For the last two years the AI conversation in most organisations has been about questions: can we ask our data things in plain language? In 2026 it has changed shape. The question now is about actions - can AI do things with our data, on its own? That shift, from chatbots that answer to agents that act, is the most significant change in enterprise AI this year, and at VE3 we think most organisations are underestimating what it asks of them.

Here's the thing the demos don't tell you. An agent is only ever as good as the foundation it stands on - and unlike a chatbot, it doesn't just report the state of that foundation, it amplifies it. Point an agent at clean, governed, well-described data and it becomes genuinely useful. Point one at the sprawling, ungoverned estate most organisations actually have, and you've built a fast, confident way to make the same mistakes at scale. The appetite is real - by some measures around half of enterprises are already running agents in pilots or production - but the readiness lags badly behind it.

So, before anyone greenlights an agent, here's what we'd want them to understand about the foundation underneath it.

What changes when AI acts instead of answers

The leap from chatbot to agent is a leap in consequence. A chatbot that returns a wrong number is embarrassing; someone usually catches it. An agent that takes a wrong action - reprioritises a queue, adjusts a forecast, triggers a process - is an operational event, and it may take several steps before anyone notices. Agents plan and execute across multiple tools and workflows, often chaining decisions together. That autonomy is exactly what makes them valuable, and exactly why the data and the guardrails underneath them suddenly matter far more than they did in the chatbot era.

The uncomfortable truth: agents expose your data foundation

We'll be blunt, because it's the single most important point. Agentic AI doesn't have a quality problem so much as it has a foundation problem. The model is rarely the weak link now; the data beneath it is. Industry research bears this out - organisations report large jumps in LLM accuracy, in some cases several-fold, when AI works over properly governed data rather than raw tables. The corollary is the warning: an agent on ungoverned data produces fluent, confident, wrong outputs, and then acts on them.

This is why "let's bolt an agent onto our existing systems" is the wrong instinct. The agent will faithfully inherit every undocumented definition, every conflicting metric and every gap in your data - and it will do so at machine speed.

What agentic AI actually needs

In our experience, the agents that work in production are sitting on six things. Get this right and the agent is the easy part.

1. A certified semantic layer. Agents need to reason over meaning, not raw tables. A governed semantic layer - where "active student", "FTE" or "available capacity" has one agreed definition - is what lets an agent answer and act correctly rather than guessing. This is precisely the direction the platforms are taking: Microsoft Fabric's data agents are designed to be grounded on the semantic model, not pointed at raw storage. No semantic layer, no trustworthy agent.

2. Governance and security enforced at the data layer. An agent must only ever act within the permissions of the person it acts for. That means access control applied once, at the data, rather than hoped for in each tool - which is why platform-wide security models such as OneLake Security matter so much in an agentic world. An agent that can see data the user can't is not a feature; it's a breach waiting to happen.

3. Lineage and explainability. When an agent takes an action, you need to be able to answer "why?" - to trace the decision back through the metrics to the source data. Without end-to-end lineage, an autonomous system is a black box, and no regulated organisation can run a black box that takes actions.

4. Sovereignty and a clear boundary. This is one of the defining themes of 2026, and it matters acutely for public-sector and regulated organisations: AI should operate inside your tenant and your jurisdiction, with data never leaving the boundary. Sovereignty is no longer a hosting footnote - it spans where the data sits, where the inference runs, and which rules and jurisdiction the whole arrangement answers to.

5. Real-time, conformed data. Agents act on the world as it is now. A foundation that refreshes overnight and can't conform data across sources will have an agent acting on a stale, contradictory picture. Near-real-time, conformed data isn't a luxury for agentic use cases - it's a precondition.

6. Governance of the agents themselves. This is the gap that worries us most across the market: agent adoption is racing ahead while agent oversight lags, with only around one in five organisations reporting a mature model for governing autonomous agents. You need a defined pathway - human-in-the-loop where the stakes are high, clear accountability, monitoring for drift and bias, and alignment with emerging regulation such as the EU AI Act - before an agent goes anywhere near a live process.

The plumbing is maturing but the plumbing was never the hard part

It's worth saying that the connective tissue for agents is arriving fast. Open standards such as the Model Context Protocol and agent-to-agent communication have matured quickly into common foundations, and platforms are adding autonomous capabilities directly - Microsoft's move into self-healing, agentic data engineering is a clear signal of direction. That's genuinely useful.

But we'd caution against mistaking the plumbing for the project. Connecting an agent to your systems has never been the hard part. The hard part is making the data underneath it trustworthy, governed and explainable enough that you're willing to let the agent act. The organisations that struggle in 2026 won't be the ones that couldn't wire up an agent. They'll be the ones that wired one up to a foundation that wasn't ready.

How VE3 approaches it: foundation first, agents second

Our position is consistent and, we'll admit, slightly unfashionable: don't start with the agent. Start with the foundation it will stand on. In practice that means a governed lakehouse with clean, conformed data; a certified semantic layer so meaning is shared and consistent; security and lineage applied at the data layer; and a staged, human-in-the-loop pathway that takes an agent from sandbox to supervised rollout to certified production, with monitoring that never switches off. Build that, and agentic AI becomes a capability you can actually trust. Skip it, and you've automated your data problems.

The bottom line

Agentic AI is not a model decision or a tooling decision. It's a foundation decision. The agent will only ever be as trustworthy, as secure and as explainable as the data and governance beneath it - and because it acts rather than merely answers, the cost of getting that foundation wrong is higher than it has ever been.

So, the question to ask isn't "which agent should we deploy?" It's "is our data foundation ready to be acted upon?" In our experience, the organisations that answer that one honestly first are the ones that get value from agents - and the ones that don't are the cautionary tales everyone else learns from.

Thinking about agents? Talk to VE3 about an AI-readiness review that assesses whether your data foundation is ready to be acted upon - before you deploy a single agent.