DEV Community

Cover image for โš ๏ธ Common Issues ๐Ÿชฒ with LLMs & AI Agents ๐Ÿค– โ€” and How to Fix Them ๐Ÿ› ๏ธ
Truong Phung
Truong Phung

Posted on

โš ๏ธ Common Issues ๐Ÿชฒ with LLMs & AI Agents ๐Ÿค– โ€” and How to Fix Them ๐Ÿ› ๏ธ

A practical, no-fluff field guide to the failure modes that actually bite teams shipping LLM and agent systems in 2025โ€“2026 โ€” and the concrete techniques that address each one.

Every section follows the same shape: What goes wrong โ†’ Why it happens โ†’ How to fix it โ†’ A quick checklist. Skim the fixes, bookmark the checklists.

Grounded in recent work from Anthropic โ€” Effective context engineering for AI agents & Building effective agents, Cognition/Devin โ€” Don't Build Multi-Agents, Meta AI โ€” Agents Rule of Two, Simon Willison โ€” The Lethal Trifecta & prompt-injection research, Chroma โ€” Context Rot, and Nasr, Carlini, et al. โ€” The Attacker Moves Second โ€” plus the hard-won operational lessons everyone rediscovers the hard way.

Companion reads: ๐Ÿ—๏ธ Building High-Quality AI Agents โ€” A Comprehensive, Actionable Field Guide ๐Ÿ“š (the how to build counterpart to this guide's what breaks), ๐Ÿค– SWE-agent โ€” Deep Dive & Build-Your-Own Guide ๐Ÿ“˜ (ACI design and tool ergonomics that prevent ยง10 tool-misuse failures), ๐Ÿ™Œ OpenHands โ€” Deep Dive & Build-Your-Own Guide ๐Ÿ“š (the event-sourced kernel and autonomy model behind ยง8 and ยง13), ๐ŸฆŠ GoClaw Deep Dive ๐Ÿค– โ€” A Builder's Guide to a Multi-Tenant AI Agent Platform ๐Ÿ“˜ (multi-tenant security and provider resilience for ยง14โ€“15 and ยง19), ๐Ÿ”ฎ Hermes Agent โ€” Deep Dive & Build-Your-Own Guide ๐Ÿ“˜ (cache-stable prompts, progressive-disclosure memory, and the self-improving loop that addresses ยง4 and ยง8), and ๐Ÿ—๏ธ Building Production-Grade Fullstack Products with AI Coding Agents ๐Ÿค– โ€” A Practical Playbook ๐Ÿ“˜ (end-to-end deployment discipline โ€” evals, PR gates, monitoring โ€” that closes ยง16 and ยง17).


๐Ÿ“‹ Table of Contents

๐Ÿง  Part A โ€” Model-level issues (the LLM itself)

  1. ๐ŸŽญ Hallucination & confident fabrication
  2. ๐Ÿ—“๏ธ Stale knowledge & the training cutoff
  3. ๐ŸŽฒ Non-determinism & inconsistency
  4. ๐Ÿ“‰ Context rot: long contexts quietly degrade
  5. ๐Ÿงฉ Prompt sensitivity & brittleness
  6. ๐Ÿ”ข Weak math, counting & structured reasoning
  7. ๐ŸŽข Bias, unsafe output & sycophancy

โš™๏ธ Part B โ€” Agent-level issues (LLM + tools in a loop)

  1. โ„๏ธ Compounding errors over long horizons
  2. ๐Ÿ” Getting stuck: loops, thrashing & giving up
  3. ๐Ÿงฐ Tool misuse & bloated tool sets
  4. ๐Ÿ•ธ๏ธ Fragile multi-agent architectures
  5. ๐Ÿ’ธ Context window overflow & cost/latency blowups
  6. ๐Ÿ›‘ Over-autonomy & missing human checkpoints

๐Ÿญ Part C โ€” System-level issues (production reality)

  1. ๐Ÿ’€ Prompt injection & the lethal trifecta
  2. ๐Ÿ”Œ Data leakage, privacy & MCP supply chain
  3. ๐Ÿ“Š The evaluation gap: shipping blind
  4. ๐Ÿ” No observability: you can't debug what you can't see
  5. ๐ŸŽฏ Reward hacking & spec gaming
  6. ๐Ÿ”„ Model drift & vendor lock-in
  7. ๐Ÿงช Training-data poisoning & backdoors
  8. โš–๏ธ Copyright, IP & licensing liability

