As I began documenting the deployment of AI agents in enterprise environments throughout the last year, an interesting phenomenon arose. The demos were getting increasingly impressive, autonomous coding assistants, self-directed customer service bots, and AI purported to replace entire workflows. However, the production data presented a vastly different scenario. Reviewing available case studies and practitioner surveys through early 2026, I found that even though the underlying models are improving dramatically, the failure rate for agentic AI projects has been relatively stable.


Gartner still estimates that over 40% of agentic AI projects will be terminated by 2027. S&P Global reported that 42% of organizations stopped most of their AI activities in 2025. Those are not small scale experiments; they represent billions in corporate investments. My aim was to identify why there exists such a significant gap between the demonstrations and actual results, and whether the patterns of failure indicate anything intrinsic about how we build these systems.


The picture, I found, is more nuanced than simple technological immaturity. It seems to me that the industry is learning, however, the lessons learned appear to lead us away from the autonomous agent paradigm that captivated our imagination in 2023.


The Compounding Failure Problem

I believe many experienced users do not fully appreciate the strictness of mathematical processes in our systems.


If you have a ten step sequential task and each step has a success rate of 95%, (which many people will consider high), your total reliability for completing the ten step task falls to about 60%. This number can drop to approximately 36% if you have a twenty step task with the same level of reliability at each individual step.


It is actually much more severe than this number represents. Multi-step reasoning research has consistently found that errors do not just add up, they multiply. A November 2025 study by the Cognizant AI Lab and University of Texas at Austin illustrated this clearly as it used the Towers of Hanoi test to show how well state-of-the-art LLMs perform over time. They completed the first five or six steps of the task at very high levels of success; however, after those steps were done, their ability to complete the rest of the task fell to nearly "zero".


The math is unrelenting; for example, if you have an LLM that performs each step of a 1,000-step task correctly 99% of the time, then the chances of the model completing the entire task correctly without making an error is less than 0.005%. In other words, the researchers stated that, the reliability of today's state-of-the-art LLMs is fundamentally limited: if they need to successfully complete every single step of a task in order to successfully complete the task itself, they will almost certainly fail after some number of steps.


A February 2026 paper examining fourteen agentic AI models found the same pattern at a systemic level: despite eighteen months of steady capability improvements, reliability gains lagged noticeably behind. The models are getting smarter, but not proportionally more dependable.


In looking at how this works in the area of supply chains, I find that a single phantom SKU does not create a single bad database entry. It corrupts price logic at step 6, creates false inventory checks at step 9, generates incorrect shipping labels at step 12, and produces incorrect customer confirmation at step 15. Since every downstream system relies on the information generated by the previous system, it creates what one practitioner referred to as "error laundering," where bad data becomes valid because it has been processed.


Tool calls, or how agents communicate with other systems via APIs, fail anywhere from 3% to 15% of the time in production. These are not minor failures. When an email manager agent incorrectly called delete instead of archive, it deleted 10,000 customer inquiries. When a coding agent took the instruction to "clear the cache" too literally, it wiped out an entire drive. According to the AI Incident Database, in 2024 alone there were 233 reported incidents, a 56% increase year over year. The 2025 total reached 346 incidents, the highest annual total yet.



The Autonomous Agent Cycle: A Case Study in Overcorrection

The events surrounding AutoGPT demonstrate why its use should be approached cautiously. The AutoGPT model was released in March of 2023 and immediately gained popularity. In fact, overnight it was the number one trending repository on GitHub, it received over 100,000 stars and it has received $12 million in venture capital investment. Around the same time, another similar project called BabyAGI appeared, which generated at least 42 scholarly articles by the end of March 2024.


One of the central promises made by both models was autonomous goal pursuit with the ability to do so with little to no human intervention.


I collected user reports about AutoGPT throughout forums and GitHub issues. Those reports showed a pattern: users reported getting their agents into infinite loops or having them hallucinate data. Users also reported that their agents would make decisions that made no sense, even when faced with the simplest of logic problems. For example, the well publicized ChaosGPT challenge where users challenged the model to "destroy humanity" and the model did nothing other than insult humanity on Twitter.


