PRIVACY IN AGENTIC AI SYSTEMS: POTENTIAL RISKS AND RECOMMENDATIONS

1- Introduction

On March 12, 2026, the Republic of Turkey Personal Data Protection Authority (the "Authority") published a document titled "Agentic AI" (the "Document") to address the qualitative transformations and increasing autonomy in artificial intelligence technologies, as well as to outline the measures that can be implemented to protect individuals' privacy during the use of these emerging technologies.

Going beyond traditional artificial intelligence applications, the Document evaluates the operation of systems capable of executing goal-oriented, multi-step, and autonomous processes, along with the associated risks and the precautionary measures that can be taken.

2- A New Conceptual Framework: Agentic AI and AI Agents

The Document defines three fundamental concepts: Agentic AI systems, AI agents, and Multi-agent systems. Although there are certain ambiguities regarding the usage of these concepts in the Document, establishing a conceptual framework and setting forth general principles for these emerging technologies is important in terms of practical application.

The Document defines Agentic AI systems as “AI systems composed of AI Agents capable of acting and interacting autonomously at varying levels to achieve specific goals.” "AI Agents," on the other hand, are described as “automated agents that perceive their environment, react to it, and take actions in line with defined goals,” emphasizing that these technologies are “a software component of Agentic AI systems.” The relationship between these two concepts is concretized through the analogy of "an executive chef of a restaurant and the cooks in the kitchen"; while AI Agents are the cooks performing specific tasks, the Agentic AI system acts as the executive chef planning the menu and coordinating the overall process.

The final concept introduced in the Document is "Multi-agent systems." Multi-agent systems are explained as “structures in which multiple AI Agents operate interactively within the framework of task sharing and coordination to achieve common tasks and goals.”

After providing examples regarding the current use of these three technologies, the Document examines the potential risks and the considerations to be taken into account regarding the protection of personal data through the lens of Agentic AI systems.

3- Points of Divergence from Traditional AI Systems

A portion of the risks addressed concerning Agentic AI systems overlap with the risks generally envisaged for AI systems; however, due to the inherent nature of Agentic AI systems, the risks posed by these systems must be specifically addressed.

Although AI systems initially emerged as "structures designed to perform specific and limited tasks of a pre-defined and repetitive nature," a need has arisen over time to use AI systems in more complex tasks and broader contexts. Therefore, over time, AI systems capable of operating autonomously at varying levels towards a specific goal have emerged. The Document indicates that Agentic AI systems differ from traditional AI systems in terms of "the manner in which tasks are handled" and "the structuring of decision-making processes."

In this context, particular emphasis is placed on the autonomy of Agentic AI systems, which manifests itself as the ability to define the tasks necessary for a specific goal, evaluate these tasks according to changing conditions, and interact with the environment.

The inherent goal-oriented, multi-step nature of Agentic AI systems, along with their varying levels of autonomous operation, renders the risks that traditional AI systems may pose more complex.

4- Potential Risks of Agentic AI Systems

The Document states that a significant portion of the risks is closely related to the level of autonomy possessed by Agentic AI systems. Because, as the level of autonomy increases, the relevant systems can initiate and sustain actions on their own without human intervention. In this respect, Agentic AI systems enable faster and more effective decision-making within the framework of pre-determined goals, and the execution of many operations and actions in a short time. However, this situation, due to the limited nature of human intervention, makes it difficult to notice the resulting impacts in a timely manner and to take the necessary interventions.

Due to the goal-oriented and multi-step operation of Agentic AI, the "black box" problem, which is frequently discussed in the context of traditional AI systems, also becomes more complex. As stated in the Document, which actions will be performed in what order within the systems, which tools or functions will be engaged at what stage, and the relationships between these choices are largely shaped within the framework of the system's own internal evaluation and planning processes; this further complicates the transparent explanation of decision-making and action processes.

In cases where transparency cannot be ensured as explained above, it also becomes difficult to notice errors and discrepancies in a timely manner, and if such unnoticed erroneous system outputs are used by different AI Agents within the operation of the Agentic AI system, erroneous evaluations may spread in a cascading manner, negatively affecting the final output.

A similar situation applies regarding the detection of bias and discrimination risks and the inability to intervene in these early on.

5- Fundamental Legal Risks Specific to the Protection of Personal Data

The Document emphasizes that assessments regarding the protection of personal data should be made by considering the holistic operation of the system rather than individual data processing activities. This is because a personal data processing activity that produces a limited impact when considered individually may lead to more serious consequences for the data subject when combined with other activities within the Agentic AI system.