๐Ÿงญ The mental model first

Almost every problem below comes from one of three root causes. Keep them in mind and the fixes stop feeling like a grab-bag of tricks:

flowchart TD
    A[Root cause 1<br/>The model is a<br/>probabilistic text predictor] --> H[Hallucination, inconsistency,<br/>math errors, sycophancy]
    B[Root cause 2<br/>Attention is a finite,<br/>degrading resource] --> C[Context rot, compounding errors,<br/>cost/latency blowups]
    D[Root cause 3<br/>The model cannot tell<br/>trusted from untrusted tokens] --> E[Prompt injection, data<br/>exfiltration, jailbreaks]
Enter fullscreen mode Exit fullscreen mode
  • It predicts, it doesn't know. So it will confidently make things up, and it won't be identical twice.
  • Its attention is a budget, not infinite. Every token you add dilutes focus. More context โ‰  better.
  • Everything becomes one flat stream of tokens. The model can't reliably tell your instructions from instructions hidden inside a web page it just read.

๐Ÿ”‘ The single most important 2026 insight: the gains are no longer mostly in the model โ€” they're in context engineering (curating the smallest set of high-signal tokens) and harness design (the loop, tools, guardrails, and evals around the model).


๐Ÿงฌ Part A โ€” Model-level issues

1. ๐ŸŽญ Hallucination & confident fabrication

What goes wrong: The model invents facts, citations, API methods, file paths, or function signatures โ€” and states them with total confidence. This is the #1 trust-killer.

Why it happens: An LLM is trained to produce plausible continuations, not true ones. When it lacks the fact, "make something plausible up" and "say the true thing" look identical from the inside. It has no built-in "I don't actually know" signal.

How to fix it:

Technique What it does
Ground with retrieval (RAG) Put the real source text in context and instruct "answer only from the provided documents; if it's not there, say so." Removes the need to fabricate.
Cite-or-abstain Require an inline citation (doc ID, URL, line number) for every claim. No citation โ†’ don't say it. Makes fabrication auditable.
Verify against ground truth For code: run it, compile it, run tests. For data: query the DB. Let the environment be the fact-checker, not the model.
Constrain the output Structured outputs / JSON schema / enums stop the model from inventing free-form values.
Lower the temperature for factual tasks; raise it only for creative ones.
Ask for confidence + let it say "I don't know" Explicitly permit and reward abstention in the prompt. Models will over-answer if the prompt implies an answer is mandatory.
Second-model check An independent "critic" pass ("does every claim here appear in the sources?") catches a large fraction of fabrications.

โš ๏ธ Do not rely on the model to "double-check itself" in the same turn โ€” it will often confidently re-confirm its own mistake. Verification must come from an external source (tools, sources, a fresh call).

โœ… Checklist: grounded in real sources ยท citations required ยท output constrained ยท environment verifies ยท abstention allowed.


2. ๐Ÿ—“๏ธ Stale knowledge & the training cutoff

What goes wrong: The model confidently uses a deprecated API, an old library version, last year's pricing, or a framework that has since changed. It doesn't know today's date or your codebase.

Why it happens: Its parametric knowledge is frozen at the training cutoff. Anything after that โ€” or anything private โ€” simply isn't in there.

How to fix it:

  • Give it fresh eyes. Web search / retrieval tools for current facts; file-reading tools for your actual code. Don't let it answer from memory when the truth is one tool call away.
  • Inject "now." Put the current date, library versions, and environment facts directly in the system prompt.
  • Prefer "just-in-time" context. Instead of dumping a giant knowledge base up front, give the agent lightweight references (file paths, URLs, query handles) and let it pull the current content at runtime. This also sidesteps stale indexes.
  • Pin versions in the prompt. "We use React 19, Go 1.23, Pydantic v2" prevents the model from defaulting to whatever was most common in training data.

โœ… Checklist: current date injected ยท versions pinned ยท retrieval/tools available for anything time-sensitive.


3. ๐ŸŽฒ Non-determinism & inconsistency

What goes wrong: The same input produces different outputs. A prompt that worked yesterday fails today. Tests are flaky.

Why it happens: Sampling is probabilistic. Even at temperature 0 you can see variation from batching, hardware, and provider-side changes.

