Originally published at kunalganglani.com — read it there for inline code, hero image, and live links.
AI agent evaluation is the practice of systematically measuring whether an autonomous agent completes its assigned task correctly, safely, and efficiently — not just whether it generates plausible-sounding text. In 2026, knowing how to evaluate AI agents in production testing is the gap between teams that ship confidently and teams that ship and pray. Unlike traditional LLM evaluation, agent evals must assess multi-step reasoning, tool usage, plan quality, and behavioral drift over time. This guide covers the full production testing loop: deterministic checks, LLM-as-judge scoring, regression harnesses in CI/CD, tool-call fidelity verification, and the offline-to-online transition that most tutorials skip entirely.
Key takeaways:
- Agent evaluation requires measuring the full execution path — task completion, tool-call fidelity, step efficiency, and plan adherence — not just final output quality.
- Deterministic (code-based) checks should handle 60-70% of your eval surface; reserve LLM-as-judge for subjective quality dimensions where exact-match fails.
- Golden datasets versioned alongside prompts in Git, triggered in CI/CD, are the only reliable way to catch agent regressions before deployment.
- Most agent dashboards track latency and token counts — useful operational signals, but not proof the agent actually did its job.
- Shadow evaluation (running new and old agent versions in parallel) is the production transition pattern that prevents silent failures at scale.
What Is AI Agent Evaluation (and Why It's Different from LLM Evaluation)
Traditional LLM evaluation measures a single input-output pair: you send a prompt, get a response, and score it. Agent evaluation is fundamentally different because agents take actions across multiple steps, call external tools, maintain state, and produce side effects in the real world.
As Hamel Husain, independent AI consultant and former GitHub engineer, puts it: unsuccessful AI products almost always share a common root cause — a failure to create robust evaluation systems. Most teams focus exclusively on prompt engineering and fine-tuning, skipping the eval infrastructure that makes iteration possible.
The distinction matters practically. When you evaluate a chatbot, you're asking "was this response helpful?" When you evaluate an AI agent, you're asking a chain of harder questions: Did it pick the right tool? Did it pass the correct arguments? Did it complete the task in a reasonable number of steps? Did it avoid unsafe actions along the way? Did the final outcome match what the user actually needed?
If your eval only checks the agent's final output, you've tested 20% of what can go wrong.
Eugene Yan, Senior Applied Scientist at Amazon, notes that conventional evals relying on n-grams, semantic similarity, or gold references have become less effective at distinguishing good from bad responses as LLMs tackle increasingly complex, open-ended tasks. For agents — which chain multiple such tasks together — the gap is even wider. You need evaluation at every layer: the individual tool call, the reasoning step, the plan, and the end-to-end outcome.
How to Evaluate AI Agents in Production Testing: The Core Metrics
The Arize AI team defines four evaluation metric categories for agents, and this taxonomy is the clearest framework I've seen for organizing what to measure. Here's the breakdown:
Quality metrics cover correctness, grounding, and task fit. Did the agent produce the right answer? Is it grounded in source data (not hallucinated)? Does it match what this specific job requires? A customer support agent needs resolution accuracy; a coding agent needs test pass rate; a research agent needs citation accuracy.
Cost metrics track efficiency: cost per resolution, tokens consumed per task, and latency at P95. An agent that solves the problem but burns $4.50 in API calls per interaction isn't production-viable if your margin is $5.
Safety metrics monitor refusal rates, escalation frequency, and unsafe tool actions. Anthropic recommends that even "hazy" safety criteria can be quantified — for example, "less than 0.1% of outputs out of 10,000 trials flagged for toxicity by our content filter" — making them testable in a regression harness.
Behavior metrics detect workflow drift over time. Is the agent's reasoning path changing week over week? Are step counts creeping up? Is tool selection shifting? These signals catch silent degradation before it becomes a production incident.
The key insight from Arize: most agent dashboards track latency, tokens, traces, and tool calls. These are useful signals, but they are NOT proof the agent actually completed the job correctly. A support agent that responds in 200ms with perfect grammar but gives the wrong answer scores great on operational metrics and terrible on the one that matters.