In parallel with this, the risks identified within the framework of general principles have been addressed within the scope of the activities of Agentic AI systems:

Purpose Limitation and Data Minimization: Determining the purpose for which personal data is processed defines the scope and limits of data processing activities. The goal-oriented and multi-step structure of Agentic AI systems may cause the scope of data processing activities to vary over time. In other words, the system may require new datasets during the process that were not initially foreseen. Therefore, the relationship between the purpose and the data processing activity must be observed throughout the operation of the system. Approaches aimed at determining the data requirement and limiting the usage should be adopted throughout the lifecycle of Agentic AI systems.
Exceeding the Legal Basis (Condition for Processing): Due to the autonomous processes in Agentic AI systems, the scope of the data processing activity within the system may expand, and in this case, the legal basis that was initially valid may no longer be applicable to all processing activities carried out within the system and may lose its validity. In this context, attention must be paid to maintaining compliance of the data processing activities carried out with respect to the entire Agentic AI system with the reasonable expectations of the data subjects and the initially envisaged processing framework.
Use of Inference-Based and Derived Data: Considering the breadth and multi-step nature of the data processing activities carried out by Agentic AI systems, data initially characterized as anonymous may be processed as personal data through the correlation of data obtained from different sources by the system. As a result of interaction with different data sets, data can be processed on a large scale, and detailed profiling of the relevant data subjects may come to the fore. This situation causes data processing activities to exceed the reasonable expectation of the data subject and reduces the predictability of the resulting outcomes.
Transparency of Processes: As explained in detail above, the decision-making mechanisms occurring in a manner spread across different stages and components in Agentic AI systems complicate the traceability of the processes. The inability to understand at which stages and how personal data is processed in this manner leads to difficulties in retrospectively tracking data processing activities and explaining these processes.
Ensuring Accountability: As in traditional AI systems, different actors such as developers and deployers may be involved in the process in Agentic AI systems. Therefore, issues regarding how the responsibility will be shared among these actors throughout the lifecycle of Agentic AI systems, against whom and how data subjects will exercise their rights, and who will be liable for any potential damage pose difficulties in practice.
Principle of Accuracy and the Hallucination Effect: The phenomenon of "hallucination," which refers to the generation of outputs that do not correspond with reality but often appear plausible and convincing, is also observed in Agentic AI systems. The transfer of unreal information generated by AI tools as input to other AI Agents in consecutive operations may lead to the erroneous processing of personal data in a cascading manner and permanent inaccuracies. In order to prevent such outcomes, the accuracy of personal data must be ensured, and the reliability of the resulting outcomes must be observed.
Security and System Resilience: In Agentic AI systems, which inherently operate in conjunction with multiple data sources, tools, and digital environments, the attack surface expands, and this situation leads to the emergence of new vulnerability points regarding attacks that may cause data breaches. In situations such as interacting with other information systems or automatically initiating certain actions, cascading effects of data breaches may occur. It is a necessity to take additional measures regarding these additional risks that arise in addition to traditional AI systems.
Compliance with the Purpose and Legal Framework: In the event that Agentic AI systems are used with ambiguous instructions, without their boundaries being defined clearly enough, and without addressing other deficiencies in the training and configuration processes, there is a risk of unforeseen or undesirable actions occurring initially. In this case, human oversight and intervention over data processing activities remain limited.

6- Corporate Compliance: Required Measures and Human Oversight

To manage the risks explained above, the Document proposes a risk-based and human-centric compliance framework:

Risk-Based Approach: Rather than eliminating risks, a framework focusing on appropriate technical and organizational measures should be established, taking into account the autonomy level, use case, and potential impacts of Agentic AI systems. This risk-based approach should be supported by mechanisms capable of adapting to risk profiles that may change over time, and by appropriate data governance practices.
Meaningful Human Oversight: Regardless of the system's autonomy level, mechanisms that will engage human oversight and intervention in decision-making stages harboring potential risks must be envisaged. Against the autonomy of Agentic AI systems, human autonomy—which can be expressed as "the abilities of individuals to make decisions, make choices, and have control over their own actions"—must be observed. While determining these mechanisms, at which stage and under what conditions human oversight will be engaged must be clearly defined. In this context, in accordance with the Document:

During the development phase, matters such as which data types the system can access and what kinds of decisions it can make must be clearly defined, and these boundaries must be tested;
During the deployment phase, mechanisms that can enable additional human oversight in high-risk processes must be in place; and
During the post-deployment phase, monitoring, feedback, and evaluation mechanisms must be established for system behaviors, decision-making processes, and other interactions.

Ensuring Transparency and Openness: In Agentic AI systems, which have a multi-layered and distributed structure, transparency should be addressed at different levels. To ensure transparency and openness, mechanisms must be established that reveal the interactions among the relevant system components with sufficient clarity and allow the monitoring of system behaviors. Said mechanisms will also assist in effectively ensuring human oversight and detecting negative outcomes at early stages.
Observing the Principle of Accuracy: In the event of using Agentic AI systems, the accuracy of personal data must be continuously observed at every stage of the process, and an approach aimed at preserving the currency and contextual appropriateness of the information and outputs used must be adopted.
Observing Privacy Throughout the Lifecycle: "Privacy by design" and "privacy by default" approaches must be observed at every stage, and "privacy-enhancing technologies" must be incorporated into the process.
Distribution of Responsibility and Impact Assessment: Legal roles between developers and deployers must be clarified; furthermore, mechanisms such as data protection impact assessments must be regularly utilized against potential risks. At this point, an understanding of cooperation based on the differentiation of roles among stakeholders and observing coordination must be adopted.

7- Conclusion and Assessment

This Document, published by the Authority, analyzes the evolution of autonomy in AI technologies and the potential repercussions of this evolution on the protection of personal data. It clearly demonstrates that, rather than prohibiting the use of autonomous systems, they should be established on a transparent and accountable ground within the framework of risk management and corporate governance. It is a necessity for data controllers to observe privacy requirements while determining the goals of the systems, to make the distribution of roles transparent, and to place human oversight at the center of the process, to sustain technological efficiency and legal compliance together.