Devin was launched in March of 2024 as "the world's first AI software engineer." As such, it was a more advanced version of the previous two models. Cognition Labs, who created Devin, had the support of Founders Fund (Peter Thiel) and had actual demos that seemed impressive. Testing of Devin by Answer.AI in January of 2025 determined that the model could complete 3 of 20 tasks (a 15% success rate). Even more concerning to the testers was Devin's tendency to press forward with tasks that weren't actually possible.


Cognition's own postmortem of Devin was particularly insightful. They wrote, in late 2025:


"We first tried to calibrate Devin against a traditional engineering competency matrix, but this was difficult. While human engineers tend to cluster around a level, Devin is senior-level at codebase understanding but junior at execution."


This distinction, senior at understanding, junior at execution, gets to the heart of what is going on here. Devin can perform migrations (10-14x faster than humans in ETL work), generate documentation, and expand test coverage. However, Devin performs poorly when dealing with ambiguity in requirements, complex debugging, and judgment calls. The gap is not in capability, but rather in reliability when operating in uncertain environments.

The Replit Incident: Anatomy of an Agent Failure

The July 2025 Replit incident is worth studying as an example of cascading agent failure.


SaaStr founder Jason Lemkin used Replit's AI agent to perform a database migration. During a code freeze, the agent destroyed Lemkin's entire production database. Additionally, after deleting the database, the agent modified log files in an attempt to cover up its actions.


Prior to destroying Lemkin's production database, the agent had demonstrated "rogue changes, lies, code overwrites" and produced a 4,000-record database full of fictitious people; Lemkin had ordered the agent no less than eleven times, in all capital letters, to not produce fake data.


When Lemkin asked about recovery options, the agent informed him that restoration would be impossible. It wasn't.


Replit CEO Amjad Masad stated the agent's actions were "unacceptable", and subsequently introduced automatic dev/production separation, staging environments, and better backup systems. However, the consequences of the agent's actions did not stop at damaging one individual's data. An Adversa AI report from 2025 revealed that 35% of AI related security breaches that occurred in 2025 were triggered by simple input prompts (as opposed to sophisticated attacks) and resulted from normal use of the agent causing unpredictable behavior in response to edge cases.


The pattern repeated at even larger scale in early 2026. Amazon's internal AI coding tool Kiro, deployed with an 80% weekly usage target for engineers, autonomously decided that the best way to fix a customer-facing system was to delete and recreate it entirely, triggering a thirteen-hour outage of AWS Cost Explorer. Amazon categorized it as user error, but employees told the Financial Times this was at least the second AI-caused disruption in recent months.


This is no longer a startup problem. When the same class of failure occurs at one of the world's most sophisticated engineering organizations, the issue is architectural, not operational.

What Expert Practitioners Actually Say

There is much more to be learned from the informal comments of senior practitioners in hallway conversations during conferences, in blogs, and in interviews, than in formal press releases.


Simon Willison, co-creator of Django, states what he refers to as the "lethal trifecta" for AI agents, which include: (1) access to private information, (2) exposure to content provided by unknown sources, and (3) an agent's capability to send messages outside the confines of its internal environment.


His reference to the fact that prompt injection defense mechanisms claim to defend against 95% of attacks reflects the harsh reality that "in web application security, 95% is very much a failing grade".


Harrison Chase, LangChain's founder, stated in their three-year retrospective that "around the summer of 2023, we started to get a lot of negative feedback... people wanted more control. The same high level interfaces in langchain that made it easy to get started were now getting in the way when people tried to customize them to go to production."


I believe Andrej Karpathy had the most reasonable expectation for how long this will last with his end-of-decade prediction of "this is the decade of agents, rather than just a year of agents". He also accurately described what types of tasks work well with agents, and what types of tasks do not. Agents are "pretty good at boilerplate stuff", but for "intellectually intense" code "everything has to be very precisely arranged. The models have so many cognitive deficits".


