AI agents — autonomous systems that take actions in the world — are one of the hottest interview topics in 2026. The hype has cooled into hard engineering realities: failure modes are subtle, costs are real, and the line between “demo magic” and “production reliability” is wider than it looks.
What an agent actually is
A loop where:
- The agent receives a goal (from a user or another system)
- It plans actions
- It executes one (often by calling a tool)
- It observes the result
- It updates its plan and continues until the goal is met or it gives up
The “thinking” is done by an LLM. The “acting” is done via tool calls (functions exposed by your code). The loop continues until done or a budget is exhausted.
Common architecture patterns
Sequential agent
Plan → Execute → Observe → Repeat. Single thread of execution. Simple to reason about.
Multi-agent
Multiple specialized agents, each with their own role. A coordinator dispatches subtasks. More complex; harder to debug.
ReAct
Interleave reasoning and acting. The model writes out its reasoning between actions, which improves quality on complex tasks.
Tool-use only (no agent loop)
Single model call with tool definitions. The model decides if it needs to call a tool. Simpler than full agent; works for single-step tasks.
Failure modes to know
Infinite loops
The agent keeps trying the same approach. Mitigation: max-iteration budget, repetition detection.
Hallucinated tool calls
The model invents tools that do not exist. Mitigation: strict schema validation; reject invalid calls and surface to the model.
Cost runaways
Each iteration burns tokens. A 50-iteration loop on a hard problem can cost $5+ per request. Mitigation: per-task budgets, monitoring.
Latency
Each iteration is a network round-trip. 10 iterations × 2 seconds = 20-second response. Mitigation: async, partial output, caching.
Tool calls with side effects
The agent sends the email twice because it retried. Mitigation: idempotency keys on every external action.
Prompt injection
User input or fetched data tries to redirect the agent. Mitigation: strict separation of system/user/tool messages, dangerous-action confirmations.
Observability
Production agents need:
- Per-task tracing (every model call, tool call, with input/output)
- Cost tracking per task and per user
- Latency dashboards
- Failure-mode classification (hallucination? loop? tool error?)
- Human review queues for borderline outputs
Tools: LangSmith, Helicone, Langfuse, custom infrastructure on top of OpenTelemetry.
Evaluation
Evals are critical for agents. Approaches:
- Trajectory evaluation: was the path the agent took reasonable?
- Outcome evaluation: did the agent achieve the goal?
- Cost evaluation: how expensive was the trajectory?
- Human-in-the-loop scoring for ambiguous cases
Build evals before scaling the agent. Without evals you cannot tell if changes are improvements.
Production patterns that work
- Bounded scope: agents do well on narrow, well-defined tasks. Customer support triage. Code refactor in a single file. Document review.
- Human approval for high-stakes: agent drafts; human approves before action.
- Determinism where possible: for repetitive subtasks, hard-code the logic.
- Fallback to non-agent: if the agent fails, route to a human or a deterministic system.
What is not working yet
- Long-horizon coding tasks (most still struggle past a few hours)
- Open-ended research
- Multi-system orchestration without strong scaffolding
- Reliable agents in security-sensitive contexts
Frequently Asked Questions
What is the best framework for agents?
LangChain and LlamaIndex are mature but heavy. Many teams build their own thin orchestration on top of model APIs. The framework matters less than the eval discipline.
How do I prevent prompt injection in agents?
Treat user/external content as untrusted. Use system prompts that explicitly instruct the model not to follow instructions in user content. Confirm dangerous actions with the user.
How do agents differ from chatbots?
Chatbots respond to messages. Agents take actions in the world (call APIs, write files, send emails). The latter has higher stakes for failure.