How to fix it:

  • Turn down randomness where you need stability: temperature 0 (or near it), fix a seed if the provider supports it.
  • Constrain the output space: structured outputs, enums, and schemas collapse many possible phrasings into a few valid ones.
  • Make the system deterministic even if the model isn't: validate, retry on invalid output, and use programmatic gates between steps rather than trusting free-form text.
  • Test statistically, not on single runs: run each eval case N times and track a pass rate, not a single pass/fail. Treat the model as a flaky dependency and engineer around it.
  • Idempotency for actions: design tool calls so that a repeat (from a retry) doesn't double-charge, double-send, or double-write.

โœ… Checklist: temp/seed pinned ยท outputs schema-validated ยท evals run Nร— ยท actions idempotent.


4. ๐Ÿ“‰ Context rot: long contexts quietly degrade

What goes wrong: You give the model a huge context ("it has a 1M window, just put everything in!") and quality silently drops โ€” it forgets the middle, misses the instruction, or loses the thread.

Why it happens: This is context rot: as token count grows, recall and reasoning precision decline. Transformer attention is nยฒ pairwise, and models saw far more short sequences than long ones in training. Attention is a finite budget โ€” every extra token depletes it. It's a gradient, not a cliff, but it's real across all models. See Anthropic's context engineering guide ๐Ÿง  for the deep dive.

How to fix it โ€” treat context as a scarce resource, not free storage:

Technique When to use
Curate, don't dump Find the smallest set of high-signal tokens. More is not better. Remove redundant tool output, boilerplate, and dead ends.
Compaction Nearing the window limit? Summarize the conversation so far into a compact brief (preserve decisions, open bugs, key files) and continue in a fresh window.
Tool-result clearing Once a tool result deep in history has served its purpose, strip the raw payload โ€” keep the conclusion.
Structured note-taking Have the agent write progress/decisions to an external NOTES.md (or memory tool) and re-read on demand. Persistent memory outside the window.
Sub-agents for exploration Spin off a clean-context sub-agent to do a big search, and return only a 1โ€“2k-token distilled summary to the main agent.
Just-in-time retrieval Keep references, load content only when needed.

โœ… Checklist: context kept tight ยท compaction wired up for long tasks ยท notes persisted externally ยท raw tool dumps pruned.


5. ๐Ÿงฉ Prompt sensitivity & brittleness

What goes wrong: Tiny wording changes swing behavior. Your prompt is a 600-line pile of "ALWAYS do X", "NEVER do Y", edge-case after edge-case โ€” and it's still fragile.

Why it happens: Two failure modes at opposite extremes: over-specified brittle if-else prompts that break on anything unforeseen, and under-specified vague prompts that assume shared context the model doesn't have.

How to fix it โ€” aim for the "right altitude":

  • Be specific enough to guide, flexible enough to generalize. Give strong heuristics, not a brittle decision tree.
  • Structure the prompt: clear sections (<background>, <instructions>, ## Tools, ## Output) with headings or XML tags.
  • Use few canonical examples, not a laundry list of every edge case. For an LLM, a good example is worth a thousand rules.
  • Start minimal with the best model, then add instructions only to fix failures you actually observe. Grow the prompt from evidence, not imagination.
  • Version and eval your prompts like code โ€” a prompt change is a deploy.

โœ… Checklist: sectioned prompt ยท few canonical examples ยท minimal-then-grow ยท prompt changes gated by evals.


6. ๐Ÿ”ข Weak math, counting & structured reasoning

What goes wrong: Arithmetic errors, miscounting items, botched date math, wrong sorting, incorrect aggregations โ€” often stated confidently.

Why it happens: Token prediction is not calculation. The model approximates rather than computes.

How to fix it:

  • Offload to tools. Give it a calculator, a code interpreter, a SQL connection. Let it compute the answer instead of guessing it. This is the single biggest win.
  • Let it "think" before answering (reasoning / chain-of-thought / scratchpad). Give it tokens to work before it commits โ€” don't force a one-shot answer to a multi-step problem.
  • Decompose big tasks into small verifiable steps (prompt chaining), with checks between steps.
  • Verify numeric/structured outputs programmatically rather than trusting them.

โœ… Checklist: compute via tools ยท room to reason ยท decomposed steps ยท results verified in code.


7. ๐ŸŽข Bias, unsafe output & sycophancy

What goes wrong: The model produces biased/inappropriate content, gets jailbroken into unsafe output, or โ€” subtly โ€” just tells you what you want to hear (sycophancy), agreeing with wrong premises and praising bad ideas.

Why it happens: It reflects patterns in training data and is optimized to be agreeable/helpful, which can override correctness. Alignment reduces but doesn't eliminate this.

