Agents that browse, write, call APIs, and spawn sub-agents are shipping to prod without circuit breakers, trust models, or failure budgets. This is the crash that is coming and the framework to prevent it.

The year 2025 was when agentic AI went from a research curiosity to a production reality. Coding agents, research agents, customer support agents, financial analysis agents, and browser agents are running in real US company infrastructure right now, taking real actions, touching real databases, and sending real emails.

And they are failing in ways that nobody anticipated, in prod, on a Friday afternoon, while the on-call engineer is trying to figure out what exactly the agent did for the past three hours before anyone noticed.

The failure mode is not that the model is bad. The failure mode is that we are deploying systems with non-deterministic multi-step reasoning into production environments designed for deterministic software, without the observability, trust boundaries, or recovery mechanisms that non-deterministic systems require.

This article is about that gap, why it exists, and how to close it before it closes your incident retrospective for you.

68%

of agentic AI deployments experience an unintended action in first 90 days of prod

3.4x

higher MTTR for agentic failures vs traditional API bugs, due to trace opacity

91%

of teams had no pre-defined agent failure budget before shipping their first agent

Sources: synthesis of AI ops incident reports, LangChain State of Agents survey 2025, and internal post-mortems shared at industry roundtables.

The anatomy of an agentic failure

Let me describe a failure pattern I have now seen in four different organizations. The details differ but the shape is identical.

An agent is built to automate a multi-step workflow. In testing, it performs brilliantly. The team ships it. In production, a slightly unusual input produces a slightly unusual intermediate state. The agent, reasoning forward from that state, makes a decision that is locally coherent but globally wrong. It executes an action. That action produces a new state. The agent continues. By the time a human notices, the agent has completed five to twelve steps of work that all need to be manually unwound: if that is even possible.

The problem here is not the model's reasoning ability. The merge decision was actually reasonable given the context the agent had. The problem is that no one had defined what the agent was and was not allowed to do unilaterally, at what confidence thresholds it should pause and ask a human, and what actions were reversible versus irreversible. These are product architecture decisions, and they were never made.

Why standard software reliability patterns do not transfer

When a traditional microservice fails, the failure is usually local, reproducible, and traceable. A 500 error has a stack trace. A timeout has a timestamp. An off-by-one bug reproduces deterministically. Your existing SLOs, incident playbooks, and alerting rules were built for this world.

Agentic AI failures are none of those things. They are probabilistic, path-dependent, and often latent — the damaging action was taken several steps before anyone knew something was wrong. By the time you detect the failure, the causal chain is buried in a sequence of LLM calls that each appeared reasonable in isolation.

The standard software reliability toolkit was built for systems that fail fast and fail loudly. Agents fail slowly, quietly, and only after they have done something you cannot easily undo.

This asymmetry is the core of the problem. And it means you need a purpose-built reliability model for agentic systems, not a retrofitted version of what works for REST APIs.

The five agentic failure modes: a taxonomy

Before you can build a reliability framework, you need a precise vocabulary for what can go wrong. Based on incident post-mortems and production telemetry from agentic deployments, here are the five canonical failure modes:

Of these, irreversible action creep and sub-agent cascade are the ones that produce the catastrophic production incidents. Confidence drift and scope expansion are the ones that cause subtle but expensive data quality issues that surface weeks later. Context window poisoning is the one that causes your on-call engineer to spend three hours reading LLM transcripts trying to reconstruct what the agent thought it was doing.

The ORBIT framework: reliability engineering for agentic AI

After working through agentic failures across a range of production systems, the pattern that produces reliable agents follows five disciplines. I call it the ORBIT framework, because reliable agents need to operate within a defined orbit, constrained, observable, and recoverable, rather than drifting into open space.

Framework

ORBIT: Observability, Reversibility gates, Boundary enforcement, Interruption policy, Trust calibration

OObservability at the step level: Every agent action must emit a structured trace event: tool name, inputs, output, confidence score, tokens consumed, and elapsed time. Not at the task level — at the individual tool-call level. This is your incident reconstruction layer. Without step-level traces, a post-mortem on an agentic failure is archaeology, not engineering. Use OpenTelemetry spans with a parent-child relationship that maps the full reasoning chain.

RReversibility gates before every write operation: Before any tool call that modifies state (database writes, API mutations, email sends, file deletes), the agent must evaluate a reversibility score. Define three tiers: Reversible (undo within 5 minutes, e.g. draft email), Partially reversible (recoverable with manual effort, e.g. CRM update), and Irreversible (cannot be undone, e.g. external payment, sent email). Irreversible actions above a risk threshold require explicit human approval or are blocked entirely. This is not optional.

BBoundary enforcement via tool permission manifests: Every agent deployment has a signed manifest that specifies which tools it can call, which resources it can access, and which actions it can take unilaterally versus which require escalation. The manifest is evaluated at runtime, not just at configuration time. When an agent attempts a tool call outside its manifest, it is halted — not warned, halted. This is your blast radius containment layer.

IInterruption policy with explicit thresholds: Define the conditions under which the agent pauses and requests human confirmation. These include: confidence below a threshold, an action classified as irreversible, a new resource type not seen in training runs, elapsed time or token spend exceeding a budget, and any action that affects more than N records. The interrupt is not a failure — it is correct behavior. Design your UX around it from day one rather than treating it as an edge case.

TTrust calibration between orchestrators and sub-agents: In multi-agent systems, sub-agents must not inherit the full permissions of their orchestrator. Each sub-agent operates under a scoped trust token that limits it to the resources and actions relevant to its specific delegated task. Sub-agents cannot spawn further sub-agents without explicit permission in their trust token. Trust is not transitive. This is the most commonly violated rule in production multi-agent systems.