Deterministic Checks vs. LLM-as-Judge vs. Human Eval — Choosing the Right Evaluator
This is where most teams get stuck. They hear about LLM-as-judge and try to use it for everything, or they write a few regex checks and call it a day. You need a decision framework.
Layer 1: Deterministic (code-based) checks. These are fast, free, and perfectly reproducible. Use them for anything with a verifiable ground truth: did the agent return a valid JSON schema? Did it call the correct API endpoint? Does the output contain required fields? Is the response under the token limit? Based on the benchmark data I maintain at kunalganglani.com/llm-benchmarks, I've found that deterministic gates catch roughly 60-70% of real failures in structured agent outputs — and they run in milliseconds, not seconds.
Layer 2: LLM-as-judge. When the quality dimension is subjective — helpfulness, tone, reasoning coherence, whether a summary captures the key points — you need a model to evaluate the model. Eugene Yan documents that LLM-evaluators can be orders of magnitude faster and cheaper than human annotators, and often more reliable. But matching the precision and recall of a fine-tuned classifier is a harder bar to clear. Use LLM-as-judge for 25-35% of your eval surface: the dimensions where code can't express "good."
Layer 3: Human evaluation. Reserve this for calibration and edge cases. Humans are slow and expensive, but they're the ground truth for ambiguous cases. Use human eval to validate your LLM judge's scores quarterly, to review failures the automated pipeline flags, and to build the initial golden datasets that everything else trains against.
Layer 4: Shadow evaluation. In production, run the new agent version alongside the current one, compare outcomes, and promote only when the new version matches or beats the incumbent. This is the layer nobody talks about, but it's the one that prevents catastrophic rollouts.
The decision rule is simple: start at Layer 1. If code can express the quality criterion, stop there. Escalate to the next layer only when the lower one can't capture what matters. Running my site's 7-agent publishing pipeline taught me this the hard way — deterministic gates before LLM review catch more issues than doubling the review model's size. I route Sonnet for tool-loop evaluations and Opus for prose quality judgments, because model-per-job-shape beats one-model-everywhere on both cost and accuracy.
Task Completion Scoring: Measuring Whether the Agent Did the Job
Task completion is the north star metric for any agentic AI system. Everything else — step efficiency, cost, safety — is secondary if the agent didn't accomplish what it was asked to do.
DeepEval's Task Completion metric is architecturally interesting because it doesn't use a traditional input-output test case. Instead, it takes an LLM trace as input, evaluating the full multi-step execution path rather than a single response. The DeepEval / Confident AI team defines six core agentic metrics: Task Completion, Argument Correctness, Tool Correctness, Step Efficiency, Plan Adherence, and Plan Quality.
Here's how to implement task completion scoring practically:
Define success criteria before you build the eval. Anthropic's documentation recommends criteria that are Specific, Measurable, Achievable, Relevant, and Time-bound. "The agent should help the user" is useless. "The agent resolves the customer's billing issue without requiring escalation in under 3 minutes" is testable.
Score on a rubric, not binary pass/fail. A 0-1 continuous score with a configurable threshold (DeepEval defaults to 0.5) gives you much more signal than pass/fail. You can track score distributions over time and catch drift before it crosses the failure line.
Evaluate the trace, not just the final message. An agent that arrives at the right answer through a dangerous reasoning path (e.g., accessing data it shouldn't, calling tools unnecessarily) is a ticking time bomb. Trace-level evaluation catches this.
Separate task completion from task quality. The agent completed the task (score: 1.0) but the response was verbose and unhelpful (quality score: 0.4). These are different failure modes requiring different fixes.
For teams building multi-agent systems, task completion gets harder. When an orchestrator delegates to subagents, you need to score both the delegation decision and each subagent's execution independently. If the chain fails, you need to attribute the failure to the right node — orchestrator, tool, or subagent.
