While experimenting with autonomous agents recently, I keep running into a pattern that feels oddly familiar from distributed systems history.

A lot of current discussion around agent reliability focuses on:

• better prompting
• model alignment
• sandboxed execution environments
• tool-use training

All of these are important.

But a large class of failures in production agent systems seems to come from something else entirely: uncontrolled execution of side effects.

Examples I’ve observed (and seen others mention):

• identical inputs producing different execution paths across runs
• agents calling tools with parameters that were never explicitly defined
• retry loops repeatedly hitting external APIs
• silent failures where the system returns an answer but the intermediate reasoning path is wrong
• tools triggered in contexts where they should not run

The typical response is to add more prompt instructions or guardrails.

That sometimes helps, but it feels fundamentally fragile because the LLM is still the system deciding whether an action should execute.

Analogy with distributed systems

Distributed systems ran into similar issues decades ago.

Applications originally controlled things like:

• rate limits
• authorization decisions
• retry logic
• resource consumption

Over time those responsibilities moved into infrastructure layers.

For example:

• load balancers enforce request limits
• databases enforce transaction boundaries
• IAM systems enforce authorization policies
• service meshes enforce network policies

In other words, systems evolved from:

application decides everything 

to:

application proposes infrastructure enforces 

Current agent architectures

Most agent frameworks today look roughly like this:

Prompt ↓ LLM reasoning ↓ Tool selection ↓ Execution 

Examples include frameworks such as LangChain, AutoGen, and CrewAI.

These systems focus primarily on orchestration and reasoning.

However, the LLM still decides:

• which tool to call
• when to call it
• which parameters to use

This works well for prototyping.

But once agents interact with real systems (APIs, infrastructure, databases), incorrect tool execution can have real consequences.

Possible missing primitive: execution authorization

One architecture that seems underexplored is introducing a deterministic control layer between the agent runtime and tool execution.

Conceptually:

(insert diagram here)

Agent proposes action ↓ Policy engine evaluates ↓ ALLOW / DENY ↓ Execution

In this model:

• the agent remains responsible for planning and reasoning
• execution is gated by a deterministic policy layer

Such a layer could enforce invariants like:

• resource budgets
• concurrency limits
• allowed tool scopes
• replay protection
• idempotency guarantees

These concepts are common in distributed systems, but they do not appear to be widely implemented yet in agent runtimes.

Relationship to existing work

There are some related directions:

• observability tools for LLM pipelines (tracing and debugging systems)
• sandboxing approaches for agent execution
• verification approaches where LLMs generate programs that are validated before execution

However, a general-purpose execution authorization layer for agent actions does not seem widely explored yet.

Question for the community

As agents become more capable and start interacting with external systems, stronger execution guarantees may become necessary.

I'm curious how people working on agent infrastructure think about this.

Do you see value in a deterministic authorization layer for agent actions?

Or do you expect emerging approaches like program synthesis + verification to make this unnecessary?

For context, I’ve been experimenting with this idea in an open-source project exploring deterministic policy enforcement for agent actions:

https://github.com/AngeYobo/oxdeai

Would be very interested in feedback from people building agent runtimes or researching agent reliability.