AI & Machine LearningAll explainers

How AI agents work

An AI agent wraps an LLM in a loop that can plan, call tools, read the result, and decide the next step. Here is how agentic AI works, the architectures teams use, and what production really demands.

On this page

An AI agent is a system that wraps a large language model in a loop so it can do more than answer once. The agent plans a step, calls a tool, reads the result, and decides what to do next, repeating until the task is done. That shift from a single response to a goal pursued over many steps is what people mean by agentic AI, and it's the difference between a chatbot and a piece of software that gets work done.

How the agent loop works

Under the hood an agent runs a tight cycle, usually some variant of the ReAct pattern, which pairs reasoning with action.

  1. Reason — the model looks at the goal and the current state and decides the next step.
  2. Act — it calls a tool: a web search, an API request, a database query, a code execution.
  3. Observe — the tool's output is fed back into the model's context.
  4. Repeat — the loop continues until the goal is met or a stop condition fires.

The split matters. Decision logic lives inside the model, which keeps the system flexible; execution logic lives in your code, which keeps it inspectable and controllable. You can log every thought and every tool call, validate arguments before they run, and cut the loop off when it stalls. An agent isn't magic. It's a while-loop with a language model in the condition.

Agents vs generative AI

The two terms get used loosely, so it helps to be precise. generative-ai is the broad capability: give a model a prompt, get back new content. An agent runs that capability inside a control loop that has a goal, memory, and the ability to take real actions.

A useful test: if the system returns one output and stops, it's generative AI. If it can call a tool, look at what came back, and choose a different action as a result, it's an agent. Every agent is built on generative models; not every use of a generative model is an agent. Keep the distinction, because "we need an agent" and "we need a good prompt" lead to very different amounts of engineering.

Architectures and patterns

Most production agents are assembled from a small set of patterns rather than one grand design. The common ones, roughly in order of how often you meet them:

  • ReAct — the stepwise reason-act-observe baseline behind most tool-using agents. Simple, and enough for a lot of constrained tasks.
  • Plan-and-execute — a planner breaks a goal into a task list, then an executor works through it. This is what you want for long-horizon jobs where a single reasoning pass would lose the thread.
  • Reflection — the agent critiques its own output with a second pass before committing. It lifts reliability on code and high-stakes decisions, and it costs you extra latency and tokens, so it's usually optional.
  • Router — a dispatcher picks which specialist agent, model, or tool should handle a request. Often just a classification prompt with sensible fallbacks.

Real systems mix these. A typical stack is ReAct for the inner loop, a planner on top for structure, and a router at the front to send work to the right place.

Tools and memory

Two things separate an agent from a model in a text box: what it can do, and what it can remember.

Tools are typed functions exposed to the model through a schema. The model picks a tool and emits structured arguments; your runtime executes the call and returns the result. This is where the hard edges live. Tools enforce validation, access control, rate limits, and logging, so a well-designed tool layer is most of what keeps an agent safe. In late 2024 Anthropic open-sourced the Model Context Protocol (MCP), a standard for connecting models to tools and data, and through 2025 and 2026 it became a common way to share one tool layer across agents instead of re-wiring every integration.

Memory comes in two flavors. Short-term memory is the working state of the current task: the conversation, the plan so far, recent tool outputs, all bounded by the model's context window. Long-term memory persists across sessions, usually as embeddings in a vector store that the agent queries when it needs something relevant. Many agents lean on retrieval-augmented-generation to pull grounded facts into context at the moment they act, rather than trusting whatever is baked into the weights.

Single-agent vs multi-agent

A single agent is one model in one loop with its tools and memory. It's cheaper, easier to reason about, and enough for most bounded workflows like triaging a support ticket or running a scripted research task. Start here.

A multi-agent system splits the work across specialists, a planner plus workers such as a researcher, a coder, and a tester, coordinated by an orchestrator that assigns tasks and merges results. It buys you specialization and cleaner permission boundaries, and it costs you coordination overhead, more failure modes, and a harder time debugging. The honest rule: reach for multiple agents when one genuinely cannot hold the whole job, not because the architecture diagram looks impressive.

How teams evaluate agents

Agents are hard to test precisely because they are stochastic and act over many steps. The same task can succeed down one path and fail down another, and a small mistake early can surface much later. Two kinds of evaluation cover it.

Outcome evaluation asks whether the goal was met: did the patch fix the bug, did the ticket get resolved. Public benchmarks like SWE-bench, which scores fixes to real GitHub issues, and tau-bench, Sierra's benchmark for tool-using agents in customer-service tasks, measure exactly this. Trajectory evaluation goes deeper and inspects the whole sequence of decisions and tool calls for wasted steps, wrong turns, or policy violations. Outcome tells you if it worked; trajectory tells you whether you can trust how.

What production demands

Autonomy is the whole value and also the whole risk. A demo agent is a weekend project. A reliable one is an engineering effort, and it needs:

  • Tool guardrails — scoped permissions per agent and validation on every action, so an agent can only touch what its job requires.
  • Human-in-the-loop — approval gates on anything irreversible, like a payment, a deployment, or a data deletion.
  • Observability — traces of every reasoning step and tool call, which is what makes both debugging and trajectory evaluation possible.
  • Cost and loop control — hard caps on steps, tokens, and tool calls, plus cheaper models for routine work, so a stuck agent cannot spin up the bill.
  • Prompt-injection defense — untrusted text in a web page or document can smuggle in instructions that hijack the agent, so anything that reads outside content and can act on it needs input filtering and output checks.

None of this is exotic. It's the ordinary discipline of shipping software that takes actions on your behalf, applied to a system that decides for itself what to do next. Teams that respect the failure modes ship agents that hold up; the ones that skip straight to full autonomy ship a demo.

Frequently asked questions

  • An AI agent is a system that wraps a large language model in a loop so it can act, not just answer. It plans a step, calls a tool such as a search or an API, reads the result, then decides what to do next, repeating until the goal is met. The model makes the decisions; the surrounding code runs the actions and holds the state. That loop is the whole idea, and it's what separates an agent from a chatbot that only replies.

  • Generative AI takes a prompt and returns one output, like a paragraph or an image. An AI agent runs generative models inside a control loop, so it can pursue a goal over many steps, use tools, and react to results. Every agent uses generative AI under the hood, but not every generative model is an agent. Agentic AI is the term for that goal-directed, multi-step behavior.

  • They can, but most production agents run on a leash. Teams cap the steps, scope which tools an agent may call, and route risky actions like payments through a human approval gate. Full autonomy is possible and rarely what you want, since an unbounded loop is expensive and hard to trust.

  • A multi-agent system splits a job across several specialized agents coordinated by an orchestrator. A planner breaks the goal into tasks, workers such as a researcher, a coder, and a tester handle their parts, and the orchestrator routes work and merges results. It buys specialization and clearer permissions at the cost of more moving parts, so reach for it only when one agent genuinely cannot cope.

  • You measure two things, the outcome and the path. Outcome evaluation asks whether the task got done correctly, using benchmarks like SWE-bench for coding fixes or tau-bench for tool-driven support tasks. Trajectory evaluation inspects the full sequence of reasoning and tool calls for wasted steps, wrong turns, or policy breaches. Both need logged traces, which is why observability is a prerequisite, not an afterthought.

Related expertise