Anyone can film a model doing something impressive once: friendly input, controlled room, one take. What you are buying, though, is month three — the agent still doing the job against inputs nobody scripted, with no human catching every mistake. Most agent projects die somewhere between the demo and month three. This is a map of where.
Reliability at the edges
A language model is probabilistic. Give it the same task twice and you may get two different answers. On the common cases it will usually be right. On the strange ones, the malformed input or the unusual request or the case nobody thought to test, it can be confidently wrong. It can invent a fact, cite a source that does not exist, or take an action based on a misreading.
The demo only ever shows the common case. Production is mostly edges. The first job is to find them: collect the real inputs the agent will face, build a set of test cases from them, and measure how often the agent gets each one right. Without that measurement, you are guessing.
Tool use fails in ordinary ways
Most useful agents do more than talk. They call tools. They search a database, hit an API, or file a ticket. Every one of those calls can fail in the boring ways software always fails: the service times out, returns an error, or hands back a shape the agent did not expect. A model that was never shown what to do when a tool fails will improvise.
Production agents need the same defensive engineering as any other software that talks to other software: check the response, handle the error, and have a defined fallback for when a step does not return what it should.
Cost and latency add up
A single model call is cheap and fast enough. An agent that reasons over several steps, calls tools, and retries can make many calls to answer one request. Multiply that by real traffic and both the bill and the wait can grow past what the use case can bear. These are not reasons to avoid agents. They are design constraints to plan around: choosing the right model for each step, caching what can be cached, and keeping the agent from doing expensive work it does not need to.
Security is a new surface
Agents introduce a class of risk that traditional software does not have. Because they follow instructions written in plain language, they can be steered by instructions hidden in the very content they read. This technique is known as prompt injection. A support agent that reads a customer message, or a research agent that reads a web page, can be told by that text to ignore its rules or reveal data. It is a well-known, documented risk. Any agent that reads untrusted input and can take real actions needs limits on what it is allowed to do, regardless of what it is told.
Silent degradation
Ordinary software breaks loudly, with an error, a crash, a red alert. An agent can break quietly. The model behind it can be updated, your data can drift, a prompt change can have effects nobody predicted, and the agent keeps running, just a little worse. Nobody notices until the quality has slipped for weeks. The defence is monitoring built for this: watching the agent’s outputs over time, sampling real cases, and catching the drift before your customers do.
Ambiguity is the hardest part
The single most common failure is not dramatic. It is an agent doing something reasonable that was not what the user meant. People are vague. They leave things out, contradict themselves, and expect the system to fill the gap the way a colleague would. An agent that guesses wrong, confidently, and acts on the guess causes more trouble than one that pauses to ask. Knowing when to act, when to ask, and when to hand off to a human is the difference between an agent that helps and one that creates cleanup.
How to build for it
None of this means agents are not ready. It means treating the production work as the real work: test cases drawn from real inputs and run on every change, hard limits on what the agent can do, a safe path for every way a step can fail, and monitoring that catches quiet decline. That list is most of an agent engagement, and it starts on day one.
Scope matters too. An agent aimed at a narrow, well-defined task with a clear measure of success is far more likely to hold up than one asked to be generally capable. The reliable agents in production today are the modest, bounded ones.