You wouldn't tell a first-year associate "do law" and expect good results. So why are attorneys doing exactly that with AI agents?
Daniel Katz's thermostat-to-AI-agent framework from Agentic AI in Law and Finance: Navigating a New Era of Autonomous Systems applies a simple insight: agents aren't magic. They're systems that need structure, supervision, and clear boundaries—just like junior associates. The difference is that agents won't ask clarifying questions unless you design them to.
The framework defines agency through six properties split across two levels. GPA—Goal, Perception, Action—defines the baseline. A thermostat qualifies. It has a goal (maintain 72 degrees), perception (temperature sensor), and action (turn heating on or off). That's an agent in the technical sense.
But professional work requires more. IAT—Iteration, Adaptation, Termination—separates tools from operational systems. Iteration means the agent loops through perceive-act cycles, checking its own work. Adaptation means it changes strategy based on feedback rather than following rigid rules. Termination means it knows when to stop.
The jump from GPA to GPA+IAT is where agents become capable enough to matter and dangerous enough to require governance. A single ChatGPT response is just GPA—it generates text and stops. An agent that researches case law, checks citations against databases, rewrites paragraphs when it finds errors, and terminates when the memo meets quality thresholds? GPA+IAT. And it needs supervision.
The framework's real value isn't the taxonomy. It's forcing attorneys to think about agents as systems requiring operational design, not as tools you just turn on.
The Intent Gap Creates Immediate Risk
When you tell a human junior associate "review this contract for risks," shared context does the heavy lifting. They know you mean legal risks to your client, not the risk that the paper might give them a paper cut. They understand your firm's risk tolerance. They know which precedents matter.
An AI agent has none of that context. The framework calls this the Intent Gap—the distance between your vague instruction and the specific, structured goal the agent needs to execute.
The gap creates two failure modes. First, the agent guesses. You say "fix the formatting" and it deletes half the document because it thought the text was the formatting error. Second, the agent proceeds confidently with the wrong interpretation. You ask it to analyze "risks to the lender" and it provides a thorough analysis of risks to the borrower.
Attorneys working with agents need to design for the intent gap. Build in clarification checkpoints. If the stakes are high and the instruction is ambiguous, the agent should stop and ask. "Did you mean risks to the lender or the borrower?" Just like a good junior associate would.
If your agent never asks questions, that's not a sign of intelligence. It's a liability.
Authority Hierarchies Don't Exist for Generic AI
The junior associate analogy gets technical when it comes to legal research. Understanding source authority is the foundation—a Supreme Court case from 1990 beats a District Court case from 2024. Unless the Supreme Court case was overturned. A circuit split means different precedent applies depending on jurisdiction.
To a generic AI trained on internet text, these are all just documents. A Supreme Court opinion, a blog post from 2015, and a tweet from last week all look like "information." The Retrieval-Augmented Generation (RAG) architecture addresses this by giving agents access to specific databases rather than relying on fuzzy memory. But RAG doesn't solve the authority problem.
Attorneys designing agent workflows need to build in source hierarchy. The agent's perception tools must understand that Circuit Court rulings beat District Court rulings. That subsequent cases can overturn prior precedent. That the date of a ruling matters for determining current law.
Training better models won't solve this. You need to engineer the tools agents use to perceive their environment. If the agent can't distinguish between authority and just data, you get well-formatted memos citing blog posts as if they were binding precedent.
Ethical Walls Need Technical Architecture
Law firms and legal departments already have ethical walls—strict rules preventing the team on Case A from talking to the team on Case B when the same firm represents adverse parties. Humans understand these boundaries. They know when they're crossing from one matter to another.
Now imagine one AI agent that serves the entire legal department. It learns from every document it reads. It helps the team on Case A, absorbs their strategy, then shifts to help the team on Case B.
Without compartmentalization, that agent accidentally uses Client A's confidential information to help Client B. That's not a hypothetical risk. It's an immediate malpractice problem.
Attorneys deploying shared agents need technical memory architecture that enforces ethical walls. The agent must literally forget what it knows about Client A when it logs in to work for Client B. You need strict isolation in how the agent's memory is structured.
The counterintuitive requirement: forgetting becomes a critical feature. Usually with AI, more data and more connections improve performance. But in legal practice, deliberately limiting what the agent can remember across different matters is a compliance requirement, not a limitation.
