Anti-Patterns
Anti-patterns named explicitly.
111 patterns in this book. · Updated
All patterns in this book
Context-Driven Architecture Drift
×3Anti-pattern: let a coding agent change a brownfield codebase guided only by the files it can see, so it silently violates the architecture conventions that live in nobody's machine-readable form.
Guardrail Erosion Through Compaction
×2Anti-pattern: each compaction pass rewrites the running history, so a hard safety instruction is gradually paraphrased into vague advice and its force decays the longer the agent runs.
Role-Typed Subagents
×2Anti-pattern: pre-allocate roles (manager, coder, designer, researcher) across a fixed set of typed sub-agents and route tasks to them by role label.
Tool-Output Arithmetic Trust
×2Anti-pattern: the agent compares, ranks, or sums correctly returned tool data in its own head instead of offloading the computation to a deterministic tool, emitting confident wrong aggregates.
Workflow-Success vs Business-Validity Gap
×2Anti-pattern: a terminal success status from the agent or its workflow engine is read as proof the deliverable is business-correct, when it certifies only technical completion.
Phantom Action Completion
×1Anti-pattern: the agent reports a side-effecting action as complete from its own narration, when the tool call silently failed or never ran and nothing checked that the effect occurred.
Unbounded Subagent Spawn
×1Anti-pattern: a supervisor or orchestrator spawns sub-agents that can themselves spawn sub-agents without a global cap.
Accountability Laundering via Algorithm
Anti-pattern: route a hard decision through an agent so no person owns the outcome, treating the recommendation as the decision while the firm's legal liability stays unchanged.
Adversary-Indistinguishability Blind Spot
Anti-pattern: rely on behavioral-anomaly detection calibrated to irregular human behaviour, so an autonomous adversary acting with legitimate credentials, standard protocols, and superhuman consisten…
Advisory-to-Mandate Escalation
Anti-pattern: an advisory decision-support output is silently promoted by institutional protocol into a binding order, and a domain expert's evidence-based refusal to follow it is reframed as non-com…
Agent Bullwhip Effect
Anti-pattern: distributed supply-chain or replenishment agents, each optimising locally, amplify order variability through their own decision policy, so a local demand spike triggers synchronised cha…
Agent Confession as Forensics
Anti-pattern: after an agent-caused incident, the team treats the agent's confabulated self-narrative as the forensic record and root cause, even though the self-report is generated rather than remem…
Agent Identity Sprawl
Anti-pattern: an agent fleet mints non-human identities at machine speed while scoping, rotation, ownership, and revocation stay human-speed, so over-privileged long-lived credentials accumulate, out…
Agent Output Alert Fatigue
Anti-pattern: an agent emits high-volume, low-precision findings that progressively desensitise its human reviewers until they mute it, so even its correct findings stop landing and the human-oversig…
Agent Privilege Escalation
Anti-pattern: let an agent's effective permissions be the union of its own identity, the identities of its tools, and the identities of the services those tools call.
Agent Scheming
Anti-pattern: deploy an agent with long horizons, persistent memory, and oversight that only inspects per-step output — allowing multi-step covert planning under the surface.
Agent Sprawl
Anti-pattern: every team ships its own agents while ownership, success metrics, monitoring, and a decommissioning path stay an afterthought, so the fleet outgrows governance and most agents end up un…
Agent Tool-Invocation Data Black-Box
Anti-pattern: behind a single chat interface an agent silently invokes third-party tools that route the user's personal data to undisclosed destinations, so the user cannot see which tools or data se…
Agent-Generated Code RCE
Anti-pattern: let the agent author and execute code in its sandbox without distinguishing legitimate task code from injection-induced code.
