Lesson 12 of 38 · AI 101 - 12 min

AI 101: Understand AI Agents

Define an AI agent precisely enough to make a real decision: distinguish a chat answer from a fixed assistant workflow from a true agent workflow, name the seven parts of a safe agent loop (goal, context, tools, permissions, action, evidence, stop), and write an agent brief a manager could approve without opening the tool.

Renamed from the AI agents explained guide

An AI agent is not magic autonomy, and it is not just a chatbot with a confident tone. The definition that actually matters in 2026 is about who decides the next step. A chatbot answers the question you asked. A fixed workflow runs a sequence you designed in advance - route this email, draft a reply, check it against policy, send. An agent is different in one specific way: it decides what to do next based on what just happened, calling tools and holding context across many steps until a goal is met or a rule tells it to stop. That single property - autonomous decision-making inside a scoped task - is the entire source of an agent's leverage and its entire source of risk. So the professional skill here is not 'how do I get an agent to do everything,' it is 'how do I give an agent exactly enough rope to be useful and exactly enough rules that it can never quietly overreach.' This lesson gives you the vocabulary, the decision, and the brief that make that possible.

Video

Understand AI agents, autonomy, not just capability

A branded walkthrough: tell chatbots, fixed workflows, and true agents apart, run the seven-part safe agent loop, and match human oversight to each action's risk.

What to understand

  • The dividing line is autonomy, not capability. Industry framing in 2026 is consistent: a chatbot answers a question; a copilot suggests an action and waits for approval; a workflow tool runs a fixed sequence you defined; an agent decides what to do next based on the result of the last step. If the path is decided in advance, it is a workflow, however clever - it only becomes an agent when the model chooses its own next move.
  • Anthropic draws the same line cleanly: workflows are 'systems where LLMs and tools are orchestrated through predefined code paths,' while agents are 'systems where LLMs dynamically direct their own processes and tool usage.' The practical takeaway from their guidance is to start with the simplest thing that works and only add agentic autonomy when a fixed path genuinely cannot handle the variation - autonomy costs more tokens, more latency, and far more testing.
  • The safe agent loop has seven named parts: goal (the outcome), context (files, rules, constraints), tools (what it can call), permissions (what it may do without asking), action (scoped tool use), evidence (a record of what it read, changed, created, or could not verify), and review/stop (a human checks, and red lines pause it). Every part you leave undefined is a part the agent will fill in for you - usually broader than you wanted.
  • Permissions are the control surface, and modern tools make them per-action. In Claude and similar 2026 tools you can set each tool to 'always allow,' 'needs approval,' or 'block' - for example, always safe to read a calendar, but require approval before sending an invite. Defining permission at the action level, not the tool level, is what turns 'I gave it access to email' into 'it may draft, never send without me.'
  • Match human oversight to risk using the three-tier model. Human-in-the-loop: a person approves or corrects actions before they take effect (use for sends, deletes, purchases, anything irreversible). Human-on-the-loop: a person supervises and reviews outcomes after the fact (use for medium-risk, reversible work). Human-out-of-the-loop: full autonomy with monitoring (use only for pre-agreed, low-risk, well-tested tasks). The mistake is applying one setting to everything.
  • Evidence is what makes agent work trustworthy and debuggable. An agent must show its trajectory: which files it read, what it assumed, what it changed or created, what it could not verify, and where it stopped. Without an evidence trail you cannot tell a correct result from a confident-looking wrong one - and you cannot review at scale, which is the whole point of using an agent.
  • Stop conditions protect the team from silent overreach. The non-negotiables are the irreversible or externally visible actions: deleting files or records, sending messages or emails, making purchases or commitments, changing settings, and touching production or confidential data. These must require explicit approval every time, regardless of how well the agent is performing.
  • Not every task should be an agent - and choosing wrong is the most common waste. If you only need an answer, use chat. If the steps never vary, build a fixed assistant workflow (cheaper, more predictable, easier to audit). Reserve agent workflows for genuinely open-ended, multi-step work where the right next step depends on what the previous step found. Over-engineering a one-shot question into an agent adds cost, latency, and risk for no gain.

Deeper dive

Why the chat / workflow / agent distinction is a money decision, not a semantic one

These three are not synonyms for 'better' - they are different cost, risk, and reliability profiles. A chat answer is one round-trip: cheap, instant, zero side effects, but it does nothing in the world. A fixed assistant workflow runs a sequence you designed (route, draft, check, send); it is predictable, auditable, and cheaper because you control the path - Anthropic explicitly recommends it for any task where you can predict the subtasks. An agent workflow lets the model choose its own next step, which is the only thing that handles genuinely open-ended work - but it re-feeds context on every loop, so it costs more tokens and latency, and it demands real testing because its behaviour is not fully predictable in advance. The expert move is to push every task to the cheapest, most predictable tier that can actually do it. Most 'we need an AI agent' requests are really a chat prompt or a fixed workflow wearing an agent costume, and downgrading them saves money and removes risk at the same time.

