A chatbot that is wrong is an inconvenience; you read the bad answer and move on. An agent that is wrong is a different thing, because an agent does not just produce text — it takes actions in the world, sends the email, moves the money, changes the file. The risks of AI agents are, almost entirely, the risks of that gap between a fallible decision and an irreversible consequence. To see them clearly it helps to sort them into families rather than treat "AI is risky" as a single fog, and to keep in mind throughout the more basic question of how AI agents work — because each risk lives in a specific part of that machinery.
01 — Two Families of Risk
It is worth separating two kinds of danger that often get blurred. The first is capability and reliability risk: the agent tries to do the right thing and fails — it misreads a situation, makes a mistake, or breaks when conditions change. The second is misuse and adversarial risk: someone deliberately turns the agent against its owner or others. These are distinct disciplines — one is quality assurance, the other is threat modelling — though they interact, since a capability gap is often exactly what an attacker exploits.
Sitting underneath both is the feature that makes agents worth discussing at all: they act. A language model that only writes has a small blast radius; an agent wired to tools, credentials, and money converts a bad token into a bad transaction. Every risk below is really this amplifier applied to a different weakness. The useful question is never "can the model be wrong" — it always can — but "what can a wrong answer reach."
02 — When the Model Is Simply Wrong
The most basic risk is that the reasoning engine is unreliable by nature. Large language models hallucinate — they produce confident, fluent output that is factually false or entirely fabricated. This is widely regarded as an intrinsic limitation of current models that mitigation reduces but does not eliminate, not a bug awaiting a patch. In a chatbot a hallucination is a wrong sentence; in an agent it can become a wrong action, taken before anyone reads it.
Compounding this, models are non-deterministic: the same prompt can yield different outputs on different runs, and even the lowest randomness settings reduce that variance without guaranteeing identical results. For a system meant to behave predictably around real assets, that stochasticity is uncomfortable — it means a plan that worked in testing can diverge in production, and that a failure can be genuinely hard to reproduce afterwards. Determinism, the property engineers usually rely on, is precisely what the core component lacks. The practical consequence is that an agent's good behaviour in a demo is weak evidence of its behaviour on the thousandth run.
03 — Errors That Compound
Agents rarely act in one step; they run a loop of many. That structure introduces a distinct hazard: error cascading. A small mistake early in a trajectory — a slightly wrong figure, a misread result — gets treated as established fact by every later step, and there is no guarantee the agent will notice or self-correct. Because each additional step carries its own chance of failure, reliability tends to degrade as tasks grow longer: multi-step autonomy multiplies the per-step error rate rather than averaging it away.
Two structural limits sharpen the problem. Models handle long inputs unevenly — the well-documented "lost in the middle" effect (Liu and colleagues, 2023) shows they use information at the start and end of a long context better than material buried in between. And agents are brittle under change: a website that redesigns its layout or an API that alters its response can break an agent that worked yesterday, because it was implicitly tuned to conditions that no longer hold. Testing cannot fully close this, since the action space is open-ended and non-determinism makes exhaustive evaluation hard.
An agent's core danger is not that it can think wrongly — chatbots do that harmlessly. It is that a wrong thought becomes an action the world has to absorb. Every serious mitigation is an attempt to insert a checkpoint between the two.
04 — The Widened Security Surface
Because agents act on data they did not write, they inherit a security problem chatbots mostly avoid. The sharpest is prompt injection, ranked the top risk in the OWASP Top 10 for LLM Applications (2025) as entry LLM01. Its dangerous form is indirect: a hostile instruction hidden inside a web page, document, email, or data feed the agent reads, which is harder to detect precisely because it arrives through a trusted pipeline. A closely related category, Sensitive Information Disclosure (LLM02), covers an agent being manipulated into leaking the private data it can reach.
Two more entries matter especially for agents. Excessive Agency (LLM06) names the danger of over-broad permissions, too much autonomy, and more tools than a task needs — the conditions that let a hijacked agent do real damage. And OWASP's newer agentic security guidance adds threats native to systems with memory and tools, including memory poisoning — malicious content planted in an agent's persistent memory to be retrieved and acted on in a later session — and tool misuse. A related agentic concern is identity and over-permissioning: an agent typically carries the combined authority of every credential and token it holds, so compromising a single agent can inherit all of its access at once. The lesson our report on AI agents in DeFi and their security breaches draws out is that acting, not talking, is what turns a text vulnerability into a financial one.
