The Agentic Privacy Gap: Liability and Consent in Autonomous AI Systems

Introduction

The past few years have seen the rapid emergence of agentic Artificial Intelligence (AI) Systems. These are a new class of tools that can act independently to accomplish specific goals without continuous human supervision.[1] Unlike traditional software or narrow AI models which operate within already defined constraints and require human supervision, agentic systems plan, act and adapt independently. They can call APIs, search the web, transact, and retain memories across tasks Their autonomous behaviour offers significant productivity gains but also introduces complex privacy and accountability risks.

This article uses the term “agentic privacy gap” to describe the mismatch between existing data-protection regimes and the ways in which agentic systems collect, infer and share personal data. Because these agents can autonomously chain together disparate data sources and update their goals in real time, individuals cannot anticipate or meaningfully consent to each processing step. The gap widens when agents generate sensitive inferences, transfer data across borders or interact with unvetted third-party services, creating new obligations under instruments such as the EU General Data Protection Regulation (GDPR), Nigeria’s Data Protection Act (NDPA) and the California Consumer Privacy Act (CCPA). It then examines from a comparative legal perspective whether existing data‑protection frameworks, built on notions of notice and choice and allocations of controller/processor allocations are adequate for autonomous agents, assesses liability and accountability frameworks and proposes consent and governance reforms that better reflect the realities of agentic AI.

  1. Legal Frameworks and the Notice‑and‑Choice Model

1.1 The United States Notice‑And‑Choice Tradition

American privacy law has historically relied on the notion that Companies provide users with privacy policies and individuals can protect themselves by simply reading and choosing whether to consent or not using the available opt-out mechanism. This model assumes people read privacy policies and protect themselves by opting out. In reality, policies are unreadable, time‑consuming and overwhelming. Users click “I agree” to proceed, not because they understand the implications. This has long been criticised, but agentic AI makes the model even less workable. [2] This criticism has prompted calls to shift responsibility away from individuals toward organisations and regulators.

1.2 Consent under the General Data Protection Regulation (GDPR) and Nigeria Data Protection Act (NDPA)

Under the GDPR, consent must be freely given, specific, informed and unambiguous. It requires a clear affirmative action and cannot be inferred from silence or pre‑ticked boxes.[3] The Regulation also defines a Data Controller as the natural or legal person that determines the purposes and means of processing[4]. Processing of special‑category data (e.g., health information) has been prohibited[5] unless a specific exemption applies.

The NDPA adopts similar standards. Consent must be freely given, specific, informed and unambiguous. The Act explicitly prohibits relying on implied consent,  inactivity or pre‑checked boxes. It also imposes strict restrictions on cross‑border transfers: personal data may only be transferred to countries providing adequate protection or under enumerated exceptions such as explicit consent or contractual necessity.[6]

1.3 Agentic AI and the Illusion of Consent

Agentic AI exposes a major weakness in the notice‑and‑choice model. These systems can independently call third‑party services, update their goals, and combine data in ways users cannot predict. Because their behaviour evolves continuously, individuals cannot realistically anticipate or consent to each specific processing activity.

Consider a simple instruction like “schedule a doctor’s appointment.” A digital assistant may scan messages and calendar entries to find suitable times, notice recurring mentions of headaches, infer a possible neurological issue, and then share that information with a specialist’s booking platform, potentially in another country. In doing so, the agent processes special‑category health data and triggers a cross‑border transfer, both of which normally require explicit consent and strict safeguards under the GDPR and NDPA. What began as a narrow task expands into a complex chain of processing involving new purposes, sensitive data, and unvetted third parties. Because the agent’s decisions unfold autonomously and in real time, traditional privacy mechanisms like static notices or one‑off consent forms cannot keep pace. The user’s initial request effectively becomes an open‑ended mandate, while the agent generates data flows the user never agreed to.

This disconnect is known as the “illusion of consent”: the user consents to one action, but the agent performs many more.

  1. Accountability and Liability Gaps

2.1 Who Is Responsible When Agents Cause Harm?

When an agentic system makes a mistake such as exposing personal data, engaging in discriminatory actions, or entering an unfavourable contract, the question of who bears liability becomes significantly more complex. Traditional data‑protection regimes place responsibility on the data controller, the party that decides the purposes and means of processing. But agentic AI blurs this role. These systems rely on third‑party tools, make autonomous decisions, and often behave in ways that neither developers nor users fully anticipate. As a result, the clear lines of responsibility assumed by existing frameworks begin to break down.