The Reversibility Framework Maps Autonomy to Risk
The framework proposes a traffic light system for deciding what agents can do autonomously based on whether actions can be undone.
Green light: Fully reversible. Research. Drafting memos on your local drive. If the agent hallucinates or produces garbage, delete it. No harm done. Agents can operate fully autonomously here.
Yellow light: Partially reversible. Internal emails. Meeting scheduling. If the agent messes up, you send a "Sorry, ignore that" follow-up. It's embarrassing, wastes time, creates inefficiency. You probably want a human checkpoint—someone glances at it before it goes out.
Red light: Irreversible. Wire transfers. Filing lawsuits. Publishing press releases. Once that button is pressed, the damage is done. You cannot un-ring the bell.
The framework's guidance is absolute: never give agents autonomous authority over irreversible actions. The agent can draft the wire instructions. It can set everything up. But a human thumb must press the final send button.
Match autonomy to consequences. The same principle applies to junior associates—you don't let them file motions without review, even when you trust their work.
Idempotency Prevents Accidental Disasters
One technical detail becomes critical in deployment: idempotency. The concept is simple—doing the same thing twice shouldn't change the result.
The failure mode: You tell your agent "buy 100 shares of Apple." The agent sends the request to the stock exchange. The internet lags. The agent doesn't get a confirmation receipt. So it thinks the request didn't go through and tries again. Still no receipt. It tries again. Suddenly you own 300 shares of Apple. Or 3,000.
The "retry logic" problem. Attorneys designing agent workflows need to ensure that systems recognize duplicate requests. Even if the agent sends the same instruction ten times due to network issues, the system should execute it once.
Idempotency seems like a small technical detail. But it's the difference between an agent executing your instruction and an agent accidentally multiplying your exposure by an order of magnitude.
Circuit Breakers Stop Runaway Costs
Stock markets have circuit breakers—if the market crashes too fast, trading automatically stops. Agents need the same protection.
Imagine an agent gets stuck in a loop, calling a paid API a thousand times per second. You wake up to a $50,000 bill. Or an agent that keeps filing the same motion because it's not getting the expected response from the court's e-filing system.
Attorneys need to design spending limits and behavioral constraints into agent workflows. Maximum API calls per hour. Maximum dollar spend per day. Automatic shutoff when the agent repeats the same action more than X times.
Basic operational hygiene, not sophisticated AI safety measures. The same principle applies to credit card spending limits—you don't hand someone a card with no limit and hope they'll be responsible.
From Command to Intent Changes Everything
The framework ends with a provocative observation. For 50 years, we've lived in the era of Command. We tell computers how to do something: click this, type that, run this script.
Now we're moving to Intent. We tell computers what we want: "Get me the best deal." "Protect me from risks." "Find the relevant precedent."
But that shift raises a question attorneys need to confront: if the computer is finally powerful enough to execute your intent, are you actually capable of defining what you want clearly?
"Do the right thing" is not a valid line of code. "Review this contract" is not a complete instruction. Ambiguity was fine when humans could read between the lines. With agents, ambiguity is a bug.
What This Means for Legal Teams
The thermostats-to-agents framework provides attorneys with a practical mental model that moves beyond "AI will replace lawyers" hype and "AI is dangerous" fear.
Agents are systems. They need structure the same way junior associates need training. They need supervision the same way you review work product before it goes to court. They need clear boundaries the same way you don't give unlimited authority to any individual in your organization.
The GPA+IAT properties define what makes something agentic—not just smart text generation but a system that loops, adapts, and knows when to stop. The intent gap forces explicit instruction design. Authority hierarchies require technical implementation. Ethical walls demand memory architecture. The reversibility framework maps autonomy to consequences.
None of this limits what agents can do. It builds the operational infrastructure that makes agent deployment safe, effective, and defensible.
The attorneys who get this right will be the ones who think about agents as team members requiring management, not as tools requiring activation.
References
Based on Agentic AI in Law and Finance: Navigating a New Era of Autonomous Systems by Daniel Katz. The book provides frameworks for evaluating AI agent claims, design patterns for reliable agents, and governance frameworks for legal and financial settings.
Available on Amazon: https://lnkd.in/g8nGxZ9x
Digital access: https://lnkd.in/grqnrjC7
Additional resources: https://ai4lf.com/
