AI agents are moving into real software and finance

AI agents are software systems that can plan, use tools, and act with limited human input.

AI agents are no longer a fuzzy idea tucked inside research papers. By 2025, they were showing up in coding tools, customer support, government pilots, browser workflows, and financial risk discussions, with regulators warning that more autonomous systems could create new problems if they start taking actions on their own.

What counts as an AI agent

The term does not have one strict definition, which is part of the problem. In the Wikipedia entry, AI agents are described as systems that pursue goals, use tools, and take actions with varying degrees of autonomy, usually inside human-defined objectives and constraints.

That broad definition matters because the label now covers a lot of different software. Some agents are little more than chatbots with tools attached. Others can search the web, call APIs, draft code, manage memory, and move through a multi-step task without waiting for every click from a person.

Common traits show up again and again: goal-directed behavior, natural-language input, external tool use, and multi-step execution. Many systems also include planning logic, memory, orchestration software, and a large language model as the control layer.

• Agents can book travel, answer support tickets, or query internal data.
• They often rely on tool calling and retrieval systems.
• They are usually built around a large language model such as ChatGPT-style systems or other foundation models.
• They can be wrapped in orchestration layers that decide which step happens next.

Why the finance crowd is paying attention

The sharpest warning in the source material comes from finance, not from consumer apps. Financial authorities have said more complex and autonomous agentic AI could become a channel for systemic risk, especially if the systems are allowed to initiate or execute financial actions with little oversight.

That concern is easy to understand. A human trader can be monitored, questioned, and stopped. An agent that chains together data access, analysis, and execution can move faster than a manual review process, and speed is exactly what makes mistakes spread.

“Autonomy is a spectrum, and the amount of human supervision matters.” — Financial Times reporting on AI agents and autonomy levels

The finance angle also splits into two risk buckets. One is internal: agents built inside a bank, fund, or insurer that can make bad calls, misread market data, or act outside policy. The other is external: tools sold by tech firms that can trigger financial actions after a user prompt, which creates a new attack surface and a new compliance headache.

Regulators, central-bank officials, and industry specialists have already discussed these risks in workshops. That matters because it shows the concern is not theoretical hand-wringing; it is becoming part of supervisory planning.

Where agents are already showing up

The most visible adoption is in software work. By August 2025, New York Magazine described software development as the most definite use case for AI agents, and The Information later said coding agents and customer support were the main business uses by October 2025.

That lines up with what developers are seeing in products from Cursor, OpenAI, Microsoft, AWS, and Google Cloud. The pitch is simple: let the model do the repetitive work, keep a person in the loop for the final decision, and ship faster.

But the rollout has been uneven. The Wall Street Journal reported in November 2025 that few companies deploying AI agents had seen a return on investment. That is a useful reality check for a field that often gets described as if every demo will become a business line.

• Salesforce Agentforce was used by Kyle, Texas for 311 service in March 2025.
• The IRS said in November 2025 it would deploy Salesforce AI agents for legal and taxpayer-support work.
• Windows 11 test builds in November 2025 included agents that could read and write personal files.
• ByteDance Doubao was integrated into smartphone operating systems in December 2025.

The technical stack is getting more formal

AI agents are moving from ad hoc demos toward more defined architectures. Ken Huang’s seven-layer reference model, cited in the source, breaks the stack into foundation models, data operations, agent frameworks, deployment, evaluation, security, and the agent ecosystem.

That layering matters because it shows where the hard work sits. The model itself is only one part. Data loaders, vector databases, retrieval-augmented generation, observability, and compliance controls can matter just as much when the agent is placed in a real workflow.

There is also a growing interest in orchestration patterns. Prompt chaining, routing, parallelization, sequential processing, and planner-critic loops all describe different ways to split a task across steps or across agents. In practice, these patterns are attempts to make an agent predictable enough to trust, which is still a high bar.

Multimodal agents add another layer of complexity. With vision-language models and other multimodal foundation models, an agent can inspect images, video, and interface elements, then act on what it sees. That is powerful for search, summarization, and robot control, but it also widens the number of ways the system can fail.

Why the autonomy debate is still unsettled

The Financial Times comparison to self-driving cars is useful because it gives a rough mental model. Most current agentic systems behave more like level 2 or level 3 automation, some specialized setups reach level 4 in narrow conditions, and level 5 remains theoretical.

That framing is helpful, but it should not create false comfort. A level 2 system that is wrong at scale can still generate expensive mistakes, especially when it has access to email, files, browsers, or financial tools. The issue is less “Can it think?” and more “What can it do before someone notices?”

Security work is starting to catch up. Threat modeling frameworks for agents now focus on prompt injection, tool abuse, bad memory writes, permission creep, and unsafe execution paths. Those are the kinds of failures that matter when a system can take action instead of just answering a question.

• Prompt chaining makes errors propagate from one step to the next.
• Routing can send a request to the wrong tool or specialist agent.
• Parallelization can speed up work while multiplying failure points.
• Planner-critic loops can improve quality, but they also add cost and latency.

What to watch next

AI agents are moving from hype vocabulary into procurement, product design, and policy debates. The most important question now is not whether they can do impressive demos. It is whether they can be audited, bounded, and measured well enough to survive contact with real systems.

If the next wave of deployments comes with clearer permissions, better logging, and stricter human approval for high-stakes actions, agents may become ordinary infrastructure. If those controls lag behind adoption, the finance warnings will look less like caution and more like early notice.

For readers tracking this space, the useful signal is simple: watch where agents are allowed to act, not just where they are allowed to talk. That is where the risk, and the value, will show up first.