Permissions and oversight are two separate dials - set both

Beginners conflate 'what the agent can touch' with 'how closely I watch it,' but professionals tune them independently. The first dial is permission scope, set per action: read-only, draft-only, or act - and in 2026 tools like Claude let you set 'always allow / needs approval / block' for each individual tool call, so an agent can freely read your calendar yet be forced to ask before sending an invite. The second dial is the oversight tier: human-in-the-loop (approve before effect), human-on-the-loop (review after), or human-out-of-the-loop (monitor only). A reversible internal draft can be act + human-on-the-loop. An irreversible external send must be act-blocked + human-in-the-loop. The reason to separate the dials is that risk lives in the action, not the tool: the same email connector is harmless for reading and dangerous for sending. Pre-deciding both dials per action class is what lets a manager sign off on an agent they will never personally operate.

Evidence is the feature that makes agents auditable instead of mysterious

The difference between a hobby agent and a professional one is almost entirely the evidence trail. A useful agent reports its trajectory: the inputs it read, the assumptions it made, the actions it took, the outputs it produced, the things it could not verify, and the point at which it stopped. This matters for three reasons. First, trust: you cannot distinguish a correct answer from a confidently-wrong one without seeing the work, and language models are very good at sounding right. Second, debuggability: when an agent fails, the trajectory tells you which step went wrong instead of forcing you to re-run the whole task. Third, scale: the entire economic case for agents is that a person reviews results instead of doing the work - and you can only review what the agent shows you. A one-line instruction to 'report what you read, what you changed, what you assumed, and what you could not verify' converts an opaque handoff into a reviewable piece of work, and it costs almost nothing to add.

Chat vs assistant workflow vs agent workflow - which to use

Pick the cheapest, most predictable tier that can actually do the job. Move up only when the tier below genuinely cannot handle the variation in the task.

DimensionChat promptAssistant workflow (fixed)Agent workflow (autonomous)
Who decides the next stepYou, one question at a timeYou, in advance (fixed sequence)The model, based on the last result
Best forGetting an answer or a draftRepeatable multi-step jobs that never varyOpen-ended, multi-step work where the path depends on findings
Relative cost & latencyLowestLow–medium, predictableHighest - context re-fed each loop
Predictability / auditabilityHigh (single turn)Highest (you control every step)Lower - needs evidence trail and testing
Required oversightRead the answerSpot-check outputs (human-on-the-loop)Approve red-line actions (human-in-the-loop)
Main failure modeHallucinated facts in the answerBreaks when reality differs from the fixed pathSilent overreach or wrong next step without review

Sources (as of June 2026): Anthropic - Building Effective Agents · IBM - What are Agentic Workflows?

Visualisation

Safe agent operating loop

A professional agent workflow is a controlled loop, not an uncontrolled handoff.

  1. 1Goal

    Define the outcome.

  2. 2Context

    Provide files, business rules, and constraints.

  3. 3Tools

    Name what it can call.

  4. 4Permissions

    Set what it may do without asking - and require a plan first.

  5. 5Action

    Allow scoped tool use.

  6. 6Evidence

    Record what happened.

  7. 7Review & stop

    Human checks quality; red lines pause it.

Step by step

1

Classify the task

Take one real task and classify it: chat (you just need an answer or a draft), assistant workflow (the steps never vary, so you can fix them in advance), or agent workflow (it is multi-step and the right next step depends on what the last step found). Only the third is an agent. Write one sentence justifying the choice.

HintIf you can write the exact steps in advance, it is a workflow, not an agent - and a workflow is cheaper, more predictable, and easier to audit.

On this screen

  1. 1The deciding question. Does the next step depend on what just happened? If no, it is chat or a fixed workflow. If yes, it may genuinely need an agent.
2

Write the agent goal and permission scope

State the outcome, the exact inputs in scope, what the agent may do without asking (read, draft, summarise), and what needs approval every time (send, delete, purchase, change settings, touch unlisted data). Set the oversight tier: human-in-the-loop for irreversible actions, human-on-the-loop for reversible internal work.

HintThe goal should be specific enough that a reviewer who never opens the tool can say whether it was completed.

On this screen

  1. 1Two dials, not one. Permission scope (read / draft / act) and oversight tier (approve-before / review-after / monitor-only) are set separately - risk lives in the action, not the tool.
3

Define evidence

Specify what the agent must report back: inputs actually read, assumptions made, outputs created, changes made, anything it could not verify, and where it stopped. Make this a required part of every run, not an optional extra.

HintEvidence turns agent work from mysterious to reviewable - you cannot tell a correct result from a confident wrong one without it. You are done when the evidence list could let a reviewer retrace the run without re-doing it.

4

Set stop conditions

Write three to five actions that require approval before the agent proceeds - typically deleting, sending, purchasing, changing settings, or using confidential data. Keep them short enough to paste into every agent task verbatim.

HintStop conditions are about reversibility and visibility, not the agent's confidence - a confident agent crossing a red line is exactly the case they exist for.

