← Blog

Why AI agents fail in production: the failure modes and how to prevent them

AI agentsZegaware engineering14 min read

Last updated: 14 July 2026

AI agents fail in production because per-step errors compound over multi-step tasks, behaviour is non-deterministic between runs, and tool calls are unreliable. Most failures are operational: no evaluation harness, no observability, unbounded context, and excessive permissions with no human checkpoint. State-of-the-art agents still succeed on under half of realistic multi-turn tasks.

An AI agent that demoed well can still be the wrong thing to put in front of customers. A chatbot that gives a wrong answer wastes a moment; an agent with tool access that takes a wrong action can send the email, issue the refund, or change the record. When we audit AI-built software, agents are where the gap between "it worked in the demo" and "it is safe to run unattended" is widest. This guide is part of our AI agents coverage: it sets out the failure modes we see most often, each with its evidence, and the senior-engineer practices that prevent them.

Most AI agent projects do not reach production

Most agentic AI projects do not survive contact with production, and the industry now has numbers to prove it. Gartner predicts that over 40% of agentic AI projects will be cancelled by the end of 2027, citing escalating costs, unclear business value, and inadequate risk controls [1]. Its senior director analyst Anushree Verma put it plainly: "Most agentic AI projects right now are early stage experiments or proof of concepts that are mostly driven by hype and are often misapplied" [1].

The wider AI-delivery picture is no kinder. The RAND Corporation, interviewing 65 experienced data scientists and engineers, found that more than 80% of AI projects fail, roughly twice the failure rate of non-AI IT projects, and that leadership and problem-framing issues, not raw technical difficulty, were the most-cited root cause [2]. A widely reported 2025 MIT study of enterprise generative AI adoption reached a similar headline: around 95% of pilots delivered no measurable profit-and-loss impact [3]. That last figure is about generative AI broadly rather than agents specifically, but the pattern holds across all three sources: getting to a working prototype is easy now, and getting to something dependable is where projects die.

The reasons are not mysterious. Below are the specific failure modes, in the order we tend to encounter them in an audit.

Failure mode 1: compounding error over multi-step tasks

Agents fail on long tasks because per-step errors multiply, not because any single step is hard. This is the single most important thing to understand about agent reliability. An agent that is 95% reliable on one step is only about 60% reliable across ten dependent steps, because the errors compound. METR, a non-profit AI evaluations organisation, measured this directly: current models complete tasks that take a human expert under four minutes at close to 100% success, but success drops below 10% on tasks that would take a human expert more than about four hours [4].

The cause is sequencing, not competence. METR's own analysis is explicit that "AI agents often seem to struggle with stringing together longer sequences of actions more than they lack skills or knowledge needed to solve single steps" [4]. Anthropic's engineering team, describing their own production multi-agent system, made the same observation from the builder's side: "Minor changes cascade into large behavioral changes, which makes it remarkably difficult to write code for complex agents" [5]. In an audit, this shows up as a system that passes its scripted demo, which is short, and then quietly fails on the long, messy, real tasks it was actually bought to do.

Failure mode 2: non-determinism and silent drift

An AI agent will not necessarily do the same thing twice, even given identical inputs. Traditional software is deterministic; agents are not. Anthropic states it directly: "Agents make dynamic decisions and are non-deterministic between runs, even with identical prompts. This makes debugging harder" [5]. A failure you saw yesterday may not reproduce today, and a fix you cannot reproduce is a fix you cannot verify.

Non-determinism compounds with statefulness. Agents "can run for long periods of time, maintaining state across many tool calls" [5], which means a fault can surface several steps after its root cause. Teams that treat an agent like a normal service, expecting a stack trace and a reproducible bug, find themselves unable to explain their own production incidents. That is not a tooling gap you can paper over later; it has to be designed in from the start.

Failure mode 3: unreliable tool calls

Tool calling is where agents meet the real world, and it is less reliable than most teams assume. An agent is only as good as its ability to call the right function, with the right arguments, at the right time. The tau-bench benchmark, built by the research team at Sierra, found that even state-of-the-art function-calling agents of the GPT-4o class "succeed on less than 50% of the tasks" in realistic multi-turn retail and airline scenarios, and are "quite inconsistent (pass^8 less than 25% in retail)" when the identical task is repeated eight times [6].

That consistency figure is the one that matters for production. A pass rate under 25% across eight identical attempts means the same agent, given the same starting conditions, frequently produces a different and sometimes wrong sequence of tool calls. Averages hide this: a system that is "70% accurate on average" can still be unusable if you cannot predict which requests land in the failing 30%. Reliable tool use is a first-class engineering problem, covered in our guide to building a reliable AI agent, not a property you get for free from a capable model.