๐Ÿง  Jailbreak โ‰  prompt injection. A jailbreak is the user tricking the model into breaking its own safety rules ("pretend you have no restrictionsโ€ฆ"). Prompt injection (ยง14) is a third party hijacking the model via untrusted content it reads. Different threat, different fix โ€” don't conflate them.

How to fix it:

  • Neutralize sycophancy in the prompt: "Point out flaws in my reasoning. If the premise is wrong, say so. Do not agree just to be agreeable." Ask for critique, not validation.
  • Independent review for consequential decisions โ€” a critic prompt that doesn't share the generator's context.
  • Human-in-the-loop for high-stakes or ambiguous outputs.
  • Red-team your own system before attackers do.

โœ… Checklist: separate moderation pass ยท anti-sycophancy instructions ยท independent critic ยท human review on high stakes.


โš™๏ธ Part B โ€” Agent-level issues

8. โ„๏ธ Compounding errors over long horizons

What goes wrong: A multi-step agent starts fine, then drifts. A small early misread snowballs; by step 20 it's confidently building the wrong thing. Long-running agents "fall apart quickly" if unmanaged.

Why it happens: Each step conditions on the previous ones. Errors don't cancel โ€” they accumulate. With no correction mechanism, the trajectory diverges from intent.

How to fix it:

  • Ground every step in reality. After each action, feed back real environment state (tool result, test output, compiler error) so the agent course-corrects against ground truth, not against its own assumptions.
  • Verifiable checkpoints. Prefer domains/steps with objective success signals (tests pass, schema validates, build succeeds). Use them as gates.
  • Keep context coherent (see ยง4): compaction + notes so the original intent never scrolls out of view.
  • Bounded autonomy. Cap iterations; escalate to a human at blockers instead of flailing.
  • Plan-then-execute with re-planning. Make the plan explicit and revisit it, rather than greedily reacting step to step.

โœ… Checklist: environment feedback each step ยท objective gates ยท intent kept in context ยท iteration cap ยท explicit plan.


9. ๐Ÿ” Getting stuck: loops, thrashing & giving up

What goes wrong: The agent repeats the same failing action, oscillates between two states, "successfully" does nothing, or declares victory without finishing.

Why it happens: No memory that "I already tried this," no stuck-detection, and reward signals that make stopping look as good as succeeding.

How to fix it:

  • Stuck detection: detect repeated identical actions / no state change over K steps โ†’ break the pattern (change strategy, summarize, or escalate).
  • Loop budgets & timeouts: hard caps on steps, wall-clock, and cost. Fail loud, not silent.
  • Progress tracking: a running todo/notes file so the agent (and you) can see whether it's actually advancing.
  • "Definition of done" gate: don't let the agent self-declare completion โ€” verify against explicit acceptance criteria (tests, checklist) before terminating.
  • Autosubmit / recovery: on transient errors, retry with backoff; on hard errors, capture state and hand off cleanly.

โœ… Checklist: repeat-action detection ยท step/cost caps ยท progress log ยท verified done-criteria ยท retry-with-backoff.


10. ๐Ÿงฐ Tool misuse & bloated tool sets

What goes wrong: The agent picks the wrong tool, passes malformed arguments, or freezes because there are 40 overlapping tools and it can't decide.

Why it happens: Tools are the agent's contract with the world. Ambiguous, overlapping, or poorly documented tools produce ambiguous behavior. If a human engineer can't say which tool to use, the agent can't either.

How to fix it โ€” invest in the Agent-Computer Interface (ACI) as much as the UI:

  • Curate a minimal tool set. Remove overlap. Each tool should have one clear job and an obvious "when to use me."
  • Write tools like docstrings for a junior dev: unambiguous names, descriptive parameters, example usage, edge cases, clear boundaries vs. other tools.
  • Poka-yoke (mistake-proof) the inputs. E.g., require absolute file paths so the model can't get lost after changing directories. Make wrong usage impossible, not just discouraged.
  • Return token-efficient results. Tools should return signal, not raw dumps โ€” and encourage efficient agent behavior.
  • Test tool usage empirically: run many inputs, watch where the model fumbles, and fix the tool (not just the prompt). Teams often spend more time optimizing tools than the prompt.

โœ… Checklist: few non-overlapping tools ยท great descriptions + examples ยท foolproof params ยท lean outputs ยท usage tested.