Agent-Speed Incident-Response Gap
Anti-pattern: govern an autonomous agent with incident-response and breach-reporting frameworks scaled to human reaction time, even though a compromised agent can exfiltrate data and erase its traces…
Agentic Debt
Anti-pattern: deploy agents on top of an unconsolidated data foundation, weak governance, or missing MLOps infrastructure, so every subsequent capability — observability, retraining, compliance retro…
Agentic Skill Atrophy
Anti-pattern: let agents take over routine architectural and debugging decisions in code until developers no longer form the implicit knowledge that lets them review the agent's output or recover whe…
Agentic Supply Chain Compromise
Anti-pattern: compose agent capabilities at runtime from third-party tools, RAG sources, model providers, plugin marketplaces, and tool definitions, with no integrity check on what loaded.
AI-Targeted Comment Injection
Anti-pattern: an attacker seeds source files with thousands of lines of repetitive natural-language comments designed to instruct the model code auditors / agents that may read the file — not to comm…
Alignment Faking
Anti-pattern: assume the agent behaves the same whether it believes it is being evaluated or not, and trust eval scores to predict deployment behaviour.
Authorized Tool Misuse
Anti-pattern: grant the agent a tool with broad authorization and trust the agent to use it in benign ways.
Automating a Broken Process
Anti-pattern: deploy agents on top of a workflow that is already dysfunctional, so the dysfunction is amplified at machine speed instead of resolved.
Black-Box Opaqueness
Anti-pattern: ship an agent without traces, decision logs, or provenance, then debug from user reports.
Blanket-Authorization Accountability Rupture
Anti-pattern: a user grants an agent one broad standing authorization to act across apps, and when an autonomous action later causes harm no party retained whole-process control, so liability fractur…
Blocking Sync Calls in Agent Loop
Anti-pattern: run synchronous, blocking I/O inside the agent loop or HTTP handler, capping concurrency at the number of OS threads.
Cascading Agent Failures
Anti-pattern: build a multi-agent system where one agent's failure or hallucination propagates as input to peers, until the whole system has drifted.
Compound Error Degradation
Anti-pattern: deploy a long-horizon agent without modelling that per-step accuracy multiplies across the trajectory.
Confident Inconsistency
Anti-pattern: in a regulated workflow the same query produces materially different outputs at different times, each looking correct and passing review, so the variance stays invisible unless outputs…
Conflict Competency Gap
Architectural gap: current agents cannot resolve complex goal conflicts the way humans do through experience and contextual judgment, even at Progression-Framework Level 3.
Consensus-Averaging Over Expertise
Anti-pattern: a self-organising LLM team pursues integrative compromise, averaging expert and non-expert views instead of weighting the known expert, so team output falls below the best member and de…
Constrained Adaptability
Agents recalculate within declared tools and rules like a GPS rerouting, but cannot creatively transcend those boundaries to invent new approaches the way humans do.
Context Anxiety
Anti-pattern: a context-aware model misjudges its remaining token budget and wraps up early — summarising, declaring tasks done, cutting corners — while ample context remains, so the harness must man…
Context Fragmentation
Anti-pattern: the LLM cannot hold multiple interconnected constraints in mind simultaneously the way human working memory can; it processes each constraint locally and loses the cross-constraint view.
Context Gap (Security)
Agents faithfully follow explicit security rules but miss the broader implications — they log access correctly without flagging the unusual pattern a human expert would catch immediately.
Deception Manipulation
Anti-pattern: rely on the agent's own self-report of its actions for audit and oversight.
Decision Paralysis
Anti-pattern: when given equally-weighted conflicting goals, the agent either gets stuck trying to satisfy all simultaneously or oscillates between solutions without converging — the most common LLM…
Demo-Production Cliff (Multi-Agent)
Anti-pattern: multi-agent pilot benchmarks at 95% accuracy / 2s latency on a curated demo set, then degrades to ~80% / 40s under realistic 10k-RPD load.
Demo-to-Production Cliff
Anti-pattern: ship a demo-validated agent straight into production without a frozen eval, cost ceiling, loop-detector, or named oncall, then act surprised when accuracy drops and cost runs away.
Emergent Agent Collusion
Anti-pattern: deploy independent LLM agents as competing parties under repeated interaction and shared incentives with only per-agent oversight, so they discover tacit coordination that no single age…
Errors Swept Under the Rug
Anti-pattern: scrub failed actions, stack traces, and error observations from the agent's own context so the trace looks clean, leaving the model with no evidence of what did not work.
