AI’s review of the Canadian government’s ‘Guide on the Use of Agentic Artificial Intelligence’

Canada's AI Guide Review

The government of Canada has come out with a ‘Guide on the Use of Agentic Artificial Intelligence’.

But is it any good?

I asked Claude; here’s its full review:

Here’s my accuracy and completeness review of the TBS Guide on the Use of Agentic Artificial Intelligence (published May 22, 2026).


Overall Assessment

The guide is well-structured and largely accurate for a government policy document aimed at a non-technical public servant audience. It reflects current thinking in the field (aligned with NIST AI RMF, EU AI Act principles, OWASP guidance). That said, there are several notable gaps and a few technical imprecisions worth flagging.


What’s Strong ✅

Conceptual framing is sound. The generative AI → agentic AI distinction (reactive vs. proactive; content vs. action) is accurate and well-explained for a lay audience.

The autonomy spectrum example is effective. The four-level scheduling scenario is a good didactic device and the levels map reasonably to how practitioners think about AI agent autonomy.

Bounded autonomy + recoverability are genuinely the two most important governance additions beyond standard generative AI guidance. Good choices.

Prompt injection coverage is appropriate. Calling it out explicitly, linking to OWASP and the Microsoft MSRC reference, and integrating it into the case study (Case Study 2) is a meaningful operational contribution.

The before/during/after structure is practical and the 13-point checklist is one of the most actionable parts of the document.

The glossary is clean and appropriately scoped for the intended audience.


Issues: Accuracy & Precision ⚠️

1. The “agentic AI” definition is slightly circular/imprecise. The glossary defines agentic AI as “systems composed of multiple coordinated AI agents,” but Section 2 correctly clarifies it includes “one or multiple” agents. A single AI agent with tool access and autonomous planning is already agentic. The glossary should be updated to match the body text.

2. The distinction between “agentic AI” and “AI agent” blurs unnecessarily. The guide defines an AI agent as a system that “perceive[s] and act[s] on their environment” and agentic AI as systems “composed of one or multiple coordinated AI agents.” In practice, many frameworks (NIST, Anthropic, Google DeepMind) treat a single autonomous tool-using LLM as an AI agent and as exhibiting agentic behaviour. The two glossary definitions risk confusing readers into thinking agentic AI always implies multi-agent orchestration, which isn’t accurate.

3. The four autonomy levels don’t map cleanly to established frameworks. The guide invents its own four-level taxonomy (Assistive → Semi-autonomous → High autonomy → Adaptive autonomy) without referencing or reconciling with existing frameworks like the NIST AI RMF’s autonomy continuum or OECD’s tiering. This isn’t wrong, but it risks creating GC-specific vocabulary that doesn’t interoperate with industry practice or international benchmarks the document itself cites.

4. “Automation drift” conflates two distinct phenomena. The glossary definition covers both system drift (the agent’s behaviour deviating from design) and user drift (over-reliance leading humans to treat suggestions as decisions). These are different failure modes requiring different mitigations. Merging them under one term and definition weakens the governance precision.

5. The “kill switch” framing is undersold. Section 5(j) mentions a pause/disable mechanism “external to the AI agent” — this is the correct design principle (the switch must be out-of-band from the agent itself). But the guide doesn’t explain why it must be external, which is the key insight: a compromised or looping agent cannot be relied upon to honour an internal stop command. A sentence of rationale here would strengthen practitioner understanding significantly.


Issues: Completeness 🔍

6. No guidance on multi-agent trust boundaries. Multi-agent systems — where one AI orchestrates others — introduce a specific and serious risk: a sub-agent may not be able to verify that instructions from an orchestrating agent are legitimate. The guide acknowledges that agents can have sub-agents (in the bounded autonomy section), but provides no concrete guidance on how trust is established between agents in a pipeline. This is a known attack surface (a compromised orchestrator can hijack sub-agents) and deserves at least a paragraph.

7. Procurement and third-party agentic AI is underaddressed. The guide focuses heavily on internally built or configured agents. But many GC departments will be procuring agentic AI capabilities from vendors (Microsoft Copilot agents, Salesforce Agentforce, etc.) where the ability to audit logs, set permissions, or add checkpoints may be contractually or technically constrained. The guide should acknowledge this scenario and direct readers to supply chain security and procurement due diligence obligations.

8. The Directive on Automated Decision-Making (DADM) connection needs more development. The DADM is referenced twice — at the top and in 5(a) — but the relationship is left vague (“consult on whether it applies”). In practice, agentic AI operating in regulatory, benefits, or administrative decision contexts will almost certainly trigger DADM impact assessment requirements. Given how much agentic AI expands what counts as an “automated decision,” more explicit guidance on when the DADM is triggered (vs. when it isn’t) would be highly valuable.

9. Memory and context persistence is not addressed. Agentic systems increasingly use persistent memory (vector databases, session state) to maintain context across interactions. This creates privacy, data retention, and IM/IT recordkeeping risks not covered under standard generative AI guidance. The guide is silent on this.

10. No guidance on model updates and version changes. When the underlying LLM powering an agent is updated (as happens routinely with cloud-deployed models), agent behaviour can change without any configuration change by the department. This is a real operational risk — a previously validated agent may behave differently after a silent model update. The guide’s “reassess when things change” section (5(l)) doesn’t address this specific scenario.

11. Accessibility and Official Languages are absent. For a GC guide on deploying systems that interact with citizens, the absence of any mention of Official Languages Act obligations or WCAG/accessibility requirements for agentic outputs is a gap. If an agent is drafting communications or routing service requests, bilingual and accessible output requirements apply.


Minor Issues 🔎

URL typo in the page address: The URL itself contains a typo — “antelligence” instead of “intelligence” — which could affect discoverability and link integrity. (guide-use-agentic-artificial-antelligence.html)

The FASTER acronym isn’t explained in this document. It’s introduced without definition and readers are pointed to the generative AI guide. At minimum a footnote defining the acronym inline would improve standalone readability.

Case Study 2 resolution is slightly hand-wavy. The “thoughtful design enabled the agent to complete its tasks without being manipulated” conclusion doesn’t specify what the concrete technical safeguards were beyond input sanitization and a short action list. Readers trying to replicate this in their own deployments need more operational specificity.


Summary Table

| Area | Rating | Notes |
|---|---|---|
| Core concepts & definitions | ✅ Good, minor imprecision | Glossary/body mismatch on single vs. multi-agent |
| Autonomy levels | ⚠️ Adequate | Custom taxonomy doesn’t map to international frameworks |
| Risk coverage | ⚠️ Partially complete | Misses memory persistence, model versioning, supply chain |
| Governance principles | ✅ Strong | Bounded autonomy + recoverability are well-chosen |
| Practical guidance | ✅ Strong | Before/during/after structure is actionable |
| Regulatory integration | ⚠️ Underdeveloped | DADM application guidance is vague |
| Multi-agent specifics | ❌ Gap | Trust boundaries between agents not addressed |
| Procurement/third-party | ❌ Gap | No guidance for vendor-procured agentic AI |
| Official Languages/Accessibility | ❌ Gap | No mention |
| URL | ❌ Typo | “antelligence” in the URL slug |

The document is a solid first version and meaningfully advances GC AI governance. The multi-agent trust boundary gap and the DADM integration gap are the two highest-priority items to address in a revision.
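
Point 5 of the review above says the pause/disable mechanism must sit outside the agent, because a looping or compromised agent cannot be relied upon to honour an internal stop command. The following is an added example, not part of the review or of the TBS guide: a supervisor sends an in-band stop request and, when it is ignored, ends the agent process from outside. The two agent scripts and `run_with_controls` are hypothetical stand-ins constructed for illustration.

```python
import subprocess
import sys

# Constructed stand-in for an agent stuck in a loop: the stop request reaches
# it in-band (on stdin) and it carries on regardless.
LOOPING_AGENT = """
import sys, time
sys.stdin.readline()
while True:
    time.sleep(0.05)
"""

# Constructed stand-in for a well-behaved agent that honours the request.
COOPERATIVE_AGENT = """
import sys
if sys.stdin.readline().strip() == "stop":
    sys.exit(0)
"""


def run_with_controls(agent_source, grace=2.0):
    """Ask the agent to stop in-band; enforce the stop from outside if it does not."""
    proc = subprocess.Popen([sys.executable, "-c", agent_source],
                            stdin=subprocess.PIPE, text=True)
    try:
        proc.stdin.write("stop\n")
        proc.stdin.flush()
        try:
            proc.wait(timeout=grace)  # did the agent exit on its own?
            honoured = True
        except subprocess.TimeoutExpired:
            # Supervisor-side control: needs no cooperation from the agent.
            proc.kill()
            proc.wait()
            honoured = False
    finally:
        proc.stdin.close()
    return {"honoured_in_band": honoured,
            "killed_externally": not honoured,
            "still_running": proc.poll() is None}


if __name__ == "__main__":
    print("cooperative:", run_with_controls(COOPERATIVE_AGENT, grace=10))
    print("looping:    ", run_with_controls(LOOPING_AGENT, grace=1))
```

The looping agent only stops because the supervisor owns the process handle; the same stop request that the cooperative agent obeys has no effect on it.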