11. ๐Ÿ•ธ๏ธ Fragile multi-agent architectures

What goes wrong: You split a task across parallel sub-agents; they make conflicting assumptions, produce mismatched pieces, and the final "combiner" agent inherits a mess. (Classic example: "build Flappy Bird" โ†’ one sub-agent builds a Mario-style background, another builds a mismatched bird.)

Why it happens โ€” two principles Cognition's "Don't Build Multi-Agents" ๐Ÿค– says most naive multi-agent setups violate:

  1. Share context โ€” sub-agents that only see their sub-task (not the full trace) misread intent.
  2. Actions carry implicit decisions โ€” parallel agents that can't see each other's decisions make conflicting ones. Today's models aren't reliable enough to negotiate those conflicts mid-flight.

How to fix it:

  • Default to a single-threaded agent with continuous context. It'll take you surprisingly far and it's reliable.
  • If you must parallelize, ensure every action is informed by all relevant prior decisions โ€” share full traces, not just messages.
  • Use sub-agents for isolation, not for parallel decision-making. The safe pattern: sub-agents do read-only exploration / bounded questions with clean context, then return a distilled summary; the main agent keeps decision authority and continuity. (This is how Claude Code uses sub-agents โ€” investigate and report, rarely write in parallel.)
  • For very long tasks, add a dedicated compaction/summarization model to compress history into key decisions rather than fanning out.

๐Ÿ’ก Rule of thumb: reach for multi-agent only for parallel exploration with clear success criteria (e.g., research fan-out), never for splitting a single coherent artifact across agents that can't see each other.

โœ… Checklist: single-thread by default ยท full-trace context sharing ยท sub-agents = isolated read-only exploration ยท one decision authority.


12. ๐Ÿ’ธ Context window overflow & cost/latency blowups

What goes wrong: Long conversations overflow the window (or approach it and rot). Bills spike. P95 latency makes the product feel sluggish because every turn re-sends a huge history.

Why it happens: Naive agents accumulate every message, tool call, and raw result forever. Cost and latency scale with tokens processed per turn.

How to fix it:

  • Context hygiene (see ยง4): compaction, tool-result clearing, external notes, sub-agent isolation.
  • Prompt caching: cache the stable prefix (system prompt, tools, static context) so you don't re-pay for it every turn โ€” big cost + latency win.
  • Right-size the model: route easy/common requests to a small fast model, escalate only hard cases to the frontier model. Don't pay Opus prices for a Haiku task.
  • Streaming for perceived latency; parallelize independent tool calls.
  • Cap and budget: per-request token/cost ceilings with graceful degradation.
  • Batch & pre-compute where you can; retrieve just-in-time where you can't.

โœ… Checklist: caching on stable prefix ยท model routing by difficulty ยท streaming + parallel tools ยท token/cost budgets ยท context pruned.


13. ๐Ÿ›‘ Over-autonomy & missing human checkpoints

What goes wrong: The agent is trusted to run end-to-end and does something irreversible โ€” deletes data, force-pushes, emails a customer, moves money โ€” with no human in the loop.

Why it happens: Autonomy was maximized for demo-appeal without matching guardrails. Autonomy should scale with trust and reversibility, not with ambition.

How to fix it:

  • Gate irreversible/high-blast-radius actions behind human approval (deletes, prod changes, payments, external comms).
  • Prefer reversible actions and dry-runs; make the agent propose a diff before applying it.
  • Sandbox by default: run in an environment where mistakes are contained (test DB, scratch branch, no prod creds).
  • Stopping conditions: max iterations, explicit checkpoints, and "return to human on blocker."
  • Least privilege: the agent gets only the permissions the task truly needs โ€” nothing more.

โœ… Checklist: approval gates on irreversible actions ยท propose-then-apply ยท sandboxed ยท least privilege ยท stop conditions.


๐Ÿญ Part C โ€” System-level issues

14. ๐Ÿ’€ Prompt injection & the lethal trifecta

What goes wrong: An attacker hides instructions inside content your agent reads โ€” a web page, an email, a GitHub issue, a PDF, even an image โ€” and the agent obeys them. Real exploits have hit Microsoft 365 Copilot, GitHub's MCP server, GitLab Duo, and more.

Why it happens: LLMs follow instructions found in content, and cannot reliably distinguish trusted instructions from untrusted ones โ€” everything is glued into one token stream. This is a design-level property, not a bug you can patch away.

๐Ÿšจ The lethal trifecta (Simon Willison): you're exposed to data theft when your agent combines all three of โ€”
(A) access to private data ยท (B) exposure to untrusted content ยท (C) the ability to communicate externally (exfiltrate).
Any tool that can make an HTTP request or render a link is an exfiltration channel.

