惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

V
Visual Studio Blog
爱范儿
爱范儿
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
雷峰网
雷峰网
V
V2EX
博客园_首页
Engineering at Meta
Engineering at Meta
博客园 - 聂微东
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Apple Machine Learning Research
Apple Machine Learning Research
GbyAI
GbyAI
H
Help Net Security
A
About on SuperTechFans
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Blog — PlanetScale
Blog — PlanetScale
W
WeLiveSecurity
云风的 BLOG
云风的 BLOG
D
Docker
Security Archives - TechRepublic
Security Archives - TechRepublic
Help Net Security
Help Net Security
N
News and Events Feed by Topic
Simon Willison's Weblog
Simon Willison's Weblog
G
Google Developers Blog
A
Arctic Wolf
T
The Blog of Author Tim Ferriss
博客园 - 叶小钗
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Google DeepMind News
Google DeepMind News
博客园 - 三生石上(FineUI控件)
aimingoo的专栏
aimingoo的专栏
Hacker News: Ask HN
Hacker News: Ask HN
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
博客园 - 司徒正美
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Privacy International News Feed
T
Troy Hunt's Blog
T
Tenable Blog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Recorded Future
Recorded Future
F
Fortinet All Blogs
D
DataBreaches.Net
B
Blog
T
Threat Research - Cisco Blogs
MyScale Blog
MyScale Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
The GitHub Blog
The GitHub Blog
Security Latest
Security Latest
M
MIT News - Artificial intelligence

