The chatbot was always a transitional form. A useful one, but transitional. For two years, generative AI in financial services has mostly meant putting a conversational interface in front of a knowledge base. Ask it a question, get an answer. Sometimes the answer was right, sometimes it was not, but the loop was always the same: a human asks, the model responds, the human decides what to do next. The model was a passenger in the workflow. The human was still driving.
Agentic systems break that loop. The model is no longer responding to a question. It is pursuing an objective. It plans the steps, calls the tools, reads the results, adjusts, and continues. It writes to systems. It triggers actions. It does the work, and then it reports back. The conversation, if there is one at all, is the wrapper, not the substance.
For financial services, this is a more significant shift than most institutions have yet absorbed. The chatbot phase was contained. A misbehaving chatbot embarrassed you. An agentic system that has been granted write access to your ledger, your CRM, your compliance workflow, and your customer communications can do considerably more than embarrass you. The risk surface is not comparable. Neither is the operating model required to govern it.
What is striking, watching this unfold across the industry in 2025, is how fast the underlying capability has matured and how slowly the institutional response has caught up. The models can now plan multi-step workflows reliably enough to be useful. The tool-calling protocols have stabilised. The orchestration patterns are well documented. The constraint is no longer the technology. It is the question of what an organisation is willing to delegate, to a system whose reasoning it cannot fully inspect, in pursuit of outcomes whose failure modes it cannot fully anticipate.
The honest answer for most institutions, right now, is: less than the technology can do, and more than the governance is ready for. That gap is where the next two years of work sits. Agentic systems deployed safely require the same things that ungoverned automation has always required, plus several things that are specific to AI. Continuous monitoring of behaviour, not just outputs. Clear boundaries on what an agent can and cannot do without human approval. Audit trails that capture not just what an agent did but why it decided to do it. Escalation pathways for the cases the agent does not know it cannot handle. Recovery procedures for the cases it gets wrong.
None of this is exotic. Most of it is the same risk management discipline that financial services has practised for decades, applied to a new class of actor in the system. The difference is that the new actor is faster, cheaper, more scalable, and harder to interrogate than any operational process that came before it. That is the opportunity. It is also the risk. They are the same thing.
The chatbot phase is ending. The institutions that treat agentic AI as a more elaborate chatbot are going to spend the next few years wondering why their pilots will not scale. The institutions that treat it as a new operating model, with the governance and accountability structures that operating model demands, will be the ones writing the playbook everyone else eventually copies.
The interesting work has just begun.