All research
Engineering Note

Performance Drift in Agent Systems

Your spec hasn't changed. Your business goal hasn't changed. The model underneath you did, and the whole system quietly moved.

Zhilin Wang
Abstract

Production agent systems can drift even when the functional specification and business goal remain unchanged. The shift may come from a model upgrade, a tool protocol change, a new evaluation standard, or the accumulation of long-context state. The result is an unintended change in end-to-end behavior relative to the historical baseline, often without a single obvious code defect.

This note frames performance drift as a structural property of agent systems rather than an incidental regression. It examines four layers where drift appears: prompt behavior, agent architecture, evaluation methodology, and context environment. These layers interact: a model change can force prompt changes, which alter tool behavior, which invalidates older evals, while context growth quietly changes model reliability over long trajectories.

The practical conclusion is that teams should manage drift as an engineering surface. Prompts, tool schemas, judge models, golden sets, context budgets, and deterministic fallbacks all need explicit versioning and review, because the agent's control unit is probabilistic and the surrounding foundation keeps moving.

A note before we start: this is written for engineers and researchers who have shipped production agent systems. It assumes you are comfortable with ReAct, function calling, MCP, LLM-as-a-Judge, and long-horizon agentic tasks, and does not re-introduce them.

The phenomenon, and a definition

Anyone who has done agent engineering has run into a version of this.

You upgrade the underlying model from Claude Sonnet 3.7 to Sonnet 4, and the tool-use ordering changes: steps that used to run serially get collapsed into several tool_use blocks in a single turn, and a downstream consumer falls over. A system prompt you'd polished for months starts emitting stray explanatory prose on the new model, breaking the regex that parsed it. Your eval scores keep climbing, and so does the complaint rate from support. And then the one that's hardest to explain: every component passes its unit tests, but the end-to-end run is simply wrong.

Put these isolated symptoms side by side and they point at one thing: performance drift in agent systems is structural, not incidental.

I define this drift as follows: with the functional spec and business goal both unchanged, an unintended shift in end-to-end behavior relative to a historical baseline, caused by a change in one of the underlying model, the protocol layer, the evaluation paradigm, or the context environment. It isn't a bug; no line of code is wrong. It isn't regression in the usual sense; some metrics may be going up. It is the native fragility of a system whose core control unit is a probabilistic model.

What follows works through four layers: prompt, architecture, evaluation, and context. The first three are the dimensions most teams already half-recognize; the fourth has become consensus in the research community across 2025–2026 but is still badly under-appreciated in engineering practice, and it has to be added. A closing section covers how to actually live with all of it.


1. Prompt drift: "configuration" coupled to a model's behavior distribution

The literature has a term for this: prompt brittleness. Multiple studies on benchmarks like MMLU and TruthfulQA have observed that merely changing the wording template of a prompt, without changing its meaning, can swing a model's score by more than 10%, and that this sensitivity does not vanish linearly as models scale (Ceron et al., TACL 2024; Sclar et al., ICLR 2024). This is a published empirical result, not folklore.

In production agent engineering, prompt drift takes shapes far messier than the variance you see on an academic benchmark.

1.1 The "semantic center of gravity" of instructions migrates

The same prompt, read by two different models, has different parts treated as hard constraints and others as mere stylistic suggestions.

A concrete, checkable example. In the Claude 3.7 era, developers routinely wrote "Think step by step before answering" into the system prompt to induce chain-of-thought, and the model would visibly emit its reasoning. By Claude 4, extended thinking became a native API capability (enabled via the interleaved-thinking-2025-05-14 beta header), so that same "think step by step" line now double-triggers against the built-in thinking mechanism: token cost doubles, and in some cases the model leaks thinking content into the final output. Anthropic's Claude 4 migration guide says it plainly: "Claude 4 models follow instructions more precisely." From the model vendor's side that's a capability improvement; from the prompt engineer's side it's the collective failure of every old prompt that relied on implicit leniency.

