Use a deterministic workflow when the process is stable, rules are explicit and mistakes are costly. Add AI inside that workflow when one step needs interpretation, such as classifying an email or extracting fields. Choose an agent only when the system must decide dynamically which tools and steps to use. Start with the least autonomous design that solves the problem, then earn greater autonomy through evaluation, permissions and monitoring.
The architectural difference matters more than the label
A workflow follows a path defined in code: receive an invoice, validate required fields, request approval and post the approved record. An AI model can help inside one or more steps, but the surrounding system still controls the sequence. An agent receives a goal, selects tools, observes results and decides what to do next. That flexibility is useful when the correct path cannot be fully described in advance, but it also creates more possible failure paths.
Anthropic’s engineering guidance draws the same practical line: workflows use predefined code paths, while agents dynamically direct their own process and tool use. It recommends increasing complexity only when a simpler solution cannot deliver the required result. This is a useful antidote to buying an “agent” before defining the business decision it should improve.
Choose a workflow when predictability is a feature
Deterministic automation is usually the stronger baseline for repetitive, high-volume processes with clear inputs and approval rules. Think of synchronising records between systems, routing a support request by a controlled category, creating a standard report, or sending a notification after a verified state change. The process can still contain AI, but code decides when the model is called, what data it can see and what may happen with the output.
- The acceptable path can be expressed as rules and states.
- Every action must be reproducible and easy to audit.
- Latency and per-run cost need to stay predictable.
- A human approval is required before an external or irreversible action.
- Exceptions are rare enough to send to a person.
This design is not less advanced. It deliberately limits the number of decisions delegated to a probabilistic component. For many finance, HR, customer-data and operational processes, that constraint makes the system easier to test and operate.
Choose an agent when the path is genuinely variable
An agent becomes defensible when the task has a stable goal but an unstable route. Research across multiple sources, investigating a software incident, preparing a first draft from scattered documents, or coordinating tools across a changing environment can require the model to plan and adapt. The agent may need to decide which source to inspect, whether evidence is sufficient and which tool should be used next.
The key test is not whether an LLM can perform the task in a demo. Ask whether dynamic decision-making creates enough business value to justify more latency, cost, evaluation work and operational risk. If every successful run uses the same three tool calls in the same order, the learned agent loop may be better replaced with a visible workflow.
Use five decision dimensions before writing code
1. Variability
List the real variants of the process. A workflow suits a limited set of known branches. An agent is more useful when the relevant information, sequence and tools differ materially from case to case.
2. Consequence
Separate read-only analysis from actions that send messages, change records, move money or affect people. Higher-consequence actions need narrower permissions, explicit approval gates and stronger logging regardless of architecture.
3. Verifiability
Define what a correct outcome looks like before selecting a model. Structured fields can be checked against a schema; a research answer needs source validation; a proposed code change can be tested. If success cannot be evaluated, autonomy will magnify uncertainty rather than remove it.
4. Reversibility
Prefer autonomous execution for actions that are cheap to undo. For irreversible steps, have the system prepare a recommendation or draft and require a person to confirm it.
5. Operating economics
Compare the complete system, not only model token prices. Include retries, search calls, human review, observability, incident handling and the engineering cost of maintaining tool integrations. A fixed workflow often wins at scale when the task is stable.
A practical middle ground: bounded AI automation
The most useful first release is often neither a fully manual process nor a free-running agent. A bounded system can use AI for classification, extraction or drafting while deterministic code controls permissions and state transitions. For example, an intake workflow may let a model classify a request and propose missing questions, but only a validated rule can create the project record. A sales-research workflow may gather and summarise public information, while a person approves the message before anything is sent.
This structure creates evidence. Teams can measure disagreement rates, correction types, time saved and failure patterns. If the dynamic cases are frequent and the evaluation results are strong, a later version can safely give the model more control.
Governance and security are product requirements
NIST’s Generative AI Profile organises risk work around governing, mapping, measuring and managing AI risks across the lifecycle. That is directly applicable to agent design: document the use case and owners, map affected data and people, evaluate behaviour before and after release, and manage incidents and changes. Anthropic’s 2026 work on trustworthy agents similarly emphasises human control, transparency, secure interactions and privacy.
For teams operating in Europe, the EU AI Act’s obligations depend on the system’s role and risk category, not on whether marketing calls it an agent. The European Commission’s current implementation page notes that the Act becomes broadly applicable on 2 August 2026, while some high-risk rules follow later dates. Classification, transparency and human oversight should therefore be addressed during discovery, with legal review where the use case warrants it.
Two decision scenarios
- Supplier invoice processing: use a workflow. AI can extract fields and flag anomalies, but code should validate totals, enforce approval thresholds and control posting. Ambiguous documents go to a person.
- Technical incident investigation: a bounded agent may be justified. The route varies by symptoms, logs and architecture. Give it read-only diagnostic tools first, require evidence for every conclusion and keep production changes behind approval.
- Customer support triage: start with AI-assisted routing inside a workflow. Allow an agent to resolve only low-risk, well-evaluated request types, and escalate when confidence or permissions are insufficient.
Risks and limits
- Prompt injection can turn untrusted content into malicious instructions if tools and data are not isolated.
- Broad credentials let a small reasoning error create an outsized operational impact.
- A demo dataset can hide long-tail failures that appear in production.
- Autonomous loops can increase latency and cost without improving the business outcome.
- Human approval becomes performative if reviewers lack evidence or time to make a real decision.
Practical next steps
- Map one process, including inputs, decisions, systems, exceptions and irreversible actions.
- Define a measurable baseline such as cycle time, error rate or review effort.
- Mark which decisions are rules, which need interpretation and which require accountable human judgement.
- Prototype the least autonomous design that can improve the baseline.
- Create evaluation cases from real variations, including adversarial and failure scenarios.
- Expand permissions only after the evidence supports it.
FAQ
Is every automation that uses an LLM an AI agent?
No. A workflow can call an LLM for one bounded task while code still controls the sequence and actions. An agent decides dynamically how to pursue a goal and which tools or steps to use.
Are AI agents always more expensive than workflows?
Usually they have more variable cost because they may use multiple model calls, searches and tools. The relevant comparison includes review and maintenance costs as well as token usage.
Can an agent operate safely without human approval?
For low-consequence, reversible and well-evaluated actions, it can. External communication, financial changes, access control and other consequential actions should begin with explicit approval and narrowly scoped permissions.
How do we know when to increase autonomy?
Use production-like evaluations. Track success, corrections, escalation reasons, tool errors and business outcomes. Increase autonomy only for cases where performance and controls meet a predefined threshold.
Does the EU AI Act prohibit business AI agents?
No general prohibition applies to business agents as a category. Obligations depend on the use case, role and risk classification. Teams should assess classification and applicable requirements with qualified legal support.
