Agentic artificial intelligence (AI) is beginning to reshape risk and compliance functions in organizations, according to new research from Moody’s. The study, which surveyed 600 global risk and compliance professionals, examined the current level of awareness, adoption rates, and challenges related to agentic AI—defined as AI agents that search for information, make recommendations, or trigger actions across systems.

The survey found that approximately 40% of risk and compliance professionals are now aware of agentic AI in their field, with 26% actively using these models. While agentic AI lags behind other types such as generative AI (GenAI), large language models (LLMs), and natural language processing (NLP), its adoption is growing quickly as organizations seek greater automation in their workflows.

“The first three [AI types] are self-explanatory, but the last one [agentic AI] is a bit new, and I don't think a lot of organizations, especially within financial services, really use it at this point,” said a Risk and Governance Director in Banking for Europe, the Middle East, and Africa.

Organizations are applying agentic AI primarily to automate manual or repetitive processes—an approach identified by 34% of respondents. An equal percentage reported using agentic AI both for automation and augmentation purposes. Additionally, 32% said they use it to enhance human decision-making by providing analytical insights and recommendations. This indicates a shift toward leveraging agentic AI not only for routine tasks but also to support more complex judgments.

“It’s typical to start with the business case to automate something and then quickly realize we need to also bring in other information and human decision-making, so we quickly move to a mix,” said a Director of Professional Services in Europe, the Middle East, and Africa.

Despite these advances, most organizations remain cautious about allowing full autonomy for AI systems. Only 4.5% trust agentic AI to act independently; instead, 47% require that these systems make recommendations while humans retain final decision-making authority. Another 27% allow some degree of autonomy but maintain rigorous audits and monitoring controls.

“Ultimately it is the human beings that have to be accountable... You can't outsource accountability. That's a principle in regulation that will always stay, so I think human involvement has to be mandatory,” said a Head of Compliance in Professional Services for Europe, the Middle East, and Africa.

Concerns persist around overreliance on agentic AI—which could erode human expertise—and issues like data privacy and transparency. The lack of transparency can lead to what some describe as “black box” scenarios where neither inputs nor outputs are fully understood by users.

“The biggest risk that I see is that we're building a black box and that’s where we lose control... The risk is that we build this black box, and nobody understands what we put in and what comes out,” said a Director of Professional Services in Europe, the Middle East, and Africa.

Regulatory priorities identified by respondents include strong safeguards for data privacy (20%), clear frameworks for legal accountability (16%), transparency (13%), and formal governance processes (8%). These concerns highlight the importance of maintaining ethical standards while adopting new technologies.

“I think the most important part is promoting transparency because that will mitigate the risk of the black box scenario, and that's the key risk,” said another Director of Professional Services in Europe, the Middle East, and Africa.

As adoption accelerates—particularly among organizations seeking operational efficiency—Moody’s research suggests senior leaders must ensure accountability through robust governance frameworks, regular audits, staff training, and regulatory compliance. Widespread adoption is expected within one-to-three years for organizations prepared to address oversight, transparency, and regulatory challenges.

For further details on Moody’s study into AI-driven risk compliance practices or to contact their team directly, visit their website.