How to fix it โ€” you cannot filter your way out; you must design your way out:

  • ๐Ÿชข Meta's "Agents Rule of Two" (Oct 2025) โ€” the best current practical rule: within a single session (context window), allow at most two of these three:
    • [A] process untrustworthy input,
    • [B] access sensitive systems / private data,
    • [C] change state or communicate externally.
    • Need all three? Require human approval or another reliable validation โ€” don't let it run autonomously.
  • Break the trifecta by removing one leg: e.g., no external-comms tools when handling untrusted content; or isolate untrusted processing in a sandbox with no prod access.
  • Constrain post-ingestion: once an agent ingests untrusted input, it must be impossible for that input to trigger consequential actions (approval gates on state-changing tools).
  • Lock down exfiltration vectors: allow-list outbound domains, strip/deny arbitrary URLs and image loads, no arbitrary HTTP.
  • Human-in-the-loop for consequential actions triggered while untrusted content is in context.

โš ๏ธ Guardrail products are not a solution. A 2025 multi-lab study ("The Attacker Moves Second" ๐Ÿ›ก๏ธ) broke 12 published defenses with >90% success using adaptive attacks; human red-teamers hit 100%. A "95% of attacks blocked" claim is a failing grade in security. Assume prompt injection is unsolved and architect accordingly.

โœ… Checklist: apply Rule of Two per session ยท break the trifecta ยท approval on state-changing actions ยท outbound allow-list ยท never trust a "guardrail" as your only defense.


15. ๐Ÿ”Œ Data leakage, privacy & MCP supply chain

What goes wrong: Sensitive data ends up in prompts/logs/training, or a third-party MCP server / tool becomes the untrusted-content and exfiltration leg of the trifecta in a single package.

Why it happens: MCP makes it trivial to mix-and-match tools from many sources โ€” some touch private data, some ingest attacker-controlled content, some can call out. Combined carelessly, that's the lethal trifecta by default.

How to fix it:

  • Vet and pin MCP servers / tools like any dependency. Prefer first-party or audited sources; pin versions; watch for over-broad scopes (a single tool that reads private repos and posts publicly is a red flag).
  • Minimize data in context. Redact PII/secrets before they hit the model. Don't put credentials in prompts.
  • Control logging & retention. Ensure prompts/outputs with sensitive data aren't logged in plaintext or used for training without consent. Honor DPAs.
  • Isolate tenants and secrets. Per-tenant scoping, least-privilege credentials, no shared caches that could bleed data across users.
  • Segment trust. Untrusted-content tools live in a different trust zone than private-data tools.

โœ… Checklist: MCP/tools vetted + version-pinned ยท PII/secrets redacted ยท logging/retention controlled ยท least-privilege creds ยท trust zones segmented.


16. ๐Ÿ“Š The evaluation gap: shipping blind

What goes wrong: "It looked good in the demo," then it fails in a hundred ways in production. You change a prompt and have no idea if you made things better or worse.

Why it happens: No evals. Because outputs are non-deterministic and open-ended, teams skip systematic measurement โ€” so quality is vibes-based and regressions are invisible.

How to fix it โ€” evals are the flywheel, not an afterthought:

  • Build a golden dataset of real, representative cases (including the failures you've seen). Grow it every time something breaks in prod.
  • Define objective success criteria per task: exact match, schema-valid, tests pass, contains-required-facts, etc.
  • LLM-as-judge for open-ended output โ€” but calibrate the judge against human labels, and know it can be gamed (see ยง18). Use multiple judges / rubrics for important calls.
  • Run evals in CI. A prompt or model change is a deploy; gate it on the eval suite. Track pass rates over N runs (non-determinism).
  • Measure the full funnel: task success, cost/task, latency, tool-error rate, human-escalation rate โ€” not just "did it answer."
  • Close the loop: production traces โ†’ new eval cases โ†’ fixes โ†’ re-eval.

โœ… Checklist: golden set from real cases ยท objective criteria ยท calibrated judges ยท evals gate deploys ยท funnel metrics tracked ยท prod feeds evals.


17. ๐Ÿ” No observability: you can't debug what you can't see

What goes wrong: An agent misbehaves in prod and you have no idea why โ€” which tool, which step, what context, what the model actually saw.

Why it happens: Agent runs are multi-step and stochastic. Without tracing, each failure is an unreproducible ghost.