Subtler still is the difference between reasoning and non-reasoning models in their sensitivity to where an instruction sits. OpenAI's o-series treats the system prompt versus the developer message differently from GPT-4o; the same instruction placed in system versus user diverges far more than it did in the GPT-4o era. The official docs cover this in a single sentence, but for any prompt template that depends on that placement, it is a structural regression.

1.2 Structured-output failure modes move from explicit to implicit

On older models, when JSON output failed it usually failed wholesale: the model threw back a raw string and a try/except caught it. On newer models the more common failure is "looks valid, semantically misplaced": a field that should hold a URL holds descriptive text, a field that should return an array returns a single-element string, an enum field returns a synonym (in_progress becomes in-progress or running).

This migration from explicit to implicit failure is a side effect of models getting stronger. The former is caught by traditional validation; the latter pollutes downstream business logic and only surfaces at the level of user behavior. OpenAI shipped Structured Outputs in August 2024, and Anthropic and Gemini followed with strong-constraint modes, fundamentally the field's response to exactly this problem: if free-generated JSON gets ever more "plausible but inaccurate," you have to eliminate the degrees of freedom at the generation layer with constrained decoding.

1.3 Shifts in the "house style" of tool use

This is the most lethal class in agent settings. Given the same tool definitions and the same prompt, a new model may:

  • Reorder calls. An A→B→C chain becomes A→C→B, a disaster for any business workflow with strict state dependencies.
  • Change its parallelism. Steps that used to be serial get merged into multiple tool_use blocks in one turn. Sonnet 4.5 / Opus 4.5 lean harder toward issuing several parallel tool_use calls in a single assistant turn, which requires the client to correctly back-fill parallel tool_results, or it trips a protocol-layer exception.
  • Change argument-filling strategy. Fields that used to default conservatively start getting actively constructed, and the rate of hallucinated calls climbs.
  • Change the tool protocol itself. From Claude 3.7 to Claude 4, the text-editor tool's type identifier went from text_editor_20250124 to text_editor_20250728, the tool name from str_replace_editor to str_replace_based_edit_tool, and the undo_edit command was removed entirely. That's a breaking change at the protocol layer, but to the caller it feels exactly like "the prompt suddenly stopped working."

1.4 The transfer effect of few-shot ICL is degrading

In early agent engineering, stuffing a few demonstrations into context was a cheap way to calibrate behavior. But more strongly instruction-tuned models depend less on few-shot examples and more on natural-language instructions. A prompt that used to work by "showing three examples and letting the model imitate" not only loses its effect on a new model; it can actively lower quality when the example style clashes with the model's default preferences.

Anthropic's official prompt-engineering guide already lists "prefer explicit instructions over examples for Claude 4" as direct advice. This rule gets ignored at a remarkably high rate in production, because honoring it means re-auditing every prompt asset accumulated over the past two years.


2. Architecture drift: every paradigm shift resets your hard-won experience

The agent architecture paradigm has gone through several clear migrations in three years. Laid out straight:

ReAct was proposed by Yao et al. in October 2022 (arXiv:2210.03629), defining the think–act–observe loop. On June 13, 2023, OpenAI shipped function calling, lifting tool invocation from the prompt layer up to the API layer. On November 25, 2024, Anthropic released the Model Context Protocol (MCP), turning the model–tool connection into a protocol; it has since been adopted by OpenAI, Google, Microsoft, and AWS, and in December 2025 was donated to the Agentic AI Foundation under the Linux Foundation for neutral governance. By early 2026, the MCP ecosystem had more than 16,000 servers.

2022 · ReAct
Prompt-level loop
Think–act–observe in the prompt. Brittle parsing; unstable past ~5 tools.
2023 · Function Calling
Tools as API citizens
JSON-schema constraints. Models "over-select" when there are many tools.
2024 · MCP
Protocolized tools
Discoverable, composable. Version fragmentation; immature security model.
2026 · Harness
Infrastructure around the loop
Compaction, planning, subagents, observability, guardrails.
Figure 1 — Three years of architecture, and the core problem of each generation.

