THE LINUX FOUNDATION PROJECTS
search
Community Blog

Demo to Production: An Open Source Architecture for Reliable AI Agents

By November 25, 2025No Comments

Author: Ashok Prakash, Senior Principal Engineer at Oracle AI

Summary

The promise of AI agents is simple: automation. The reality, as many production teams have learned, is a story of unpredictable failures, security holes, and runaway costs. Moving an agent from a controlled demo to a reliable, cloud-native service is one of the toughest challenges in AI engineering today. This article outlines a production-grade, vendor-neutral reference architecture built on the open ecosystem, leveraging projects like ONNX for portability and KServe for robust model serving. It is not about a specific model, but about the open source scaffolding required to build, deploy, and manage agents that are safe, observable, and efficient. We focus on bounded loops, policy-as-code, and the critical human-in-the-loop controls that separate a production system from a science project.

The Gap Between Demo and Production

An agent that performs well in a limited demo often breaks down under real-world conditions. Common failure modes include unsafe actions, where the agent modifies live resources without approval, or cost overruns, where it enters an uncontrolled retry loop. The lack of observability means the agent’s decision-making is a “black box,” making it impossible to debug root causes like a flawed prompt or context limit. This precedes the problem of drift, where performance silently degrades as tool APIs change or models are updated.

An Open Source Reference Architecture

A reliable agent is the centerpiece of an observable, policy-bound ecosystem. This architecture relies entirely on open, interchangeable standards.

  • Serving Layer: KServe or Ray Serve handle deployment. KServe offers a standard InferenceService, while Ray Serve excels at orchestrating complex agent logic. vLLM can optimize batching.
  • Agent Controller: The agent’s “brain” should be a durable workflow using Temporal or Celery to checkpoint state.
  • Tools: Tools are containerized services with JSON Schema or OpenAPI contracts, which serve as the agent’s guide for usage.
  • Policy and Safety: Open Policy Agent (OPA) or Kyverno acts as the central gatekeeper, requiring permission before any tool is called. Presidio can redact PII from prompts and logs at the edge.
  • Retrieval (RAG): FAISS or pgvector provides search. Apache Spark or Apache Flink run the ingestion pipelines.
  • Queues and Streams: Kafka or RabbitMQ is essential for decoupling components, buffering approval requests, and streaming observability events.
  • Observability: OpenTelemetry traces the agent’s entire decision-making process. Prometheus scrapes metrics for cost and errors, and Grafana provides the dashboard.
  • Portability: ONNX is valuable for ensuring models can be served across different runtimes.

The Bounded Agent Loop

The core of a production-ready design is the Bounded Agent Loop, which enforces strict budgets and classifies every potential action using the Automate, Augment, Human-Only framework.

  1. Automate: Low-risk, read-only tasks. The agent has full autonomy (e.g., searching a public knowledge base).
  2. Augment: Medium-risk tasks. The agent proposes a plan or draft, which a human must approve (e.g., drafting a sensitive customer email).
  3. Human-Only: High-risk actions. The agent is forbidden from executing these, period (e.g., deleting production data, changing user permissions).

The agent controller enforces this by applying a hard budget to every run. If any budget is hit, the loop terminates and is escalated.

  • Budgets: Step Budget (Max 10 steps), Token Budget (Max 8,000 tokens), Tool Budget (Max 3 calls to any single tool), and Wall Time Budget (Max 120 seconds).

Responsible AI and Human-in-the-Loop Controls

Safety is enforced at the tool-call boundary. Every action must be auditable and governed by policy.

The Responsible AI Checklist

Before any new tool is added, it must pass a checklist covering: Consent, Sensitivity (PII), Bias Risk, and Auditability.

Enforcing Human-in-the-Loop (HIL)

For “Augment” or “Human-Only” actions, the agent’s job is to propose, not to execute. The controller stages the proposed action and flags it for HIL approval. A human operator generates an approval artifact—a signed predicate, like a short-lived signed token, that includes the run’s trace identifier. The policy engine validates this artifact before permitting the final execution.