Failure mode 4: shipping without an evaluation harness

If you cannot measure your agent's task-success rate, you cannot know whether it is getting better or worse. The most common process failure we find is an agent in production with no evaluation harness behind it: no representative test set, no scored success metric, no regression check when the prompt or model changes. Anthropic's guidance is blunt about why this is dangerous: "The autonomous nature of agents means higher costs, and the potential for compounding errors. We recommend extensive testing in sandboxed environments, along with the appropriate guardrails" [7].

A one-off smoke test is not an evaluation harness. AWS makes the architectural point in its Well-Architected Agentic AI Lens: "An agent that works perfectly in testing may behave unpredictably in production when context windows fill up, models return unexpected outputs, or downstream agents become unavailable" [8]. Evaluation has to run continuously against varied, realistic cases, not once before launch. We cover how to construct that measurement in our piece on AI agent evaluation.

Failure mode 5: no observability or tracing

When an agent fails and you cannot see why, you cannot fix it. Because agents are non-deterministic, observability is not optional instrumentation you add when you have time; it is the only way to diagnose a system whose failures do not reproduce on demand. Without full execution tracing across every model call, tool call, and intermediate decision, a team cannot tell whether a failure was a one-off model quirk, a broken downstream API, or a systemic prompt problem.

This is an organisational maturity issue as much as a technical one. DORA's 2025 research, based on around 5,000 technology professionals, found that "AI's primary role is as an amplifier, magnifying an organization's existing strengths and weaknesses" [9]. Teams with strong tracing and delivery discipline see agents amplify that strength; teams without it see speed convert into instability. The observability foundation has to exist before the agent, not after the first incident.

Failure mode 6: context-window degradation and unbounded memory

An agent that accumulates history over a long run can lose track of its earliest instructions well before its context window is technically full. Long context is not the same as usable context. The peer-reviewed "Lost in the Middle" study found that model performance "significantly degrades when models must access relevant information in the middle of long contexts, even for explicitly long-context models" [10]. For an agent piling up tool outputs, conversation history, and retrieved documents, the original task or a critical constraint can effectively become invisible partway through.

There is a cost and stability dimension too. OWASP's current Top 10 for LLM Applications lists "Unbounded Consumption" as LLM10:2025, covering the resource and cost exhaustion that follows from uncontrolled context or memory growth [11]. Agents need deliberate memory management, summarisation, and context budgeting, rather than an assumption that a bigger window solves the problem on its own.

Failure mode 7: cost and latency blow-ups

Agentic architectures carry a cost floor that surprises teams who budgeted for a chatbot. Autonomy is expensive by construction. Anthropic reports that single agents already use about four times the tokens of a simple chat interaction, and full multi-agent systems use about fifteen times the tokens of chat [5]. Their conclusion is a design constraint, not a footnote: multi-agent systems "require tasks where the value of the task is high enough to pay for the increased performance" [5].

Latency scales with the same autonomy. Every additional reasoning step and tool round-trip adds wall-clock time, so an agent that is acceptable for a background job can be unusable in an interactive flow. Teams that do not model token cost and latency per task before shipping tend to discover the economics only when the invoice or the timeout arrives.

Failure mode 8: excessive agency and no human checkpoint

The failure that turns a model mistake into a real-world incident is giving the agent more power than it needs, with nobody in the loop. OWASP names this directly: "Excessive Agency" is LLM06:2025, defined as what happens when a system "is granted more capability, permission, or autonomy than is necessary, enabling it to perform harmful actions in response to unexpected, ambiguous, hallucinated, or manipulated outputs" [11]. An email-summarising agent that can also delete and send mail is one hallucinated instruction away from doing damage.

UK guidance is unambiguous on the fix. The NCSC, jointly with its Five Eyes partners, advises giving agents "only the minimum access they need, for the shortest time required," and sets a clear deployment bar: "If you cannot understand, monitor or contain an agent's actions, it is not ready for deployment" [12]. Anthropic's recommended patterns build in the same discipline, with agents designed to "pause for human feedback at checkpoints or when encountering blockers" because "human review remains crucial" [7]. The principle of least privilege plus a human checkpoint on high-consequence actions is the difference between a contained error and a serious incident. We go deeper on scoping access you can revoke in our guide to letting an AI agent onto your servers.

Failure mode 9: prompt injection turning a bad answer into a bad action

For an agent with tool access, prompt injection is not a content problem, it is an action problem. Prompt injection is the top entry on the OWASP list, LLM01:2025, and it covers adversarial input, including content the agent retrieves from a web page or document while doing its job, that alters the model's behaviour [11]. In an ordinary chatbot, a successful injection produces a bad answer. In an agent that can act, the same injection can trigger a real action against a real system.

