The 2025 AI Agent Index: Technical and Safety Features of Deployed Agentic AI

Why the AI Agent Index Matters Now

The rapid proliferation of agentic AI systems has created an urgent need for systematic documentation of their capabilities, safety features, and deployment contexts. Unlike traditional AI models that generate text or images in response to prompts, agentic AI systems can autonomously browse the web, execute code, manage business workflows, and interact with external services — often with minimal human supervision. This fundamental shift from passive generation to active execution makes understanding the safety landscape of deployed AI agents more critical than ever.

The 2025 AI Agent Index, developed by researchers from MIT, Cambridge, Harvard, Stanford, and other leading institutions, addresses this gap by providing the most comprehensive documentation effort to date. Building on the inaugural 2024 index, this edition focuses on 30 highly agentic and widely deployed systems, examining them across six categories: legal compliance, technical capabilities, autonomy and control, ecosystem interaction, evaluation methods, and safety features.

The timing is significant. McKinsey & Company’s 2025 survey of nearly 2,000 companies found that 62% are at least experimenting with AI agents, and the consultancy estimates AI agents could automate $2.9 trillion in US economic value by 2030. Meanwhile, interest in agentic AI has surged — Google Scholar paper counts for “AI agent” or “agentic AI” in 2025 exceeded the combined total from 2020 to 2024 by more than twofold. As organizations rush to deploy these systems, the gap between capability advancement and safety oversight continues to widen, making tools like the AI Agent Index essential for responsible deployment.

Inside the 2025 AI Agent Index Methodology

The research team developed rigorous inclusion criteria to determine which AI systems qualified for the index. Rather than attempting to catalog every system that claims the “agent” label — a term that remains nebulously defined across disciplines — the researchers focused on systems demonstrating genuine agency through three required properties: autonomy in pursuing goals, real-world impact potential, and practical deployment at scale.

Each indexed agent was evaluated across approximately 100 information fields spanning six core categories. The data collection process combined systematic analysis of publicly available documentation with direct email correspondence with developers. This dual approach was essential because, as the researchers discovered, much critical safety information simply is not made public by developers.

The methodology draws on a rich history of AI documentation frameworks, including model cards, system cards, datasheets, and the Foundation Model Transparency Index. However, the AI Agent Index represents something genuinely new: the first comprehensive attempt to document the unique characteristics of agentic systems — their autonomy levels, ecosystem interactions, safety guardrails, and real-world behavioral patterns — that existing frameworks for static models do not capture.

Three detailed case studies complement the broader index, examining a browser agent, an agentic chatbot, and a customizable enterprise agent builder. These case studies illustrate the diversity of the agent landscape and the distinct safety challenges each paradigm presents.

AI Agent Safety Features Across 30 Deployed Systems

Perhaps the most concerning finding from the 2025 AI Agent Index is the state of safety documentation across deployed agentic systems. The researchers found that most AI agent developers share remarkably little information about their systems’ safety features, evaluation results, and potential societal impacts. This opacity is particularly troubling given that agentic AI systems can directly cause harm through autonomous actions, unlike traditional chatbots where a human user mediates between the model’s output and real-world consequences.

The safety category in the index examines several critical dimensions: whether developers conduct pre-deployment safety testing, what guardrails are implemented to prevent harmful actions, how systems handle edge cases and failure modes, and whether there are mechanisms for monitoring and correcting agent behavior post-deployment. Across all 30 systems, the researchers found significant variation in the maturity and transparency of safety approaches.

Some systems, particularly those from larger organizations with dedicated safety teams, demonstrated relatively robust safety frameworks including red-teaming exercises, capability evaluations for dangerous behaviors, and documented incident response procedures. However, even among these leaders, the researchers noted that safety documentation often lacked the methodological rigor expected in other safety-critical industries. The gap between the safety practices of leading developers and the rest of the field is stark and widening.

Notably, the index found that safety considerations specific to agentic systems — such as controlling autonomous web browsing, preventing unauthorized data access, and managing multi-step action sequences that could compound errors — remain largely unaddressed even in systems with otherwise strong safety credentials. This suggests the field has yet to fully reckon with the unique safety challenges that emerge when AI systems transition from generating outputs to taking actions.

Transparency Gaps in Agentic AI Development

Transparency emerged as one of the most significant themes in the 2025 AI Agent Index. The researchers identified substantial and systematic gaps in the information that AI agent developers make publicly available. While the tech industry has made incremental progress in documenting traditional AI models through initiatives like model cards and system cards, this transparency has not extended meaningfully to agentic systems.

The index reveals a concerning pattern: developers are generally more forthcoming about their agents’ capabilities — which serves marketing purposes — than about limitations, failure modes, safety evaluations, or potential societal impacts. This asymmetry creates a distorted picture of the AI agent landscape, where users and policymakers can easily learn what an agent can do but struggle to understand what could go wrong.