Each paradigm shift means part of your accumulated engineering experience stops being valid.

2.1 The displacement of control, and the spread of failure modes

From code-controlled flow (workflow), to model-led decisions (ReAct / function calling), to multi-agent collaboration and protocolization (MCP + harness): every step forward puts more judgment responsibility on the model inside the system.

That amplifies one thing: any wobble in model capability gets exponentially magnified by the architecture into systemic output variance. Under a workflow architecture, a model failing at one point affects one node; in an autonomous agent, a single wrong tool choice can throw the whole trajectory off course for dozens of steps.

τ-bench (Sierra, 2024) and τ²-bench (2025) give us quantitative evidence. τ-bench introduced the pass^k metric: the probability that an agent succeeds on the same task across all k independent trials. In the relatively controlled retail and airline domains, even the strongest model of the day (GPT-4o) scored below 25% on pass^8. In other words, a model whose single-shot success rate looks fine has a serious reliability deficit on long-horizon tasks, and that unreliability is completely invisible to single-shot evaluation. This is architecture drift echoing in the evaluation layer: the old single-task eval paradigm can no longer describe real behavior under autonomous architectures.

2.2 Abstractions break and get rebuilt

Tool calling has gone through three generations of abstraction:

Era Core abstraction Typical best practice Main failure mode
Prompt templates Describe tools in pseudo-code The more detailed the tool description, the better Brittle parsing regex; unstable once tools > 5
Function Calling API Tools as first-class API citizens Precise JSON-schema constraints Models "over-select" when many tools are present
MCP Tools protocolized, discoverable, composable Descriptions must be portable across hosts Protocol-version fragmentation; immature security model

Each generation's best practice can't simply be ported to the next. The clearest case: in the prompt-template era, "the more detailed the tool description, the better" was received wisdom; by the function-calling era, an over-detailed description gets used by the model to "over-infer" parameter meaning, producing hallucinated calls; by the MCP era, a description also has to account for cross-host portability (the same MCP server gets called by Claude Desktop, Cursor, Claude Code, and more, and host-specific assumptions baked into the description cause unintended behavior).

2.3 Long-horizon tasks introduce nonlinear problems

When Sonnet 4.5 launched, Anthropic disclosed that it lifted the OSWorld benchmark (computer-use tasks) from Sonnet 4's 42.2% to 61.4%, and could sustain "connected operation for hours while maintaining clarity." That qualitative jump simultaneously pushed the accumulation effect of errors from the old 5-to-10-step range out to dozens or even hundreds of steps.

A deviation in an early decision may not surface as a problem until 50 steps later. For debugging, attribution, and replay, that's a phase change. The traditional "check whether the final output is right" approach fails completely in long-horizon settings; you have to move to trajectory-level evaluation. This is why "agentic eval" became a research hot spot in the second half of 2025: the outcome validity of traditional benchmarks collapses at scale in agent settings.

A July 2025 study from UIUC and others ("Establishing Best Practices for Building Rigorous Agentic Benchmarks," arXiv:2507.02825) systematically reviewed 17 commonly used agentic benchmarks and found many had serious outcome-validity or task-validity problems. The most dramatic example: on τ-bench, a trivial agent that does nothing and returns an empty response reached a 38% success rate on impossible tasks, beating a GPT-4o-based agent. In the SWE-bench-Verified top-50 leaderboard, 24% of the positions were wrong because the unit tests didn't cover key edge cases. Kernel-bench's fuzzing strategy changed only tensor values, not shape or memory layout, overstating agent capability by 31%.

These aren't failures of the benchmark designers' competence. They're a sign that agents, as a system form, pose challenges to evaluation methodology that the workflow era never encountered.

2.4 The paradigm jump: from scaffolding to harness

Late 2025 into early 2026 brought a clear paradigm jump in engineering practice: from scaffolding to harness engineering.

The difference: scaffolding is "wrapping code around the model to compensate for what it can't do," fundamentally adding constraints to the model. A harness is "building a complete execution environment around the model so it can safely exercise its capabilities," fundamentally adding infrastructure to the model.

