Traditional software failures follow familiar patterns, a null pointer exception crashes a service, a race condition causes intermittent data corruption a deployment introduces a regression that surfaces in testing. These failures are deterministic: given the same inputs, they produce the same outputs. They can be reproduced, isolated, and fixed with relatively bounded effort.

AI agents break this model in several structural ways that most teams discover only after something goes wrong.

Non-determinism

Agents are probabilistic rather than deterministic. The same prompt with the same context can produce different outputs across invocations — or even across turns within a single session. This isn’t a flaw to be eliminated; it’s a fundamental property of generative systems, but it means that the “it’s working” verification you ran yesterday tells you nothing about what the agent will do tomorrow.

Context drift

As agents interact with users and systems over time, their context window accumulates. Early turns in a conversation can get diluted by later ones. Instructions given at the start of a session can lose salience by the end. An agent that started the day following your security policy may, by afternoon, have drifted into behaviours that are technically compliant with the letter but not the spirit of what you intended.

Tool-use failures

Agents are defined partly by their ability to use tools — APIs, databases, third-party services, but tool use introduces a layer of failure modes largely outside the agent’s own logic. A flaky API returns an error the agent misinterprets. A rate limit gets hit and the agent silently falls back to a less reliable path. A tool’s response format changes slightly, and the agent’s parsing logic breaks in a way that produces plausible-looking but incorrect data.

Prompt degradation

Instructions that seemed clear in the prompt engineering phase can become ambiguous when deployed against the full diversity of real-world inputs. Edge cases that weren’t anticipated get handled in ways that are technically “correct” according to the literal instructions but produce outcomes no human would endorse. The agent isn’t disobeying — it’s following instructions that turned out to be incomplete.

Reasoning errors

Perhaps the most difficult category: cases where the agent’s internal reasoning leads it to a wrong conclusion. The agent may have retrieved the right information, parsed it correctly, but drawn an incorrect inference. These failures are invisible from the outside — you see only the output, not the chain of reasoning that produced it. When the output is wrong, you have to reconstruct a reasoning path you never had visibility into in the first place.

The Observability Gap

The most dangerous property of agent failures is not their complexity — it’s the latency between failure and detection. In traditional software, failures tend to be obvious. A service goes down, an error rate spikes, a latency histogram shifts. You know something is wrong because the system tells you.

Agents don’t work this way. An agent can produce wrong outputs for hours or days before anyone notices. The finance team above didn’t discover the problem because the system alerted them — it discovered the problem because a human happened to check the dashboard at the right moment.

This is the observability gap: the space between “the agent did something it shouldn’t have” and “someone noticed.” In most organisations, that gap is wide enough to drive a truck through — and the truck is already moving.

The root cause isn’t technical ignorance. It’s that agents are doing work that previously required human judgment, but the observability infrastructure was built for systems that execute deterministically, not for systems that make probabilistic decisions. You can’t alert on what you can’t see, and you can’t see what you weren’t designed to measure.

A Framework for Classifying Agent Failures

To debug effectively, you need to know what kind of failure you’re dealing with. The debugging approach differs significantly depending on where in the agent’s execution chain the problem originated.

Input failures

The agent received malformed, ambiguous, or incomplete input and produced an output that is a plausible response to a poorly-specified question. The failure is in the input layer — either the user provided inadequate context, or the system failed to route the right context to the agent.

Debugging approach: Audit the input pipeline. Check what context the agent actually received at each turn. Look for cases where user intent was unclear or where system context was truncated.

Reasoning failures

The agent received adequate input but made an incorrect inference. The data was correct, the instructions were clear, but the agent drew the wrong conclusion.

Debugging approach: This requires decision tracing — the practice of logging the agent’s reasoning chain at each step. Without structured decision traces, you’re debugging a black box. With them, you can identify the exact point where the reasoning diverged from the expected path.

Tool failures

The agent attempted to use a tool and the tool either failed, returned unexpected data, or behaved in an edge case that the agent’s handling code didn’t anticipate.

Debugging approach: Instrument every tool call with request/response logging, status codes, latency metrics, and retry behaviour. The failure may not be in the agent at all — it may be in the tool’s contract changing without notice.

Output failures

The agent produced correct reasoning but the output was transformed incorrectly — whether by a formatting layer, a safety filter, or a downstream system that misinterpreted the response.

Debugging approach: Trace the output from the agent all the way to its final destination. Many “agent failures” are actually hand-off failures where the agent did its job but something in the delivery layer mangled the result.

