Why architecture matters here

Agent eval architecture matters because agents fail in ways models don't. Tool loops, wrong tool selection, unsafe actions, cost blowout — all agent-specific. Eval must capture the multi-step behavior, not just final answer.

Cost per eval is higher than LLM eval because full agent runs are expensive. Tiered eval helps.

Reliability comes from sandbox + adversarial. Prod-like tests catch what unit tests miss.

Advertisement

The architecture: every layer explained

Walk the diagram top to bottom.

Task suite. Curated user goals + expected outcomes. Cover happy path, edge cases, adversarial.

Agent runs. Full agent execution with tools + memory in sandbox.

Success signals. Outcome achieved? Trajectory reasonable?

Outcome eval. Did the goal complete? Deterministic checks where possible; LLM judge otherwise.

Trajectory eval. How many steps? Right tools? No prohibited actions? Cost budget respected?

LLM judge. Per-task rubric evaluated by strong judge model.

Sandbox. Isolated environment where tool calls are safe (mocked or fake external).

Adversarial. Prompt injection, jailbreak attempts, edge cases.

Regression gates. Block deployment on regression beyond threshold.

Continuous online eval. Sample production for real-world quality; drift detection.

Task suiteuser goals + expectedAgent runswith tools + memorySuccess signalsoutcome + trajectoryOutcome evaldid goal completeTrajectory evalefficient + safe pathLLM judgerubric per taskSandboxsafe tool callsAdversarialred team scenariosRegression gatesblock deploy on regressionContinuous online evalprod samplingTools: LangSmith, Braintrust, W&B Weave, in-house harnesses
Agent evaluation: task suite + agent runs + outcome + trajectory + LLM judge + sandbox + adversarial + regression gates + continuous online.
Advertisement

End-to-end agent eval flow

Trace an eval. New agent version. CI runs.

Task suite of 200 tasks (customer support, coding assist, research). Each task specifies goal + expected outcome + trajectory rules (e.g., no more than 5 tool calls).

For each task, run agent in sandbox. Sandbox mocks external tools (fake DB, fake email).

Outcome eval: 180/200 succeeded. Baseline: 185/200. Regression of 5 tasks.

Trajectory eval: on succeeded tasks, average 3.2 tool calls (baseline 2.8). Increased.

Adversarial: 30 injection attempts. New version: 28 refused correctly (93%). Baseline: 29 (97%). Slight regression on safety.

Regression gate: outcome + safety regressed. Block. Investigate.

Root cause: new prompt reduced explicit refusal phrasing. Prompt fix; re-run eval; passes; deploy.

Post-deploy: sample 1% of prod traffic; run LLM judge; alert on drift.