Risk classification is done at the system level, not the model level. And agentic systems can drift out of their classification at runtime if boundaries are not enforced in code.
A static model is relatively easy to classify. It has fixed inputs, fixed outputs, and fixed capabilities. An agent is none of those things.
An agent calls tools, invokes sub-agents, and can acquire new capabilities as its configuration changes. A document review agent classified as limited risk today can cross into high-risk territory tomorrow — not because anyone decided to change its classification, but because someone added a tool that lets it initiate contract amendments. The classification doesn't update automatically. Your obligations do.