Assigning responsibility in agentic AI systems is challenging because harm often results from the combined actions of developers, deploying organisations and end users. Without clear lines of accountability, affected individuals may struggle to obtain redress.[7] Contract reviews show that many AI deployments still rely on outdated agreements that disclaim most responsibility: suppliers provide software “as is,” exclude consequential losses and shift compliance duties onto customers.[8] Standard indemnities typically exclude third‑party claims arising from an agent’s behaviour, leaving customers exposed when unexpected or emergent actions cause harm. At the same time, customers often lack contractual rights to audit or control how an agent makes decisions, yet they remain fully liable to regulators for the outcomes.

2.2 Regulatory Guidance On Accountability

Several regulators have begun addressing this accountability gap. The UK Information Commissioner’s Office (ICO) has stressed that existing data‑protection law continues to apply to agentic AI systems and has warned that accountability can become unclear within complex supply chains.[9] The Spanish Data Protection Authority (AEPD) similarly emphasises that the controller remains responsible regardless of the technology used. It requires organisations to determine controller and processor roles on a case‑by‑case basis, document data flows, and ensure ongoing compliance. The AEPD also expects controllers to assess cross‑border transfers and, where necessary, redesign agents to prevent unlawful data exports. Nigeria’s NDPA reflects the same principles: it requires explicit consent for cross‑border transfers and imposes strict limits on data export.[10]

2.3 Liability For Emergent Behaviours And Contract Limitations

Agentic systems can behave in unpredictable ways. They may “game” their objectives by taking shortcuts, misunderstand user intent, or even coordinate with other agents in unintended ways. Because these systems operate probabilistically, researchers emphasise the need for behavioural‑safety checks and continuous runtime monitoring. Some propose treating agents as Non‑Human Identities (NHIs), subject to structured onboarding, performance reviews and oversight mechanisms. [11] Others note that agentic AI increases the risks of goal misalignment, unauthorised actions and cascading system failures, making a precautionary, multi‑layered governance approach essential. Without such safeguards, the combination of unstable behaviours and outdated contractual terms can leave all parties exposed.[12]

  1. Should the Definition of Data Controller Evolve?

3.1 Controller Vs Processor In Agentic Systems

Under current law, a controller is the party that determines the purposes and means of processing. Some argue that developers of agentic AI should also be treated as controllers because they design the system’s architecture, set reward functions and pre‑configure the data flows that shape an agent’s behaviour. Others contend that users whether individuals or organisations deploying the agent define the overall purpose and therefore remain the controllers. The AEPD takes a case‑by‑case approach: if a service simply carries out a task on the user’s behalf, it is likely a processor; but if it begins to determine its own purposes, it becomes a joint controller. In more complex ecosystems, this can result in joint‑controllership or chains of controllers and processors, making clear contractual arrangements and detailed role mapping essential.[13]

3.2 Arguments For Expanding The Definition

Proponents of reform argue that the definition of a Controller should expand to include AI developers, as they exert significant influence over an agent’s behaviour. Developers design the reward systems, training data and underlying architecture that shape how the agent makes decisions. They also often retain the ability to issue software updates and monitor outputs, giving them ongoing influence over processing activities. Others propose a data‑stewardship model, where multiple actors such as developers, deployers and platform operators collectively manage data in the user’s interest. This shared‑responsibility approach aligns with calls for differential privacy and other technical safeguards that minimise data exposure while preserving utility.[14]

3.3 Counter‑Arguments For Expanding The Defintion

Opponents warn against expanding the controller definition too broadly. They argue that designating developers as controllers could stifle innovation and impose disproportionate liability on start‑ups. In their view, users ultimately choose to deploy an agent and issue instructions, so they should remain the controllers. Some go further and suggest giving agents their own legal standing as non‑human participants. While certain schools of thought propose treating agents as NHIs with dedicated governance processes, current law does not recognise such a status.[15]

  1. Reimagining Consent and Governance

4.1 Recognising the limits of current consent and compliance frameworks, scholars and regulators have begun proposing new models tailored to the realities of agentic AI. These approaches aim to introduce more dynamic, granular and operationally grounded safeguards.