LangChain's Harrison Chase put it directly on a January 2026 Sequoia podcast: once model capability crosses a threshold, elaborate scaffolding actually constrains the model, and teams should go back to the simple pattern of "let the model autonomously choose context and plan inside a loop," but build a harness around that simple loop: compaction, a planning tool, a subagent mechanism, observability, guardrails.

One very concrete data point: in March 2026 LangChain's Deep Agents team moved a coding agent from 30th to 5th on Terminal Bench 2.0 without changing the underlying model; every gain came from harness optimization (trace analysis, failure-mode identification, context-management tuning). That figure is an excellent sample for observing the marginal returns of harness versus model.

Model loop
The probabilistic control unit. Keep it simple; let it plan and choose its own context.

The harness wrapped around it

Context management Compaction, summarization, tool-result hygiene
Planning Explicit plan tool and task decomposition
Subagents Isolated context; only summaries flow back to the parent
Observability & guardrails Tracing, inline eval, deterministic fallbacks on critical paths
Figure 2 — A simple model loop at the core, with the harness as the infrastructure wrapped around it.

3. Evaluation drift: the ruler itself is bending

Mainstream LLM benchmarks are saturating fast. HumanEval Pass@1 is near 99%, MBPP is above 94%, and on MMLU the top models are compressed within 2–4 points of each other. On MMLU-CF (a decontaminated version released by Microsoft Research in December 2024, arXiv:2412.15194), GPT-4o's 5-shot score is only 73.4%, a huge gap from the 90%+ scores on the "original" MMLU. This tells you benchmark contamination is an open secret: the training data contains the test set itself, and model scores reflect a substantial share of memorization rather than generalization.

Inside an agent system's own evaluation, this shows up in three more specific forms.

3.1 Point metrics lose discriminative power on long-horizon tasks

Early agent evaluation usually centers on point metrics: "did the tool call succeed," "is the output correct." As tasks expand from single-turn Q&A to multi-turn planning, long-term memory, and cross-tool collaboration, the coverage of those metrics decays rapidly.

τ-bench's pass^k is a methodological answer: instead of asking "was there ever a success," ask "did it succeed on every one of k independent trials." The former measures the capability ceiling; the latter measures the reliability floor, and they differ by orders of magnitude. In production, the reliability floor is usually what the business actually cares about. Sierra's τ²-bench (2025) went further with a dual-control environment (agent and user both hold control), and in 2026 added a banking knowledge domain and voice full-duplex extensions; the methodology has become a system.

3.2 LLM-built eval sets carry the cognitive fingerprint of their source model

When an evaluation dataset is generated by GPT-4 or Claude, it carries the preferences of whatever model built it: the phrasings it considers correct, the reasoning paths it favors, the formats it defaults to.

After a few iterations, a systematic mismatch opens up between the new model and the old eval set. The new model gives an answer that is actually more accurate but gets marked wrong because its style departs from what the eval set expects; the old-model biases baked into the eval set (a tendency toward verbose answers, particular sentence patterns) are abandoned by the new model, so the score drops while real quality rises.

3.3 LLM-as-a-Judge has its own drift and systematic biases

LLM-as-a-Judge is the de facto industrial standard, but the literature has already documented at least four classes of systematic bias, each with a corresponding paper:

  • Length bias: longer answers systematically score higher (Zheng et al., NeurIPS 2023).
  • Position bias: in pairwise comparison, the option shown first wins more easily (Wang et al., 2024).
  • Self-preference bias: judges favor outputs from same-lineage models (Panickssery et al., 2024).
  • Authority bias: answers with citations or formal phrasing get a premium.

2025 added a new concern: the rubric attack. Research from Stanford and others ("Rubrics as an Attack Surface: Stealthy Preference Drift in LLM Judges," arXiv:2602.13576) found that the rubric a judge uses can itself be tuned to covertly distort preferences, and that this distortion is hard to detect through traditional judge evaluation. Which means even if the judge model is unchanged, the evolution of the judge's configuration causes evaluation drift.

