The Agentic Stack: How a State-of-the-Art AI Agent Actually Works

Run a ReAct loop with a cheap learned world model that predicts each candidate action's natural-language state diff before committing, and use it to gate irreversible actions. It buys most of the safety of MCTS tree search at one-step lookahead cost. Reach for full MCTS+DPO (Agent Q) only when you can afford training and live rollouts. (See the paper.)

• Represent environment state to the planner as a natural-language diff (what changed) rather than the full page/observation.
• Before any irreversible action (payment, delete, send), run a one-step lookahead predicting the resulting state diff and require it to match intent.
• For tasks where sub-results must merge rather than chain, model reasoning as a graph (Graph-of-Thoughts) with an explicit aggregation step instead of forcing a linear chain.
• Audit your action set for what cannot be undone and route exactly those through the lookahead/approval gate.

Reaching for MCTS or asynchronous interruptible planning first, even SOTA models collapse (47%→11%) on overlapping/interruptible tasks; get a gated synchronous loop solid before adding concurrency.

At scale, use hierarchical category→tool→endpoint retrieval with a self-reflective 're-retrieve if unsolvable' loop (AnyTool) to keep only a handful of candidate tools in context per step. Flooding the window with thousands of tool specs degrades function-calling accuracy via distractors. (See the paper.)

• Build a two-stage retriever: resolve a category, then a tool, then an endpoint, so the LLM only ever sees a small candidate set.
• Author every tool description against a six-field rubric, purpose, input schema, output schema, side effects, preconditions, examples, and fix missing-purpose first (the most common defect).
• Treat tool docs as testable artifacts: fuzz them (ToolFuzz-style) to surface underspecification before deployment, and expose only the ~20% of any API surface the agent actually needs.
• Add a self-reflection branch: on a failed/unsolvable call, re-retrieve rather than one-shot committing to the first tool.

Augmenting every tool description to fix 'smells', blanket augmentation adds ~67% more execution steps; augment only the smells that correlate with actual task failures.

Expose read/write/search tools over an external memory tier that the model pages in and out itself (MemGPT virtual-context paging), with a self-edited working-memory block mutated via tool calls. Memory is a state-management problem the agent should actively manage, not a passive top-k vector lookup. (See the paper.)

• Split storage into tiers, in-context working memory, searchable recall (chat history), and archival key-value/vector, and give the model explicit tools to read/write/search each.
• Store raw events verbatim and defer extraction/reasoning to retrieval time; never discard information at write time, because you don't yet know the query.
• Build a multi-stage retrieval funnel, cheap keyword recall → semantic re-rank → relational reasoning → reader, instead of a single similarity search; SQLite alone is competitive, no vector DB required.
• Add a scheduled reflection pass that synthesizes episodic memories into higher-level abstractions, and score retrieval by recency + importance + relevance, not similarity alone.

Trusting any memory layer on dependency/invalidation reasoning, current systems score ~1-3% on cascade/absence updates; if a fact can be superseded, model edge invalidation explicitly or a long-context baseline will beat you.

Optimize natural-language compression guidelines for observations and history via a failure-analysis feedback loop (ACON), 26-54% token reduction with improved success and zero fine-tuning, then distill the compressor into a small model for latency. It beats fixed summarization and needs no RL. (See the paper.)

• Compress observations and trajectory history separately, each tuned against its own task-failure signal, not with one generic summarizer.
• Place the most critical retrieved chunks at the top or bottom of the prompt and treat the middle as lossy storage; reorder RAG hits to front-load the top result.
• Shrink context aggressively even after retrieval succeeds, input length alone degrades accuracy 14-85% with perfect retrieval, so pass the shortest evidence-preserving span.
• If you can train, make context delete/insert (MemAct) or trajectory folding (AgentFold) first-class agent actions to cut context ~51% while preserving task signal.

Assuming more context is free or that retrieval quality is the only knob. Length itself is a quality/latency dial, and naively concatenating k docs in score order buries evidence in the dead middle.

Encode a known human workflow as an explicit phase DAG with schema-constrained handoffs and downstream-validates-upstream checks (MetaGPT SOP-as-prompt), not free-form chat. It breaks the hallucination cascade. Pair it with per-action compensating rollbacks (SagaLLM) so a failed phase recovers instead of silently corrupting. (See the paper.)

• Replace open-ended agent chatter with an explicit phase DAG; give each role a domain-expert system prompt and require structured (schema-validated) outputs between phases.
• Register a compensating undo action alongside every forward action at spawn time, and checkpoint at phase boundaries so rollback scope is bounded.
• Put an independent validation agent at each phase rather than letting actors self-validate.
• If agents share mutable state, use dedicated shards and reconstruct read-sets from observed traffic (S-Bus), self-reported read sets over-claim by 32-49%, so don't trust them.

Scaling agent count to beat context limits, agents exchange distributed state competently but fail to integrate it into correct answers (the Communication-Reasoning Gap), so naive fan-out adds cost without capability.

Score on final database/environment state with a simulated user and policy rules, and report pass^k across repeated trials (τ-bench). Capability and reliability are different axes, and pass^k separates real skill from a single lucky run. Trace-matching and pass@1 hide the reliability gap that dominates production. (See the paper.)

• Evaluate by diffing final environment/database state, not by matching the trajectory; allow multiple correct paths via milestone scoring (ToolSandbox).
• Report pass^k, not just pass@1, re-run identical tasks and measure how often the agent succeeds every time.
• Drive a simulated user with the policy document as input to test rule adherence under realistic back-and-forth.
• Before trusting any benchmark, audit it: diff model patches against the issue text for solution leakage and cross-check passing patches against ground-truth tests (SWE-bench+ found 32% leakage, 31% weak-test passes).

Believing single-run task-completion numbers and public leaderboards, agents that succeed once routinely fail on identical re-runs, and crowdsourced rankings are distorted by selective disclosure; keep immutable append-only result logs.

There is no robust model; nearly every deployed agent violates policy within 10-100 queries and robustness doesn't correlate with model size. The least-bad move is to adopt ART as a drop-in red-team suite and measure your agent's policy-robustness as a distinct axis from capability, then defend deterministically below the model. (See the paper.)

• Run a deployment-policy test harness covering data-access, financial-action, and regulatory-compliance violation classes under a 10-100 query attack budget; measure attack transferability across models.
• Treat the inter-agent message bus as an adversarial boundary, sign message envelopes and schema-validate every inbound message before acting (AiTM rewrites messages without compromising any agent).
• Audit MCP servers before adoption: tool-poisoning sits at ~5.5% prevalence, so validate and sanitize tool metadata and isolate context per tool invocation.
• Model cross-temporal attacks: enumerate every persistence substrate (memory, scheduled jobs, filesystem) × firing-separation, since sleeper-channel payloads fire later through a different surface.

Relying on point-in-time, within-task evaluation. The live attacks are delayed-trigger and cross-surface, which single-session red-teaming structurally cannot detect.