
AI Agents Decoded
What managed agents actually mean for your business

Microsoft is putting AI agents in Teams. Anthropic is offering managed agents with plugins and connectors. Google is doing the same. Every vendor is using slightly different words to describe roughly the same thing: software that can think, plan, and act on your behalf — automatically, inside your business systems. This guide explains what that actually means, in plain English.

Who this is for: Business owners, IT managers, MSPs, and operations leads who keep hearing about "AI agents" and want to understand what's actually happening — without wading through technical documentation.

What is an AI agent?

Most people's first encounter with AI was a chatbot: you ask a question, it answers, you move on. That's useful, but it's fairly limited. An AI agent is something more ambitious — it's an AI system that can take actions, not just answer questions.

A chatbot is like a very knowledgeable colleague you can ask anything. An AI agent is like a colleague who can actually do things for you — log into your systems, draft documents, send emails, update records — without you supervising every step.

That distinction matters enormously. When an AI is just talking, mistakes are annoying. When an AI is acting, mistakes can be costly.

Type: 💬 Chatbot / assistant
Responds to questions. Reads, but rarely writes. Examples: customer-facing chat, internal Q&A bots.
Autonomy: Low
Risk level: Low
What it actually does: You ask it to summarise a document. It does.

Type: 🔧 Tool-using AI
Can call external tools — search the web, run code, query a database — but a human initiates each action.
Autonomy: Medium
Risk level: Low–Medium
What it actually does: You ask it to find all invoices over £10,000. It queries your accounting system and returns results.

Type: 🤖 AI agent
Plans and executes multi-step tasks autonomously. Can take actions — send emails, create records, approve items — without a human approving each step.
Autonomy: High
Risk level: Medium–High
What it actually does: You ask it to process new supplier applications. It reads them, runs checks, updates your CRM, and sends approval or rejection emails.

Type: 🕸️ Multi-agent system
Multiple AI agents working together, each with specialised roles, handing tasks between them. Complexity multiplies.
Autonomy: Very High
Risk level: High
What it actually does: One agent monitors your inbox, another drafts responses, a third updates Salesforce, and a fourth flags anomalies to a manager.

The jargon, decoded

Every vendor uses slightly different terminology. Here's a glossary that cuts through the noise.

Managed agent

An AI agent provided and maintained by a platform vendor (Microsoft, Anthropic, Google) rather than built in-house. You configure and deploy it; they handle the underlying AI model.

Real example: Microsoft Copilot agents in Teams. Anthropic Claude agents via the API.

Plugin

An extension that gives an AI agent access to a specific tool or data source. Think of it like an app you install. The agent uses the plugin to do things it couldn't do on its own.

Real example: A Jira plugin lets your Copilot agent create and close tickets. A Stripe plugin lets it check payment status.

Connector

A pre-built integration that links the AI platform to another system. Similar to a plugin, but often managed at the platform level rather than per-agent.

Real example: Microsoft Power Platform connectors to Salesforce, SharePoint, Dynamics — giving Copilot agents access to those systems.

Orchestrator

The component that decides which agents to call, in what order, and what to do with the results. It's the manager of a multi-agent system.

Real example: In Copilot Studio, the main agent acts as orchestrator when it delegates to specialist sub-agents.

Tool call

When an AI agent reaches out to an external system (API, database, service) to do something — read data, write data, trigger an action.

Real example: Agent reads customer record (tool call 1), checks credit (tool call 2), creates contract draft (tool call 3).

Human-in-the-loop

A checkpoint where a human must approve or review before the agent continues. Critical for high-stakes actions.

Real example: Agent prepares an invoice for payment, but a human must click 'Approve' before money moves.

What the big platforms are actually shipping

To make this concrete: in 2025, Anthropic announced managed Claude agents with plugins and connectors for financial services. Microsoft is rolling out Copilot agents through Teams and Copilot Studio. Google has Gemini agents in Workspace. These are not demos — they are available to deploy today.

🪟 Microsoft Copilot agents

Available through Microsoft 365 (Teams, SharePoint, Outlook). Built with Copilot Studio. Can read and write to Microsoft 365 data, Power Platform, and hundreds of third-party systems via connectors.

Requires M365 E3/E5 + Copilot licences

🤖 Anthropic Claude agents

Deployed via the Claude API using the Agent SDK. Managed agents can be given plugins (tools) and connectors to specific systems. Anthropic hosts the model; you control the configuration and deployment.

API access + Claude Pro / Teams / Enterprise

🔷 Google Gemini agents

Available through Google Workspace and Vertex AI. Agentspace provides a hub for enterprise agent deployment. Connects to Drive, Gmail, Calendar, and third-party systems.

Google Workspace Business / Enterprise

The common pattern: Each platform gives you a managed AI model (they handle the infrastructure and model updates), plus a way to connect it to your business systems. The question is always the same: what can this agent access, what can it do, and who's watching?

What can go wrong — and why it matters

Every capability is also a risk. An agent that can read your email and take actions is useful — and it's also a very powerful thing to get wrong. The PAI Production Safety Framework (PSF) organises these risks into 8 domains. Here are the ones most relevant to a first agent deployment.

D1 · Input Governance

What data is being fed into the agent? Sensitive customer data, financial records, health information — all could be processed by AI models hosted outside your jurisdiction.

Do you know what data your agents are processing, and are you allowed to process it that way?

D2 · Output Validation

Agents can confidently produce wrong answers — hallucinated numbers, wrong names, incorrect calculations. If outputs are acted on automatically, errors propagate.

Who or what checks agent outputs before they become actions?

D4 · Observability

When an agent does something unexpected, can you find out what happened? Without logging, you're flying blind.

Do you have audit logs of what your agents did, when, and why?

D5 · Deployment Safety

Rushing to deploy without testing failure modes. What happens when the agent gets an unusual input? Does it fail gracefully or do something catastrophic?

Have you tested what the agent does when it's wrong, confused, or manipulated?

D6 · Human Oversight

Agents that act without any human checkpoint on consequential decisions. Automating the wrong thing at the wrong time.

What decisions require human approval, and is that enforced in the system?

D8 · Vendor Resilience

Your business process now depends on a third-party AI service. What happens if it goes down, changes its pricing, or gets acquired?

What's your fallback when the AI service is unavailable?

These aren't theoretical concerns. The PAI incident database already contains dozens of real cases where automated AI actions caused data exposure, incorrect financial entries, inappropriate communications sent to customers, and system state corruption. The good news: all of these were preventable with the right controls in place before deployment.

How to get ready

You don't need to wait for perfect conditions — but you do need to ask the right questions before you deploy. Here's a quick readiness checklist:

Data inventory: Know what data your agents will touch. Personal data? Financial records? Health information? Each category has different rules.

Access scope: Apply least-privilege. Give agents access to what they need — nothing more. Don't give a customer service agent access to payroll systems.

Human checkpoints: Define which actions require human approval. Start conservative. Automate more as confidence builds.

Logging plan: Decide now how you'll log what agents do. You need this for debugging, for compliance, and for trust.

Failure plan: Decide now what happens when the agent gets it wrong. Who finds out? What do they do? What gets checked?

Vendor dependency: Understand what happens to your workflow if the agent platform goes offline or changes pricing.
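
For IT teams, the access scope, human checkpoints and logging plan items above can be enforced in one place: a gate that every agent tool call passes through before it reaches a business system. This is an added example, not code from any vendor or from the PSF; the agent names, tool names and the authorize_tool_call function are hypothetical.

```python
import json
from datetime import datetime, timezone

# Constructed policy for illustration: agent and tool names are hypothetical.
POLICY = {
    "customer_service_agent": {
        "allowed_tools": {"read_customer_record", "draft_reply", "issue_refund"},
        "needs_approval": {"issue_refund"},  # consequential: money moves
    },
    "accounts_agent": {
        "allowed_tools": {"read_invoice", "pay_invoice"},
        "needs_approval": {"pay_invoice"},
    },
}

# Assumption: a real deployment would write to append-only storage
# that the agent itself cannot modify. A list stands in for it here.
AUDIT_LOG = []


def _record(agent, tool, args, decision, reason):
    """Logging plan: every request is recorded, including refusals."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "agent": agent, "tool": tool, "args": args,
        "decision": decision, "reason": reason,
    }
    AUDIT_LOG.append(json.dumps(entry, sort_keys=True))
    return decision


def authorize_tool_call(agent, tool, args, approved_by=None):
    """Return 'allow', 'deny' or 'pending_approval' for one tool call."""
    rules = POLICY.get(agent)
    # Access scope: unknown agents and unlisted tools are denied by default.
    if rules is None:
        return _record(agent, tool, args, "deny", "unknown agent")
    if tool not in rules["allowed_tools"]:
        return _record(agent, tool, args, "deny", "tool outside agent's scope")
    # Human checkpoints: consequential tools wait for a named approver.
    if tool in rules["needs_approval"] and not approved_by:
        return _record(agent, tool, args, "pending_approval",
                       "human approval required")
    reason = f"approved by {approved_by}" if approved_by else "within scope"
    return _record(agent, tool, args, "allow", reason)
```

The gate only helps if the agent has no other route to the underlying systems, so the credentials for those systems belong to the gate, not to the agent.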