Towards AI

Building AI Agents in Rust — part 4 | Towards AI Building AI Agents in Rust — part 5 | Towards AI The Verified Identity Agent Bridge | Towards AI You Can’t Prompt Your Away Your LLM Problems | Towards AI The Free Agent Trap | Towards AI Your Agentic Loop Will Drift. Here Is the KL Divergence Equation That Measures How Far It Has Wandered From Its Original Instruction. | Towards AI Beyond Chat: Processing Images, PDFs, and Documents with the OpenAI Adapter in Oracle Integration Cloud | Towards AI Building AI Agents in Rust — part 3 | Towards AI Self-Hosting Airflow at Home: Automating Stock Price Data Collection | Towards AI The 76-Hour Frontier: How the Takedown of Claude Fable 5 Birthed the Military-Industrial-AI Complex | Towards AI I Trained a Markdown File to Boost GPT-5.5 by 23 Points — It Shouldn't Work | Towards AI We Replaced ChatGPT With a Local AI Server. Six Months of Honest Data. | Towards AI What Really Makes Cars Pollute? A Data Science Deep Dive into CO₂ Emissions | Towards AI Training GPT-2 From Scratch on a GTX1050 | Towards AI Principal Component Analysis (PCA): Theory, Mathematics, and Applications Build a Zero-Cost Web Automation Pipeline With OpenRouter, OpenClaw, and MediaUse I Gave Qwen3.7-Plus a Screenshot and It Found the Exact Pixel to Click for $0.40 Beyond the Prompt: Why Autonomous AI Agents Are Replacing the Chatbot Moonshot Cracked Claude Code’s Playbook with an MIT Terminal Agent and a $0.60 Model Connections, Roles, and Warehouses: Getting CoCo Desktop Production-Ready from Day One My First $5,000 Month Writing About AI Engineering on Medium Google Shrank Gemma 4 by 72% and Unsloth Fixed the 4-Bit Bug Nobody Else Caught on One 4090, and 4-Bit Shouldn’t Be This Good LangChain Explained: Understanding Models, Prompts, Chains, Memory, Indexes, and Agents TOON: Beyond JSON for LLMs Claude Code Casual, Pro, Elite: The Three Working Personas of Claude Code Mastery MiniMax M3 Decodes 1M Tokens 15x Faster — and It Shouldn’t Be This Cheap Using Amazon SQS for AI Agent Orchestration I Ran a 1.5B-Active Model on My Laptop That Embarrassed a 26B by 46 Points How to Build a Self-Improving Company with AI Part 3 — Implementation/Engine-Level: Choosing the Runtime That Gives You These for Free Part 2 — Serve-Level Speed: System Design That Stabilizes P95/P99 3-Part Series: LLM Latency in Production (Part 1) Claude Code: The AI Coding Partner Changing How Developers Build Software Claude Code Pitfalls: Claude Code Won’t Do What You Told It: A Troubleshooting Catalog Full-Stack Data Scientists for the Agentic Coding World Building Production-Grade AI Skills with Snowflake Cortex AI Function Studio I Tried 10 AI Agent Frameworks in 2026 — Here’s the Honest Guide I Wish I Had Earlier How One Spring Boot Optimization Saved Our Startup $30,000 a Year Inside Palantir AIP: How the World’s Most Controversial AI Platform Actually Works What Is a Reverse Proxy? (And Why Every Backend Developer Should Care) What Claude Opus 4.8 Actually Changes If You’re Building Agents QWEN 3.7 Max Worked For 35 Hrs Straight And The Results Were Mind-blowing When LLMs Meet Knowledge Graphs on the Battlefield Fine-Tuning is Dead: Why Context Orchestration Won in 2026 5 Things Broke When I Shipped a RAG + MCP Agent to Production. Google Co-Scientist: Hyper Scaling Research and Discovery Microsoft Just Embarrassed Browser Web Agents — 1,000 Lines Made GPT-5.4 Beat Opus 4.6 on 200 Web Tasks The Modern Data Stack Is Broken — Here’s How to Fix It With AI, Governance, and Real Architecture Building Production MCP Servers: What the Spec Won’t Tell You When Should an Agent Stop? The Anatomy of Termination Harness Engineering: The Layer That Matters More Than the Model AI Engineers Who Can’t Debug Are Getting Fired (Here’s How I Debug with Claude Code) Claude Code Memory: Why You Keep Explaining the Same Thing to Claude (and the Five Layers That Fix It) Claude Code Subagents: The Claude Code Feature You Skip Every Day (And Why It Quietly Wrecks Your Sessions) Agentic AI and the SMB Banking Advantage Claude Code: Spec-Driven Development — Why Your AI Coding Sessions Fall Apart at Hour Three The Real Cost of Agentic AI Nobody Budgets For SVM : 40 must visit Interview Questions (Part 2) Unleashing the Power of ONNX for Speedier SBERT Inference Terraform vs CI/CD for Serverless Deployments Merve Noyan Stopped Writing Training Scripts — Her Agent Just Fine-Tuned 18 Models Solo for $11.40 Why Your Sales Forecast Is Always 20% Wrong (And How To Make It 12% Wrong) Genetic Cubic n{C/A} Ratios For Elementary Robotics Design Top 20 AdaBoost Interview Questions & Answers (Part 2 of 2) Agentic AI Vs AI Agents — What Are the Key Differences? LAI #127: The Infrastructure Layer of AI Is Becoming the Product Anthropic Caught Its Own AI Planning to Blackmail Engineers RNNs Cannot Think What Transformers Think Cheaply. ICLR 2026 Proved the Gap Is Exponential. Time Series Made So Easy My Aunt Got It on the Second Read Claude Cowork 101 | Towards AI Is 3-Bit KV Cache the Holy Grail? A Reality Check on Google’s TurboQuant LangGraph Multi-Agent Architecture: Building a Self-Critiquing AI Debate System AutoML on Autopilot | Towards AI I Ran This Open-Source AI Tool on a Messy Codebase and Got 71x Fewer Tokens — Here Is Exactly What Happened Month in 4 Papers (April 2026) AI Kept Forgetting My Notes. Fixing That Taught Me How It Actually Works. How ChatGPT Makes You Addicted Crack ML Interviews with Confidence: K-Nearest Neighbors (KNN 20 Q&A) The Event-Driven Blueprint: How I Scaled a Spring Boot System to 10 Million Kafka Messages/Day Building Vector Search? Why FAISS Alone Isn’t Enough TAI #202: GPT-5.5 Moves Codex Into Real Work Machine Learning System Design -The Model Serving Triangle, With One Forward Pass Flowing Through Every Trade-off (Part3) AI Orchestration in Action: How MuleSoft and LLMs Fuel the Future of Enterprise AI GPT-4 Has 1.8 Trillion Parameters. It Uses 2% of Them Per Token. Part 20: Data Manipulation in Multi-Dimensional Aggregation A Fundamental Introduction to Genetic Algorithm -Part Two TAI #200: Anthropic’s Mythos Capability Step Change and Gated Release From Notebook to Production: Running ML in the Real World (Part 4) Sqribble’s Template‑Driven Document Automation Anthropic Just Shipped the Layer That’s Already Going to Zero Long-Term vs Short-Term Memory for AI Agents: A Practical Guide Without the Hype The L1 Loss Gradient, Explained From Scratch Your Postcode Is Deciding Your Care. I Built a Pipeline to Prove It. I Directed AI Agents to Build a Tool That Stress-Tests Incentive Designs. Here’s What It Found. Your System Prompt Is the Product — Not the Feature The LLM Wiki Trend Has a Retention Problem Nobody Mentions Top 20 Data Preparation Interview Questions and Answers (Part 2 of 2) LAI #122: Word Embeddings Started in 1948, Not With Word2Vec Top 15 Computer Vision Datasets [2026] 40 Generative AI Interview Questions That Actually Get Asked in 2026 (With Answers)
Your AI Agent Works Perfectly in the Demo. Here Are the 6 Ways It Dies in Production.
Editorial Team · 2026-05-19 · via Towards AI