Trickier still is judge model drift: when the model acting as judge is itself upgraded, the scoring standard shifts systematically, and evaluation results from different points in time are no longer directly comparable. Tool vendors like Weights & Biases and Braintrust have already made "judge version management" and "periodic re-baselining" standard practice.

3.4 The disconnect between business goals and evaluation goals

This is the most fundamental class, and it can't be eliminated by technical means. Once an agent is in production, the real success criteria are user retention, task completion rate, unit cost, and complaint rate; but development-time eval metrics often stay parked on engineering-friendly measures like "output correctness." The evaluation system usually lags the deepening of business understanding by 6–12 months, and the result is eval scores going up while the business side complains.

This is fundamentally an organizational-collaboration problem, not an engineering one. But its engineering consequences are real: an agent team's technical direction gets systematically misled by misaligned eval metrics.


4. Context drift: the badly underrated fourth dimension

The original draft didn't cover this dimension, but in the 2025–2026 research community it has been identified as possibly the single largest cause of agent production incidents.

Chroma's July 2025 study, "Context Rot: How Increasing Input Tokens Impacts LLM Performance," systematically tested 18 frontier models (GPT-4.1, Claude 4, Gemini 2.5, Qwen3, and others) and found a counterintuitive fact: every model degrades as input length grows, even when the task itself is trivially simple.

The key findings:

  • A model with a 200K context window already degrades noticeably at 50K tokens.
  • The degradation is gradual, not a cliff, and begins far before the hard limit.
  • Degradation patterns differ by family: GPT-series degradation is erratic, Claude-series more predictable.
  • As the semantic similarity between the "needle" and the question drops, the degradation curve steepens markedly, and that is the normal case in real production distributions.
  • Even models built specifically for long context degrade noticeably when the relevant information sits in the middle (an extension of the "lost in the middle" phenomenon).

The implication for agents is direct: an agent is inherently a long-context system. Every tool call accumulates content into context; multi-turn planning, subagent calls, and tool-result back-fills all inflate input length exponentially. An agent that has run 20 turns may have piled up enough tokens to push the model well into the context-rot regime, and the developer usually has no idea.

The industry's answer is the context-engineering discipline that matured quickly across 2025–2026. In January 2026 Anthropic shipped the compact-2026-01-12 beta API, offering provider-native compaction. The academic side produced approaches like Memory-as-Action (arXiv:2510.12635) that fold memory operations into a unified policy optimization.

01  Anchored iterative summarization Cumulative compaction at fixed checkpoints; never summarize the task anchor away.
02  Failure-driven guidelines (ACON) Extract guidelines from failed trajectories and inject them into later context.
03  Tool-result clearing Use-and-discard for bulky results; keep only a summary in context.
04  Provider-native compaction Push context management down to the inference layer.
Figure 3 — The four patterns context engineering has converged on.

A rule of thumb: the current recommendation is to trigger compaction when context utilization reaches 70%, not when it approaches 100%, because context-rot degradation is already significant by that point.


5. How the four drifts cascade: a feedback loop

Put the four dimensions together and they aren't parallel problems; they're a closed-loop feedback system.

A model upgrade triggers a regression at the prompt layer. To contain the risk, the team adds architectural abstraction (adapters, fallback workflows). That architectural change introduces new tools and planning paths, and the existing eval set starts losing discriminative power. New eval standards get built (often using the new model), which in turn steer how developers optimize prompts and architecture. Meanwhile the whole system's context complexity is accumulating, and context rot is quietly lowering output quality without tripping any obvious alarm. One trip around the loop and the system's foundation has already moved, yet every individual step was a locally reasonable engineering decision.

Prompt drift Architecture drift Evaluation drift Context drift …and the new evaluation standard feeds back into prompt and architecture decisions; the loop closes.
Figure 4 — The four drifts form a closed feedback loop: each step locally reasonable, globally destabilizing.