Tool-Call Fidelity: Verifying the Right Tool Was Called with the Right Arguments
Tool-call fidelity evaluation is the most under-discussed dimension in agent testing, and it's where I've seen the most silent production failures. An agent can produce a perfectly coherent response while having called the wrong tool, passed incorrect arguments, or called tools in the wrong order.
Tool-call fidelity checks answer three questions:
Did the agent call the right tool? If the user asked to cancel an order and the agent called
get_order_statusinstead ofcancel_order, the tool selection failed — even if the agent eventually produced a reasonable-sounding response.Did it pass the correct arguments? The agent called
cancel_orderbut passedorder_id: "latest"instead of the actual order ID from context. This is an argument correctness failure, and it's harder to catch because the tool call looks structurally valid.Did it call tools in the right sequence? Some workflows require specific ordering — you must verify the order exists before canceling it. Sequence violations can cause silent data corruption.
Here's a practical scoring rubric for tool-call fidelity:
- Full match (1.0): Correct tool, correct arguments, correct sequence
- Partial match — right tool, wrong args (0.5): The agent's intent was correct but execution was flawed. Often fixable with better function calling schemas.
- Wrong tool entirely (0.0): Fundamental misunderstanding of the task. Requires prompt or architecture changes.
- Unnecessary tool calls (penalty: -0.1 per extra call): The agent called 5 tools when 2 would suffice. This wastes tokens, increases latency, and signals plan quality issues.
Implement this by storing expected tool-call sequences in your golden dataset alongside expected outputs. On each eval run, diff the actual trace against the expected sequence. DeepEval's Tool Correctness and Argument Correctness metrics automate parts of this, but building a custom diff at the argument level gives you the most diagnostic signal.
For agents using MCP (Model Context Protocol), tool-call fidelity is even more critical because the tool surface area is dynamic. The agent discovers available tools at runtime, which means your eval needs to verify not just that the right tool was called, but that the agent correctly interpreted the tool's schema from the MCP server.
Step Efficiency and Plan Adherence: Evaluating the Agent's Reasoning Path
Two agents can complete the same task with wildly different reasoning paths. One takes 3 steps and 1,200 tokens. Another takes 11 steps and 8,400 tokens. Both succeed, but only one is production-viable.
Step efficiency measures whether the agent completed the task in a reasonable number of steps. Define "reasonable" by establishing baselines from your golden dataset. If the optimal path for a billing inquiry is 3 tool calls and the agent consistently takes 7, you have a step efficiency problem.
Step efficiency directly impacts LLM cost. At $3 per million input tokens (a typical mid-tier API price in 2026), an agent that uses 4x more steps than necessary is burning 4x the token budget. Across thousands of daily interactions, that compounds fast.
Plan adherence asks a different question: did the agent follow the intended workflow? This matters most for regulated or high-stakes domains where the reasoning path is as important as the outcome. A medical triage agent that skips the symptom-verification step and jumps straight to a recommendation might get the answer right 90% of the time, but the 10% where it doesn't could be catastrophic.
To evaluate plan adherence, define reference plans for your key workflows. Each plan is a sequence of expected steps with optional branches. Score adherence as the overlap between the agent's actual step sequence and the reference plan, penalizing skipped steps more heavily than reordered ones.
DeepEval's Plan Adherence and Plan Quality metrics use LLM-as-judge to evaluate these dimensions against a reference plan. For deterministic workflows, I prefer code-based sequence matching — it's faster and more reproducible. For open-ended workflows where multiple valid paths exist, LLM-as-judge is the right call.
Building a Regression Harness: Golden Datasets, Versioning, and CI/CD Integration
This is the section that no competitor covers end-to-end, and it's arguably the most important for teams shipping agents to production. A regression harness is the infrastructure that catches agent quality degradation before it reaches users.
The pattern has three components:
1. Golden datasets. Start with 5-10 manually curated examples per critical workflow, as the LangChain team recommends in the LangSmith documentation. Each example includes: the input (user message + context), the expected output, the expected tool-call sequence, and quality annotations. Grow this dataset over time by adding production failures, edge cases from human review, and adversarial examples from red-teaming.