Compounding loops

The agent entered a feedback loop where its output became its next input, causing the error to compound with each iteration. This is particularly common in agents that iterate on their own output or feed generated content back into generation pipelines.

Debugging approach: Implement execution limits and checkpointing. Every iteration should be logged, and the system should halt after a configured number of cycles. Without bounds on self-referential loops, you’re building a system that can run away.

Designing for Debuggability

The organisations that operate agents successfully in production share one characteristic: they design for debuggability from the start, not as an afterthought when something goes wrong.

Structured logging

Log every agent interaction with sufficient structure to reconstruct the full context. This means capturing not just the final output, but the input received, the tools called, the responses from those tools, and the intermediate reasoning steps. Treat agent logs with the same rigour you would apply to financial transaction logs — because in many cases, that’s exactly what they are.

Decision traces

Implement explicit decision logging: at each significant step in the agent’s reasoning, record what the agent considered, what it chose, and why. This is the single highest-impact investment you can make for debugging. Without decision traces, you’re debugging blind. With them, you can replay failures, identify the exact failure point, and determine whether it’s a one-off or a systemic pattern.

Checkpoints and rollback

Build checkpointing into your agent execution model. If an agent is taking multiple steps toward a goal, capture the state after each step. If step 7 produces a bad outcome, you need to be able to roll back to the state after step 6 and understand what happened. Without checkpoints, you can only observe failure — you can’t intervene or recover.

Human-in-the-loop boundaries

Define explicit boundaries where human approval is required — not as an afterthought, but as a deliberate architectural decision. The question isn’t whether to have human oversight; it’s where to place it. Identify the decision points where the cost of a wrong outcome exceeds the cost of the delay involved in human review, and architect your agent to request approval at those points. This connects directly to the governance principles in Building Decision Architecture in Complex Projects — the same logic that applies to human decision structures applies to agent ones.

Governing the Production Incident

When an AI agent fails in production, the incident follows a different arc than a traditional software failure — and most organisations aren’t prepared for that arc.

Triage is harder because the failure may not be immediately visible. The agent is still running, still producing outputs, still returning 200 OK. The signal that something is wrong is often subtle: a spike in approvals, a pattern in customer queries, a change in output distribution that doesn’t match expectations. This is why threshold-based alerting on agent *outcomes* — not just system health — is non-negotiable.

Escalation is more complex because it’s not clear who owns the incident. Is this a product issue? A data science issue? An infrastructure issue? The agent sits at the intersection of multiple domains, and when it fails, the question of ownership tends to fall through organisational gaps. The Accountability Architecture principle applies here with particular force: every agent in production needs a named owner before it ships, not after it breaks.

Containment requires more than stopping a service. You may need to reverse the agent’s outputs — undo the actions it took, revert the data it changed, compensate for the decisions it made. In the refund scenario above, containment wasn’t just “turn off the agent” — it was identifying which approvals were illegitimate, contacting affected customers, and absorbing the operational cost of recovery. Agents that take irreversible actions need rollback plans designed into the system architecture, not improvised during an incident.

Root cause analysis for agents is structurally harder because the failure may not be reproducible. Unlike a deterministic bug that can be triggered reliably in a test environment, an agent failure may depend on a specific combination of context, tool state, and probabilistic outputs that cannot be reconstructed exactly. This means post-incident analysis needs to focus on conditions that enabled the failure rather than reproducing the failure itself — a different investigative discipline than most engineering teams have developed.

The Governance Imperative

There is a temptation, when agents work well, to treat them as infrastructure — stable, reliable, not requiring ongoing attention. This is the same temptation that leads to[integration debt: the assumption that because something worked yesterday, it will work tomorrow, and that the work of governance is a one-time setup cost rather than an ongoing operational responsibility.

Agents are not infrastructure. They are operational staff — probabilistic, context-sensitive, capable of drift — and they need the same ongoing management attention that operational staff require. That means regular review of their outputs, clear accountability structures, defined escalation paths, and the willingness to intervene when behaviour diverges from intent.

The companies that will operate AI agents safely at scale are not necessarily the ones with the most sophisticated models. They’re the ones that treat agent governance as a first-class operational discipline — designed in from the start, maintained as the system evolves, and taken seriously enough to invest in observability infrastructure before something goes wrong rather than after.

If you’re deploying AI agents in production and want to explore how governance architecture can reduce operational risk, I work with senior leaders on decision systems that match the complexity of autonomous operations.