Enterprise AI agents

An AI agent is an LLM in a loop with tools. The model is given an objective, picks an action (search the web, run code, query a database, call an API, ask a human), observes the result, decides the next action, and continues until it has either achieved the objective or decided it cannot. The loop is the agent; the LLM is the brain inside it.

This is materially different from a chatbot. A chatbot answers a single question with text; an agent executes a multi-step task that may take minutes or hours and touch real systems. Examples in the wild today: a research agent that reads 200 papers and produces a literature review with citations; a coding agent that opens a pull request from a bug description; a back-office agent that reconciles invoices across three systems; a procurement agent that drafts and routes a contract.

• Capability is finally there: Tool use and long-horizon planning are no longer demos. 2026-class models can autonomously plan, call tools, and complete multi-step engineering and analyst tasks well enough to be genuinely useful inside an enterprise.
• Workflow fit: Most enterprise work is not single-turn Q&A. It is multi-step processes across multiple systems, exactly what agents are designed to automate.
• Economics: An agent that handles a category of work end to end displaces work, not minutes. The unit economics are different from per-seat copilots.
• Compounding: Agents learn from their own runs (success and failure traces) when those traces are kept inside the organisation, turning every executed task into training data.

• Data exfiltration risk: An agent with web access and access to your documents can be tricked, via prompt injection in a retrieved page or email, into sending sensitive data outward. This is the headline novel risk.
• Action risk: Agents call real APIs. A buggy or coerced agent does not just say something wrong, it does something wrong, sometimes irreversibly.
• Audit and attribution: When a model and a human collaborate over many steps, regulators (and incident responders) want to know who decided what. That requires structured logging of the full trace.
• Vendor lock-in on the model: Production agentic systems are tightly coupled to the model's behaviour. A vendor changing the model under you can silently break flows that are now load-bearing.
• Cross-border data flow: Agents make many model calls per task. On a hosted API, every step ships data abroad. Residency exposure scales with autonomy.

• Own the model: Agents amplify whatever the underlying model does. You want a model you can document, evaluate, and version, not one that can be swapped under you mid-quarter.
• Run inside your perimeter: Every step's prompts, retrievals, and outputs stay in your environment. This is the only architecture that keeps prompt-injection blast radius contained.
• Scope tools tightly: Each tool gets least-privilege credentials. The agent's web tool reads, it does not browse arbitrary internal URLs. Its email tool drafts, it does not send.
• Human-in-the-loop on irreversible actions: Payments, contracts, code merges, customer-facing communications, all require explicit human approval, gated by policy not by the model's judgement.
• Full trace logging: Every prompt, tool call, retrieval, and output is logged with stable IDs so a run is fully reconstructible months later.
• Evaluation, not just unit tests: Agents are evaluated on end-to-end task success against held-out scenarios, with regression suites that catch behaviour drift on model updates.

• Research and analyst workflows: Multi-document synthesis with traceable citations, lower irreversibility, large time savings.
• Software engineering: Bug triage, test generation, focused refactoring, scoped pull requests under human review.
• Operations and back-office: Invoice reconciliation, KYC pack assembly, contract redlining against playbooks, all systems-of-record work.
• Domain-expert assistants: Agents that combine retrieval over the firm's documents with reasoning the post-trained model has actually been taught, e.g. a legal agent that knows your firm's playbook, a clinical agent that knows your protocols.

Locai builds the substrate that makes agentic AI safe in regulated environments: a model you own, post-trained on your domain, deployed inside your perimeter, with a serving and application layer that supports tool use, retrieval, identity, and full trace logging. The principle behind the work is the same as for any Locai deployment, a smaller expert model trained on your data routinely outperforms a much larger generalist on the work you actually care about, and you own it. The result is sovereign AI agents: the autonomy you actually want, on infrastructure you actually control, under UK jurisdiction and built to fit GDPR.