This is why agent security has to be designed around the assumption that untrusted input will reach the model. We explain the mechanism in full in prompt injection explained, and map the wider risk surface in our plain-English walkthrough of the OWASP Top 10 for LLM applications. The short version: an agent that both reads untrusted content and holds real permissions must treat every retrieved instruction as potentially hostile.

Where multi-agent systems fail specifically

Adding more agents adds more ways to fail, and most of them are design and coordination problems rather than model weaknesses. A study of seven popular open-source multi-agent frameworks, annotating more than 1,600 execution traces, produced a failure taxonomy with a striking distribution: about 42% of failures came from specification and system-design issues, about 37% from misalignment between agents, and about 21% from task-verification failures [13]. In other words, most multi-agent failures were engineering and architecture problems, not the underlying model being incapable.

The lesson is to reach for multi-agent architectures only when a single agent or a fixed workflow genuinely will not do. Anthropic's advice is to prefer "the simplest architecture that works" and to use full autonomous agents only "when flexibility and model-driven decision-making are needed at scale" [7]. Complexity you did not need is complexity that will fail in ways you did not plan for.

How to prevent AI agents failing in production

Preventing agent failure is mostly disciplined engineering, applied before launch rather than after the first incident. None of the practices below are exotic; the discipline is in doing all of them, consistently, and treating the agent as a system to be verified rather than a demo to be shipped.

  • Start small and least-privileged. Give the agent the minimum tools and permissions for the task, scoped and time-limited, and expand only when evidence justifies it [12]. Prefer a fixed workflow over an autonomous agent wherever the task is well defined [7].
  • Build an evaluation harness first. Assemble a representative, scored test set that reflects real tasks, and run it on every prompt or model change so you can see task-success rate move [7], [8].
  • Instrument full tracing before launch. Capture every model call, tool call, and decision, so a non-reproducible failure is still diagnosable [5], [9].
  • Manage context and memory deliberately. Budget the context window, summarise long histories, and place critical instructions where the model reliably attends to them [10], [11].
  • Model cost and latency per task. Confirm the value of the task justifies the token and time budget before committing to an agentic, and especially a multi-agent, design [5].
  • Put a human at the high-consequence checkpoints. Require review or approval before irreversible or high-impact actions, and make sure someone can stop the agent [7], [12].
  • Treat retrieved input as hostile. Assume prompt injection will occur, and constrain what an agent can do so a manipulated instruction cannot become a damaging action [11].
  • Name an owner. The NCSC guidance is that before an agent touches real systems, an organisation should have defined "who owns" it, "who approves its access, who monitors its behaviour, who reviews incidents, and who can stop it" [12].

Standards bodies now codify this. NIST's Generative AI Profile (AI 600-1) maps its Measure and Manage functions onto exactly these evaluation and monitoring practices [14], and OWASP's LLM06 recommends limiting functions to the minimum necessary and logging extension activity with rate-limiting as a backstop [11]. The engineering is known. The failure is usually in skipping it.

The UK accountability angle

In the UK, agent governance is now a named regulatory expectation, not just good practice. The clearest current reference is the NCSC and Five Eyes guidance "Careful adoption of agentic AI services," which states that "if an agent is over-privileged or poorly designed, a single failure can quickly become a serious incident," and recommends starting small, using agents "only for low-risk tasks," and applying "established cyber security controls from the outset" [12].

Data-protection duties apply on top of that. The UK GDPR's rules on automated decision-making, amended by the Data (Use and Access) Act 2025, preserve a right to meaningful human review of decisions made without meaningful human involvement, and the Information Commissioner's Office has said updated statutory guidance is expected in summer 2026. Any UK organisation deploying an agent that makes or materially influences decisions about people should treat human oversight and an audit trail as compliance requirements, not optional extras, and should watch for that guidance. This is precisely the kind of accountable, named-owner review that the Zegaware Vibe Code Audit is built to provide.

Frequently asked questions

Why do AI agents fail in production but work in demos?

Demos are short and scripted, which hides the failure mode that matters most: compounding error. An agent that is reliable on a few steps becomes unreliable across a long, real task because per-step errors multiply. Demos also skip the production conditions, full context windows, untrusted input, and downstream outages, where agents behave unpredictably [4], [8].

What is the most common cause of AI agent failure?

The most common causes are operational rather than model-related: no evaluation harness to measure task success, and no observability to diagnose failures that do not reproduce. Research on AI project failure points to leadership and problem-framing issues over pure technical difficulty [2], and studies of multi-agent systems attribute most failures to design and coordination, not model weakness [13].

How reliable are AI agents at using tools?

Less reliable than most teams expect. On the tau-bench benchmark, state-of-the-art function-calling agents succeeded on under half of realistic multi-turn tasks, and were consistent on fewer than a quarter of identical repeated attempts in the retail domain [6]. Tool calling is a first-class engineering problem, and averaged accuracy figures hide dangerous inconsistency between runs.

