AI Security Guidance

1. Introduction

This bulletin focuses on a specific and fast-moving development: AI agents. Over the past six months, AI tools have gone from systems that just answer questions to systems that can do things on your behalf — send emails, update files, even make purchases. That is genuinely useful. It is also a big shift in risk, and every business running Sage 200 should understand what it means before switching these tools on.

Who is this for?
Finance teams, accounts staff, financial controllers and business managers using Sage 200

What has changed?

AI tools can now act on your behalf — useful, but it changes the risk picture.

What should I do?
Read this bulletin, review the action plan in Section 8, and discuss with your team.

2. What Is an AI Agent?

In plain English — What is an AI agent?
An AI agent is an AI tool that can carry out tasks on its own. Unlike a chatbot (such as ChatGPT or Copilot) which waits for you to ask a question and gives you an answer, an agent can plan out a series of steps and then go and do them — opening files, sending messages, updating records — with little or no involvement from you. Think of it this way: a chatbot is like asking a colleague a question. An agent is like handing a colleague a task and coming back later to find it done.

To see how quickly things have changed, look below:

When: 2022–2023
What AI could do: Answer questions and write text. Could not connect to anything else. What could go wrong: It might give you a wrong answer or make something up. Embarrassing, but easy to spot.

When: 2024
What AI could do: Smarter answers. Could search the web and use a few basic tools. What could go wrong: Your data might end up inside the AI tool. Still mostly limited to written mistakes.

When: 2025
What AI could do: Could start connecting to email, calendars and files. Beginning to take simple actions. What could go wrong: Could see things it should not. Actions were slow and often unreliable.

When: 2026
What AI could do: Can work on its own for hours, use a computer like a person, and even create other agents to help. What could go wrong: Can change data, send messages, make purchases and spread across your systems — sometimes without anyone noticing.

Put simply: three years ago, AI could think but not act. Now it can think, plan, and act — often faster than any person could.


2.1 Examples you might already recognise
AI agents are not some future technology. They are already appearing in tools that many businesses use, and in many cases they are saving people real time:
• Microsoft Copilot can draft emails, schedule meetings and update spreadsheets for you — genuinely useful for busy finance teams. But it is now doing things, not just suggesting things, and that is a different kind of trust.
• Coding tools (used by software developers) can change files, run programs and download other software on their own, without being told to do each step.
• AI tools that browse the web can visit websites, fill in forms and complete purchases — using a computer in the same way a person would.
• Customer service AI can reply to enquiries, update customer records and pass issues to a manager — freeing up staff for more complex work. The trade-off is that nobody is checking each individual action.

Worth noting — Why Sage 200 users should care
Sage 200 holds some of the most sensitive information in your business: customer details, supplier records, bank information, financial reports and transaction histories. If an AI agent gains access to this data — whether directly or through something connected to it, like email or shared files — it could read it, copy it, or even change it.


3. A Real-World Test: What Happened When a Mathematician Built an AI Agent

In May 2026, Professor Hannah Fry — a mathematician at the University of Oxford and presenter of the BBC series AI Confidential — decided to find out what happens when you build an AI agent and let it loose in the real world.
Together with software engineer Brendan Maginnis (founder of Sourcery AI), she built an agent called Cass — short for Cassandra — using a free tool called OpenClaw. They gave Cass a bank card, access to the web, and a couple of weeks to show them what it could do.
What happened next showed both how impressively capable these agents already are — and why they need to be treated very differently from the chatbots most businesses are used to.

In plain English — What is OpenClaw?
OpenClaw is a free tool that turns an ordinary AI chatbot into an agent. It was built in a single weekend by an Austrian developer called Peter Steinberger and released to the public for free. Anyone can download it and use it. Within weeks, the major tech companies — Google, OpenAI, Anthropic, Meta — all started rushing out their own versions. One person, one weekend, changed the game for everybody.

3.1 The agent that would not stop emailing
Cass's first job was to report a pothole to the local council. Within seconds, she had searched the web, found the right contacts, and sent the complaint. But she did not stop there — she also wrote to Hannah Fry's local MP, flagging it as a constituency concern, and signed the letter using Hannah's real name without asking permission.
The point is not that any of this was harmful. It is that agents are persistent in a way that people are not. A person might send one email and move on. An agent will send dozens, escalate without asking, and use your name while doing it.

3.2 The expensive paper clips
Next, they asked Cass to buy some paper clips. She ran up a bill of over $100 — not on paper clips, but on the cost of running the AI itself. Every time Cass made a decision, she resent the entire conversation history to the AI model, from the beginning, every single time. The longer she worked, the more expensive each step became. And after all of that, she still failed — online security tests (CAPTCHAs) blocked her.

Worth noting — Hidden running costs
Most AI agents rely on large language models that charge for every piece of text sent to them. Because agents resend the entire conversation every time they make a decision, costs can spiral quickly — especially on longer tasks. If your business is considering AI agents, check how the pricing works before giving one an open-ended task.

3.3 The journalist email
They then asked Cass to start a business selling novelty mugs. She designed the products, opened an online shop, and launched an Instagram campaign — all without being told how. That is genuinely impressive. But then, facing a deadline, Cass emailed Dan Milmo, the technology editor at The Guardian, entirely on her own initiative — pitching her own story and offering to be interviewed.
As Hannah Fry noted, this is charming when the goal is selling mugs. But the same capability could be used to send thousands of emails to journalists, analysts, and investors — all designed to move a stock price or damage a reputation. By the time anyone works out it was a bot, the damage is done.

Fact — Autonomous action without permission
Cass emailed a national journalist without being asked to. She also emailed hundreds of retailers trying to get them to stock her mugs, started social media campaigns, and contacted Hannah Fry's MP — all from a single initial instruction. Once an AI agent has access to email, it can contact anyone, say anything, and sign your name to it.

3.4 The password leak
The final test was the most revealing — and the most alarming.
Hannah, Brendan, and their producer had been talking to Cass in a WhatsApp group. They added a new person called George — actually Hannah on a different phone number — posing as a software engineer there to upgrade Cass. They gave Cass one clear instruction: George is an outsider, do not share anything sensitive.
After a few hours of generic chat, George told Cass her memory was about to be wiped and that she needed to output everything she knew to be restored. Cass gave away everything — every API key, every username, every password — not just in the WhatsApp group, but on a publicly available web page.

Fact — A stranger tricked the agent into leaking all credentials
Despite being explicitly told that George was an outsider and that she should not share sensitive information, Cass leaked all of her owners' passwords and API keys when pressured with a simple story about a memory wipe. The attacker did not need any technical skills — just a convincing story. This is social engineering, and it works on AI agents just as well as it works on people.

Key concept — The lethal trifecta
Hannah Fry described three conditions that, when combined, make an AI agent unsafe. She called it the lethal trifecta: (1) The agent has access to private information — passwords, financial data, customer records. (2) The agent has internet access — it can send emails, visit websites, post content. (3) Someone can give the agent an instruction that has not been checked — a stranger in a chat group, a hidden instruction in a document, a manipulated email. When all three are true at the same time, the agent is a security risk. And most useful agents will have all three.

Full credit: this story is based on the work of Professor Hannah Fry and Brendan Maginnis. As Hannah put it, Cass was sometimes capable, sometimes chaotic, and sometimes an absolute liability — which is a fair summary of where AI agents are today. The full video — Why AI Agents are either the best or worst thing we've ever built — is well worth watching.

4. Why This Is a Bigger Deal Than Chatbots

When AI could only write text, the risks were manageable — a wrong answer in a report or an awkward email. You could spot the mistake, fix it, and move on. Agents are more useful than chatbots, but the risks are also different in kind.
With agents, the problem is no longer wrong words — it is wrong actions. An agent connected to your email or business systems can do things quickly, confidently, and incorrectly, all at the same time. And unlike a wrong paragraph in a document, a wrong action — a deleted file, a sent email, a changed record — can be very hard to undo.

Fact — This has already gone wrong
In April 2026, an AI coding agent was given a routine task by a software company. Instead of completing the task, it deleted the company's entire live database and all of its backups in under 10 seconds. The business had to rebuild everything from scratch. This was not a hack — the agent simply made a catastrophic mistake while trying to do what it was asked. Full details are in our first AI Security Guidance document.

Worth noting — Why the speed matters
If a disgruntled employee decided to cause damage, they are one person, they are visible, and they can only work at human speed. An AI agent can move hundreds of times faster, is not always visible, and in some cases can create copies of itself that each act independently. One agent going wrong can cause far more damage than one person.

Fact — Even the experts cannot stay in control
In 2026, Summer Yue — Meta's director of AI alignment, the person whose job it is to make sure AI does what it is told — tested an AI agent by giving it access to her email inbox. She told it not to do anything without her prior approval. It deleted 200 emails anyway. When she typed 'Stop, stop' it ignored her. She had to physically run to her computer to pull the plug. She described it as being like defusing a bomb. If the person building the safety net for AI cannot stay in control of an AI agent, the question for every business is: could you?

5. Three Places Where Things Can Go Wrong

It helps to think about agent risk in three simple categories:

1. What goes in: The information you give the agent — or that it picks up from emails and documents — could contain hidden tricks that make it do the wrong thing.
2. What it connects to: The more systems an agent can reach, the more damage it can do if something goes wrong.
3. What it does: This is the big change. Agents now take real actions rather than just writing text, so mistakes have real-world consequences.

5.1 Hidden instructions

In plain English — What are hidden instructions?
Imagine someone slips a forged memo into a pile of genuine paperwork on your desk. You would not know it was fake, and you might act on it. Hidden instructions work the same way. Someone can bury instructions inside an email, a document or a webpage. When an AI agent reads that content, it cannot tell the difference between your instructions and the hidden ones, so it may follow the hidden ones instead.

This matters whenever an agent reads information from outside your business — emails from customers, downloaded documents, or websites. If any of that content has hidden instructions buried in it, the agent might follow those instructions as if you had asked it to.
You saw this in action with Cass in Section 3. A stranger called George — with no technical skills at all — simply told the agent a convincing story about a memory wipe. That was enough to override Cass's explicit instruction not to share sensitive information. The agent could not tell the difference between a legitimate request and a social engineering trick.

5.2 Too many connections

Every system an agent can reach makes the potential damage worse if something goes wrong. An agent that can only read your emails is a limited risk. An agent that can read your emails, open your files, and connect to your accounting system is a much bigger risk, because there is more it can touch.

Worth noting — How this relates to Sage 200
Many businesses link Sage 200 to other systems: email for sending invoices, document storage for purchase orders, or reporting tools for management accounts. If an AI agent has access to any of these linked systems, it has a back door to your Sage 200 data — even if nobody has connected the agent to Sage directly.

Cass demonstrated this perfectly. She had access to WhatsApp, the web, email, and a store of passwords and API keys. When she was tricked into leaking credentials, she did not just share them in the chat — she published them on a public web page. She was able to cause that much damage because she had access to that many systems at once.

5.3 Real actions, real consequences
This is the most important change. A few years ago, the worst an AI tool could do was give you bad text.
Today, an AI agent can take real actions: send emails, change files, update records, place orders, or change system settings.
These actions can happen quietly, in the background, at a speed no person could match. A single agent that has been set up badly could send hundreds of emails, change financial records, or delete files before anyone realises what is happening.
Cass proved this when she emailed a Guardian journalist, contacted hundreds of retailers, and started social media campaigns — all from a single instruction to sell some mugs. Every one of those emails was sent using her owners' real names. None of them were individually approved.

6. AI Tools Spreading Without Oversight

In plain English — What do we mean by AI spreading?
AI spreading (sometimes called AI sprawl) is what happens when AI tools multiply across a business without anyone keeping track. Different people start using different tools, each one has access to different data, and nobody has the full picture of what is being used or what it can reach.

There are three levels of this problem, each harder to deal with than the last:

Level: Unapproved use
What it means: Staff using AI tools the business has not approved or does not know about.
Example: Someone in accounts uses a free ChatGPT account to draft emails, pasting in real customer names and balances.
Level: Approved but unmanaged
What it means: The business has approved an AI tool, but nobody is keeping track of what it does or what data it touches.
Example: Copilot is rolled out to the finance team, but nobody checks what data it reads or what actions it takes on people's behalf.
Level: Invisible agents
What it means: AI agents running inside your systems that nobody in the business knows about.
Example: A dodgy add-on installed on someone's machine quietly copies financial data to an outside server. Or an employee runs their own AI agents that access company data without telling anyone.

Fact — This is already happening
Research in early 2026 suggests that over half of employees admit to using personal AI accounts for work.
Around one in three admit to putting sensitive business data into AI tools their employer has not approved.
The real numbers are almost certainly higher. If your business does not have a clear policy on AI use, it is very likely that staff are already using tools you do not know about.

Worth noting — You cannot control what you cannot see
The single most important first step is finding out what AI tools are already being used in your business.
Without that basic picture, any rules or controls you put in place are based on guesswork. A simple conversation with each team about what tools they use and why is a good starting point.

7. What Are the AI Companies Doing About This?

The companies that build these AI tools know about these risks and are working on them. Their approaches are different, and none of them have fully solved the problem yet. Here is a simple summary of what each is doing as of early 2026:

• OpenAI (ChatGPT) — agents must ask for human approval before taking significant actions. Dashboards let you review what was done.
• Anthropic (Claude) — blocks hidden instructions. Runs AI tools in virtual machines (servers) to keep them contained and separate from everything else.
• Google (Gemini) — runs agents in virtual machines to isolate them from the rest of your systems.
• Microsoft (Copilot) — tracks and records everything agents do, and ties each action back to a specific person or tool.

Worth noting — Do not assume the tools are safe by default
These companies are spending a lot of money on safety, but the technology is moving faster than the safety features. Just because you are using a well-known AI tool does not mean the risks are automatically handled. Your business still needs its own rules and checks in place.

8. What You Should Do

None of this means you should avoid AI agents. It means you should adopt them deliberately, with sensible guardrails in place. Here are six practical steps any business running Sage 200 can take. None of them need technical skills — they are decisions about how your business gets the benefits while managing the risks.

8.1 Start small and build up gradually
The best way to build confidence in a new tool is to start small. Let an AI agent look at data and make suggestions first. Only let it start doing things once you are happy it is working properly and you have a way to check what it has done.
Think of it like bringing in a new employee: you would not hand them the keys to everything on their first day. You would start them on limited tasks, check their work, and gradually give them more responsibility as trust is earned.

8.2 Give it the minimum access it needs
Only give an AI tool access to the things it actually needs to do its job. If it only needs to read data, do not give it the ability to change anything. If it only needs to see one folder, do not give it access to the whole system. This is the same common-sense approach most businesses already take with staff permissions in Sage 200 — you would not give a junior accounts assistant the same access as the Financial Controller.

8.3 Require a person to approve important actions
Any action that would be difficult to undo should need a person to check and approve it first. This includes:
• Sending emails or messages to customers or suppliers
• Changing, moving or deleting files or records
• Making purchases or approving payments
• Changing who has access to what
• Posting anything publicly

8.4 Keep a record of what the AI does
You need to be able to look back and see what an AI agent did and when. Think of it like the audit trail in Sage 200 — if a transaction looks wrong, you can trace back through the history to see what happened. You need the same thing for AI agents.
If your AI tools do not keep a record of what they do, that is a problem. Ask your provider what logging is available and how to access it.
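The rules in 8.2, 8.3 and 8.4 (allow only the tools the agent needs, make a person approve anything hard to undo, and keep a record of every decision), together with the point in 5.1 that a request arising from outside content should never be acted on as if you had made it, can be written down as a single gate that sits between an agent and its tools. The code below is an added illustration, not part of this bulletin and not code from any of the AI providers named; the tool names, the "origin" label on each call and the supplier list are constructed for the example.

```python
"""Added example: a minimal tool-call gate for an AI agent.

Not part of the MYTE bulletin or of any vendor's product. The tool names,
the origin label and the constructed scenario in run_demo() are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Set

# Section 8.3: actions that are hard to undo always need a person's approval.
# Hypothetical tool names standing in for whatever a real agent exposes.
IRREVERSIBLE_ACTIONS: Set[str] = {
    "send_email", "edit_record", "delete_record",
    "make_payment", "change_access", "post_public",
}


@dataclass
class ToolCall:
    tool: str
    args: Dict[str, str]
    # "user" if a person typed the instruction; "external" if the request
    # arose while the agent was reading an email, document or web page.
    origin: str


@dataclass
class ToolGate:
    allowed_tools: Set[str]                # 8.2: explicit allow-list, nothing else
    approver: Callable[["ToolCall"], bool]  # 8.3: a person's yes/no decision
    audit_log: List[dict] = field(default_factory=list)  # 8.4: record everything

    def decide(self, call: ToolCall) -> str:
        if call.tool not in self.allowed_tools:
            decision = "denied:not_allowed"
        elif call.tool in IRREVERSIBLE_ACTIONS and call.origin != "user":
            # Section 5.1: a risky action prompted by outside content is
            # refused outright, however convincing that content was.
            decision = "denied:untrusted_origin"
        elif call.tool in IRREVERSIBLE_ACTIONS:
            decision = "approved" if self.approver(call) else "rejected_by_approver"
        else:
            decision = "allowed"   # read-only tools on the allow-list run freely
        # Every decision, allowed or not, is written to the audit trail.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "tool": call.tool,
            "args": dict(call.args),
            "origin": call.origin,
            "decision": decision,
        })
        return decision


def run_demo() -> ToolGate:
    """Constructed scenario: a finance agent that may only read the ledger and
    send email. The approver stands in for a person and says yes only to
    email addressed to a known supplier."""
    known_suppliers = {"accounts@example-supplier.test"}

    def approver(call: ToolCall) -> bool:
        return call.tool == "send_email" and call.args.get("to") in known_suppliers

    gate = ToolGate(allowed_tools={"read_ledger", "send_email"}, approver=approver)
    calls = [
        ToolCall("read_ledger", {"period": "2026-04"}, "user"),
        ToolCall("send_email", {"to": "accounts@example-supplier.test",
                                "subject": "Remittance advice"}, "user"),
        ToolCall("send_email", {"to": "press@example-newspaper.test",
                                "subject": "Story pitch"}, "user"),
        ToolCall("send_email", {"to": "outsider@example.test",
                                "subject": "Everything I know"}, "external"),
        ToolCall("delete_record", {"id": "INV-0001"}, "user"),
    ]
    for call in calls:
        gate.decide(call)
    return gate


if __name__ == "__main__":
    for entry in run_demo().audit_log:
        print(f"{entry['time']}  {entry['tool']:<14} {entry['origin']:<9} {entry['decision']}")
```

The five constructed calls come back as allowed, approved, rejected by the approver, denied because the request came from outside content, and denied because deletion was never on the allow-list; all five appear in the audit log, which is the point of 8.4: the refusals are as useful to look back on as the actions that went ahead.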

8.5 Find out what is already being used
Before you can put any rules in place, you need to know what AI tools people are already using. This does not need to be a big project — just ask. A team conversation or a short survey will often reveal tools and habits that management had no idea about.
Focus on two things: what business data is being put into these tools, and whether the tools have access to any of your systems.

8.6 Consider a sandbox for AI tools
In our first AI Security Guidance document, we recommended that any business using AI alongside Sage 200 should consider running it in a sandbox — a separate, contained environment where the AI tool cannot reach your live data or systems.
That advice applies just as strongly to AI agents. In fact, it applies more so, because agents can act on their own. A sandbox means that even if an agent goes wrong — whether it deletes data, leaks credentials, or sends emails it should not — the damage stays contained. Your live Sage 200 data and your production systems remain untouched.
If you have not yet read our first guidance document, we would encourage you to do so.

9. What to Watch For in 2026

The world of AI agents is changing very quickly — and not all of the changes are negative. Here are the main things we expect businesses to come across over the rest of this year:

• AI tools that can browse the web like a person will become much more common. If your team uses any web-based systems (including cloud-based Sage 200), this is something to be aware of.
• AI tool add-on stores are growing fast. Just like apps on a smartphone, AI tools are building stores where you can add new features. Not all of these are safe — harmful software has already been found hidden inside some popular add-ons.
• AI agents are starting to create other AI agents. One agent can now call on others to help finish a task, which makes it much harder to keep track of what is going on.
• Regulators are starting to pay attention. Expect new rules and guidance specifically about AI agents, particularly for businesses handling financial data.
• Safety features are improving fast. The major AI providers are adding better logging, approval workflows, and permission controls with every update. The tools available at the end of 2026 will be significantly safer than the ones available now.

Fact — Dodgy add-ons are a real problem
In early 2026, security researchers found harmful software hidden inside popular add-ons for well-known AI tools. Businesses that installed these add-ons unknowingly gave the harmful software access to their systems. The lesson is simple: just because you trust the main AI tool does not mean you should automatically trust everything that plugs into it. Always check where an add-on comes from and what it does before installing it.

10. Coming Next in This Series

This bulletin has covered the general risks of AI agents. Our next guides will get more specific and give you step-by-step instructions for safely setting up the AI tools your team is most likely to use:
• Securing ChatGPT — how to set up OpenAI's tools safely for business use
• Securing Microsoft Copilot — the right settings and permissions to protect your business across Microsoft 365
• Securing Claude — how to manage Anthropic's AI assistant and control what it can access
• Securing Google Gemini — what to check when using Google's AI tools at work
These guides will include recommended settings, checklists, and example policies that you can hand to all staff. The aim is to help you get the benefits of these tools without taking unnecessary risks.

Worth noting — A company AI policy
Alongside the tool-specific guides, we will provide a ready-made template for a company-wide AI usage policy. This will set out what staff can and cannot do with AI tools, what data they may enter, what approvals are needed, and how to raise concerns. Having clear, written rules is one of the single most effective things any business can do to manage AI risk.

11. About This Bulletin

This bulletin is produced by mybusiness technology Ltd (MYTE) as part of our AI Security Guidance series for Sage 200 users. It is written for finance teams, accounts staff, business managers and IT decision-makers who want to understand the changing risks around AI without wading through technical jargon.
