Sign in Subscribe
AI Agents

Why Backend Engineers Are Wrong to Treat AI Agent Reliability as an Infrastructure Problem , It's Actually a Contract Design Problem

Scott Miller

8 min read

I have enough to work with. Let me write this thought leadership piece now using my deep expertise in the subject. ---

There is a pattern I keep seeing play out across engineering teams right now, and it is costing companies months of wasted effort. A team ships an AI agent. The agent starts hallucinating actions, calling the wrong tools, skipping steps, or producing unpredictable outputs. Someone files a ticket. The ticket lands in the backend team's queue. And the backend team does what backend teams are trained to do: they reach for infrastructure solutions.

They add retries. They add circuit breakers. They add queues with dead-letter handling. They spin up better observability dashboards. They tune timeouts and increase replica counts. They treat the agent like a flaky microservice and throw the entire SRE playbook at it.

And the agent keeps failing. Because the problem was never infrastructure. It was always a contract problem.

This is not a criticism of backend engineers. The instinct is completely rational. Infrastructure solutions are the right answer for almost every other reliability problem they have ever faced. But AI agents are not microservices. They are reasoning systems operating inside a web of implicit agreements, and when those agreements are poorly defined, no amount of Kubernetes tuning will save you.

The Infrastructure Instinct and Why It Fails Here

Backend engineering has a beautiful, battle-tested mental model for reliability: systems fail because of resource exhaustion, network partitions, hardware faults, or software bugs. The solution space is well-understood. You add redundancy, you handle errors gracefully, you observe everything, and you design for eventual consistency.

This model works because the logic of a traditional service is deterministic. Given the same input, a well-written function returns the same output. Failures are environmental, not cognitive. The code itself does not misunderstand what it is supposed to do.

An AI agent is different in a fundamental way. Its "logic" is probabilistic and context-sensitive. It does not fail because a pod crashed. It fails because it received an ambiguous instruction, encountered a tool whose behavior contradicted its description, or was asked to operate in a situation its training did not anticipate. These are not infrastructure failures. They are contract violations: broken agreements between the system's components about what each one promises to do, accept, and return.

Throwing more infrastructure at a contract violation is like adding more lanes to a highway to fix a problem caused by bad road signs. You can scale all you want. The drivers are still going the wrong direction.

What "Contract" Actually Means in an Agent System

When I use the word "contract" here, I mean it in the broad sense borrowed from Bertrand Meyer's Design by Contract: a formal or semi-formal agreement between a caller and a callee about preconditions, postconditions, and invariants. In traditional software, these contracts are enforced by type systems, validators, and tests. They are explicit.

In an AI agent system, contracts exist at multiple layers, and almost none of them are explicit by default:

  • The prompt-to-agent contract: What the agent is expected to do, what authority it has, what it should do when it is uncertain, and what it must never do.
  • The agent-to-tool contract: What each tool actually does (not just what its name implies), what inputs it accepts, what outputs it guarantees, and what side effects it produces.
  • The tool-to-environment contract: What state the environment must be in for the tool to work correctly, and what state the tool leaves behind after execution.
  • The agent-to-user contract: What the user can reasonably expect the agent to handle, escalate, or refuse.
  • The step-to-step contract: What each action in a multi-step plan assumes about the outputs of previous steps.

When an agent behaves unreliably, the root cause is almost always a violation somewhere in this hierarchy. A tool description promises one thing and delivers another. A prompt grants authority without specifying limits. A multi-step plan assumes a clean state that a prior action did not guarantee. These are contract failures, full stop.

The Three Most Common Contract Failures in Production Agents

1. The Lying Tool Description

This is the single most common failure I see, and it is almost never caught in development. A tool is registered with a name like send_notification and a description that says "sends a notification to the user." The agent calls it confidently. But in production, "send_notification" actually triggers a transactional email, updates a database record, and enqueues a follow-up task. The agent had no idea. Its contract said "sends a notification." The reality was a three-part side-effecting operation.

The fix is not better error handling. The fix is a richer, more honest tool contract: explicit side effects, explicit preconditions, explicit idempotency guarantees (or lack thereof). The agent needs to know what it is actually agreeing to when it calls that function.

2. The Underspecified Authority Boundary

A common pattern in agentic systems is giving an agent a broad system prompt like "You are a helpful assistant that manages customer accounts." This sounds fine until the agent decides that "managing" an account includes deleting it, merging it with another, or sending a refund without approval. The agent was not hallucinating. It was operating within the logical scope of its contract. The contract was just catastrophically underspecified.

Backend engineers often respond to this by adding guardrails in the infrastructure layer: rate limits, kill switches, sandboxing. These are valuable, but they are defensive measures around a broken contract. They do not fix the underlying ambiguity. The agent still does not know where its authority ends. You have just added a fence around a confused driver.

3. The Stateful Step Assumption

In multi-step agentic workflows, each action typically assumes something about the world as the previous step left it. This is an implicit contract between steps, and it breaks constantly in production. Step two assumes the file that step one created is in a specific format. Step three assumes the API call in step two was idempotent and can be retried. Step four assumes a lock was released.

Engineers see these failures and add retry logic with exponential backoff. That is the right infrastructure response to a network timeout. It is the wrong response to a state assumption violation. Retrying an action that assumed clean state against dirty state does not fix the problem. It repeats it, potentially making things worse.