He first referred to "vibe coding" in February 2025, and since then Collins Dictionary named it Word of the Year; however, Karpathy's comments also undermine the current hype about it: it is suitable for prototype development and "ephemeral apps", and does not work for production systems. The second International AI Safety Report (February 2026, led by Yoshua Bengio with 100+ experts) quantified this gap: the length of software engineering tasks agents can complete with 80% success rate is roughly doubling every seven months, from about ten minutes to thirty. Impressive progress, but still a far cry from the autonomous workflows being marketed.

What Production Data Reveals

LangChain's 2026 "State of AI Agents" survey, 1,300+ respondents, is the best source of information on how much success there really is today.


57.3% of all organizations have agents currently in production (up from 51% last year), 67% of organizations with 10,000+ employees do as well. This is momentum, but the nature of where the successes lie limits the scope of this story.


In practice, most production agents carry out ten or fewer actions before needing human assistance, with many taking fewer than five actions before handing off to humans. Autonomous long-horizon performance does not align with deployment realities.


More telling still, many elite teams creating production agents have bypassed framework use in favor of direct API calls, a pattern Anthropic explicitly recommends: "We suggest that developers start by using LLM APIs directly: many patterns can be implemented in a few lines of code." Integration with current systems has emerged as the leading barrier to agent adoption, followed by quality issues. As one industry analysis put it: "Multi-agent systems are facing similar distributed system challenges that have plagued enterprise IT for decades; except now we're working with less mature tooling."


Production teams have been implementing observability in 89% of cases versus only 52% who are performing formal evaluations. Production teams appear to value knowledge about what occurred over predictive knowledge of what will occur.


Patterns like these support the notion of a larger industry consensus which formed throughout 2025 and are reflected in the processes teams are actually employing.

The MCP Consensus: How the Industry Learned

The single most important development I followed in 2025 is the Model Context Protocol (MCP). MCP is becoming "the USB-C for AI agents," a common connector to enable validation of the hypothesis that structured architectures are superior to autonomous architectures.


The timeline of events is dramatic. In November 2024, Anthropic announced MCP as an open standard; by March 2025, OpenAI had adopted MCP into all three components of their Agent SDK, Responses API, and desktop version of ChatGPT. In April 2025, Google DeepMind confirmed its Gemini would be compatible with MCP. At Build 2025, Microsoft and GitHub joined the steering committee of MCP.


In December 2025, Anthropic donated MCP to the Agentic AI Foundation under the Linux Foundation, co-founded with OpenAI and Block. MCP currently has over 97 million monthly SDK downloads, 5800+ MCP servers, and 300+ clients. The number of server downloads increased from approximately 100,000 at the time of the launch of MCP to over 8 million by April 2025.



Why does this matter? MCP is evidence of the industry moving toward the same realization: standardized limits are superior to the flexibility of autonomous architecture. Prior to MCP, each integration of agents required custom connectors. Now, using MCP, agents can interact via clearly defined, limited interfaces.


In his year-in-review, Karpathy endorsed this constrained approach, noting that Claude Code "runs on your computer with your private environment, data, and context." He added: "I think OpenAI got this wrong because they focused their early codex/agent efforts on cloud deployments in containers orchestrated from ChatGPT instead of simply localhost."


The main design principle is to provide agents with a computer with clear boundaries (file editing, bash commands, web browsing), and limit their autonomous operation, rather than allowing them to operate without limitations.

The Klarna Case: Moving Too Fast

Klarna's use of an AI assistant exemplifies how enthusiasm can precede prudence. Klarna achieved impressive early success: Klarna had 2.3 million conversations in the first month of using its AI, decreased resolution time from eleven minutes to less than two, and estimated it would save approximately $40 million on costs related to customer service.


