I have written about thirty-odd posts on building AI agents, one boundary per post. One on stopping it from making things up. One on keeping memory you can trust. One on when to let it act on its own. One day I stepped back and looked at the whole pile, and saw they were not thirty separate topics. They were the structure of one thing: an agent that survives contact with real use.
By demo I mean the thing we all see in a course or a YouTube clip: type one prompt and the AI does the task on screen. That is not an agent yet, it is just one question and one answer. An agent takes a goal and then plans and acts on its own across many steps until the job is done.
Here is what nobody says out loud: that demo is easy, anyone can do it. But run the same thing every day for real and it starts to forget what it did yesterday, starts adding facts nobody gave it, starts doing things it should not, and when you run two at once they overwrite each other. Every one of those symptoms is a missing piece.
Think of a working agent as a building made of several stacked layers, each doing its own job. Take away one layer and the agent fails in that layer's way. This post is the map of all seven: the layers that separate an agent that runs nicely in a class or a workshop from one that actually works in production. I have written each layer up in depth as its own post, from real work, and linked them so you can go deeper.
First, search "ai agent architecture" on Google. What you mostly find is textbook diagrams of agent types: reactive agents, deliberative agents, BDI agents. Useful for an exam. But once the agent goes to work, what breaks it is not which type you picked. It is the layers the textbook never draws: memory, guardrails, verification. That is the architecture production actually needs.
Layer 1The engine is not the agent
People just starting to build an agent tend to think the agent is the model: pick Claude or GPT and you are done. Build one for real and you see the model is just one part. Like the engine in a car, it matters, but it is not the whole vehicle. The real agent is everything wrapped around the engine: the rules, the memory, the tools.
The boundary for this layer is do not marry one model. If you design the agent and the engine as separate pieces, then the day a cheaper or better model appears, or the day your current vendor raises prices, you just swap it out. No rebuild. And different jobs can run different-sized engines: hard judgment calls on a large model, simple repetitive work on a small local model that costs almost nothing.
Go deeper: separate the identity, the engine, and the orchestration · size the model to the job · the real cost of the engine
Layer 2Orchestration
One agent doing one thing at a time is a demo. As the real work grows, you want to split a big job into small pieces, run several agents at once, and have one of them hold the overall picture. This is the orchestration layer, and it opens problems you never hit running a single agent.
The boundary people skip most here is stopping the agents from stepping on each other. Run two in the same workspace and they overwrite each other's files, and the results mix until you cannot trust them. The controller has to isolate each one first. It is not the worker agent's job to be careful; it is the controller's job. And the most expensive part is usually not the agents at all: it is the person who has to sit and hand out work one job at a time. That is what you design away.
Go deeper: the expensive part is not the agents · split work across a fleet of agents · isolation is the orchestrator's job · a task board as the fleet's intake
Layer 3Memory
An agent with no memory starts from zero every time it opens. It re-asks what you just told it and forgets the rules you agreed on yesterday. So memory is not an add-on, it is a layer you design. And there are two different things in it: rules (what it must know every time) and data (what it fetches only when needed). Mix them and both break: rules get lost, or the context floods and slows down.
The boundary here is memory can lie too, so it has to be memory you can trust. If the agent pulls the wrong piece of memory, it answers with full confidence anyway. So what it remembers must trace back to a source. The file is the truth, the search tool is just a shortcut, and anything not written to a file does not exist yet.
Go deeper: design memory you can trust · separate rules from data · two files that carry knowledge to the whole fleet · the memory stack we actually run · feed the knowledge base without letting AI make things up
Layer 4Tools and skills
On its own the model can only print text. To read a file, call an API, or send a message, you have to give it tools. This is the layer where the agent acts on the real world, and the "free" stuff here is not free. Every tool you connect eats the model's context and opens one more way to attack it.
This layer has two boundaries. First, evaluate a tool before you install it, do not just follow the hype. A tool that is installed but never called is context you pay for and get nothing back. Second, put work on the right side: work that must come out exactly the same every time, like loops and arithmetic, belongs in deterministic code; work that means reading and then deciding belongs to the model. Ask the model to do arithmetic and you get a different answer each run.
Go deeper: evaluate plugins before installing · the tool you installed but never call · split deterministic code from judgment · what a skill is · connect agents across machines without open ports
Layer 5Guardrails: where production splits from the demo
If I had to pick one layer that separates a demo from the real thing, this is it. Every demo assumes everything goes to plan. Production is getting ready for when it does not. Guardrails are the set of rules that keep the agent from doing what it should not, and there are several of them.
- When to act, when to ask first. Reversible work, let it run. Irreversible work, a human decides. That line has to be drawn in advance.
- A message is not a command. Someone typing something at the agent does not mean it should do it. You need a gate that checks who is asking and for what.
- Private data must not leak. Personal or customer data must not be sent where it should not go. Know exactly what each tool sends out.
- Do not trust one model's confidence. A model can be wrong and sure of itself. For anything important, have a different engine take a look. Different angles catch the blind spots a single view cannot.
Go deeper: when AI acts vs asks · a message is not a command · the layers that keep data from leaking · why AI agents lie to you · let cross-vendor AI red-team each other
Layer 6Verification
The agent finishes a job or writes some code and says "done." How much can you trust that? This layer is proving it actually did the work right, and the biggest trap is that the checker itself can lie.
The boundary here is do not trust a green check until you have proved it can fail. A checker that died and a checker that passed because nothing was actually wrong look identical. Feed it a known-bad input first and confirm it catches it. Then, for anything important, have a different engine review, not the one that wrote the work grading itself.
Go deeper: have a second engine review the code · prove your checks can fail · pin existing behavior before you change it
Layer 7Reachability
Once the agent works, the last layer is making it reachable by people and by other agents. Your site today is not read only by people. It is read by AI search engines and by agents that pull data to answer with.
The boundary here is control who gets to read it, and lay out the structure so machines can parse it. Choose which bots get to crawl you, and give your pages a structure that both people and machines can reuse, not just something that looks good to human eyes.
Go deeper: make your site readable by agents · make AI see your site · control AI crawlers one by one on Cloudflare
Wrap-upWhich layer to start with
The architecture is not a diagram you draw once. It is the set of guardrails you add each time an easy demo meets the real world. Here are all seven again.
- Engine swappable; do not marry one model.
- Orchestration isolate first, or the agents step on each other.
- Memory split rules from data, and make it trustworthy.
- Tools and skills evaluate before installing; deterministic work in code, judgment in the model.
- Guardrails when to ask, a message is not a command, no leaks, do not trust one model.
- Verification a checker has to catch a known bad before you trust it.
- Reachability control who reads you, structure it for machines.
You do not need all seven on day one. Start with the layer that is hurting you right now. If the agent makes things up often, start with guardrails and memory. If it is slow and expensive, start with the engine and tools. If parallel runs mix their results, start with orchestration. Each layer above has a deep-dive post already written. Pick the one that matches your pain and follow the link.
- Every one of the seven layers here is written up as its own post from real work, linked inside each section above. This post is the map that ties them together.
- AGENTS.md as a standard instruction file for agents: agents.md