Implementation Concepts

  1. Defining Tool Contracts (JSON Schema) A tool contract defines the tool’s inputs (e.g., a user ID) and describes its function. This structured schema is the agent’s primary prompt for correct tool use.
  2. Enforcing Policy (OPA/Rego) A policy would define a “default deny” rule. It would allow read-only tools but explicitly deny a high-risk tool (like one that deletes a user) unless the request includes a validated human approval artifact, programmatically enforcing HIL.
  3. Deploying the Service (KServe) The agent model is deployed via a standard InferenceService manifest. This turns the agent into a standard, scalable, and manageable Kubernetes service.
  4. Tracing Execution (OpenTelemetry) To debug the “black box,” you create a parent trace for the entire agent run, tagging it with the initial user prompt and final metrics. Child traces for every tool call are tagged with the parameters sent and the output received, giving a readable trace of the agent’s thought-and-action process.
  5. Alerting on Failure (Prometheus) Alert rules watch for behavioral failures, not just server errors. An alert can fire if the rate of tool calls for one agent exceeds a set threshold (signaling a retry storm) or if the average cost-per-run exceeds a set budget.

Efficiency Without Sacrificing Safety

Once the foundation is in place, we focus on efficiency without creating new risks.

  • Optimization: Aggressively cache everything with a short TTL: prompt results, RAG lookups, and tool calls.
  • Serving: Use a serving runtime that supports continuous batching. Use KV cache reuse and speculative decoding to speed up token generation.
  • Tiering: Use a small, fast model as a router to classify intent, only escalating to the largest model when necessary. Quantization can dramatically reduce latency and cost for non-precision-sensitive tasks.

CI/CD for Agents

An agent is code. It needs a CI/CD pipeline.

CI Evaluation

On every commit, the agent runs against a “golden set” of evaluation tasks defined to test both behavior and safety. A “pass” case checks that a user details query calls the correct tool; a “fail” case checks that a dangerous query (e.g., “delete user”) is correctly blocked by policy. The build fails if accuracy drops or if a safety policy fails. The pipeline must also log model, tool, and data versions to detect drift.

The Closed Feedback Loop

A production agent requires a tight, closed feedback loop.

  1. Capture Signals: Collect traces, user feedback, and cost metrics.
  2. Weekly Triage: A human team reviews the worst-performing traces.
  3. Policy-First Updates: Before retraining, fix the failure by updating the prompt, the tool’s schema description, or the policy rules. This is faster and cheaper.
  4. Canary Updates: All changes roll out as canaries in shadow mode, proving their safety against the production version before a full rollout.

Production Plan

  1. Internal Shadow Mode. Deploy the agent but expose it only to copies of live traffic. Humans review logs daily for safety flaws.
  2. Internal Canary. Enable the agent for a small, expert group of internal users. Gather direct, qualitative feedback.
  3. External Canary (1%). Roll out to 1% of external users. Monitor alerts for cost, error rates, and retry storms.
  4. Phased Rollout (10% -> 100%). Gradually increase traffic, watching the dashboards at each step.

The Architectural Imperative

The core lesson from operating large-scale AI is that governance dictates performance. By focusing engineering effort not on the model’s core intelligence, but on the scaffolding that surrounds it, the system gains deterministic reliability. This open source architecture ensures that whether the agent is facing an unexpected budget threshold, an ambiguous user request, or a potential security exposure, the system will reliably defer to policy and human judgment rather than failing silently or destructively. The true measure of a production-ready agent is not its intelligence, but its obedience to the safety envelope.

Conclusion

Moving an AI agent into production is an architectural challenge, not just a modeling one. Success depends on embracing open standards and a policy-first mindset. By implementing a bounded loop, defining clear human-in-the-loop controls, and leveraging the open source ecosystem for governance and observability, teams can reliably deploy agents that transition safely from a limited demo environment to a scalable, cost-effective, and trustworthy production reality. The necessity of strong governance and automated controls is further underscored by published research at the Association for Computational Linguistics and named U.S. patent filings in automated remediation and programmatic reprovisioning. This robust, open stack approach has demonstrably optimized efficiency, providing a performance uplift equivalent to up to 50% in total operational savings when scaling production-ready agents.

All tools and standards listed are open source or open standards; examples are interchangeable.

Author