Skip to content
Markdown

Agentic systems

Scope: the application layer that runs on top of the served model, where an LLM is wrapped in a loop that calls tools, reads their output, and keeps going until a task is done. This section covers how to build that loop (foundations), the runtime that drives it safely (harness engineering), and the attack surface it opens (AI security). Reference index page; the focused pages carry the detail. The agent consumes the inference serving the cluster provides, and is trained with agentic and tool-use RL.

An agent is not a model. The model predicts tokens; the agent is the program around it that turns those tokens into actions and feeds the results back. That program (the loop, the tool dispatch, the context budget, the sandbox, the policy checks) is the engineering surface, and it is where most agents succeed or fail in production.

flowchart TB
  subgraph FND["Foundations"]
    LOOP["Agent loop"]
    TOOLS["Tools & function calling"]
    MEM["Context & memory"]
    PLAN["Planning & reasoning"]
  end
  subgraph HRN["Harness engineering"]
    ARCH["Harness architecture"]
    SELF["Self-improving harness"]
    ORCH["Orchestration & control plane"]
    OBS["Observability"]
    EVAL["Evaluation"]
    ECON["Loop economics"]
  end
  subgraph SEC["AI security"]
    THREAT["Threat model"]
    OFFENSE["Offensive AI"]
    PI["Prompt-injection defense"]
    SANDBOX["Sandboxing & isolation"]
    POLICY["Policy engine"]
    IDENT["Identity & access"]
    INTENT["Intent verification"]
    GOV["Self-modifying governance"]
  end
  FND --> HRN
  HRN --> SEC
  SEC -.->|"constrains"| FND

How to use this section

Pages here are concept pages: Overview, Core knowledge, a Don't-miss checklist, Failure modes, and References. They describe the engineering of agent runtimes and their security, not a single vendor's product. Code and configs are reference templates; pin versions and validate before relying on them.

The map

Foundations: building the loop

  • The agent loop: the perceive / plan / act / observe cycle, the ReAct pattern, termination and turn limits, and why the agent (not a vector store) is the retriever.
  • Tools and function calling: tool schemas, JSON-Schema-constrained arguments, the Model Context Protocol (MCP), tool dispatch, and error handling.
  • Context and memory: the context window as the working set, compaction and summarization, retrieval, and short- vs long-term memory.
  • Planning and reasoning: ReAct, Reflexion, Tree of Thoughts, Plan-and-Solve, and decomposition; when explicit planning helps and when it does not.

Harness engineering: driving it safely

  • Harness architecture: the runtime around the model: loop driver, tool registry, permission gate, sandbox, and durable state.
  • Self-improving harnesses: the harness as an optimization target (searched, ablated, self-edited) and control flow lifted into an explicit program graph.
  • Orchestration and control plane: multi-agent delegation, scheduling, concurrency, and the control plane that supervises long-running agents.
  • Agent observability: tracing the inference path, span and trajectory capture, and the signals that make agent behaviour debuggable.
  • Evaluating agents: trajectory-level evaluation, task success metrics, regression gating, and LLM-as-judge with its failure modes.
  • Agentic loop economics: why prefix and prompt caching dominate agent cost and latency, and the harness choices that preserve or break the cache.

AI security: the new attack surface

  • Agent threat model: the OWASP LLM Top 10, MITRE ATLAS, the "lethal trifecta," and how agency turns model flaws into system compromise.
  • Offensive AI and the arms race: the discovery-versus-construction split, capability that scales with inference budget, and the defensive response.
  • Prompt-injection defense: direct, indirect, and streaming injection; detection, content provenance, and the limits of filtering.
  • Sandboxing and isolation: running model-generated code and tool calls under containers, microVMs (Firecracker, gVisor), seccomp, and Landlock.
  • Agent policy engine: the in-process Cedar gate that decides, deny-by-default, whether an action may run.
  • Agent identity and access: a credential broker plus zero-trust, ABAC, and SPIFFE workload identity for the agent as a non-human identity.
  • Intent verification: out-of-band signed intent, because an in-chat confirmation can be forged by a poisoned channel.
  • Governing self-modifying agents: change contracts, two-track promotion, and a recursion floor when an agent edits its own harness.

Where this sits in the knowledge base

Agentic systems are the consumer of everything below them in the stack. They run on inference serving and its SLOs; their tool-use behaviour is trained with agentic and tool-use RL; their sandboxes reuse the isolation primitives from security and multi-tenancy; and they are operated with the same observability discipline as the rest of the platform.

References

  • Anthropic, Building effective agents: https://www.anthropic.com/research/building-effective-agents
  • Model Context Protocol: https://modelcontextprotocol.io/
  • OWASP Top 10 for LLM Applications: https://genai.owasp.org/llm-top-10/
  • ReAct: Synergizing Reasoning and Acting in Language Models: https://arxiv.org/abs/2210.03629

Related: Inference serving · Agentic & tool-use RL · Security & multi-tenancy · Observability · Glossary