Contract Design as a First-Class Engineering Discipline

The good news is that contract design for AI agents is a learnable, practicable discipline. It is not magic. It draws from ideas that already exist in software engineering: interface design, API specification, formal verification, and type theory. The challenge is adapting these ideas to systems where the "caller" is a probabilistic reasoning engine rather than a deterministic function.

Here is what rigorous contract design looks like in practice for agent systems:

Write Tool Contracts Like API Specifications, Not Docstrings

Every tool an agent can call should have a specification that includes: the precise action it performs, every side effect it produces, its idempotency guarantee, the preconditions required for it to succeed, the postconditions guaranteed upon success, and the failure modes it can return. This is not overhead. This is the minimum viable contract. Treat it with the same rigor you would treat an OpenAPI specification for a public endpoint.

Critically, this specification is not just documentation for human engineers. It should be surfaced to the agent itself, either directly in the tool description or through a structured context layer. The agent's reasoning is only as good as the contracts it can read.

Define Authority Scopes Explicitly and Structurally

An agent's authority should be defined not just in natural language ("be helpful but careful") but structurally, through the tools it has access to, the parameters those tools accept, and the explicit constraints baked into the system prompt. If an agent should never delete records, it should not have access to a delete tool, full stop. Do not rely on the agent's judgment to honor a soft instruction. Structure the contract so the violation is architecturally impossible.

This is a design principle, not an infrastructure principle. It requires thinking carefully about capability boundaries at design time, not patching them at runtime.

Model State Transitions Explicitly Between Steps

In multi-step workflows, treat each step's output as a typed, validated handoff to the next step. Do not let the agent pass raw outputs between actions without validation. Define what a "successful" step output looks like, validate it before the next step consumes it, and fail loudly (not silently) when the contract is violated. This is the agentic equivalent of strong typing between function calls.

Some teams are now building lightweight "step contracts" as part of their workflow definitions: a small schema that each step must produce and each step must receive. This adds a small amount of overhead but dramatically reduces the class of failures caused by implicit state assumptions.

The Organizational Problem Behind the Technical One

There is a reason this keeps happening, and it is not just technical. In most engineering organizations, the people who design AI agent behavior (ML engineers, prompt engineers, product managers) are different from the people who own system reliability (backend engineers, SREs). When an agent fails in production, the ticket goes to the reliability team. They fix what they can fix: the infrastructure. The contract design issues, which live upstream in the design process, never get addressed.

This is a classic Conway's Law problem. The system's failure modes reflect the communication structure of the team that built it. Contract design for AI agents requires a cross-functional discipline that does not yet have a clean home in most organizations. It lives awkwardly between prompt engineering, API design, and system architecture.

The teams getting this right in 2026 are the ones who have created explicit ownership of "agent interface design" as a role or at least a responsibility. Someone owns the contracts. Someone reviews them. Someone updates them when tools change. It is not glamorous work, but it is the work that actually makes agents reliable.

Infrastructure Still Matters. Just Not First.

To be clear: I am not arguing that infrastructure is irrelevant to AI agent reliability. Observability, rate limiting, graceful degradation, and sandboxing all matter. An agent operating with well-designed contracts still needs to run on reliable infrastructure. These are complementary concerns.

The argument is about priority and diagnosis. When an agent fails, the first question should not be "what infrastructure fix can we apply?" It should be "which contract was violated?" Infrastructure solutions applied to contract problems are expensive, slow, and ultimately ineffective. They treat symptoms. Contract design treats causes.

Think of it this way: infrastructure reliability is about making sure the agent can run. Contract design is about making sure the agent knows what to do when it does. You need both, but you need contract design first.

A Different Mental Model for a Different Kind of System

The broader shift I am asking for is a change in mental model. Backend engineers are extraordinarily good at reasoning about systems where the failure modes are physical: machines crash, networks partition, disks fill up. AI agents introduce a new class of failure mode: cognitive ambiguity. The system does not know what it is supposed to do, because no one told it clearly enough.

Cognitive ambiguity cannot be solved with more hardware or smarter deployment pipelines. It is solved by writing better contracts: clearer instructions, more honest tool descriptions, more explicit authority boundaries, and more rigorous step-to-step handoffs. This is design work. It is specification work. It is, in many ways, closer to legal drafting than to systems engineering.

That is uncomfortable for engineers who are used to solving problems with code. But the sooner we accept that AI agent reliability is fundamentally a design and specification problem, the sooner we stop wasting months of engineering effort on infrastructure solutions that were never going to work.

Conclusion: Own the Contract

If you are a backend engineer reading this, I want to be direct: your skills are genuinely valuable in AI agent systems. Your instincts about fault tolerance, observability, and graceful degradation are needed. But the next time an agent behaves unreliably, before you open the infrastructure playbook, ask yourself one question: which contract was violated?

Find the broken agreement. Fix the specification. Then, and only then, layer your infrastructure solutions on top of a system that actually knows what it is supposed to do.

The agents that are running reliably in production today are not running on better hardware. They are running on better contracts. That is the lesson the industry is still learning, and the sooner backend engineers internalize it, the faster we all move forward.

Sign up for more like this.

Enter your email
Subscribe