Get in Touch
2026-01-12

AI Systems and Risk Classification: Traditional vs Agentic vs Agentic RAG

𝐌𝐨𝐬𝐭 π€πˆ 𝐬𝐲𝐬𝐭𝐞𝐦𝐬 𝐚𝐫𝐞 𝐧𝐨𝐭 β€œπ‘π’π π‘-𝐫𝐒𝐬𝐀” 𝐛𝐲 𝐝𝐞𝐬𝐒𝐠𝐧.

Don’t be generic in risk assessment, rather the micro level dynamics of stack of an AI System needs to be focussed upon to have actual perspective of risk assessment.
Hence, if not taken care of, they become high-risk by architecture.
Traditional AI, Agentic AI, and Agentic RAG are being regulated very differently because control, memory, autonomy, and evidence now matter more than models.
This is where AI governance has quietly changed.

EU AI Act risk tiers

Unacceptable| High-Risk| Limited-RiskΒ 

(Prohibited) Risk depends on use-case and domain (e.g. employment, credit, biometrics)

India Governance: DPDPA + sectoral laws + government AI advisoriesIndia: Use-case impact classification (Internal)

  • NIST AI RMF, ISO/IEC 42001

Compute-related AI advisors

  • IndiaAI Compute

  • Sectoral laws RBI, SEBI, IRDAI

TRADITIONAL AI(Fixed Pipeline)

Fixed Pipeline High-Risk

  • Specify Task

  • Collect Data

  • Refine Data

  • Feature Store (offline)

  • Model Training (offline)

  • Deploy Model -> Evaluate Outcomes

Typical controls:

  • dataset governance, model testing, security + documentation, (model cards), audit logs

  • UPSICI

AGENTIC AI(Compounding Learning – Bridge)

Set Objectives Limited-Risk / High-Risk

  • Choose LLM Model

  • Integrate Tools & APIs

  • Embed Logic + Iterations

  • Reason – Plan – Act – Observe

    • Improve

Typical controls: IISG 42001

  • Tool-use controls, human oversight,

  • action logging, approvals, incident response

  • NIST AI RMF, ISO/IEC 42001

AGENTIC RAG(Memory + Retrieval – Individual & Collective)

  • India : Use-case impact classification Set Task Goal Limited-Risk / High-Risk

  • Fetch Useful Data (Vector Search/API)

  • Query Decomposition

  • Apply Iterative Logic (Apply RAG)

  • Write to Long-Term Memory (optional) (Query ACS)

  • Produce + Verify Results Apt for Future Use

Typical controls:

  • Data access governance, task goal logging, oversight, data minimization, retention/ deletion, maried logs, audit logs.

  • DPDPA 2023 + DPDP Rules 2025, GDPR

  • IndiaAI Mission, IT Act, IT Rules

This blog is an academic initiative brought to you by the Data Privacy Pro team of AMLEGALS. Subscribe – Stay updated, Stay compliant.

Tags:

Leave a Reply

Your email address will not be published. Required fields are marked *

 

Disclaimer & Confirmation

As per the rules of the Bar Council of India, law firms are not permitted to solicit work and advertise. By clicking on the β€œI AGREE” button below, user acknowledges the following:

    • there has been no advertisements, personal communication, solicitation, invitation or inducement of any sort whatsoever from us or any of our members to solicit any work through this website;
    • user wishes to gain more information about AMLEGALS and its attorneys for his/her own information and use;
  • the information about us is provided to the user on his/her specific request and any information obtained or materials downloaded from this website is completely at their own volition and any transmission, receipt or use of this site does not create any lawyer-client relationship; and that
  • We are not responsible for any reliance that a user places on such information and shall not be liable for any loss or damage caused due to any inaccuracy in or exclusion of any information, or its interpretation thereof.

However, the user is advised to confirm the veracity of the same from independent and expert sources.

I Agree I Disagree