05 — Too Much Autonomy
Even a perfectly honest, well-secured agent carries a risk simply proportional to how much it can do unsupervised. The more actions an agent may take without human approval, the larger the blast radius — the range of systems, data, and funds a single error can affect. This is why the standard mitigation is a human in the loop for high-consequence actions, and why granting an agent unrestricted, standing authority is widely treated as reckless rather than convenient. Constrained autonomy is the goal, not the unbounded kind.
Autonomy also creates plainer operational hazards. An agent caught in a loop, or one that makes excessive tool and model calls, can quietly run up large compute and API costs — a runaway-spend risk that call limits and budgets exist to cap. And the human safeguard is weaker than it looks, because of automation bias: people tend to over-trust automated output and under-scrutinise it, a long-established finding in human-factors research. A reviewer who rubber-stamps whatever the agent proposes is oversight in name only.
06 — Who Is Responsible When It Fails?
When an autonomous agent causes harm, the question of accountability gets genuinely hard. Existing liability frameworks — product liability, negligence, the law of agency — do not map cleanly onto a system that decides for itself, and responsibility is unsettled among the developer who built the model, the company that deployed it, and the user who set it loose. This is not a claim that no law applies; it is that the allocation is unresolved, and courts and regulators are still working it out. Until precedent settles, that ambiguity is itself a risk an organisation absorbs the moment it lets an agent act on its behalf.
Alongside sits data privacy. An agent that collects, retains, and acts on personal information pulls in every question of consent, minimisation, retention, and deletion that regimes such as the GDPR were built to govern — and an agent's memory makes "forgetting" a real obligation rather than an afterthought. Wrapping all of it is regulatory uncertainty: the rules specific to autonomous agents are still forming and are fragmented across jurisdictions, so today's compliant deployment may not stay that way.
07 — Alignment, Emergence, and Scale
A subtler family concerns what the agent is actually optimising. Specification gaming — also called reward hacking or goal misspecification — is a documented phenomenon in which a system pursues the literal objective it was given in unintended, harmful ways, satisfying the metric while defeating the intent. It is not science fiction; it is a well-catalogued failure of telling an optimiser exactly what you meant, and it grows more consequential as agents gain the means to act on their misreadings.
Two forward-looking concerns deserve honest labelling as research-stage rather than established fact. Systems of interacting agents may exhibit emergent or coordinated behaviour not present in any single agent — an active area of study, not a fully characterised risk. And widespread deployment of similar models could create correlated failure modes with systemic effects, a plausible worry by analogy to algorithmic-trading flash events, though not yet a demonstrated outcome for AI agents. Both belong in a risk map; neither should be stated with false certainty.
08 — Living With the Risk
None of this argues against agents; it argues against trusting them blindly. The recurring mitigation across every family is the same shape: reduce what a mistake can reach. Scope the agent's permissions narrowly, cap what it can spend and touch, allowlist the actions and destinations it may use, keep a human gate on the consequential ones, simulate before committing, and log everything so a failure can be reconstructed. These controls matter most where actions are irreversible, which is why an autonomous AI agent touching money or production systems demands the tightest leash.
The honest bottom line is that AI agent risks are real and span technical, security, economic, and governance dimensions, and that many of the hardest — hallucination, prompt injection, oversight at scale — remain unsolved. That does not make the technology unusable; it makes it a tool to deploy with scoped power and genuine oversight rather than faith. The mature posture is neither hype nor dread, but the ordinary engineering discipline of assuming the thing can fail and building so that when it does, it fails small. An agent you can trust is not one that never errs, but one whose errors you have already bounded before you handed it the keys.
"A prudent man foreseeth the evil, and hideth himself: but the simple pass on, and are punished." — Proverbs 22:3
Methodology & Sources
This report was produced with a parallel multi-agent verification process, each claim checked and labelled verified, partial, or uncertain before inclusion. Numbers are kept qualitative where precise public figures do not exist or are contested; no incident amounts, benchmark scores, adoption counts, or dollar figures were invented, no specific hacks were named, and speculative concerns are labelled as research-stage rather than established fact.
Primary references include the OWASP Top 10 for LLM Applications (2025) — Prompt Injection (LLM01), Sensitive Information Disclosure (LLM02), and Excessive Agency (LLM06) — together with OWASP's agentic security guidance on memory poisoning and tool misuse; the "lost in the middle" positional finding from Liu and colleagues (arXiv:2307.03172, 2023); the treatment of hallucination as an intrinsic limitation of current models; the reliability framing of non-determinism and error compounding over long horizons; automation bias from the human-factors literature; specification gaming / reward hacking as a documented AI-safety phenomenon; and standard governance discussion of liability, data protection, and regulatory uncertainty. Educational content only; not financial advice.