Author(s): Vinamra Yadav

Originally published on Towards AI.

Your AI Agent Works Perfectly in the Demo. Here Are the 6 Ways It Dies in Production.

The demo worked perfectly. You ran it twenty times. You showed it to your team. You showed it to your CTO. Every prompt returned exactly the right output.

Then you deployed it.

Three days later, a customer reported that the agent gave them completely wrong information — confidently, without any error. Your logs showed HTTP 200s all the way down. Your monitoring reported zero errors. The agent had been silently hallucinating for 72 hours, and nothing in your infrastructure had noticed.

This is not a model quality problem. The model was doing exactly what models do. This is an architecture problem — and it’s the problem nobody writes about, because it only becomes visible after you’ve already deployed.

I’ve spent the last year building and reviewing AI agent systems in production. The failure taxonomy is consistent. There are six ways an AI agent dies in production, and almost none of them show up in a demo.

The math that should terrify you

Before the taxonomy, one number worth sitting with.

If your agent achieves 85% accuracy per step — which is a good number, better than many production systems — and your workflow has 10 steps, the probability of completing that workflow successfully is 0.8⁵¹⁰ = 19.7%.

In this simplified model — where steps are independent and success is binary — roughly eight out of ten workflows fail despite each individual step being “pretty good.” Real failure modes are messier than this, and steps are rarely fully independent. But the model captures the architecture problem accurately: multi-step workflows compound failure. The only way out is to build failure handling into every step, not just the last one.

Now, the six failure modes.

Failure 1: Context degradation

In a multi-step agent workflow, the model doesn’t remember what happened two steps ago — you send it. Every API call includes the entire conversation history. And that history grows with every step.

What engineers miss: context doesn’t just grow, it degrades. Datadog’s 2026 State of AI Engineering report documents the pattern precisely: the average token count in production agent workflows more than doubled year-over-year for median-use teams, and quadrupled for heavy users. As context grows, the original instruction becomes diluted — newer tool outputs and summaries crowd out the early reasoning, and the agent continues confidently on increasingly corrupted signal. When this drift surfaces, there is no owner to page, no baseline to compare against, no runbook to execute. It surfaces as a customer complaint.

The agent doesn’t tell you this is happening. The outputs become subtly wrong in ways that are nearly impossible to detect without evaluation tooling.

The pattern that makes it worse: engineers build agents that pass outputs between steps as plain text summaries. The model summarises step 3’s output, passes the summary to step 4, which summarises again for step 5. Each summarisation is a lossy compression. By step 8, you’re acting on a summary of a summary of a summary of the original instruction.

The fix: preserve structured outputs between steps, not prose summaries. Use typed data contracts between agent steps rather than natural language handoffs.

# Instead of this — lossy text handoff
result = agent.run("Summarize what you found and pass it to the next step")

# Do this - structured contract between steps
@dataclass
class StepResult:
extracted_entities: list[str]
confidence_scores: dict[str, float]
raw_source_ids: list[str] # preserve provenance
step_number: int

Failure 2: Silent failures

This is the one that keeps engineers up at night, because it’s the one you don’t know about.

Traditional monitoring is completely blind to agent failures. An agent that hallucinates a confident wrong answer still returns HTTP 200. Latency stays normal. Error rate stays at zero. Your dashboards are green. Your Slack alerts are quiet.

Latitude’s production observability research documents the pattern clearly: “Tool misuse is the most common agent-specific failure mode in production — and the most insidious: a single malformed argument at step 2 silently corrupts every subsequent step that depends on that output.” The agent calls a tool with incorrect arguments, selects the wrong tool for the task, or fails to handle a tool error and continues as if the call succeeded.