The result is an agent system that enters a steady state of continuous drift. In that state, "performance improvement" in any absolute sense is nearly unmeasurable, and the team can only talk about "relative improvement against the current baseline." It's also why agent teams' status reports increasingly say "we improved by N percent" and increasingly avoid "we reached absolute level X." The latter can no longer be stated.


6. Engineering practice: from drift management to drift immunity

Once you accept that drift can't be eliminated, the question turns from "how do we avoid drift" to "how do we keep the cost of drift inside an acceptable range." Below is a directly actionable set of practices, ordered by priority.

6.1 Manage prompts as software artifacts

Version and bind. Put every prompt in version control, bound to a model version and a tool-schema version. A recommended structure:

prompts/
  customer_service/
    v3.2.1/
      system.md
      few_shot.jsonl
      manifest.yaml   # binds model=claude-opus-4-7, tools=schema_v12, judge=gpt-4o-2024-11-20

The manifest spells out which model version, tool-schema version, and judge version this prompt set was validated against; a change to any of them triggers a regression run.

A behavioral snapshot set. Low cost, high ROI. Size it at 50–300 cases, covering this distribution:

  • Happy-path main route (30%)
  • Known boundary cases (30%)
  • Historical incident cases (20%)
  • Adversarial perturbation cases (20%, à la BrittleBench's perturbation methods)

On every prompt or model change, run the snapshot and diff the outputs. The point isn't pass/fail (plenty of agent outputs have legitimate variance); it's the diff distribution. If the new and old versions diverge significantly on some cluster of cases, review it by hand immediately.

Automated prompt optimization. When prompt count grows past what the team can maintain by hand, bring in a prompt-optimization framework. In 2025, DSPy's GEPA (Genetic-Pareto, arXiv:2507.19457) showed that reflective prompt evolution can match or beat RL methods within 100–500 rollouts. Arize's Prompt Learning (July 2025) is another direction, doing feedback-driven optimization on production traces. Neither needs large-scale labeled data, which suits small and mid-sized teams.

6.2 A layered evaluation architecture

Split evaluation explicitly into four layers, each with its own update cadence, owner, and tolerance.

Layer What it evaluates Typical method Update cadence
L1 — Model capability What the model itself can do Public benchmarks + private capability eval Every model swap
L2 — Component A single tool / prompt / subagent Unit tests + behavioral snapshots Every component change
L3 — System End-to-end task completion τ-bench-style + pass^k Every release
L4 — Business Real user outcomes A/B tests + retention / conversion / complaints Continuous, online

L4 must exist independently of L1–L3. If L4's signal can't be aligned with L1–L3 metrics, that isn't L4's problem; it means the evaluation system hasn't yet found a proxy that truly predicts business outcomes. That alignment work is the shared responsibility of agent engineers and the business side.

6.3 Long-term maintenance of a golden set

The golden set is your anchor, comparable across time. It doesn't have to be large (100–500 cases), but it must:

  • Be human-annotated, or cross-validated by multiple models then human-adjudicated.
  • Be frozen: the data itself unchanged for at least six months.
  • Cover key business paths, with a distribution close to production.
  • Stay confidential: never enter any training or fine-tuning pipeline, to avoid contamination.

The golden set doesn't replace day-to-day evaluation; it provides an "absolute reference" for when every other metric is drifting. When the golden-set score drops significantly after an upgrade, you can be confident it's real regression; when everyone else is climbing but the golden set hasn't moved, be wary of pollution.

6.4 Operationalizing LLM-as-a-Judge

Manage the judge as a component as important as the system under evaluation:

  • Freeze the judge version: use a fixed judge model version within an evaluation cycle (at least one quarter recommended); don't chase the latest model.
  • Judge calibration: before upgrading the judge version, compare old and new judges' scoring distributions on the golden set to confirm the re-baselining offset.
  • Multi-judge ensemble: for high-stakes evaluation, take the intersection of 2–3 judges from different families to reduce single-judge bias.
  • Human spot checks: sample 5–10% per evaluation cycle for human audit to detect systematic judge drift.