Several specific transparency gaps stand out. First, most developers provide minimal information about how their agents are evaluated for safety, making it impossible for external researchers to assess the rigor of testing procedures. Second, documentation of agent behavior in real-world deployment — as opposed to controlled benchmark settings — is nearly nonexistent. Third, information about the data used to train and fine-tune agent behaviors, particularly regarding safety-relevant training, is almost universally absent.

The researchers argue that these transparency gaps are not merely academic concerns. As governments worldwide begin developing regulatory frameworks for AI, including the EU AI Act and proposed US legislation, the lack of standardized disclosure requirements for agentic systems creates a regulatory blind spot that could have serious consequences as these systems become more powerful and pervasive.

AI Agent Autonomy and Human Oversight Mechanisms

The concept of autonomy is central to what makes AI agents both powerful and potentially dangerous. The 2025 AI Agent Index provides a nuanced analysis of how different systems implement varying levels of autonomy and, critically, what mechanisms exist for human oversight and intervention. The findings paint a mixed picture: while most systems include some form of human-in-the-loop capability, the effectiveness and accessibility of these controls vary dramatically.

The index categorizes agent autonomy along several dimensions, including the scope of actions an agent can take independently, the types of approvals required for high-stakes actions, and the ease with which users can monitor and interrupt agent behavior. At one end of the spectrum are systems that require explicit human approval for every action, effectively functioning as advanced assistants rather than true agents. At the other end are systems that can execute complex multi-step workflows autonomously, with human oversight limited to reviewing outcomes after the fact.

A particularly important finding concerns the relationship between autonomy and safety documentation. Systems with higher autonomy levels generally have greater potential for causing harm through unanticipated actions, yet the index found no consistent correlation between autonomy level and the robustness of safety measures. Some of the most autonomous systems in the index had among the thinnest safety documentation, suggesting that the rush to deploy increasingly capable agents is outpacing the development of appropriate safety infrastructure.

The researchers highlight the importance of what they term “meaningful human oversight” — not merely the theoretical ability to intervene, but practical mechanisms that make oversight effective in real-world conditions. This includes clear interfaces for monitoring agent actions in real time, understandable explanations of agent reasoning, and accessible controls for modifying or halting agent behavior.

Enterprise AI Agents vs. Consumer AI Agents

The 2025 AI Agent Index reveals significant differences in safety approaches between enterprise-focused and consumer-facing AI agents. Enterprise agents, designed for business workflow automation, customer service, and data analysis, tend to operate within more structured environments with defined permissions and access controls. Consumer agents, including browser agents and general-purpose agentic chatbots, often face more open-ended and unpredictable deployment contexts.

Enterprise agent platforms like Salesforce’s Agentforce and Microsoft’s Copilot Studio typically implement role-based access controls, audit logging, and integration with existing enterprise security infrastructure. These systems benefit from the organizational context in which they operate — companies deploying enterprise agents usually have IT security teams, compliance requirements, and established governance frameworks that provide additional layers of safety beyond what the agent platform itself offers.

Consumer AI agents, by contrast, often operate with fewer structural safeguards. Browser agents that navigate the web on behalf of users face particularly complex safety challenges: they must interact with arbitrary websites, handle authentication credentials, and make decisions about which actions to take in unfamiliar environments. The index found that safety documentation for browser agents was especially thin, despite the obvious risks associated with autonomous web navigation including credential theft, unauthorized purchases, and exposure to malicious content.

The distinction between enterprise and consumer agents also has implications for transparency. Enterprise customers typically have more leverage to demand detailed safety information from vendors, and enterprise deployments often involve security reviews and contractual obligations around safety. Consumer users, however, must rely primarily on whatever information the developer chooses to make public — which, as the index demonstrates, is frequently insufficient for informed decision-making about the risks of using these systems.

Evaluating AI Agent Risks in Real-World Deployment

The transition from laboratory benchmarks to real-world deployment introduces a host of risks that the 2025 AI Agent Index attempts to document and categorize. While AI capability benchmarks like SWE-bench, WebArena, and GAIA have become standard tools for measuring what agents can do, the index highlights the critical gap between benchmark performance and real-world safety outcomes.

In controlled benchmark settings, agents operate within predefined parameters with known correct answers. Real-world deployment, by contrast, involves interacting with unpredictable environments, handling ambiguous instructions, managing competing objectives, and recovering from errors gracefully. The index found that very few developers document how their agents perform in these realistic conditions, or what specific risks emerge when agents encounter situations outside their training distribution.

The researchers identified several categories of risk that are particularly relevant to agentic systems. Compounding errors represent one major concern: when an agent takes a sequence of autonomous actions, a single mistake early in the chain can cascade into increasingly serious consequences. Scope creep is another risk — agents given broad objectives may take actions that technically serve the stated goal but violate implicit constraints or social norms that the developer did not anticipate.

