The foundation of effective regulation starts with businesses’ understanding of how AI will contribute to business functions. When ChatGPT was introduced back in November 2022, businesses were keen to utilise it as a major cost-saving tool, which led to industry reports collectively forecasting Generative AI’s economic contribution to GDP to exceed $20 trillion and save 300 billion work hours per annum. However, as a consequence of Generative AI’s rapid uptake, Gartner is forecasting that at least 30% of Generative AI projects will be abandoned by the end of 2025 due to a combination of poor-quality data and inadequate risk management. With the uptake of Generative AI continually expanding and knowledge distillation facilitating the creation of new Large (and Small) Language Models (S/LLMs), the question turns to how this new wave of AI, namely Agentic AI, will make its mark in the wider technological landscape.

Do we need a new suite of regulations?

To determine whether the risks of Agentic AI are suitably covered within existing regulations, policymakers and business leaders will need to assess their internal governance against the broader approaches specific to the jurisdiction(s) they’re operating in. There’s an array of existing literature covering Agentic AI within the EU’s AI Act, so for the purposes of this article, I will cover it within the context of the UK’s pro-innovation approach. Ultimately, the question on policymakers’ minds will stem from the fact that aspects of AI are moving in a direction where they take an arguably uncomfortable level of control.

From the UK’s standpoint, Agentic AI has been referenced both in the 2025 AI Opportunities Action Plan and the prior 2024 independent report, highlighting its prominence as an area to watch from a regulatory perspective. As in the original pro-innovation white paper published back in 2023, sector-specific regulators will monitor and issue guidance accordingly.

One area that could affect how governments plan their compute strategy is the recent passing of the Data (Use and Access) Act 2025. The Act doesn’t replace the Data Protection Act 2018 or the General Data Protection Regulation (GDPR), but instead introduces changes to the interpretation of certain aspects of data processing. Notably, allowing for a broader spectrum of processing without requiring a full balancing test against an individual’s rights arguably “frees up” innovative practices that may have been prohibited in the past under the existing rules. Conversely, concerns could arise over the level of flexibility, which may ultimately, in certain scenarios, result in an increase in civil claims. As with the rest of the UK’s AI regulation, the regulators and government will likely need to see such cases arise, and their outcomes, before determining what, if any, changes are required in the legislation.

The challenges of a specific regulation

The foreseeable future is unlikely to introduce Agentic AI-specific regulation. However, the Department for Science, Innovation and Technology (DSIT), back in January 2025, published the UK’s Code of Practice for the Cyber Security of AI, outlining how companies should, within the AI lifecycle, look out for use cases pertaining to increasingly autonomous agents. This guidance, in tandem with existing regulatory frameworks, will likely remain for some time unless there is a material shift in the Agentic AI landscape that would render the current intersecting frameworks unsustainable from a legal perspective. The latter, however, does raise questions about the legal effectiveness of certain subsets of the UK’s GDPR, namely Articles 13 and 14, along with Article 22.

Under Articles 13 and 14 of GDPR (Transparency, Explainability and Right to Information), citizens are entitled to information on how their data will be used. However, when Agentic AI is introduced, this adds a layer of complexity.

The benefits of increased autonomy also carry the risk of self-generated decisions that aren’t observable or foreseen during the deployment stage, leading to gaps in DPIA development and explainability in system output. The latter has always been a challenge with AI, but to manage these difficulties within the parameters of Agentic AI, companies should describe in layman’s terms how far AI’s autonomy can extend. Whilst this won’t directly ameliorate any unintended consequences, it will go some way in outlining how actions may stem from model outputs that humans may not understand.

More pressingly, the increased automation Agentic AI brings risks Article 22 GDPR being invoked. Data subjects have the right not to have a decision made on and/or about them through entirely automated means, and as a result, organisations will need to ensure they have, among other scenarios, measures in place to allow for contestability of decisions in high-impact use cases. In the event of Agentic AI’s involvement in decisions in areas such as finance or employment, there’s a risk that automated recommendations could result in automated final outcomes, posing a significant risk to human rights without the requisite legal oversight.

Conclusion

Over the coming years, regulation of Agentic AI will present a significant challenge on top of the already-challenging regulatory arena. As the regulators, over time, start to see consequences of AI emerge across different sectors, existing compliance measures will be tested to determine how well Agentic AI responds to the UK’s approach, and what, if any, changes are required.

Bibliography

[1] oecd.ai. (n.d.). OECD’s live repository of AI strategies & policies. [online] Available at: https://oecd.ai/en/dashboards/overview/policy.

[2] Wyman, O. (2024). How Generative AI Is Transforming Business and Society. [online] Oliver Wyman Forum. Available at: https://www.oliverwymanforum.com/global-consumer-sentiment/how-will-ai-affect-global-economics.html.

[3] Gartner. (2024). Market Guide for Generative AI Consulting and Implementation Services. [online] Available at: https://gcom.pdo.aws.gartner.com/en/documents/5752115 [Accessed 25 Jun. 2025].

[4] Legislation.gov.uk. (2025). Data (Use and Access) Act 2025. [online] Available at: https://www.legislation.gov.uk/ukpga/2025/18/enacted [Accessed 25 Jun. 2025].

[5] Department for Science, Innovation and Technology. (2025). AI Cyber Security Code of Practice. [online] GOV.UK. Available at: https://www.gov.uk/government/publications/ai-cyber-security-code-of-practice.

[6] GDPR (2013). General Data Protection Regulation (GDPR) – Final text neatly arranged. [online] General Data Protection Regulation (GDPR). Available at: https://gdpr-info.eu/art-13-gdpr/.