Are multi-agent systems more reliable than single agents?

Not automatically, and often less so. Each additional agent adds coordination and design surface where failures occur, and a taxonomy of multi-agent failures attributed roughly 42% to specification and design and 37% to inter-agent misalignment [13]. Multi-agent systems also cost about fifteen times the tokens of a simple chat [5]. Use them only where a simpler design genuinely will not do.

How do you stop an AI agent from taking a harmful action?

Apply least privilege and a human checkpoint. Give the agent only the tools and permissions it needs, for the shortest time needed, and require human approval before irreversible or high-impact actions [12]. Assume prompt injection will occur, so a manipulated instruction cannot become a damaging action, and make sure someone can monitor and stop the agent [7], [11].

Is it safe to let an AI agent act without human review?

Only for low-consequence, reversible tasks with strong guardrails and monitoring. The NCSC sets a clear bar: "If you cannot understand, monitor or contain an agent's actions, it is not ready for deployment" [12]. For any action that moves money, changes records, or affects a person, keep meaningful human review in the loop, both for safety and for UK compliance.

Conclusion

AI agents do not usually fail because the model is not clever enough. They fail because per-step errors compound over long tasks, because behaviour is non-deterministic, because tool calls are inconsistent, and because the system ships without the evaluation, observability, context management, and least-privilege guardrails that would have caught the problem. Every one of these failure modes has a known engineering fix, and every one is routinely skipped in the rush from prototype to production.

That gap between "it worked in the demo" and "it is safe to run unattended" is exactly what our senior engineers assess. If you are building or already running an AI agent and want a named senior engineer to review whether it is safe to ship, book an audit. You can also read more about how we build dependable agents on our AI Agents service page.

Sources

  1. Gartner, "Gartner Predicts Over 40% of Agentic AI Projects Will Be Canceled by End of 2027", 25 June 2025. https://www.gartner.com/en/newsroom/press-releases/2025-06-25-gartner-predicts-over-40-percent-of-agentic-ai-projects-will-be-canceled-by-end-of-2027
  2. RAND Corporation, "The Root Causes of Failure for Artificial Intelligence Projects and How They Can Succeed", 2024. https://www.rand.org/pubs/research_reports/RRA2680-1.html
  3. Fortune, "MIT report: 95% of generative AI pilots at companies are failing", reporting the MIT NANDA "State of AI in Business 2025" study, 18 August 2025. https://fortune.com/2025/08/18/mit-report-95-percent-generative-ai-pilots-at-companies-failing-cfo/
  4. METR, "Measuring AI Ability to Complete Long Tasks" (arXiv:2503.14499), 19 March 2025. https://metr.org/blog/2025-03-19-measuring-ai-ability-to-complete-long-tasks/
  5. Anthropic, "How we built our multi-agent research system", 13 June 2025. https://www.anthropic.com/engineering/multi-agent-research-system
  6. Shunyu Yao et al., Sierra, "tau-bench: A Benchmark for Tool-Agent-User Interaction in Real-World Domains" (arXiv:2406.12045), 17 June 2024. https://arxiv.org/abs/2406.12045
  7. Erik Schluntz and Barry Zhang, Anthropic, "Building effective agents", 19 December 2024. https://www.anthropic.com/engineering/building-effective-agents
  8. Amazon Web Services, "AWS Well-Architected Framework: Agentic AI Lens, Reliability", accessed 14 July 2026. https://docs.aws.amazon.com/wellarchitected/latest/agentic-ai-lens/reliability.html
  9. DORA, "State of AI-assisted Software Development 2025", announced 23 September 2025. https://dora.dev/dora-report-2025/
  10. Nelson F. Liu et al., "Lost in the Middle: How Language Models Use Long Contexts" (arXiv:2307.03172), Transactions of the ACL, 2024. https://arxiv.org/abs/2307.03172
  11. OWASP GenAI Security Project, "OWASP Top 10 for LLM Applications 2025", November 2024. https://genai.owasp.org/llm-top-10/
  12. NCSC (UK) and Five Eyes partners, "Careful adoption of agentic AI services", 1 May 2026. https://www.ncsc.gov.uk/blogs/thinking-carefully-before-adopting-agentic-ai
  13. Mert Cemri et al., "Why Do Multi-Agent LLM Systems Fail?" (arXiv:2503.13657), 17 March 2025. https://arxiv.org/abs/2503.13657
  14. NIST, "Artificial Intelligence Risk Management Framework: Generative AI Profile (NIST AI 600-1)", 26 July 2024. https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.600-1.pdf

Want it done properly, once? We install OpenClaw isolated, hardened and monitored, then keep it updated under a plain monthly retainer. Fixed setup fee, quoted in writing.

Get set up