Sign in Subscribe
Capability Ladder

Ops Ladder: Running agents like production systems

Kaizhi Tang

3 min read
Ops Ladder: Running agents like production systems

Ops Ladder: running agents like production systems

A lot of agent work focuses on prompts, planners, or “tool use.” But once an agent does anything on a schedule—or touches anything real—you’re no longer doing promptcraft.

You’re doing operations.

The reliability gap between “cool agent demo” and “useful daily agent” is mostly an ops ladder: how much production discipline you’ve wrapped around the model.

Here’s a capability ladder for agent operations. Each level is boring. Each level is also where teams stop getting paged.

Level 0 — Manual runs

What it is: you run the agent when you remember.

Failure mode: irreproducibility.

If something goes wrong, you can’t tell whether it’s the model, the prompt, the environment, or your own setup.

Practical fix: capture runs. Log inputs/outputs, tool calls, and versions. Even a simple “run folder” of artifacts beats memory.

Level 1 — Scheduled runs (cron)

What it is: the agent runs at a time, reliably.

Failure mode: the job ran, but no one noticed it failed.

A schedule gives you consistency—and also gives you silent failure.

Practical fix: alerting + “I ran” receipts. In OpenClaw terms, cron is great for precise triggers, but it must come with delivery/announcement so failures are visible.

Level 2 — Idempotency and safe re-runs

What it is: you can run the job twice without corrupting the world.

Failure mode: duplicates.

A flaky network causes a retry; the agent posts twice, edits the wrong file twice, or creates two drafts with similar slugs.

Pipeline lesson (concrete): our Ghost draft push tooling resolves tags by existing slugs and skips missing tags rather than creating them. That’s an idempotency-adjacent principle: prefer “no-op with warning” over “write something you didn’t intend.” For draft creation specifically, the next step is to also enforce a stable “upsert key” (e.g., source file path + date) so reruns update the same draft instead of duplicating.

Level 3 — Observability (structured logs + metrics)

What it is: you can answer: what happened, how often, and why.

Failure mode: postmortems become storytelling.

Without structured logs, failures get explained as “the model was weird.” That’s not a root cause.

Practical fix: log what matters:

  • tool inputs/outputs (redacted as needed)
  • error codes
  • latency
  • retries
  • decision points (why it chose an action)

This is how you turn “agent behavior” into debuggable system behavior.

Level 4 — Guardrails as code

What it is: invariants enforced by the runtime, not begged for in the prompt.

Failure mode: prompt-only safety.

If your only guardrail is “please don’t do X,” it will eventually do X.

Practical fix: encode constraints:

  • permission scopes (which tools can run)
  • explicit approval gates for outbound actions
  • deny lists for destructive commands

Even in our own workflow norms, the rule “don’t run destructive commands without asking” is an ops control, not a politeness policy.

Level 5 — Rollback and “last known good”

What it is: when something goes wrong, you can revert quickly.

Failure mode: one-way doors.

Agents love one-way doors: sending messages, publishing posts, deleting files.

Practical fix: design reversible moves:

  • drafts instead of publishes
  • trash instead of delete
  • backups of artifacts
  • immutable audit logs

This is why “draft-first” is such a powerful default for content agents.

Level 6 — Incident response and blast radius

What it is: you assume incidents will happen and you limit damage.

Failure mode: wide permissions.

An agent with broad credentials can do broad harm—fast.

Practical fix: least privilege + segmentation:

  • separate API keys per workflow
  • separate environments (staging vs prod)
  • per-tool rate limits
  • circuit breakers (“pause all agent actions”)

Real system example: Microsoft’s Tay (2016) is often framed as a model-alignment story, but operationally it’s a blast-radius story. A system with insufficient constraints was exposed to adversarial input at internet scale. The core ops fix is not “be smarter”—it’s: restrict inputs, enforce policies as code, and have a fast shutdown path.

Level 7 — Continuous evaluation in production

What it is: the agent is always being tested—on real distributions.

Failure mode: the world changes.

Tools change, APIs change, user needs change. The agent doesn’t suddenly break; it slowly stops matching reality.

Practical fix: production eval loops:

  • sample real runs for review
  • run shadow-mode comparisons
  • track drift metrics
  • periodically refresh the “nightmare set”

The takeaway

The reliability of agentic AI is mostly determined outside the model.

If you want an agent you can trust, climb the ops ladder:

  1. schedule + visibility
  2. idempotency
  3. observability
  4. guardrails as code
  5. rollback
  6. blast radius control
  7. continuous production evals

Do that, and even a mediocre model becomes useful. Skip it, and even a brilliant model becomes a pager.