Designing agents you can actually operate

“Give the model some tools and let it figure it out” makes a fantastic demo. It also makes a system that’s nearly impossible to operate: non-deterministic, hard to debug, and prone to expensive or unsafe actions when it improvises in a direction you didn’t anticipate.

Production agents are different. The best ones aren’t the most autonomous — they’re the most operable.

Explicit control flow beats open-ended autonomy

Open-ended agent loops are seductive and fragile. We favor explicit structure — planner / worker / reviewer patterns — where the flow of work is something you designed, not something the model improvises each run. The model still does the hard cognitive work; it just does it inside rails.

This makes behavior predictable: the same shape of input produces the same shape of output, and you can reason about what the system will do.

Typed tools and bounded autonomy

Tools are where agents touch the real world, so they’re where discipline matters most:

• Typed interfaces — inputs and outputs are validated, not free-form.
• Permissioning — an agent can only call what it’s explicitly allowed to.
• Sandboxed execution — actions run safely, with limits and reversibility where it counts.
• Human-in-the-loop checkpoints — high-stakes steps pause for approval.

Autonomy isn’t the goal. Bounded autonomy is — enough to be useful, never enough to be dangerous.

If you can’t trace it, you can’t run it

Every agent run should be fully traceable: what it planned, which tools it called, what they returned, and what it cost. When something goes wrong — and it will — you need to replay the run, not guess. Traceability is what turns an agent from a black box into a system your team can debug, improve, and trust.

Design for operability first, and the impressive autonomy takes care of itself.