high-risk deployments go live. For low-risk uses on internal, non-personal data a DPIA may not be mandatory, but documenting the lawful basis for any personal data processing always is.

What is a practical way to limit what an AI agent can do on its own?

Threshold-based governance is the most direct approach. Define the maximum value the agent can act on autonomously, the customer or data categories that always require human review, and the data sources it may access. UK SME guidance from 3L3C recommends monetary tiers: autonomous below a defined amount, human review above it, manager sign-off above that. Pair each threshold with a named owner who reviews a sample of outputs regularly.

This post is general information and education only, not legal, regulatory, financial, or other professional advice. Regulations evolve, fee benchmarks shift, and every situation is different, so please take qualified professional advice before acting on anything you read here. See the Terms of Use for the full position.