Target 50-100 examples per workflow for statistical significance. Below 30, your eval results are noisy enough that random variation looks like real regression. Above 200, you're probably spending more on eval maintenance than the signal justifies.
2. Version alongside code. Your golden dataset is code. Store it in Git, in the same repository as your agent's prompts and configuration. When you change a prompt, the dataset diff should be in the same PR. This creates an auditable history: "we changed the system prompt on June 3rd and task completion dropped from 0.87 to 0.72 — revert."
Structure your dataset directory like this: one JSONL file per workflow, with each line containing the test case. Name files by workflow and version. Keep a CHANGELOG.md in the dataset directory documenting why examples were added or modified.
3. CI/CD integration. Run your eval suite on every PR that touches agent code, prompts, or tool definitions. Set up your CI/CD pipeline to:
- Execute all golden dataset test cases against the PR's agent version
- Compare scores against the main branch baseline
- Block merge if task completion drops more than 5% or any safety metric regresses
- Post a summary comment on the PR with score deltas per workflow
The eval run itself takes time — typically 2-8 minutes depending on dataset size and whether you're using LLM-as-judge. This is acceptable for PR checks. For faster feedback during development, run a smoke subset (10-15 cases) on every commit and the full suite on PR creation.
LangSmith's evaluation lifecycle maps this nicely: development with offline evaluation against curated datasets, initial deployment with online evaluation on live runs, and continuous improvement via feedback loops. The regression harness is your bridge between stages 1 and 2.
Offline vs. Online Evaluation: The Production Transition
Offline evaluation tests your agent against static datasets before deployment. Online evaluation monitors live agent interactions in production. The transition between them is where most teams stumble.
Offline evaluation gives you control and reproducibility. You know the inputs, you know the expected outputs, and you can run the same suite 100 times. But offline evals have a fundamental limitation: they can't capture the full distribution of real user inputs. Your golden dataset, no matter how carefully curated, represents a biased sample of what users will actually ask.
Online evaluation closes this gap by scoring live interactions. But it introduces new challenges: you need to evaluate without blocking the user experience, you need to handle the cost of running LLM-as-judge on every interaction (or a sampled subset), and you need alerting that distinguishes real quality drops from normal variance.
The transition pattern that works:
- Development: Full offline eval suite on every PR. Block deploys on regression.
- Shadow mode: Deploy the new agent version alongside the current one. Route 100% of traffic to both, serve responses from the incumbent, log responses from the challenger. Compare task completion scores on identical inputs.
- Canary deployment: Route 5-10% of live traffic to the new version. Monitor quality, cost, safety, and behavior metrics in real-time. Set automatic rollback triggers if any metric crosses a threshold.
- Full rollout: Promote to 100% traffic. Continue online evaluation with sampling (evaluate 10-20% of interactions with LLM-as-judge, 100% with deterministic checks).
- Feedback loop: Route online failures back into your golden dataset. This is how your offline evals improve over time.
Shadow evaluation is particularly powerful for agent orchestration changes. When you modify how an orchestrator routes between subagents, shadow mode lets you compare the full execution traces without risking production quality.
LLM-as-Judge: Prompting Techniques, Bias Risks, and Score Calibration
LLM-as-judge is the backbone of modern agent evaluation for subjective quality dimensions. But it's not a plug-and-play solution. Bad judge prompts produce scores that are worse than useless — they're confidently wrong.
Eugene Yan documents the key techniques:
Direct scoring asks the judge to assign a score (1-5 or 0-1) to a single response. It's simple and fast but can suffer from score compression — judges tend to cluster scores around 3-4 out of 5, making it hard to distinguish good from great.
Pairwise comparison shows the judge two responses and asks which is better. This produces more reliable orderings but requires 2x the eval budget and doesn't give you an absolute score.
Rubric-grounded scoring provides the judge with an explicit rubric defining what each score level means. This is the most reliable approach for agent evals because it anchors the judge's assessment to concrete criteria rather than vibes.