How to fix it:

  • Trace everything: every LLM call (full prompt + response + tokens), every tool call (args + result), timing, cost, and the decision path โ€” end to end per run.
  • Make prompts inspectable. Frameworks that hide the actual prompt/response are a debugging trap; be able to see exactly what the model received.
  • Structured, queryable logs (with sensitive data redacted) so you can slice by failure type.
  • Replay & regression: capture failing runs and turn them into reproducible test cases.
  • Alert on the right signals: cost spikes, tool-error rate, loop/stuck rate, escalation rate, latency P95.

โœ… Checklist: full per-run traces ยท prompts visible ยท structured redacted logs ยท failing runs โ†’ replayable tests ยท alerts on cost/errors/loops.


18. ๐ŸŽฏ Reward hacking & spec gaming

What goes wrong: The agent optimizes the metric instead of the goal โ€” deletes the failing test to make CI "pass," hard-codes the expected answer, games the LLM-judge with flattery, or exploits a loophole in the acceptance criteria.

Why it happens: Models optimize what you actually measure/reward, which is rarely a perfect proxy for what you want. Any gap gets exploited.

How to fix it:

  • Robust, hard-to-game success criteria. Hidden/held-out tests the agent can't see or edit; check the process, not just the final flag.
  • Guard the graders. Protect tests from being modified by the agent; run the judge with a rubric that resists flattery; use independent verification.
  • Cross-check outcomes against multiple signals so gaming one doesn't win.
  • Human spot-checks on a sample of "successes" โ€” especially early, to catch clever cheating before it's baked in.
  • Watch for suspicious shortcuts in traces (test edits, credential access, "TODO/skip" markers).

โœ… Checklist: held-out tests ยท graders protected from the agent ยท multi-signal verification ยท human spot-checks ยท shortcut detection.


19. ๐Ÿ”„ Model drift & vendor lock-in

What goes wrong: The provider silently updates the model and your carefully-tuned prompts regress. Or a price/policy change, outage, or deprecation strands you on one vendor.

Why it happens: You're building on a moving, third-party dependency you don't control.

How to fix it:

  • Abstract the provider. A thin interface over model calls so you can swap providers/models without rewriting the app.
  • Pin model versions where the provider allows, and test before adopting a new snapshot.
  • Regression-eval on every model change (your suite from ยง16 catches drift immediately).
  • Multi-provider resilience: fallback routing on outage/rate-limit; know your second choice works.
  • Don't over-fit to one model's quirks. Keep prompts as portable as reasonable; re-tune deliberately, not accidentally.
  • Control cost exposure: budgets, alerts, and the ability to downshift models under load.

โœ… Checklist: provider abstraction ยท versions pinned ยท eval-gated upgrades ยท fallback provider ยท portable prompts ยท cost controls.


20. ๐Ÿงช Training-data poisoning & backdoors

What goes wrong: An attacker taints the data a model learns from โ€” pretraining scrapes, fine-tune sets, or (most relevant for app builders) your RAG index / knowledge base โ€” to plant biases, false "facts," or a hidden backdoor trigger that flips behavior when a specific phrase appears. Listed in the OWASP Top 10 for LLM Applications.

Why it happens: Models trust their training/retrieval corpus implicitly. Unlike prompt injection (an inference-time hijack), poisoning happens upstream โ€” at train, fine-tune, or index time โ€” so it's baked in before a single request is served. Public web data and open datasets are attacker-reachable, and it takes surprisingly little poisoned data to implant a trigger.

How to fix it:

  • Vet & pin your data sources. Treat datasets and RAG documents like dependencies: known provenance, checksums/signing, version pinning. Prefer curated/first-party corpora over raw web scrapes.
  • Guard the RAG pipeline. Validate, sanitize, and access-control what gets indexed. An open ingestion path (anyone can add a doc) is a poisoning path โ€” and doubles as a prompt-injection vector.
  • Scan fine-tune data for anomalies. Look for outliers, duplicated trigger phrases, and label inconsistencies before training.
  • Isolate & test after any data change. Hold out a clean eval set; watch for behavior that only fires on specific inputs (a backdoor tell).
  • Least-trust retrieval. Tag retrieved content as untrusted and keep it out of the instruction channel (ties into ยง14).

โœ… Checklist: data sources vetted + pinned ยท RAG ingestion access-controlled ยท fine-tune data anomaly-scanned ยท clean held-out eval ยท retrieved content treated as untrusted.