The index also documents risks related to agent interactions with other agents and automated systems. As AI agents become more prevalent, they increasingly operate in environments where multiple automated systems interact with each other. These multi-agent interactions can produce emergent behaviors that no individual system was designed to exhibit, creating systemic risks that are difficult to predict or control. The NIST AI Risk Management Framework provides a starting point for addressing these challenges, but the index suggests that much more work is needed to develop risk management approaches specific to agentic systems.

AI Agent Ecosystem Interactions and Dependencies

One of the most novel contributions of the 2025 AI Agent Index is its systematic documentation of how AI agents interact with broader technological and social ecosystems. Unlike standalone models that process inputs and produce outputs in isolation, agentic systems are deeply embedded in networks of APIs, services, data sources, and human workflows. Understanding these ecosystem interactions is essential for assessing agent safety comprehensively.

The index maps several types of ecosystem dependencies. Foundation model dependencies are perhaps the most obvious — most deployed AI agents rely on underlying language models from providers like OpenAI, Anthropic, or Google for their core reasoning capabilities. This creates supply-chain risks: changes to the underlying model’s behavior, capabilities, or safety properties can cascade through all agents that depend on it.

Tool and API dependencies represent another critical dimension. Agents that can browse the web, send emails, modify files, or interact with enterprise systems derive their power from these integrations but also inherit the security vulnerabilities and failure modes of every service they connect to. The index found that documentation of these dependencies and their associated risks is generally poor, with most developers focusing on the capabilities enabled by integrations rather than the risks they introduce.

The social ecosystem around AI agents is equally important. The index documents how agents interact with human users, what expectations developers set about agent capabilities and limitations, and how failures are communicated. The researchers found significant variation in how developers manage user expectations, with some providing clear documentation of limitations while others implicitly encourage over-reliance through marketing language that overstates agent capabilities.

Building Safer AI Agents: Lessons from the Index

Drawing on the patterns and gaps identified across all 30 indexed systems, the researchers offer several concrete recommendations for building safer AI agents. These recommendations target developers, deploying organizations, and policymakers respectively, recognizing that AI agent safety is a shared responsibility across the entire ecosystem.

For developers, the index emphasizes the need for comprehensive safety documentation that goes beyond capability showcases. Specifically, developers should publish detailed information about pre-deployment safety testing methodologies, known limitations and failure modes, mechanisms for human oversight and intervention, and procedures for monitoring and responding to safety incidents post-deployment. The researchers propose an “agent card” framework — analogous to model cards for traditional AI systems — that standardizes the documentation of agent-specific safety features.

For organizations deploying AI agents, the index recommends conducting independent safety evaluations rather than relying solely on vendor-provided documentation. This includes testing agents in realistic deployment conditions, establishing clear boundaries for agent autonomy, implementing monitoring systems that can detect and flag unusual agent behavior, and developing incident response plans specific to agent failures.

For policymakers, the index highlights the urgent need for regulatory frameworks that specifically address agentic AI systems. Current AI regulations, including the EU AI Act, were primarily designed with traditional AI models in mind and may not adequately address the unique risks posed by autonomous agents. The researchers call for mandatory safety disclosure requirements, standardized evaluation protocols for agentic systems, and international coordination to prevent regulatory arbitrage.

The Future of AI Agent Safety and Governance

The 2025 AI Agent Index arrives at a pivotal moment for the AI industry. Companies are racing to deploy increasingly autonomous and capable agents, governments are scrambling to develop appropriate regulatory frameworks, and the research community is working to understand the safety implications of systems that can act independently in the real world. The index provides an invaluable snapshot of this rapidly evolving landscape and a foundation for future efforts to ensure that agentic AI development proceeds responsibly.

Looking ahead, several trends identified in the index suggest both opportunities and challenges. The rapid pace of agent capability advancement shows no signs of slowing, meaning that safety and governance frameworks must be developed and deployed quickly to keep pace. The growing economic incentives for agent deployment — McKinsey’s $2.9 trillion estimate for US economic value alone — ensure that market pressures will continue to favor capability over safety unless regulatory interventions create appropriate counterbalances.

The researchers express particular concern about the existential safety implications of agentic AI. As agents become more capable and autonomous, the potential for loss-of-control scenarios increases. Yet the index found that even the most safety-conscious developers have not articulated coherent plans for maintaining control over systems that approach human-level capabilities. This disconnect between ambition and preparedness represents perhaps the most critical finding of the entire index.

Encouragingly, the existence of the AI Agent Index itself represents progress. By creating a standardized framework for documenting and comparing agent safety features, the researchers have given the community a tool for accountability. Future iterations of the index will be able to track whether developers are improving their safety practices over time, creating a powerful incentive for continuous improvement in an industry that often prioritizes shipping over safety.

The message from the 2025 AI Agent Index is clear: the agentic AI revolution is here, it is accelerating, and the safety infrastructure needed to support it is dangerously inadequate. Closing this gap will require unprecedented cooperation between developers, researchers, policymakers, and civil society — and it must happen now, while there is still time to shape the trajectory of this transformative technology.