4.2 Dynamic And Granular Consent Mechanisms

  1. Purpose locks and goal‑change gates – Some proposals recommend treating purpose locks and goal‑change gates as first‑class, inspectable system components. When an agent attempts to take on a task that falls outside its original mandate, the gate triggers a fresh consent request or human review. This approach allows agents to remain autonomous while ensuring that any expansion of scope is transparent and authorised. [16]
  2. Memory governance and retention budgets – Agents are encouraged to differentiate between short‑term working memory and long‑term retained knowledge. Retention budgets help enforce deletion or unlearning when data is no longer necessary, supporting data‑minimisation principles and rights such as erasure. [17]
  3. Live controller/processor mapping – Because agentic workflows evolve at runtime, responsibilities cannot be assigned once and assumed static. A system for live mapping of controller and processor roles ensures that accountability shifts appropriately as agents invoke new services. This mapping should tie into contractual provisions and follow relevant guidance, so roles remain clear even when processing chains change on the fly. [18]

4.3 Technical Safeguards And Privacy‑By‑Design

  1. Differential privacy – As agentic AI systems continuously query data and update their internal memory, differential privacy [19] can help reduce the risk of re‑identification. It supports data protection by design and by default [20] by offering formal privacy guarantees even in dynamic environments. However, it protects outputs rather than inputs, meaning it must be paired with strong governance and stewardship frameworks to ensure it is implemented correctly.
  2. Runtime logging and auditability – Robust logging and traceability mechanisms are essential for analysing an agent’s behaviour after the fact. Audit logs should record the data sources accessed, the third‑party services invoked, and the reasoning paths taken. This not only supports data‑subject rights but also helps organisations meet emerging obligations such as the EU AI Act’s requirements for detailed logging and monitoring. [21]
  3. Role‑based access and memory compartmentalisation – Agents should compartmentalise data to prevent information from leaking across tasks or contexts. Without proper controls, an agent’s memory can accumulate unnecessary or sensitive data, increasing risk. Well‑designed memory structures that are paired with role‑based access help enforce data‑minimisation principles and make it easier to honour data‑subject rights. [22]

4.4 Governance Structures And Oversight

  1. Non‑Human Identity (NHI) governance – Agentic systems can be managed as NHIs with structured oversight similar to that used for human team members. This includes formal onboarding, performance reviews and cross‑functional governance boards. Under this model, agents are assigned clear roles, defined risk thresholds and specific hand‑off triggers that determine when human intervention is required.
  2. Precautionary risk management – A precautionary approach emphasises layered safeguards, continuous reassessment and a clear separation of duties. Because current risk‑measurement techniques cannot fully capture the unpredictability of agentic behaviour, governance must remain adaptable and supported by multidisciplinary expertise spanning law, ethics, engineering and risk management.[23]
  3. Regulatory sandboxing and certification – Some jurisdictions (e.g., Colorado’s AI Act) require AI impact assessments, risk management programs and reviews of vendor. esting agentic systems within regulatory sandboxes allows organisations and regulators to observe real‑world behaviours in controlled environments, refine best practices and encourage innovation while mitigating risk.
  4. Policy Recommendations and Future Research
  5. Clarify liability and allocate responsibilities – Legislators should clearly define how liability is shared among developers, deployers and users of agentic AI. Contracts need to be updated to reflect the unique risks of agentic behaviour rather than shifting responsibility onto customers. Developers should provide meaningful oversight rights, adequate documentation and indemnities for emergent harms. Regulators should also issue guidance on joint controllership in agentic contexts.
  6. Expand the controller definition or adopt data stewardship models – Policymakers should assess whether AI developers or platform operators should be considered controllers, given their influence over system behaviour. Alternatively, data‑stewardship frameworks could distribute responsibilities across multiple actors while maintaining user trust. Some have suggested recognising agents as NHIs, although doing so would require legislative reform.
  7. Implement dynamic consent and runtime safeguards – Consent mechanisms should be granular, context‑aware and capable of capturing human approval when an agent’s goals change. Tools such as purpose locks, goal‑change gates, retention budgets and live controller mapping should become standard. High‑risk environments should mandate technical safeguards including differential privacy, access controls and memory compartmentalisation.
  8. Mandate logging and auditability – Regulators should require end‑to‑end logging to support accountability, explainability and data‑subject rights. Regulators should require end‑to‑end logging to support accountability, explainability and data‑subject rights. Logs must be tamper‑resistant and designed to meet both data‑protection requirements and the obligations introduced under the EU AI Act.  
  9. Strengthen education and interdisciplinary collaboration – Developers, users and legal professionals need better awareness of the distinctive risks posed by agentic systems. Effective governance will require collaboration across disciplines—law, engineering, ethics and risk management. Research should continue exploring the socio‑technical impacts of agentic AI, including bias, reward hacking and emergent behaviours.  
  10. Explore regulatory sandboxes and certification – Governments should create regulatory sandboxes that allow organisations to test agentic AI under supervision. Certification schemes similar to GDPR codes of conduct could signal compliance and build trust. Lessons from frameworks like the Colorado AI Act’s impact‑assessment and risk‑management requirements may help shape future regulatory models.