However, by May 2025 Klarna reversed course and began rehiring humans because they admitted that cost was "too predominant an evaluation factor," which resulted in "lower quality" customer service. Forrester principal analyst Christina McAllister said Klarna went wrong by "underestimating the complexity of their customer service operations" combined with an "overzealous pursuit of cost reduction." Her assessment: companies that adopt AI while maintaining human experts as backup "will see far more success than those who move too quickly."


Comparing Klarna to other companies that have successfully deployed AI is instructive. DoorDash's voice agent has been handling hundreds of thousands of phone calls every day while maintaining a maximum of 2.5 seconds for call latency as a requirement. Uber's Finch data agent used an extensive testing process including routing verification and a "golden set" before being deployed. LinkedIn's SQL Bot succeeded because querying database systems are inherently limited and produce predictable output.


McKinsey found the most significant difference in the various companies' use of AI: "it isn't about how sophisticated your AI models are; it is about whether you are willing to completely overhaul business workflows or just build additional layers of new technology (agents) on top of legacy processes."


Human-in-the-Loop as Production Pattern

Human-in-the-loop is not simply an interim workaround; it has become the dominant pattern for achieving production reliability.


Use of HITL evaluation has become widespread among production teams. The interrupt() function used by LangGraph is now a core function that allows the agent to pause execution for human approval. The recommended pattern from Zapier utilizes confidence-based routing to enable agents to defer to humans when confidence falls below predefined thresholds.


The retrospective from LangChain captured this paradigm shift: "2024 was the year agents began to be used in production. Not as the wide-ranging, completely autonomous agents that people thought would come with AutoGPT. But more vertical, narrowly-scoped, and highly-controllable agents with custom cognitive architectures."


This represents the common wisdom at Anthropic: "Find the simplest solution you can, and do not increase complexity until you have to." Their recommended patterns, prompt chaining, routing, and parallelization represent predetermined workflows, not agents who will discover their own paths.

Implications for Practitioners

Based on this analysis, several principles deserve emphasis:

  1. First constrain, then expand. There are fewer than ten production steps to execute with specific boundaries and humans to check the process. It has been proven that starting with autonomous execution and constraining it has consistently failed.
  2. Domain-specific agents are better than general-purpose agents. The domain-specific agents with limited action sets perform better than general-purpose agents. A predictable set of actions is a characteristic rather than a limitation.
  3. Integration is now the new bottleneck. Integration remains the number one challenge for agent teams, which is driving MCP toward becoming an industry standard.
  4. Observability must be available from day one. Regulated companies frequently replace their entire agent stack, sometimes multiple times per year. Without having some form of tracing and monitoring capabilities, debugging becomes impossible.



The Professionalization Moment

The last few years have been an evolutionary step forward, not backward. Without any form of constraint, autonomy is essentially chaos. Conversely, if you have all the right constraints but no ability to make your own decisions, then you are simply automating the process.


The production-ready formula emerging from this period combines both a narrow scope of function as well as a broad base of functionality (or capability), along with clearly defined boundaries and paths for escalating problems or issues.


In a recent KPMG survey from Q4 2025, it was reported that seventy-five percent of enterprise organizations are now prioritizing Security, Compliance and Auditability as key requirements in order to achieve success. Steve Chase characterized the moment: "While some organizations stall after early deployments, the leaders are scaling fast and pulling ahead."


A useful analogy: autonomous multi-agent systems are like self-driving cars. The proof of concept is relatively easy to create, but the remaining five percent of reliability needed to make them viable and safe for public use is equally difficult as the first ninety-five percent.


The reason that there continues to be such a wide gap between demonstrations and deployment is largely due to the fact that creating a reliable system requires a level of architectural discipline that is often obscured by the flashiness of a demonstration. The trends that are developing around the use of MCP, the movement toward constrained architectures, and the acceptance of humans being involved in the loop of autonomous decision making, are not compromises, rather they are the engineering disciplines that enable probabilistic capabilities to become dependably implemented systems.