Bill Tanker
Crazy Unicorns
AI agents — systems that can plan, use tools, and take actions autonomously — represent a significant step beyond simple chat interfaces. But with autonomy comes risk. An agent that can query databases, call APIs, and send emails can also leak data, trigger unintended actions, or enter infinite loops. Building production-grade agents requires a systematic approach to safety and observability.
We think about agent safety in four layers: input validation (what the agent is asked to do), planning constraints (what strategies the agent can consider), action boundaries (what tools the agent can invoke and with what parameters), and output verification (what the agent returns to the user or downstream systems). Each layer provides defense-in-depth, so a failure at one level is caught by another.
The most common agent architecture gives the LLM a list of available tools and lets it decide which to call. This works for prototypes but creates problems at scale. We use a structured approach: tools are organized into capability groups with explicit permission levels. Read-only tools (database queries, search) are available by default. Write tools (sending emails, updating records) require explicit confirmation or elevated permissions. Destructive tools (deleting data, revoking access) are gated behind human-in-the-loop approval.
Each tool invocation is wrapped in a policy layer that validates parameters against predefined schemas and business rules. For example, a 'send email' tool might enforce that the recipient is within the organization's domain, the content doesn't include sensitive data patterns, and the send rate doesn't exceed a threshold. These policies are defined declaratively and enforced at runtime.
You can't manage what you can't see. Agent observability goes beyond traditional logging. We capture the full decision trace: the agent's reasoning at each step, the tools it considered, the parameters it chose, and the results it received. This trace is structured and queryable, making it possible to audit any decision after the fact. We also track aggregate metrics: tool usage patterns, error rates, latency distributions, and cost per interaction.
Agents fail in ways that traditional software doesn't. They can enter reasoning loops, make increasingly expensive API calls, or pursue strategies that are technically valid but practically useless. We implement circuit breakers at multiple levels: maximum steps per task, maximum cost per interaction, maximum time per execution, and anomaly detection on tool usage patterns. When a circuit breaker trips, the agent gracefully degrades — either asking for human guidance or returning a partial result with an explanation.
Testing agents is fundamentally different from testing deterministic software. We use a combination of scenario-based testing (does the agent handle known situations correctly?), adversarial testing (can the agent be tricked into unsafe behavior?), and regression testing (do changes to prompts or tools break existing capabilities?). Each test scenario includes expected tool calls, expected guardrail activations, and expected outputs. We run these tests against every change to the agent's configuration.
Building safe, reliable AI agents requires treating safety as a first-class engineering concern — not an afterthought. If you're designing an agent system and need help with architecture and guardrails, let's talk.
We build production-ready AI systems. Book a strategy call to discuss your requirements.
Hello! How can I help?