The bias risks are real and well-documented:
- Position bias: Judges prefer the first (or last) response they see in pairwise comparisons. Mitigate by randomizing order and averaging across both positions.
- Verbosity bias: Judges rate longer responses higher, even when the shorter response is more accurate. Mitigate by explicitly instructing the judge to penalize unnecessary length.
- Self-preference bias: Models prefer outputs generated by themselves. Use a different model family for judging than for generation — if your agent runs Claude, judge with GPT-4.1 or Gemini, and vice versa.
Score calibration is the step everyone skips. The default pass/fail threshold in DeepEval is 0.5, but that number is arbitrary. To calibrate properly:
- Have human annotators score 50-100 examples on the same rubric your LLM judge uses.
- Compare the judge's scores to human scores. Calculate correlation (Spearman's rho works well for ordinal scales).
- Adjust your threshold based on the correlation. If the judge consistently scores 0.15 points higher than humans, lower your threshold by 0.15.
- Re-calibrate quarterly as models update and your agent's behavior evolves.
Evaluator spend is a real concern at scale. If you're running GPT-4.1 as a judge on every agent interaction, your eval costs can rival your agent's inference costs. Strategies to manage this: use a smaller model (Claude Haiku 4.5 or Gemini Flash) for initial screening, escalate to a larger judge only for borderline scores, and sample rather than scoring every interaction in production — 10-20% sampling catches systemic issues while cutting eval costs by 80%.
Metrics That Create False Confidence
The Arize AI team calls these out directly, and I want to amplify it because I've seen teams make expensive decisions based on misleading metrics.
Latency alone is not a quality signal. A fast wrong answer is still wrong. Tracking P50 and P95 latency matters for user experience, but it tells you nothing about correctness.
Token counts are an efficiency proxy, not a quality proxy. An agent that uses fewer tokens might be more efficient — or it might be skipping critical reasoning steps. Always pair token metrics with task completion scores.
Trace completion rate ("the agent didn't crash") is table stakes, not a success metric. If 99% of your agent runs complete without errors, great — but how many of those completions actually solved the user's problem?
Tool call count without tool call correctness is misleading. An agent that makes 3 tool calls per task looks efficient. But if 1 of those 3 calls is consistently wrong, you have a 33% tool-call failure rate hiding behind a clean-looking metric.
User satisfaction ratings without grounding. Users rate agents higher when they're confident-sounding, even when they're wrong. A/B test satisfaction against task completion to identify cases where the agent is charming but incorrect.
Build your dashboard around metrics that answer: "Did the agent do the job?" Everything else is supporting evidence.
Tools and Frameworks for Agent Evaluation in 2026
The tooling ecosystem has matured significantly. Here are the frameworks worth evaluating:
DeepEval (open-source, by Confident AI) offers 50+ metrics including the 6 agentic-specific ones (Task Completion, Tool Correctness, Argument Correctness, Step Efficiency, Plan Adherence, Plan Quality). Its trace-based evaluation is unique among open-source tools. DeepEval 4.0, released in 2026, added MCP-aware evaluation and improved the DAG scoring technique.
LangSmith (by LangChain) provides the most complete evaluation lifecycle management — offline datasets, online monitoring, and human annotation workflows in a single platform. Its strength is the tight integration with LangChain and LangGraph agent frameworks, though it works with any agent stack via the API.
Arize AI / Phoenix covers the observability-to-evaluation pipeline. Phoenix is open-source and handles tracing and basic evals; Arize AX adds production monitoring, behavioral drift detection, and annotation workflows. Strong on the online evaluation side.
Braintrust focuses on the regression harness pattern with Git-like dataset versioning, CI integration, and side-by-side eval comparisons. Good fit for teams that want the "eval-as-code" workflow without building it from scratch.
Confident AI's managed platform (built on DeepEval) adds governance features, annotation forms for structured human feedback, and team-wide eval policies. Kritin Vongthongsri and Jeffrey Ip of Confident AI have been pushing AI governance with standardized evals as of mid-2026.