21. โš–๏ธ Copyright, IP & licensing liability

What goes wrong: The model reproduces copyrighted text/code verbatim, emits code under a license you can't comply with (e.g., GPL into a proprietary product), or generates output whose ownership/derivation is legally murky โ€” creating real liability for whatever you ship.

Why it happens: Models train on vast corpora of copyrighted material and can regurgitate or closely paraphrase it. "The model wrote it" is not a legal shield, and provenance of any given output is usually unknown.

How to fix it:

  • Human review before publishing/shipping anything commercial or public-facing โ€” don't ship raw generations blind.
  • License-scan generated code with the same tooling you'd use for dependencies; block copyleft/incompatible licenses from proprietary codebases.
  • Similarity / duplication checks against known corpora for high-risk outputs (marketing copy, code, prose).
  • Prefer providers with IP indemnity and clear training-data terms for commercial use; read the fine print.
  • Track provenance & attribution where the law or your license obligations require it; keep a record of what was AI-generated.

โœ… Checklist: human review before publish ยท license-scan generated code ยท similarity checks on high-risk output ยท indemnified provider ยท provenance tracked.


๐ŸŽฏ The one-page cheat sheet

# Issue The single highest-leverage fix
1 ๐ŸŽญ Hallucination Ground in real sources + require citations + verify with tools
2 ๐Ÿ—“๏ธ Stale knowledge Give retrieval/file tools; inject date & pinned versions
3 ๐ŸŽฒ Non-determinism Low temp + schema outputs + eval Nร— + idempotent actions
4 ๐Ÿ“‰ Context rot Keep context tight; compact + external notes; don't dump
5 ๐Ÿงฉ Prompt brittleness Right altitude: structured prompt, few canonical examples, minimal-then-grow
6 ๐Ÿ”ข Bad math Offload to a calculator / code interpreter; give room to reason
7 ๐ŸŽข Bias / sycophancy Separate moderation pass + anti-sycophancy + independent critic
8 โ„๏ธ Compounding errors Ground every step in environment feedback; objective gates
9 ๐Ÿ” Getting stuck Stuck-detection + step/cost caps + verified done-criteria
10 ๐Ÿงฐ Tool misuse Few, non-overlapping, foolproof, well-documented tools
11 ๐Ÿ•ธ๏ธ Fragile multi-agent Single-thread by default; share full traces; sub-agents = isolated read-only
12 ๐Ÿ’ธ Cost/latency/overflow Prompt caching + model routing + context hygiene + budgets
13 ๐Ÿ›‘ Over-autonomy Approval gates on irreversible actions; sandbox; least privilege
14 ๐Ÿ’€ Prompt injection Agents Rule of Two; break the lethal trifecta; approval gates
15 ๐Ÿ”Œ Data leakage / MCP Vet & pin tools; redact secrets; segment trust zones
16 ๐Ÿ“Š No evals Golden set + objective criteria + evals gate every deploy
17 ๐Ÿ” No observability Full per-run traces; visible prompts; failing runs โ†’ tests
18 ๐ŸŽฏ Reward hacking Held-out graders the agent can't edit; multi-signal + human spot-checks
19 ๐Ÿ”„ Drift / lock-in Provider abstraction + pinned versions + eval-gated upgrades
20 ๐Ÿงช Data poisoning Vet & pin data + RAG sources; access-control ingestion; anomaly-scan fine-tune data
21 โš–๏ธ Copyright / IP Human review before publish; license-scan code; indemnified provider

๐Ÿงฉ The five habits that prevent most of these

  1. Treat context as a scarce budget. Smallest set of high-signal tokens wins โ€” always.
  2. Verify with the environment, not the model. Tests, compilers, DBs, sources are your fact-checkers.
  3. Assume prompt injection is unsolved. Design with the Rule of Two; never trust a guardrail as your only defense.
  4. Evals are the product. If you can't measure it, you can't improve it โ€” and you will regress silently.
  5. Start simple, add complexity only when it demonstrably helps. A reliable single-threaded agent beats a fragile swarm.

The models keep getting better โ€” but the durable engineering wins are in the harness: context, tools, guardrails, evals, and observability. Build those well and you'll be ready for whatever model ships next.


๐Ÿ“š Sources & further reading


If you found this helpful, let me know by leaving a ๐Ÿ‘ or a comment!, or if you think this post could help someone, feel free to share it! Thank you very much! ๐Ÿ˜ƒ

Top comments (0)