The Loop
AI language models, on their own, don't do things. They generate text. The text might be an answer, a summary, a plan — but it's still text. The model doesn't read your email; it reads a representation of your email that something else fetched and handed to it. It doesn't query a database; it generates a query, and something else runs it.
That "something else" is the harness. The harness is whatever infrastructure wraps the model: the code, the orchestration layer, the runtime that takes the model's output and decides what to do with it. When the model says "I need to look up the contract status for this vendor," the harness is what actually calls the contract system, retrieves the result, and feeds it back.
The sequence goes: the model receives a task, decides it needs information or needs to take an action, signals that need in a structured format the harness understands, and the harness executes it against a real system. The result comes back. The model decides what to do next: another action, or a final answer. Repeat until done.
This is the model-harness loop. Every "agentic" feature your buyers describe is this loop running against different tools. Reading email is the loop calling a mail API. Querying a database is the loop calling a query interface. Editing a file is the loop calling a write operation. Vendors package these as distinct capabilities. Under the hood, it's the same pattern with different endpoints.
Why This Matters Before the Meeting
The seller who understands the loop can ask questions the buyer hasn't thought to answer yet. What systems does the agent need to reach? Who authorized that access, and under what conditions? Does the agent act autonomously, or does a human approve before the harness executes? What happens when a task requires access to three systems and the agent's permission covers two of them?
These aren't gotcha questions. They're the questions that determine whether a deployment actually works. Buyers who are excited about "agentic AI" have usually thought carefully about what they want the agent to accomplish. They've thought less carefully about what the agent needs to be allowed to do, and how that allowance gets established, scoped, and revoked.
The loop is where those questions live. A seller who can name the loop can have a different conversation — one that surfaces real requirements instead of circling around a capability description that sounds like a press release.
What "Agentic" Actually Means
The word "agentic" has absorbed a lot of meaning in a short time, not all of it consistent. In some vendor contexts it means the model can call tools. In others it means the model can spawn sub-agents, run multi-step tasks, or operate with minimal human oversight. The definitions are still forming, and the spec writers and the marketing teams are not always working from the same document.
For the purposes of this section, "agentic" means one thing: the model-harness loop runs more than once, and the model decides when to stop. A single tool call is a tool call. A sequence of tool calls, where the model plans and re-plans based on intermediate results, is an agent. The distinction matters because the number of loop iterations determines the scope of what the agent can affect — and therefore the scope of what needs to be governed.
Note: In identity, a delegated authorization (an OAuth token, a service account credential) works like a scoped permission: a principal was granted access to a resource under defined conditions. The closest AI equivalent is the credential the harness uses when it executes a tool call on the model's behalf. It diverges here: in a standard OAuth flow, a human is present at authorization time, consenting to the scope being granted. In the model-harness loop, the human may have authorized the agent's access hours or days earlier. The model decides, at runtime, when to use that access. The credential looks the same. The decision-making structure around it is different. That gap is what the rest of this section is about.
What This Section Covers
The pieces that follow unpack the loop's components in sequence. Tool calling first: what it is, how the model signals a tool invocation, and what the harness does with that signal. Then agents: what it means for the loop to run autonomously across multiple steps, and what that changes about the questions you need to ask. Then the Model Context Protocol — the emerging standard for how tools get registered, described, and called — and why it's worth understanding even if your buyers haven't mentioned it yet.
Each piece covers one concept, completely resolved. The goal is a seller who walks into a conversation about "agentic AI" and knows exactly what's being described when someone says "we want our agent to access our HR system" — and knows which question to ask next. Not an AI engineer. Just the most useful person in the room.