6.5 Harness and observability

OpenTelemetry GenAI semantic conventions became the de facto standard for agent observability across 2025–2026. Every LLM call, tool call, and retrieval step becomes a child span, forming a complete reasoning-chain trace. Auto-instrumentation already covers OpenAI, Anthropic, LangChain, and LlamaIndex. Jaeger v2, released in 2026, treats agent traces as first-class.

A minimum viable observability stack:

  • Trace layer: OpenTelemetry + gen_ai.* attributes (model name, token counts, finish reason, tool name).
  • Eval layer: inline evaluation on production traces (Braintrust, LangSmith, Phoenix).
  • Cost layer: trace-level cost transparency, attributing token spend per trace.
  • Drift layer: statistical process control (SPC) alerting on key metrics (output-format conformance, tool-call success rate, mean trajectory length, judge score distribution) rather than simple threshold alerts.

SPC, not thresholds. Drift is rarely a sudden jump; it's usually gradual. Simple threshold alerts are either too sensitive (false-positive storms) or too dull (you don't hear about it until it's a business incident). A control chart plus moving average plus standard-deviation bands catches the "still inside the threshold but already departing from the historical distribution" case far earlier.

6.6 Context engineering as a first-class citizen

Promote context management from "implicit prompt tinkering" to an explicit engineering module:

  • Token budget: set an explicit token budget per agent task; exceed it and trigger compaction or abort.
  • Compaction trigger: fire at 70% context utilization, not near the ceiling.
  • Anchored summarization: preserve the "anchors" (task goal, key facts, recent working memory) and summarize the rest of the history.
  • Tool-result hygiene: bulky tool results (document reads, API responses) exist only while in use, then get cleared or replaced with a summary.
  • Subagent context isolation: a subagent's working context doesn't pollute the parent's; only a result summary passes back.

If you can use provider-native compaction (such as Anthropic's compact-2026-01-12), prefer it: it pushes context management down to the inference layer, which is more efficient and has more controllable lossiness than application-layer summarization.

6.7 Keep deterministic fallbacks on critical paths

A final principle: the flexibility of autonomous architecture and the predictability of the system are two ends you cannot optimize at once.

On high-stakes paths (finance, healthcare, customer service, compliance), the predictability of a pure agent isn't there yet in the near term. Keep a hybrid form of workflow + local agent: a deterministic workflow controls the trunk, and the agent handles branches the workflow can't model in advance. This isn't technical conservatism; it's acknowledging the cost of the paradigm itself.

Concretely: draw the business process as a state machine, and mark explicitly which state transitions can be delegated to agent judgment and which must be governed by deterministic rules. An agent's decision enters the workflow only as a suggestion; the workflow decides whether to adopt it based on the current state.


7. Closing: from agent engineering to an engineering discipline

2025 was the year agent capability crossed the usable threshold. The core question for 2026 is no longer "can the model do it" but "how do we get the model to do it reliably."

A consensus is forming fast: at one level the model layer is being commoditized. The differences between Claude, GPT, and Gemini on a given task are far smaller than the differences harness optimization makes. The real moat is in the engineering capabilities outside the model: harness engineering, context engineering, evaluation methodology. LangChain took GPT-5.2-Codex from 52.8% to 66.5% on Terminal Bench 2.0 without swapping the model, the single most persuasive sample of this trend.

Admitting drift exists does more for building a solid system than pretending it doesn't. Treat every performance wobble as a systemic phenomenon to be managed, rather than an individual bug to be chased, and a team's agent engineering finally enters its next maturity stage.

Models will keep improving; the foundation will keep moving. The teams that can build a stable product amid continuous change are the ones genuinely doing agents, not just demoing them.


