What is an AI agent? Definition, how it works, and why it is a security risk

An AI agent is software that uses a large language model to plan a goal and then act on it autonomously by calling tools, reading data, and making decisions in a repeating loop. The defining feature is autonomy through action: the model does not just answer, it decides what to do next and then does it. This page is about AI agents in the software sense, not human agents.

TL;DR:

• An AI agent is an LLM wrapped with tools, memory, and a control loop so it can take actions, not just produce text.
• This means a software or LLM agent. It does not mean a real-estate agent, an insurance agent, or a human support agent: those are people, and the shared word is a coincidence.
• It works on a perceive, plan, act loop: read the situation, decide a step, call a tool, observe the result, repeat.
• An agent differs from a chatbot (which only talks) and from a plain LLM (which only predicts text).
• Agents are a security concern because they take real actions, so a bad instruction can cause real damage. See excessive agency explained.

What does “AI agent” mean, and what does it not mean?

An AI agent means a software system that uses a language model to act autonomously toward a goal. It does not mean a human in a job titled “agent”. Because the word is overloaded, here is the explicit disambiguation:

• An AI agent (this page): software that uses an LLM to plan and call tools, such as a coding assistant that edits files or an email agent that triages an inbox.
• A real-estate or estate agent: a person who helps buy, sell, or rent property.
• An insurance agent: a person who sells or administers insurance policies.
• A human support or call-centre agent: a person who handles customer queries.

Throughout this site, “agent” always means the software sense. The security risks below only apply to that meaning.

How does an AI agent work?

An AI agent works by running a loop in which an LLM perceives its situation, plans a step, acts through a tool, then observes the result and repeats until the goal is met. The model supplies the reasoning; the tools supply the ability to affect the world. The core components are:

1. The model: the LLM that reads context and decides the next step.
2. Tools: functions the agent can call, such as web search, a database query, a file editor, or an email sender. Standards like the Model Context Protocol define how agents connect to these tools.
3. Memory: short-term context for the current task and, often, longer-term storage so the agent recalls earlier steps or past sessions.
4. The control loop: the orchestration that feeds tool results back to the model so it can decide whether to continue, change tack, or stop.

The Anthropic documentation describes this tool-use pattern in detail, where the model requests a tool, the system runs it, and the result is returned for the next decision. This loop is what separates an agent from a one-shot answer.

How is an AI agent different from a chatbot and a plain LLM?

An AI agent differs from a chatbot and a plain LLM because only the agent can take autonomous actions through tools. A chatbot talks, an LLM predicts, an agent acts. The table below compares all three.

Capability	Plain LLM	Chatbot	AI agent
Generates text	Yes	Yes	Yes
Holds a conversation	No, single call	Yes	Yes
Calls external tools	No	Rarely	Yes, central feature
Acts autonomously toward a goal	No	No	Yes
Can change external systems	No	No	Yes, via tools
Main risk	Bad output text	Bad output text	Real-world actions

A chatbot is often just an LLM with a conversation wrapper. An agent adds the tools and the loop that let model output trigger real effects, which is exactly where the security risk enters.

What are some examples of AI agents?

Common examples of AI agents include coding assistants, browsing agents, and email or workflow agents. Each follows the same plan-and-act loop, differing only in which tools it can call. Typical examples:

• Coding agents that read a repository, plan a change, edit files, and run tests.
• Browsing or research agents that search the web, open pages, and gather findings.
• Email and calendar agents that triage inboxes, draft replies, and schedule events.
• Customer-workflow agents that look up records and update systems on a user’s behalf.
• Data agents that query databases and assemble reports.

Each of these can act, which is useful, and also why each needs the same scrutiny applied to any system that holds real permissions.

Why are AI agents a security concern?

AI agents are a security concern because they take real actions through tools, so a manipulated instruction can produce real consequences rather than just a bad sentence. The danger is the action the agent takes, not the text it writes. If an attacker can influence what the agent reads, for example through prompt injection, the agent may call its tools in ways the user never intended: forwarding private emails, deleting records, or leaking data.

This is why agent security is treated as its own discipline. The OWASP GenAI Security Project catalogues these risks, with excessive agency and prompt injection ranking high in the OWASP LLM Top 10. National bodies such as the NIST AI programme likewise stress controlling autonomy and validating actions. The practical defence is least privilege: give an agent only the tools and permissions it genuinely needs. Read least-privilege for AI agents for how to scope that down.

Where to go next

Now that you know what an AI agent is, see how agents connect to tools safely in what is MCP and MCP security best practices. For the risks that follow from autonomy, read excessive agency explained and the OWASP LLM Top 10 hub. Browse more in the guides library and the tools directory.