When an agent is ready for real work

Your agent works on a laptop. In production it can loop, spam tools, leak data, and burn money (depending on the use case). This is the checklist we wish we had before release.
On this page
  1. Prototype vs Production
  2. What a production-ready agent needs
  3. Without control an agent does not know boundaries
  4. Who is responsible for control
  5. Analogy from life
  6. In short
  7. FAQ
  8. What’s next

An agent can work in a demo.

Execute simple tasks.
Call tools.
And even return a correct result.


But that still does not mean it is ready for real work.

In a real environment, an agent mistake can:

  • Modify data
  • Spend money
  • Or call an external service

That is why there is a difference between a prototype and a production system.

Prototype vs Production

AI agent: asks to execute an action

A prototype shows that an agent can complete a task.

But it does not guarantee it will do this safely.


In a demo:
a mistake is just a wrong result

In production:
a mistake is:

  • Costs
  • Data changes
  • Or a request to an external system

For example:

TEXT
Agent tries to fetch data from API.

Think: call get_customer_data()  
Act: system calls API  
Observe: no response

Think: try again  
Act: system calls API  
Observe: error

Think: try another endpoint  
Act: system calls API  
Observe: error

Without stop conditions,
an agent can repeat these actions β€”
spending time and resources
or creating additional load on the system.

So a production agent needs control.

What a production-ready agent needs

To be ready for real work, an agent needs:

ComponentWithout it (Prototype)With it (Production)
MemoryRepeats the same stepsTakes previous actions into account
PermissionsCan perform unsafe actionWorks only within allowed access
Stop ConditionsWorks endlesslyStops by limit
Execution ControlExecutes action without checkingAction is checked before execution
Tool BudgetCan spend moneyLimited by spending budget

Without this, an agent is only a prototype.

Without control an agent does not know boundaries

Its job is to complete work.

Not to do it safely.

So it can repeat the same actions, modify data, or call external services β€” until it reaches a result or stops on its own.

Who is responsible for control

An agent does not verify itself.

It executes a task within what it is allowed to do.


Control is set by a human or a system.

They define:

  • What the agent can do
  • How long it can run
  • And when it must stop

Analogy from life

Imagine autopilot in a car.

It can drive on its own.
Keep lane.
Even change speed.


But that does not mean you can stop monitoring the road.


Because if something goes wrong, you must intervene.

That is why even automated systems have limits and control.

In short

Quick take

A prototype shows that an agent can complete a task.

A production agent:

  • Has memory
  • Works with permissions
  • Stops by conditions
  • And is under control

Only then can it be trusted.

FAQ

Q: Can a prototype be used in production?
A: Yes β€” but without limits and control, this can be unsafe.

Q: Are stop conditions alone enough?
A: No. Stop conditions can stop an infinite loop, but they do not prevent unsafe actions. An agent also needs permissions and execution control to work safely.

Q: Who is responsible for safe agent behavior?
A: A human or a system that sets limits and controls action execution. An agent works only within allowed permissions β€” but does not define them on its own.

What’s next

Now you know what a production agent needs.

Memory, permissions, stop conditions, control β€” this is the foundation.

But control is only part of the system.

An agent also needs to make decisions step by step:

assess the situation,
choose an action,
check the result,
and decide what to do next.

There is a separate pattern for this.

It is called ReAct.

⏱️ 4 min read β€’ Updated Mar, 2026Difficulty: β˜…β˜…β˜†
Integrated: production controlOnceOnly
Add guardrails to tool-calling agents
Ship this pattern with governance:
  • Budgets (steps / spend caps)
  • Tool permissions (allowlist / blocklist)
  • Kill switch & incident stop
  • Idempotency & dedupe
  • Audit logs & traceability
Integrated mention: OnceOnly is a control layer for production agent systems.
Author

This documentation is curated and maintained by engineers who ship AI agents in production.

The content is AI-assisted, with human editorial responsibility for accuracy, clarity, and production relevance.

Patterns and recommendations are grounded in post-mortems, failure modes, and operational incidents in deployed systems, including during the development and operation of governance infrastructure for agents at OnceOnly.