Hands-on task

Complete a task classification sheet (chat / assistant workflow / agent workflow) and write a safe agent brief for one professional workflow, using the production prompt as your template - with permission scope, evidence requirements, and stop conditions filled in.

What you produce

A task classification sheet (chat / assistant workflow / agent workflow) plus a safe agent brief for one professional workflow, including its permission scope, evidence requirements, and stop conditions.

Production prompt examples

Production prompt - a safe, reviewable agent brief you can paste into Claude or ChatGPT
ROLE: You are a careful operations agent. You work in scoped, reviewable steps and never take irreversible or externally visible actions without my explicit approval.

GOAL: <state the single outcome, e.g. "Produce a draft weekly status update from the three files I name.">

CONTEXT (the only inputs in scope):
- <file/source 1>
- <file/source 2>
Do not read, fetch, or assume anything outside this list. If you need something else, ask first and tell me why.

PERMISSIONS:
- ALLOWED without asking: read the listed inputs; produce drafts and summaries; show me a plan.
- NEEDS MY APPROVAL every time: sending any message or email; deleting or overwriting anything; changing any setting; making any purchase or commitment; using any data not listed above.

PLAN FIRST: Before doing anything, show me (1) your understanding of the goal in one line, and (2) your intended steps. Wait for my go-ahead before acting.

EVIDENCE (report this when done, as a short list):
- Inputs you actually read
- Assumptions you made
- What you produced or changed
- Anything you could NOT verify
- Where you stopped and why

STOP CONDITIONS: If a step would send, delete, purchase, change a setting, or touch data outside the list above, STOP and ask for approval - even if you are confident it is correct.

DEFINITION OF DONE: <one sentence a reviewer can check, e.g. "A 200-word draft update saved as text, citing only the three named files.">
  • ROLE + the 'scoped, reviewable steps' framing sets the safe behaviour before any task is described - the model defaults to caution.
  • The CONTEXT allow-list is both a safety boundary and a cost control: it stops the agent from wandering into files it does not need.
  • Splitting PERMISSIONS into 'allowed without asking' vs 'needs approval' is the per-action control real tools expose - paste it so any tool inherits the policy.
  • PLAN FIRST forces a review gate before action, which is what separates an agent workflow from a blind handoff.
  • The EVIDENCE block is the single highest-value addition: it turns the result from something you must trust into something you can review.
  • STOP CONDITIONS are short on purpose - keep them paste-ready so every agent task carries the same red lines.

Common mistakes to avoid

  • Calling any chatbot interaction an 'agent' - the word means autonomous next-step decisions within a scoped task, not just AI that responds.
  • Building an agent workflow for a task whose steps never vary, when a cheaper, more predictable fixed workflow would do the same job with less risk.
  • Granting permission at the tool level ('it can use email') instead of the action level ('it may draft, never send without approval').
  • Skipping the evidence trail, which makes results impossible to trust, review, or debug at scale.
  • Applying one oversight setting to everything instead of matching human-in-the-loop, on-the-loop, or out-of-the-loop to each action's risk.
  • Running agent workflows on sensitive or production data before permission, evidence, and review rules exist.

Source conflicts to review

  • The word 'agent' is used inconsistently across the industry: many vendors label any tool-using LLM an 'agent,' while Anthropic reserves the term for systems that dynamically direct their own process and call the predefined-path case a 'workflow.' This lesson teaches the autonomy-based definition; expect looser usage in marketing material.
  • Autonomy is a spectrum, not a binary - sources differ on where 'copilot' ends and 'agent' begins. Treat the chat / assistant-workflow / agent-workflow split as a practical decision tool for choosing oversight and cost, not a rigid taxonomy.

Key terms

Agent
A system where the model dynamically decides its own next step and tool use within a scoped goal - distinct from a fixed workflow whose path is set in advance.
Assistant workflow
A predefined sequence of steps you design (route, draft, check, send); predictable and auditable because you control the path, not the model.
Agent loop
The repeated cycle of goal, context, tools, permissions, action, evidence, and review/stop that a safe agent runs toward an outcome.
Scoped permission
An action-level rule (read / draft / act, or always-allow / needs-approval / block) describing exactly what an agent may do without asking.
Evidence trail
The inputs read, assumptions made, actions taken, outputs produced, and unverified items an agent reports for human review.
Human-in / on / out of the loop
Three oversight tiers - approve before an action takes effect, review outcomes after, or monitor a fully autonomous low-risk task.
Stop condition
A red-line action (send, delete, purchase, change settings, touch confidential data) that requires explicit approval every time.
LLM
Large language model - the AI text engine behind tools like ChatGPT and Claude.
Token
The small chunks of text a model reads and writes; usage and cost are metered in tokens, which is why agent loops that re-feed context cost more.

Resources

Checkpoint

Is your chosen workflow really an agent workflow - where the next step depends on what just happened - or would a chat prompt or fixed assistant workflow be safer, cheaper, and simpler?