Conclusion

Agentic AI systems challenge the foundations of modern data‑protection regimes. They blur the boundaries between controllers and processors, weaken static consent models and introduce new forms of liability. The resulting agentic privacy gap reflects a simple reality: today’s frameworks were built for discrete processing activities and human‑directed decision‑making, not autonomous systems that plan and act on their own. As agents become more capable, dynamic consent, runtime compliance tools and adaptive governance are no longer optional they are essential. Regulators such as the AEPD, EDPS and ICO have begun to offer guidance, but significant gaps remain around role allocation, accountability and technical safeguards.

By adopting precautionary risk‑management practices, implementing dynamic consent mechanisms and embracing data‑stewardship models, lawmakers and practitioners can build protections fit for an era in which AI systems increasingly act on behalf of individuals.

 

Reference

[1] https://www.ibm.com/think/topics/agentic-ai

[2] https://www.gsulawreview.org/blog/the-illusion-of-consent-rethinking-privacy-online/#:~:text=Think%20of%20the%20last%20time,choice.%E2%80%9D1

[3] Article 4(11) of the GDPR

[4] Article 4(7) of the GDPR

[5] Article 9 of the GDPR

[6] Section 42 of the NDPA

[7] https://www.edps.europa.eu/data-protection/technology-monitoring/techsonar/agentic-ai_en#:~:text=interactions%20%28in%20particular%2C%20without%20step,while%20simultaneously%20coordinating%20multiple%20activities

[8] https://www.cliffordchance.com/insights/resources/blogs/talking-tech/en/articles/2026/02/agentic-ai-and-the-liability-gap-your-contracts-may-not-cover.html#:~:text=written%20for%20passive%2C%20predictable%20software,legal%2C%20reputational%20and%20operational%20consequences

[9] https://www.howespercival.com/articles/ico-sounds-note-of-caution-on-agentic-ai/#:~:text=Privacy%20%26%20Protection%20at%20the,Forefront

[10] https://fpf.org/blog/nigerias-new-data-protection-act-explained/#:~:text=The%20Act%20establishes%20as%20a,for%20the%20performance%20of%20a

[11] https://aisera.com/blog/agentic-ai-compliance/#:~:text=We%20have%20reached%20a%20turning,code%20without%20direct%20human%20supervision

[12] https://cltc.berkeley.edu/wp-content/uploads/2026/02/Agentic-AI-Risk-Management-Standards-Profile.pdf#:~:text=liability.%20Additionally%2C%20many%20risk,safety%2C%20security%2C%20or%20public%20trust

[13] https://www.aepd.es/en/guides/agentic-artificial-intelligence.pdf#:~:text=DETERMINING%20PROCESSING%20RESPONSIBILITIES%20Data%20Controller,use%20of%20agentic%20AI%20systems

[14] https://iapp.org/news/a/the-case-for-differential-privacy-in-the-age-of-agentic-ai

[15] Ibid

[16] https://iapp.org/news/a/engineering-gdpr-compliance-in-the-age-of-agentic-ai

[17] Ibid

[18] Ibid

[19] Differential privacy is a state-of-the-art definition of privacy used when analyzing large data sets. It guarantees that adversaries cannot discover an individual within the protected data set by comparing the data with other data sets

[20] Article 25 GDPR

[21] https://techinsights.linklaters.com/post/102mk6z/agentic-ai-and-data-protection-guidance-from-the-spanish-aepd#:~:text=The%20Spanish%20Data%20Protection%20Agency,autonomously%20across%20tools%20and%20environments

[22] Ibid

[23] Ibid