<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Engineering on Stack Research</title><link>https://stackresearch.org/categories/engineering/</link><description>Recent content in Engineering on Stack Research</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Tue, 28 Apr 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://stackresearch.org/categories/engineering/index.xml" rel="self" type="application/rss+xml"/><item><title>Making Agents Aware of Agentic Risk</title><link>https://stackresearch.org/research/agentic-risk-awareness/</link><pubDate>Tue, 28 Apr 2026 00:00:00 +0000</pubDate><guid>https://stackresearch.org/research/agentic-risk-awareness/</guid><description>&lt;p&gt;A capable agent can fail in two very different ways.&lt;/p&gt;
&lt;p&gt;The first is loud. It breaks a rule, calls the wrong tool, or says something obviously false. You can see it.&lt;/p&gt;
&lt;p&gt;The second is quiet. It forms a plausible plan on bad assumptions, keeps moving, and leaves a trail of reasonable-looking steps that point to the wrong place. That one is harder. It looks like progress until the consequences arrive.&lt;/p&gt;</description></item><item><title>Agent Incident Response Needs a Measurable Drill</title><link>https://stackresearch.org/research/agent-incident-drill/</link><pubDate>Fri, 17 Apr 2026 00:00:00 +0000</pubDate><guid>https://stackresearch.org/research/agent-incident-drill/</guid><description>&lt;p&gt;Agent incident response needs a clock, a journal, and a stopping point.&lt;/p&gt;
&lt;p&gt;Without those three things, incident response remains theatrical. A bad action happens, someone opens logs, someone reconstructs intent, someone asks whether the system could have been stopped sooner. The answers arrive after the important interval has already passed.&lt;/p&gt;
&lt;p&gt;The useful question is narrower: can a controlled agent failure be made measurable while it is happening?&lt;/p&gt;
&lt;p&gt;&lt;a href="https://stackresearch.org/research/control-ops/"&gt;ControlOps&lt;/a&gt; built the parts: scope validation, decision lineage, blast-radius assessment, and kill-path auditing. The drill described here connects those parts around one small incident. It does not prove that agent systems are safe. It proves something more modest and more useful: one proposed action can be checked, stopped, recorded, scored, and prepared for rollback before it becomes an invisible state change.&lt;/p&gt;</description></item><item><title>Artifact Intake Boundaries for Agentic Systems</title><link>https://stackresearch.org/research/artifact-intake-boundaries-for-agentic-systems/</link><pubDate>Sun, 05 Apr 2026 00:00:00 +0000</pubDate><guid>https://stackresearch.org/research/artifact-intake-boundaries-for-agentic-systems/</guid><description>&lt;p&gt;Agentic systems do not only ingest prompts. They ingest files.&lt;/p&gt;
&lt;p&gt;A reasoning trace arrives for debugging. A benchmark archive is downloaded for evaluation. A support export is added to a retrieval corpus. A set of examples is copied into a training library. Each object may look like ordinary text, but it becomes active as soon as it is unpacked, parsed, rendered, indexed, transformed, or passed to another tool.&lt;/p&gt;
&lt;p&gt;That makes artifact intake a security boundary.&lt;/p&gt;</description></item><item><title>Structural Debugging for Chain-of-Thought Graphs</title><link>https://stackresearch.org/research/trace-topology/</link><pubDate>Thu, 02 Apr 2026 00:00:00 +0000</pubDate><guid>https://stackresearch.org/research/trace-topology/</guid><description>&lt;p&gt;When a program crashes, the stack trace does not explain the whole bug. It does something narrower and more useful: it shows where execution was, what called what, and which line broke.&lt;/p&gt;
&lt;p&gt;When a language model&amp;rsquo;s reasoning goes wrong, the failure is usually harder to locate. The final answer may be fluent and wrong. The intermediate trace may drift quietly for a thousand tokens. There is often no structural map of what depended on what, and no obvious place to point and say: this is where the reasoning stopped holding together.&lt;/p&gt;</description></item><item><title>Why Agent Memory Needs a Control Plane</title><link>https://stackresearch.org/research/why-agent-memory-needs-a-control-plane/</link><pubDate>Mon, 23 Mar 2026 00:00:00 +0000</pubDate><guid>https://stackresearch.org/research/why-agent-memory-needs-a-control-plane/</guid><description>&lt;p&gt;In an end-to-end memory governance scenario, a migrated record was present in the store but denied by default retrieval. The data existed, but policy correctly kept it out of the agent&amp;rsquo;s active context. That behavior sounds strict until a real system shows how quickly &amp;ldquo;just store it&amp;rdquo; turns into stale, unsafe memory that is hard to audit.&lt;/p&gt;
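&lt;p&gt;The separation matters mechanically: presence in the store and eligibility for retrieval are two different checks. A minimal sketch of that shape in Python, using a hypothetical policy gate rather than Agentic Memory Fabric&amp;rsquo;s actual API:&lt;/p&gt;
&lt;pre&gt;&lt;code&gt;from dataclasses import dataclass

@dataclass
class Record:
    key: str
    value: str
    lineage: str            # provenance, e.g. "migration-v2" (illustrative)

def retrieve(store, key, policy):
    # Presence in the store is necessary but not sufficient: the policy
    # decides whether the record may enter active context. policy.allows()
    # is a hypothetical interface standing in for the runtime check.
    record = store.get(key)
    if record is None:
        return None         # the data was never there
    if not policy.allows(record):
        return None         # the data exists, but default retrieval denies it
    return record
&lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;The denied-by-default branch is the one the scenario exercised: the migrated record took the second &lt;code&gt;return None&lt;/code&gt;, not the first.&lt;/p&gt;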
&lt;p&gt;That gap is why &lt;a href="https://github.com/stack-research/agentic-memory-fabric"&gt;Agentic Memory Fabric&lt;/a&gt; is a control plane for memory, not another retrieval wrapper. The point is simple: memory used by agents should be treated like governed infrastructure, with clear lineage and retrieval policy enforced at runtime.&lt;/p&gt;</description></item><item><title>Executable Metaphors: Compiling Analogy Into Prototype Code</title><link>https://stackresearch.org/research/executable-metaphors/</link><pubDate>Tue, 17 Mar 2026 00:00:00 +0000</pubDate><guid>https://stackresearch.org/research/executable-metaphors/</guid><description>&lt;p&gt;Metaphors already shape software.&lt;/p&gt;
&lt;p&gt;A pipeline moves data from one stage to another. Garbage collection reclaims unused memory. A queue holds work until something is ready to process it. These words are not decorative. They carry a small model of how a system should behave.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://github.com/stack-research/executable-metaphors"&gt;Executable Metaphors&lt;/a&gt; asks what happens if that model becomes the input to a compiler. A short analogy, written in Markdown, is treated as the source artifact. The generated code, build files, documentation, and repair scripts are outputs.&lt;/p&gt;</description></item><item><title>The Unaskable Question</title><link>https://stackresearch.org/research/the-unaskable-question-machine/</link><pubDate>Mon, 16 Mar 2026 00:00:00 +0000</pubDate><guid>https://stackresearch.org/research/the-unaskable-question-machine/</guid><description>&lt;p&gt;Ask a language model something it does not know, and it may admit uncertainty or invent an answer. Ask it something a policy forbids, and it may refuse. Those are familiar failure modes. They have names, benchmarks, mitigations, and whole taxonomies around them.&lt;/p&gt;
&lt;p&gt;There is another category that receives less attention: questions the model cannot engage with because the question contradicts the structure of the system being asked. Not a knowledge gap. Not a safety boundary. A structural impossibility.&lt;/p&gt;</description></item><item><title>Evolving Better Prompts</title><link>https://stackresearch.org/research/genetic-prompt-programming/</link><pubDate>Sun, 15 Mar 2026 00:00:00 +0000</pubDate><guid>https://stackresearch.org/research/genetic-prompt-programming/</guid><description>&lt;p&gt;A four-generation prompt evolution run moved average fitness from 0.887 to 0.926. The best prompt reached 0.965. The run used a population of 8 prompts and completed in under 4 minutes on a MacBook Pro with &lt;code&gt;llama3.1:8b&lt;/code&gt; running locally through Ollama.&lt;/p&gt;
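&lt;p&gt;The generation loop itself is small; what fills the operators is the interesting part, as the next paragraph explains. A minimal sketch in Python, assuming &lt;code&gt;fitness&lt;/code&gt;, &lt;code&gt;mutate&lt;/code&gt;, and &lt;code&gt;crossover&lt;/code&gt; are supplied as functions (the names are illustrative, not the project&amp;rsquo;s API):&lt;/p&gt;
&lt;pre&gt;&lt;code&gt;import random

def evolve(population, fitness, mutate, crossover, generations=4):
    # Each generation keeps the fittest half of the population and
    # refills the rest with children produced by the two operators.
    for _ in range(generations):
        ranked = sorted(population, key=fitness, reverse=True)
        parents = ranked[: len(ranked) // 2]
        children = []
        for _ in range(len(population) - len(parents)):
            a, b = random.sample(parents, 2)
            child = crossover(a, b)       # merge two parent prompts
            if random.random() &gt; 0.5:     # coin flip: also rewrite the child
                child = mutate(child)
            children.append(child)
        population = parents + children
    return max(population, key=fitness)
&lt;/code&gt;&lt;/pre&gt;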
&lt;p&gt;The useful trick is not genetic programming in the old sense of random token edits. Mutation and crossover are language-model calls. Every variant is still a valid prompt. The model rewrites prompts in ways a human prompt engineer might recognize: tighter wording, added constraints, reordered instructions, more concrete examples, removed weak parts.&lt;/p&gt;</description></item><item><title>ControlOps: Letting Machines Talk</title><link>https://stackresearch.org/research/control-ops/</link><pubDate>Sat, 14 Mar 2026 00:00:00 +0000</pubDate><guid>https://stackresearch.org/research/control-ops/</guid><description>&lt;p&gt;An autonomous system should not be judged only by the moment when it answers. The answer is the visible surface. Beneath it there are quieter questions: who allowed this action, which evidence shaped it, how far could the failure travel, and how quickly could the system be stopped?&lt;/p&gt;
&lt;p&gt;These questions are often asked after the fact. A runbook is opened. A trace is reconstructed. Someone searches logs for the decision that mattered. The machine has already acted, and the organization is trying to recover the shape of the action from its shadow.&lt;/p&gt;</description></item><item><title>Memory Should Decay</title><link>https://stackresearch.org/research/memory-should-decay/</link><pubDate>Sat, 14 Mar 2026 00:00:00 +0000</pubDate><guid>https://stackresearch.org/research/memory-should-decay/</guid><description>&lt;p&gt;An agent memory run started with 50 stored facts. Each fact had a half-life of 10 ticks. After 30 ticks of a task loop, 8 memories remained.&lt;/p&gt;
&lt;p&gt;Those 8 were the ones the agent kept using. The other 42 expired automatically. No cleanup script. No manual pruning. No summarization pass pretending stale facts were still useful.&lt;/p&gt;
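&lt;p&gt;The mechanics fit in a few lines. A minimal sketch of the shape in Python, with exponential decay, reinforcement on use, and an assumed expiry cutoff of 0.2 (illustrative values, not the experiment&amp;rsquo;s code):&lt;/p&gt;
&lt;pre&gt;&lt;code&gt;import math

HALF_LIFE = 10                    # ticks until an untouched fact halves
DECAY = math.log(2) / HALF_LIFE
CUTOFF = 0.2                      # assumed threshold for expiry

class Fact:
    def __init__(self, text):
        self.text = text
        self.confidence = 1.0

    def tick(self):
        # Exponential decay: confidence halves every HALF_LIFE ticks, so
        # an untouched fact falls below 0.2 between ticks 23 and 24.
        self.confidence *= math.exp(-DECAY)

    def reinforce(self):
        self.confidence = 1.0     # use resets the clock

def sweep(store):
    # Keep only facts still above the cutoff; the rest expire.
    return [f for f in store if f.confidence &gt;= CUTOFF]
&lt;/code&gt;&lt;/pre&gt;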
&lt;p&gt;The experiment is small, but the shape is important. Agent memory does not need to be an attic where every fact waits forever. It can behave more like working state: reinforced by use, weakened by neglect, and removed when confidence falls below a threshold.&lt;/p&gt;</description></item><item><title>Build for the Hour After Failure</title><link>https://stackresearch.org/editorial/build-for-the-hour-after-failure/</link><pubDate>Sun, 08 Mar 2026 00:00:00 +0000</pubDate><guid>https://stackresearch.org/editorial/build-for-the-hour-after-failure/</guid><description>&lt;p&gt;At 4 a.m., the model is rarely the whole problem. The missing recovery path is.&lt;/p&gt;
&lt;p&gt;Agent systems are often designed around the moment before action: the prompt, the tool schema, the evaluator, the approval check, the confidence score. Those pieces matter. They shape whether the system should act at all. But the harder question arrives after a bad action has already crossed the boundary into production.&lt;/p&gt;
&lt;p&gt;What stops next? What is still allowed to run? Which identity was used? Which records changed? Which downstream systems trusted the result? Which part can be reversed, and which part can only be compensated for?&lt;/p&gt;</description></item><item><title>Software That Expires</title><link>https://stackresearch.org/editorial/software-that-expires/</link><pubDate>Mon, 16 Feb 2026 00:00:00 +0000</pubDate><guid>https://stackresearch.org/editorial/software-that-expires/</guid><description>&lt;p&gt;Software accumulates by default.&lt;/p&gt;
&lt;p&gt;Features go in. Compatibility layers remain. Old state keeps its place because removing it feels riskier than carrying it. A temporary endpoint becomes a customer dependency. A migration flag survives long after the migration. A data field whose meaning has changed three times continues to answer because some quiet part of the system still asks for it.&lt;/p&gt;
&lt;p&gt;The usual word for this is technical debt, but debt is too clean a metaphor. Debt has a lender, a balance, and a date on the bill. Software decay is less orderly. It is closer to sediment. Each layer is understandable when it lands, and opaque once enough layers have settled above it.&lt;/p&gt;</description></item></channel></rss>