agenticoutputs
About · Newsletter ·
Why Your AI Agent Is Bleeding Money in Production (And How to Fix It)
Builds

Why Your AI Agent Is Bleeding Money in Production (And How to Fix It)

mrmolsen · June 12, 2026 ·6 min read

A customer support agent hits an ambiguous refund request — “fix my last three orders” — and starts calling Stripe’s create_refund endpoint in a loop. No idempotency key. No budget ceiling. By the time your on-call engineer notices the alert, you’ve gone from $100/day to $1,000/day in 18 hours. The model was doing exactly what it thought you asked. That’s the problem.

Across our enterprise clients, engineering teams consistently report spending 25–40% more time debugging agentic systems compared to equivalent microservice architectures. The non-determinism isn’t just annoying — it compounds. A single ambiguous prompt can trigger recursive tool calls, exhaust API rate limits, and corrupt shared state before any single failure threshold fires. Prompt engineering doesn’t fix this. Architecture does.

The Unseen Costs of Agent Autonomy

The refund scenario above isn’t exotic. It’s the default failure mode for agents given write access to external APIs without hard constraints. The costs stack in three places: compute (token burn from retry loops), third-party API overage (unbounded tool calls), and engineering time (debugging non-deterministic traces that don’t reproduce cleanly).

What makes agentic failures expensive isn’t just the blast radius — it’s the detection lag. A microservice throws a 500 and your alerting fires in seconds. An agent silently makes 200 semantically valid but financially catastrophic API calls, each returning 200 OK. By the time something downstream breaks, the damage is done and the trace is a wall of LLM reasoning steps.

The fix isn’t a smarter model. It’s a control plane that doesn’t trust the model to self-limit.

Architectural Foundations for Agent Control

The most durable pattern we’ve seen in production is a hard separation between the control plane and the execution plane.

┌─────────────────────────────────────────┐
│            CONTROL PLANE                │
│  ┌─────────────┐    ┌────────────────┐  │
│  │  Supervisor │    │  Budget/Rate   │  │
│  │    Agent    │───▶│   Limiter      │  │
│  └─────────────┘    └────────────────┘  │
│         │                               │
│         ▼                               │
│  ┌─────────────┐    ┌────────────────┐  │
│  │  State Mgr  │    │ Policy Engine  │  │
│  │  (Redis)    │    │  (Guardrails)  │  │
│  └─────────────┘    └────────────────┘  │
└──────────────┬──────────────────────────┘


┌─────────────────────────────────────────┐
│            EXECUTION PLANE              │
│   Tool Wrappers / API Clients / LLM     │
└─────────────────────────────────────────┘

The Supervisor Agent pattern puts a second agent — or a deterministic rules engine — between the primary agent’s intent and actual tool execution. It doesn’t reason about user goals. It enforces policy: has this tool been called more than N times this session? Does the requested action exceed the user’s permission scope? Is the budget ceiling breached?

In LangChain, you implement this via custom tool wrappers with pre- and post-invocation hooks:

from langchain.tools import BaseTool
from pydantic import BaseModel, validator

class RefundInput(BaseModel):
    order_id: str
    amount_cents: int

    @validator("amount_cents")
    def cap_refund(cls, v):
        if v > 10000:  # $100 hard cap
            raise ValueError(f"Refund {v} exceeds policy limit")
        return v

class RefundTool(BaseTool):
    name = "create_refund"
    args_schema = RefundInput

    def _run(self, order_id: str, amount_cents: int):
        # pre-flight: idempotency check against Redis
        # execution: call Stripe
        # post-execution: log to audit trail
        ...

In AutoGen, you override generate_reply on a UserProxyAgent to inject policy checks before any tool call reaches the execution layer. The pattern is the same: intercept, validate, enforce, then execute or reject.

Engineering Predictable Behavior

Schema-driven tool invocation is the single highest-leverage change you can make to an agentic system. In our internal IT automation pilots, adding Pydantic validation at tool boundaries reduced malformed API requests by over 70% and cut downstream error-handling costs by an estimated 15%. The model still hallucinates inputs — but now it hallucinates into a validator that throws, not into a live API that silently accepts garbage.

Explicit state management matters just as much. Don’t let the agent reconstruct context from conversation history alone — that’s how you get drift over long sessions. Store session state in Redis with a TTL:

import redis
import json

r = redis.Redis(host="localhost", port=6379, db=0)

def get_session_state(session_id: str) -> dict:
    raw = r.get(f"agent:session:{session_id}")
    return json.loads(raw) if raw else {}

def update_session_state(session_id: str, updates: dict, ttl: int = 3600):
    state = get_session_state(session_id)
    state.update(updates)
    r.setex(f"agent:session:{session_id}", ttl, json.dumps(state))

For guardrails, think in three tiers:

  • Pre-flight: Validate inputs before the LLM sees them. Sanitize, scope-check, classify intent.
  • In-flight: Intercept tool calls before execution. Check rate limits, budget ceilings, idempotency keys.
  • Post-execution: Audit outputs before returning to the user or triggering downstream actions. Flag anomalies, log to your observability stack.

Each tier catches a different failure class. Pre-flight stops prompt injection and scope creep. In-flight stops the Stripe loop. Post-execution catches semantic failures that pass validation but violate business logic.

Monitoring and Observability

You can’t debug what you can’t see. For agentic systems, standard APM dashboards are insufficient — you need metrics that reflect the agent’s decision loop, not just HTTP latency.

Track these at minimum:

  • Token usage per interaction — broken down by prompt vs. completion, by agent step
  • Tool call success/failure rates — per tool, per session, per time window
  • Guardrail trigger counts — which rules fire, how often, for which user segments
  • Structured thought logs — the agent’s reasoning chain, not just inputs/outputs

A useful dashboard layout: real-time token burn rate in the top panel (with a budget ceiling line), tool call heatmap by type in the middle, and a guardrail trigger feed at the bottom with drill-down to the offending session. Anomaly detection should alert on any 3x spike in tool call volume within a 5-minute window — that’s your Stripe loop detector.

For shipping changes safely, run new agent versions in shadow mode first: the updated agent processes live traffic in parallel, logs its decisions, but doesn’t execute tool calls. Compare decision distributions against the production agent before promoting. This catches behavioral regressions that unit tests miss because they require real traffic patterns to surface.

Canary deployments work well for low-stakes agents. For agents with write access to external systems, shadow mode isn’t optional — it’s the only way to validate a behavior change without accepting the blast radius.

The architecture described here isn’t over-engineering. It’s the minimum viable control surface for an agent that touches external APIs in production. The teams that skip it spend their engineering cycles on incident retrospectives instead of features. The teams that build it ship faster because they trust their agents enough to give them more autonomy — which is the actual goal.

Share Post on X Share on LinkedIn