References

Core architecture & protocols

  • Yao, S., et al. ReAct: Synergizing Reasoning and Acting in Language Models. arXiv:2210.03629, October 2022.
  • OpenAI. Function calling and other API updates. Official blog, June 13, 2023.
  • Anthropic. Introducing the Model Context Protocol. November 25, 2024. modelcontextprotocol.io
  • Anthropic. Migrating to Claude 4 / What's new in Claude 4.5. Official platform documentation, 2025–2026.

Prompt brittleness & optimization

  • Ceron, T., et al. Beyond Prompt Brittleness: Evaluating the Reliability and Consistency of Political Worldviews in LLMs. TACL, 2024.
  • Sclar, M., et al. Quantifying Language Models' Sensitivity to Spurious Features in Prompt Design. ICLR 2024.
  • Agrawal, L., et al. GEPA: Reflective Prompt Evolution Can Outperform Reinforcement Learning. arXiv:2507.19457, July 2025.
  • Arize AI. Prompt Learning: Feedback-driven LLM Optimization. Technical report, July 2025.

Agent evaluation

  • Yao, S., et al. τ-bench: A Benchmark for Tool-Agent-User Interaction in Real-World Domains. arXiv:2406.12045, 2024.
  • Barres, V., et al. τ²-Bench: Evaluating Conversational Agents in a Dual-Control Environment. Sierra Research, 2025.
  • Zhou, Y., et al. Establishing Best Practices for Building Rigorous Agentic Benchmarks. arXiv:2507.02825, July 2025.
  • Cuadron, A., et al. SABER: Systematic Analysis of Benchmark Evaluation Reliability. 2025.
  • Jimenez, C., et al. SWE-bench: Can Language Models Resolve Real-World GitHub Issues? ICLR 2024.

Benchmark contamination & saturation

  • Zhao, Q., et al. MMLU-CF: A Contamination-free Multi-task Language Understanding Benchmark. arXiv:2412.15194, December 2024.
  • Detecting Benchmark Contamination Through Watermarking. arXiv:2502.17259, 2025.
  • Ahuja, S., et al. Contamination Report for Multilingual Benchmarks. arXiv:2410.16186, 2024.

LLM-as-a-Judge

  • Zheng, L., et al. Judging LLM-as-a-Judge with MT-Bench and Chatbot Arena. NeurIPS 2023.
  • Panickssery, A., et al. LLM Evaluators Recognize and Favor Their Own Generations. NeurIPS 2024.
  • Rubrics as an Attack Surface: Stealthy Preference Drift in LLM Judges. arXiv:2602.13576, 2026.
  • Evaluating Scoring Bias in LLM-as-a-Judge. arXiv:2506.22316, 2025.

Context engineering & long-horizon

  • Chroma Research. Context Rot: How Increasing Input Tokens Impacts LLM Performance. trychroma.com/research/context-rot, July 2025.
  • Liu, N., et al. Lost in the Middle: How Language Models Use Long Contexts. TACL, 2024.
  • Modarressi, A., et al. NoLiMa: Long-Context Evaluation Beyond Literal Matching. 2025.
  • Wu, D., et al. LongMemEval: Benchmarking Chat Assistants on Long-Term Interactive Memory. 2025.
  • Zhang, Y., et al. Memory as Action: Autonomous Context Curation for Long-Horizon Agentic Tasks. arXiv:2510.12635, 2025.
  • Kang, J., et al. ACON: Failure-Driven Guideline Optimization for LLM Agents. 2025.

Harness engineering & production practice

  • Chase, H. Context Engineering Long-Horizon Agents (Sequoia podcast). January 2026.
  • Meng, X., et al. Agent Harness for Large Language Model Agents: A Survey. 2026.
  • Faros AI. Harness Engineering: Making AI Coding Agents Work in 2026. Technical guide, 2026.

Observability

  • OpenTelemetry. GenAI Semantic Conventions Specification. opentelemetry.io, 2025–2026.
  • Jaeger v2. AI Agent Observability via OpenTelemetry and MCP. CNCF, March 2026.
  • Braintrust. Agent Observability: The Complete Guide for 2026. braintrust.dev, 2026.
agent systemsperformance driftevaluationcontext engineeringLLM operations