For most teams, I'd recommend starting with DeepEval for metric computation (it's open-source and framework-agnostic), adding LangSmith or Braintrust for dataset management and CI integration, and layering Arize for production monitoring once you're live. You don't need all of these on day one — start with deterministic checks in your existing test framework, add LLM-as-judge for subjective dimensions, and adopt dedicated tooling as your eval surface grows.
Teams building agents with the agent framework of their choice — whether CrewAI, LangGraph, or custom Python — should prioritize framework-agnostic eval tools. Locking your evaluation infrastructure to the same framework as your agent creates a dangerous coupling: you can't switch agent frameworks without rebuilding your entire eval pipeline.
How to Detect Behavioral Drift in Production AI Agents
Behavioral drift is the slow, silent degradation that regression harnesses alone can't catch. Your agent passes all golden dataset tests but starts behaving differently on real traffic — maybe because the underlying model was updated, a connected API changed its response format, or user behavior shifted.
Detect drift with these signals:
- Step count distribution shifts. If your agent's median step count per task type increases by more than 15% week-over-week, investigate. It might be taking longer paths due to tool failures, model confusion, or prompt degradation.
-
Tool selection entropy. Track which tools the agent selects for each task type. If the distribution shifts — the agent suddenly prefers
search_knowledge_baseoverquery_databasefor billing questions — something changed. - Score distribution shifts. Don't just track mean task completion scores. Plot the full distribution. A shift from a tight cluster around 0.85 to a bimodal distribution (some at 0.9, some at 0.3) indicates the agent is succeeding on some inputs and catastrophically failing on others.
- Escalation rate changes. If your agent's escalation-to-human rate jumps from 8% to 14%, it's encountering inputs it can't handle. This could be drift in user behavior or drift in agent capability.
Set up automated alerts for these signals. A 2-sigma deviation from the 30-day rolling baseline should trigger investigation. A 3-sigma deviation should trigger automatic canary rollback to the previous agent version.
This is where AI in production monitoring intersects with AI security. Behavioral drift can also be a signal of adversarial prompt injection — an attacker systematically probing your agent to change its behavior. Monitor drift signals through both the quality lens and the security lens.
The Eval Lifecycle: Putting It All Together
Here's the complete evaluation lifecycle for a production AI agent, from first prototype to scaled deployment:
Define success criteria. Before writing a single eval, define what "good" means for each workflow. Use Anthropic's SMART framework. Write it down. Get stakeholder sign-off.
Build golden datasets. Start with 5-10 examples per workflow. Include inputs, expected outputs, expected tool sequences, and quality annotations. Store in Git.
Implement deterministic checks. Cover schema validation, required fields, tool-call fidelity at the structural level, and safety filters. Run these on every commit.
Add LLM-as-judge. Define rubrics for subjective quality dimensions. Calibrate against human scores. Run on PR creation and merge.
Set up CI/CD regression gates. Block merges on task completion regression > 5%. Post score summaries on PRs. Track trends in a dashboard.
Deploy with shadow evaluation. Run new versions alongside the incumbent. Compare traces and scores on identical inputs before promoting.
Monitor with online evaluation. Sample 10-20% of production interactions for LLM-as-judge scoring. Run 100% through deterministic checks. Alert on drift.
Close the feedback loop. Route production failures back into golden datasets. Review and re-calibrate quarterly.
The teams that ship reliable agents in 2026 aren't the ones with the best prompts or the biggest models. They're the ones with the best eval infrastructure. Every prompt change, every model upgrade, every tool schema modification runs through a gauntlet of deterministic checks, LLM scoring, and human calibration before touching production traffic.
If you're building AI agents right now and you don't have a regression harness, stop building features. Build the harness first. It's the single highest-leverage investment you'll make — and the one you'll regret skipping when your agent silently degrades at 2 AM on a Saturday and nobody catches it until Monday's customer complaints pile up.
Originally published on kunalganglani.com
Top comments (0)