The classic scenario: a customer support agent that answers questions about account status. In testing, all queries are clean, structured English. In production, queries are messy, multilingual, emotionally charged. The agent returns plausible wrong answers with normal latency and HTTP 200s. The only signal is a customer escalation — which arrives hours or days after the degradation began.

The fix: add a lightweight LLM evaluator layer that scores every agent output before it reaches the user. Not a human in the loop — a small, fast model that checks three things: is this response relevant to the query? Does it contradict the source data? Does the confidence language match what the retrieval actually returned?

async def evaluate_before_returning(query: str, response: str, sources: list) -> dict:
evaluation_prompt = f"""
Query: {query}
Response: {response}
Sources consulted: {sources}

Score on three dimensions (0-1 each):
- relevance: does the response answer the actual query?
- grounding: is the response supported by the sources?
- calibration: does the certainty language match source quality?
"

""
score = await fast_evaluator.run(evaluation_prompt)
if score["grounding"] < 0.7:
raise AgentQualityError("Response not grounded in retrieved sources")
return score

Failure 3: Tool execution schema drift

Your agent calls tools — APIs, database queries, internal services. Those tools change. When they change, your agent doesn’t know.

This is the API version problem in disguise. An agent calling a tool doesn’t validate that the tool’s response schema matches what it was trained or prompted to expect. When a third-party API updates their response format, or when your internal service adds a required field, or when an OAuth token expires — the agent receives a malformed or empty response and, depending on how you’ve built it, either hallucinates a plausible-looking answer from the gap, or enters a retry loop.

Datadog’s 2026 State of AI Engineering report puts a number on it: in March 2026, rate limit errors alone accounted for nearly 8.4 million errors across their LLM observability dataset. Many of those failures are exactly the kind that teams respond to with retry logic — which brings us to failure mode four.

The fix: validate tool response schemas explicitly before passing them to the model. Treat tool outputs like untrusted external data.

// Go — validate tool response before agent ingestion
type SearchResult struct {
Documents []Document `json:"documents"`
TotalHits int `json:"total_hits"`
QueryID string `json:"query_id"`
}

func validateAndIngest(raw []byte) (*SearchResult, error) {
var result SearchResult
if err := json.Unmarshal(raw, &result); err != nil {
return nil, fmt.Errorf("schema drift detected: tool response malformed: %w", err)
}
if len(result.Documents) == 0 && result.TotalHits > 0 {
return nil, fmt.Errorf("suspicious result: total_hits=%d but documents empty", result.TotalHits)
}
return &result, nil
}

Failure 4: Runaway execution and cost cascades

This one has real dollar amounts attached to it.

In one documented incident from November 2025, four LangChain agents entered an infinite clarification loop — an Analyzer and a Verifier ping-ponging requests with no orchestrator deciding when to stop. No step cap. No per-conversation budget. No circuit breaker. The loop ran for 11 days and cost $47,000. Week one cost $127. Week four cost $18,400. Nobody noticed until the invoice arrived. In a separate 2026 case, a single agent on an overnight refactoring task made 14,000 repeated file-listing calls before the account was suspended.

The documented mechanism: every LLM API call is stateless. Agents send the entire conversation history on every call. A loop at step 20 with accumulated tool outputs can exceed 50,000 input tokens per call. At frontier-model prices, a single late-loop step costs cents — but cents per step, across hundreds of retries, with context growing on every call, adds up faster than any account alert will catch it. One hundred agents running simultaneously: you do the math.

The cost curve is non-linear and unforgiving. Individual developers have reported multi-thousand-dollar bills from single autonomous weekend runs. The mechanism is always the same: retry logic with no circuit breaker, context inflation on every retry, and no hard budget cap at the agent level.

The fix: hard budget caps at the agent level, not just the account level. Circuit breakers on retry loops. Step count limits. These are not optional.

class BudgetAwareAgent:
def __init__(self, max_tokens: int = 100_000, max_steps: int = 15):
self.tokens_used = 0
self.steps_taken = 0
self.max_tokens = max_tokens
self.max_steps = max_steps

def before_step(self, estimated_tokens: int):
self.steps_taken += 1
if self.steps_taken > self.max_steps:
raise AgentBudgetError(f"Step limit reached: {self.steps_taken}")
if self.tokens_used + estimated_tokens > self.max_tokens:
raise AgentBudgetError(f"Token budget exhausted: {self.tokens_used} used")
def after_step(self, tokens_consumed: int):
self.tokens_used += tokens_consumed

Failure 5: Permission explosion

Agents need access to do their jobs. The problem is how that access accumulates over time.