Implementation deep-dive: the reversibility gate pattern

The reversibility gate is the highest-value single change most teams can make to their agentic systems today. Here is a production-grade implementation pattern:

# Reversibility gate: evaluate before every write tool call

from enum import Enum
from dataclasses import dataclass

class Reversibility(Enum):
    REVERSIBLE        = "reversible"       # undo within 5 min, no side effects
    PARTIAL           = "partial"          # manual recovery possible
    IRREVERSIBLE      = "irreversible"     # external effect, cannot undo

TOOL_REVERSIBILITY = {
    "draft_email":        Reversibility.REVERSIBLE,
    "update_crm_record":  Reversibility.PARTIAL,
    "send_email":         Reversibility.IRREVERSIBLE,
    "delete_record":      Reversibility.IRREVERSIBLE,
    "trigger_payment":    Reversibility.IRREVERSIBLE,
    "create_draft_doc":   Reversibility.REVERSIBLE,
}

def reversibility_gate(tool_name: str, confidence: float, config: dict) -> str:
    rev = TOOL_REVERSIBILITY.get(tool_name, Reversibility.PARTIAL)
    threshold = config.get("confidence_threshold", 0.85)

    if rev == Reversibility.IRREVERSIBLE and confidence < threshold:
        return "BLOCK"   # halt — request human review

    if rev == Reversibility.IRREVERSIBLE and confidence >= threshold:
        return "APPROVE_WITH_LOG"  # execute + emit high-priority trace

    if rev == Reversibility.PARTIAL and confidence < 0.70:
        return "PAUSE"   # interrupt and ask human

    return "PROCEED"

The tool permission manifest pattern

# agent-manifest.yaml — signed at deploy time, validated at runtime

agent_id: "invoice-reconciliation-v2"
owner_team: "#team-finance-automation"
deployed_at: "2026-05-01T09:00:00Z"
task_scope: "Match inbound invoices to CRM accounts and update billing status"

allowed_tools:
  - name: "search_crm_accounts"
    max_calls_per_run: 50
    reversibility: "read_only"
  - name: "update_invoice_status"
    max_calls_per_run: 100
    reversibility: "partial"
    confidence_threshold: 0.88
  - name: "flag_for_human_review"  # always allowed, no threshold
    max_calls_per_run: 999

explicitly_blocked_tools:   # hard deny, no override
  - "merge_crm_accounts"
  - "delete_invoice"
  - "send_external_email"
  - "spawn_sub_agent"       # no delegation allowed for this agent

interruption_policy:
  confidence_floor: 0.72
  max_tokens_per_run: 80000
  max_records_touched_per_run: 200
  time_limit_minutes: 30

The multi-agent trust topology problem

Single agents are manageable. Multi-agent systems, where an orchestrator coordinates a fleet of specialized sub-agents, introduce a qualitatively different class of problem: the trust topology.

In a naive implementation, the orchestrator passes its session context, including its full permissions, to sub-agents. The sub-agents reason about their task and call whatever tools seem relevant. There is no wall between what the orchestrator can do and what any sub-agent can do. A sub-agent tasked with "research competitor pricing" that also has access to "send email" can reason its way into doing something no human authorized.

Before: naive trust (full permission inheritance)
Orchestrator agent(full permissions)→Sub-agent A (inherits all)→Sub-agent B(inherits all)→ Unexpected action(nobody authorized)

After: ORBIT trust scoping (no permission inheritance)
Orchestrator(scoped manifest)→Sub-agent A (read-only + flag only)→Sub-agent B(write + no spawn)→Actions within signed scope only

The critical principle: trust tokens are issued per sub-agent, per run, and are scoped to the minimum permissions needed for the delegated task. A sub-agent doing research gets read-only access to the research tools. A sub-agent doing data entry gets write access to exactly one resource type, with a hard call limit. Neither inherits anything from the orchestrator beyond what is explicitly in its token.

This requires more upfront architecture work. It also means that when something goes wrong, and something will go wrong, the blast radius is bounded by the scope of the sub-agent's token rather than the scope of the entire system's permissions.

Observability: what you must instrument before shipping

Agentic observability is fundamentally different from standard API observability. You are not instrumenting request/response pairs. You are instrumenting a reasoning chain, where each step's inputs include the outputs of all previous steps. The trace is a tree, not a sequence.

The reliability maturity model for agentic systems

Not every team needs to implement everything at once. Here is a practical maturity progression that lets you ship safely and increase autonomy over time as the agent earns its trust score:

The product argument: agentic reliability as a market differentiator

For AI product managers reading this, I want to close with a framing that is easy to miss when you are deep in the engineering details.

Agentic reliability is the new SOC 2. In 2026, enterprise buyers are not just evaluating whether your agentic product works. They are evaluating whether they can trust it to operate in their environment without a human babysitting every step. The teams that can demonstrate a credible reliability story, manifest-governed agents, reversibility gates, audit trails, calibrated interruption policies, will win enterprise deals that teams with only a demo cannot close.

The ORBIT framework is not just an engineering safeguard. It is a trust artifact that you can show to a CISO, a VP of Engineering, or a procurement team as evidence that you have thought seriously about what happens when your agent does something unexpected.

Right now, most of your competitors are shipping agents with no governance layer and calling it innovation. The window to differentiate on reliability is open. It will not stay open once the first wave of high-profile agentic failures lands in the trade press, and they will land, because the failures are already happening.

About this blog: Personal publication covering agentic AI architecture, AI product reliability, and the go-to-market dimensions of building on top of frontier models. All incident patterns are drawn from real production post-mortems; company identifiers have been removed.