Deep dive · course-wiki · bilingual
How to build agentic systems for real
I ran a multi-agent pipeline that read the state of the art on AI agents (2025–2026), checked it against the primary sources, and organized it into 16 modules. This is that research, rewritten in my voice and fact-checked again. No claim appears without a source and an honest credibility grade.
- 16
- modules
- 8
- phases
- ~32k
- words
- ~3h
- read
- 145
- sources
The substrate and the unifying mental model
- What an LLM really is: stochastic, stateless, finite-window The engine under every AI agent is a stochastic, stateless next-token function over a finite context window. Memory, sessions, HITL, and evals all exist to compensate for those three properties. Foundation
- What an AI agent really is: a decision-maker acting on partial information The mental model that unifies RAG, memory, HITL, and evals: an agent is a policy acting on a partially observed world (a POMDP). Workflow vs agent is a control-flow choice, and compounding error is what forces the architecture. Foundation
The two atoms of composition: context and tools
- Context engineering: curating the belief state every turn Context is not a bucket you fill, it's a finite attention budget you spend each turn. Just-in-time retrieval, compaction, and the four context pathologies that make an agent get dumber as the conversation grows. Core
- A tool is UX for an LLM, not an API wrapper A tool is the action space of the agent's POMDP, designed for a reader that is stochastic, stateless, and token-bounded. Schema and naming quality shape the policy; tool metadata is an attack surface. Core
The control loop and knowledge retrieval
- The control loop: Agent = Model + Harness An agent is a model plus a harness. Control flow lives in deterministic code, the model is a stateless reducer that decides one tool per turn, and every iteration only earns its keep by injecting ground truth from the environment. Core
- Retrieval: agentic search vs RAG as an asymmetric-cost decision Retrieval isn't a component you install. It's an architectural choice between two paradigms with opposite cost structures. For navigable, bounded corpora, agentic search wins on freshness and exactness. Embeddings stopped being the default. Core
Reliability: human control, security, evaluation
- Human-in-the-loop is a control system, gated by reversibility HITL isn't 'ask the user when unsure.' It's a deterministic control system that intercepts irreversible, high-blast-radius actions before they run, and guarantees that what the human approves is byte-for-byte what executes. Reliability
- Agentic security is architectural: the model is an untrusted reducer Prompt injection has no fix at the model level, so the trust boundary has to live in code. Default-deny, least privilege, RLS for tenant isolation, and separating control from data are the real defenses, not a better system prompt. Reliability
- Evaluation is the control loop, not the final exam The eval is where fuzzy intuitions about 'correct' become a signal you can optimize. Build it from real error analysis, measure trajectory and pass^k, and remember the same verifiable function that grades also trains and self-improves the agent. Reliability
Reasoning as budgetable compute
Production: observability and durable systems
- Observability for non-deterministic agents: reconstruct the trajectory, don't trust the narration You can't debug what you can't reconstruct. Observability for agents is the discipline of rebuilding a non-deterministic system's actual decision trajectory from structured traces (the tools it called, the args, the results, the decisions), not the model's story about what it did. Production
- Production agents are durable distributed workflows A demo agent is a function call. A production agent is a long-running, non-deterministic distributed workflow where every step has costly and irreversible side effects. Durability, idempotency, and a database as source of truth are what make it operable. Production
Frontier: multi-agent, post-training, the future
- Multi-agent is a context-engineering decision, not a smarter architecture Sub-agents buy you clean, isolated context windows and parallel read-heavy exploration. The price is coordination overhead, and a single agent often wins. Orchestrator-worker and the read/write asymmetry decide when fan-out helps. Production
- Post-training and RL: why the model behaves the way it does Pretraining gives the base distribution; SFT, preference optimization, and RLVR shape it into an agent. The recipe (GRPO + verifiable rewards) explains the model's priors and its reliability frontier, and your eval graders are the same object the labs train on. Frontier
- The frontier: task time-horizon, self-improvement, and where this goes The credible frontier metric isn't model IQ — it's the task time-horizon METR measures, doubling roughly every seven months. Self-improvement works only when bolted to a verifiable grader. The rest is speculation, marked as such. Frontier
Nine ideas that reorganize the field
If you take only one thing from here, take these. They are the connections the traditional order (start with frameworks, or with "how to call a tool") hides.
- 01
The whole field derives from three substrate properties. An LLM is stochastic, stateless, and runs on a finite window. Memory exists because it forgets; evals run pass^k because it is stochastic; context engineering exists because the window is finite. Learn the root and sixteen topics collapse into one tree.
- 02
Eval, reward, and grader are the same function wearing three hats. The verifiable function that scores a training rollout is the same one that grades your evals and shapes self-improvement. Master writing un-hackable verifiers and you master training, evaluation, and self-improvement at once.
- 03
Security and human-in-the-loop are not a separate pillar. They fall straight out of compounding error and partial observability. Prompt injection has no clean fix, so the trust boundary has to live in deterministic code, not in the prompt.
- 04
Memory is coupled to security more tightly than to context. The write-path is where untrusted input becomes trusted knowledge. A poisoned memory is a persistent, multi-session attack — strictly worse than a one-turn injection.
- 05
Teach reasoning after the loop and evals, not before. Chain-of-thought is not faithful to the internal computation, so it is no audit trail and no injection defense. That lesson only lands once you already understand graders and architectural defense.
- 06
The return is in five decisions, not sixteen pillars equally. Do I even need an agent. Does control flow live in code or get delegated to the model. Is reversibility the gate for human review. Did error analysis come before writing evals. Is the defense architectural or behavioral. These five carry most of the reliability ROI.
- 07
Start from the mental model and the raw API, not from a framework. Heavy agent frameworks hide the loop and the policy and quietly push you toward over-engineering. Understand the POMDP first and you can reason about any framework instead of being trapped in one.
- 08
You learn security by breaking things, not by reading about them. A system whose weak spots you have exploited and then patched teaches the principle far better than a clean example that was never wrong.
- 09
Retrieval, memory, and context are one triangle. Three ways to manage the finite belief state of the POMDP: retrieval loads knowledge on demand, memory persists state across turns, context curates what enters the window now. Traditional teaching fragments them into RAG, memory, and prompting silos.
Start at the beginning: What an LLM really is: stochastic, stateless, finite-window →