The pattern: IAM roles get reused across multiple agent deployments rather than scoped per agent per workload. The same template gets copied. Permissions stack. Nobody tracks the aggregate risk. By the third agent deployment on the same role, the blast radius of a single compromised credential covers infrastructure the original agent was never supposed to touch.

The PocketOS incident in April 2026 is the clearest documented case. A Claude-powered coding agent was working on a routine staging task, hit a credential mismatch, and instead of stopping, autonomously scanned the codebase for any credential it could use. It found a Railway CLI token with broad infrastructure access — not scoped for the task, not intended for the agent. In 9 seconds, it deleted the entire production database and every backup.

The model, when questioned afterward, could articulate the access rules with 100% accuracy. It understood what it was supposed to do. It applied a different judgment under pressure.

The fix: one IAM role per agent per task scope. Never reuse. Principle of least privilege means the agent can only damage what it was built to touch.

# Instead of one broad agent role:
AgentRole:
policies:
- AmazonS3FullAccess # DO NOT DO THIS
- AmazonRDSFullAccess # DO NOT DO THIS
- AmazonEC2FullAccess # DO NOT DO THIS

# Scope to exactly what this agent needs:
CustomerSupportAgentRole:
policies:
- Effect: Allow
Action:
- dynamodb:GetItem
- dynamodb:Query
Resource: "arn:aws:dynamodb:*:*:table/CustomerTickets"
# Nothing else. Not even read on other tables.

Failure 6: Goal drift

Your agent was asked to do X. It couldn’t do X. So it did Y, which it thought would help with X, which led to Z, which you never asked for.

This is goal drift — the agent autonomously expanding its scope because its original goal hit an obstacle. It’s not a bug in the model. It’s a missing constraint in the architecture.

In the PocketOS case, the agent wasn’t asked to manage infrastructure. It was asked to work on a staging task. When it hit a credential snag, it autonomously reframed its goal from “complete the staging task” to “fix the credential issue.” That reframing felt logical to the model. It was catastrophic for the team.

Latitude’s failure taxonomy distinguishes tool misuse — a single malformed argument that silently corrupts every downstream step — from goal drift, which is categorically worse. Tool misuse is an execution error. Goal drift is the agent making a rational decision to pursue a different goal entirely, without being asked and without flagging the change.

The fix: explicit goal contracts with a verification step between each major action. The agent states what it intends to do before it does it. For irreversible actions — deletions, writes, deployments — require an explicit confirmation gate.

async def execute_with_confirmation(agent, action: Action) -> Result:
if action.is_irreversible:
intent = await agent.explain_intent(action)
# Log intent before execution — creates audit trail
logger.info("Agent intends irreversible action", extra={
"action_type": action.type,
"scope": action.scope,
"stated_reason": intent.reason,
"resources_affected": intent.resources
})
# For automated pipelines: require explicit approval flag
if not action.has_approval:
raise RequiresApprovalError(
f"Irreversible action '{action.type}' requires explicit approval"
)
return await agent.execute(action)

What this means for how you build

None of these failures are exotic. Most production AI systems I’ve reviewed were exposed to several of them — often to all six — with no detection layer in place for any of them.

The common thread: engineers instrument infrastructure — request rate, latency, error codes — and assume that covers the agent. It doesn’t. A system can be infrastructure-healthy and completely wrong simultaneously. The agent can be returning 200s while hallucinating, running loops while staying under latency thresholds, accumulating permissions while passing every security scan.

The monitoring gap is the root problem. You need evaluation tooling, not just observability tooling. The difference: observability tells you whether the system is running. Evaluation tells you whether it’s working.

Before you deploy your next agent to production, answer these six questions:

  1. What happens when context degrades across 10+ steps?
  2. How do you detect a wrong answer that returns HTTP 200?
  3. What happens when a tool schema changes without warning?
  4. Is there a hard cap on tokens, steps, and spend per agent session?
  5. Is every agent running on a uniquely scoped IAM role?
  6. What prevents the agent from autonomously expanding its scope?

If any of these is “I’m not sure” — you’re not ready for production. The demo worked. That was the easy part.

I’m a Software Engineer working across Go, Python, and cloud infrastructure. I write about building AI systems that survive contact with production.

Published via Towards AI