Last week, as part of our team away days, the Jisc AI team held a mini roundtable on agentic AI.
The aim was simple: move beyond the hype and focus on the real questions colleges and universities are going to face as AI systems start doing more than just responding to prompts to making decisions and taking actions.
Mirroring our usual roundtable format we started with a presentation by Michael Webb based on Agentic AI Primer as a starting point, particularly the idea that agentic systems work towards goals through a think, act, observe loop, rather than responding to a single prompt. That shift, from answering to acting, is what makes governance urgent.
Two questions anchored the discussion, and I’ll share the things we discussed for each.
Question 1: What controls should define an AI agent’s autonomy, approval requirements, audit logging and whether it can act as a user?
The first question focused on institutional risk management and responsibility.
We noted that agentic systems differ from earlier AI tools because they can plan, take actions and adapt as they go. That means autonomy becomes one of the first governance decisions institutions will need to grapple with. What should an agent be allowed to do without asking? Where should human approval always be required?
In discussing what this might look like in practice, it felt likely that the boundary will sit between relatively low-risk activities, such as drafting or retrieving information, and higher-stakes actions, such as accessing sensitive data, changing records or triggering decisions with formal consequences.
There was a strong sense that autonomy cannot simply be left to vendor defaults. Even though most tools currently include guardrails and limits, institutions will still need to decide what level of autonomy is appropriate in their own context and design for that deliberately.
This led into a wider conversation about approval and oversight. Delegation cannot mean abdication. If an agent is acting without step-by-step instruction, institutions will need to define clearly where human oversight is mandatory and ensure that staff and students or learners understand where responsibility continues to sit with them.
Audit logging came up repeatedly. If agents can act independently, institutions will need visibility not only of outcomes but of the steps taken, the systems accessed and the decisions made along the way. Logging needs to support accountability and learning when things go wrong, not just exist as a technical trace.
One particularly difficult question was whether an agent should ever log in or act as a user. Granting full user access raises issues of identity, liability and academic integrity. A more cautious approach might involve tightly scoped service accounts or permissions models designed specifically for agents.
Across the discussion there was agreement on one point: institutions will need clear positions here. Silence creates risk.
Learners and Bring Your Own Agent
One of the most significant student and learner-focused issues raised was the prospect of students bringing their own agents.
The idea of Bring Your Own Agent mirrors earlier Bring Your Own Device policies, but we noted that it is more complex. A device provides access. An agent can initiate actions, make decisions and shape outputs.
The raised quite a few questions. Should personal agents be allowed to interact directly with institutional systems? If so, under what conditions? How do we maintain comparability in assessment if agent capability varies widely? What minimum standards might be needed around disclosure, security and transparency?
There was also a clear link to learning design. If agents begin to take on core cognitive tasks, institutions will need to be explicit about where support ends and substitution begins. Several colleagues pointed out that this is not just about policing misuse, but about ensuring students and learners still develop the knowledge, skills and judgement their courses are intended to build.
We discussed whether existing BYOD frameworks could offer a starting point, particularly for thinking about access control. However, there was agreement that BYOA would require additional safeguards because the risks are educational as well as technical.
Equity surfaced as a live concern. Uneven access to capable agents could widen existing gaps unless institutions think carefully about baseline provision and expectations.
Employees, personal agents and workforce implications
The discussion also considered the implications of staff building, or bringing, their own agents into employment.
We talked about how individuals may develop agents tailored to their roles, reflecting personal expertise, preferences and working style. Over time, that raises practical questions about portability and ownership. Can an employee bring an agent into a new role? Who owns what is embedded in an agent developed during employment? Would institutions allow an agent to leave with the individual?
We also discussed how recruitment and role expectations might shift. A person’s ability to design, supervise and refine an agent could become part of their professional profile. We may also see some roles evolve towards people acting as agent supervisors, setting goals, monitoring performance and intervening when needed.
These possible workforce shifts sit alongside a broader skills challenge. Several people noted that effective use of agentic systems depends on clear goal setting and structured delegation. Yet delegation is not a universal skill. Many staff who do not manage people have never had to develop it, and most students and learners have had little exposure to it at all.
Goal setting raised a slightly different issue. People often assume they are good at it because they do it frequently in other contexts. In practice, writing a broad intention is not the same as defining a bounded objective with clear success criteria. Agentic systems expose this gap quickly. If the goal is vague, the agent may confidently pursue the wrong thing.
A useful way of putting it was that agents do not compensate for weak task framing. They amplify it.
We agreed this is an area where further work is needed, and we plan to explore the skills implications in more depth.
Question 2: How should policies define agent types, ensure transparency for learners and staff, and scale governance as agents interact with external systems or other agents?
The second question shifted from internal controls to wider policy and educational implications.
A core theme was the importance of distinguishing between different types of systems. We noted that basic generative AI tools typically respond to prompts, automated systems follow predefined workflows, and genuinely agentic systems plan and act towards a goal.
Several participants emphasised that these differences matter. Governance requirements are unlikely to be the same, and policies that treat all AI as a single category risk breaking down as systems become more capable and autonomous.
Transparency was another recurring point. Learners and staff should be able to understand when an agent is acting on their behalf, what it can access and what it is permitted to do. This was framed partly as an issue of trust, but also as an educational one. If agent use becomes invisible, it risks bypassing understanding rather than strengthening it.
Multi agent and cross organisation implications
A further theme under this second question was what happens when agents do not operate in isolation.
Participants raised concerns about interoperability. Will agents from different providers work together, or will ecosystems deliberately restrict interaction in ways that lock institutions into a single vendor platform? We also noted that if interoperability is limited, third-party “translator” agents may emerge, which could add both complexity and risk.
Security and control also become harder in multi-agent environments. We discussed whether institutions may need ways to prevent their agents from communicating with agents they do not trust, in a similar way to how access is currently segmented across networks.
Several cross-organisational use cases were explored. One example was the Disabled Students’ Allowance process. In this scenario, a personal student agent could gather evidence and complete forms, an institutional disability services agent could verify information and add supporting documentation, and external Student Finance systems could process the application.
There was a sense that these kinds of workflows could create real efficiency. However, they also introduce questions about authentication, data sharing agreements, logging across systems, and where accountability lies if errors occur.
Overall, the discussion suggested that governance will need to extend beyond the boundaries of a single college or university if these multi-agent scenarios become common.
Final reflections
Agentic AI does not introduce governance from scratch. Colleges and universities already manage access controls, system permissions and data governance.
The difference now is that institutions are not just managing tools that respond. They are managing systems that think, act and observe.
The roundtable reinforced that clear autonomy boundaries, approval requirements, audit standards, transparency rules and positions on Bring Your Own Agent will be essential if the sector is to shape responsible adoption rather than react to it later.
Find out more by visiting our Artificial Intelligence page to explore publications and resources, learn more about our communities and sign up for our AI Literacy training.
For regular updates from the team sign up to our mailing list.
Get in touch with the team directly at AI@jisc.ac.uk