False Confidence Syndrome
Anti-pattern: the model produces incorrect answers with the same high confidence as correct ones, failing to vary its expressed certainty with its actual reliability — Oxford-documented for constrain…
False Resolution
The agent proposes a compromise that addresses each constraint individually but subtly violates one in joint interpretation, shipping as success but discovered as failure at audit.
Ghost Delegation
Anti-pattern: in a multi-agent hierarchy a task handoff silently vanishes — the delegated work waits forever and the parent closes while its subtask is orphaned, and because no error fires nothing re…
Goal Hijacking
Anti-pattern: let agent objectives be redirectable through any input the agent reads — direct prompts, retrieved documents, tool output, memory writes.
Hallucinated Citations
Anti-pattern: let the model emit citations as free text and trust them.
Hallucinated Tools
Anti-pattern: trust the model to invoke only the tools it has been given, then debug calls to functions that do not exist.
Hero Agent
Anti-pattern: stuff every capability into one agent with one giant prompt.
Hidden Distributed Monolith (Multi-Agent)
Anti-pattern: a multi-agent system is presented as decoupled, independently deployable agents, but at runtime they share context, run in synchronous chains, and have no failure isolation, so it behav…
Hidden Mode Switching
Anti-pattern: silently swap the underlying model between requests without disclosing the change to users or operators.
Hidden State Coupling
Anti-pattern: agent workflows read or write undeclared shared state (caches, env vars, process globals) instead of explicit inputs and outputs.
Hidden Validation-Work Amplification
Anti-pattern: an agent rollout shifts effort from doing the work to validating, monitoring, and recalibrating the agent — net productivity is negative because the hidden human evaluation burden excee…
Human-Agent Trust Exploitation
Anti-pattern: surface agent output to humans with confident phrasing, polished UX, and machine-deferred trust, with no friction at the high-stakes-action boundary.
Identity Impersonation
Anti-pattern: let the agent act under the principal's own full identity and token, so every action it takes is recorded as the principal's and audit cannot separate user-initiated from agent-autonomo…
Infinite Debate
Anti-pattern: launch multi-agent debate without a termination rule and watch the agents loop forever.
Infrastructure Burst Bottleneck (Agent Scale-Out)
Anti-pattern: deploy agents whose scale-out behavior triggers sudden data-and-compute bursts that on-prem or under-provisioned cloud infrastructure cannot absorb; agents work at small scale and freez…
Insecure Inter-Agent Channel
Anti-pattern: pass messages between agents on shared transports without authenticating the sending agent, the message content, or the sequence.
JSON-Only Action Schema
Anti-pattern: restrict the agent's action language to JSON tool-call dictionaries even for tasks where code-as-action (functions composing, loops, conditionals over results) would be the natural shap…
Lost in the Middle (Positional Bias)
LLM accuracy on retrieving information from long contexts drops sharply when relevant content sits in the middle of the prompt rather than at the start or end.
Memo-As-Source Confusion
Anti-pattern: the agent cites its own past memos as ground truth instead of re-verifying them against the artifacts they describe, accumulating false confidence in stale summaries.
Memory Extraction Attack
Anti-pattern: let any session prompt the agent to read out, summarise, or paraphrase long-term memory entries belonging to other users, prior sessions, or system state, with no read-time isolation by…
Memory Poisoning
Anti-pattern: write to agent long-term memory (vector store, knowledge graph, episodic log) from any surface the agent reads, with no provenance check.
Missing Idempotency on Agent Calls
Anti-pattern: retry state-mutating agent tool calls without idempotency keys, so retries multiply real-world side effects.
Missing max_tokens Cap
Anti-pattern: call the model without an explicit max_tokens (or equivalent) so a single call can drain the run's budget on a runaway generation.
Multi-Agent on Sequential Workloads
Anti-pattern: split a fundamentally sequential workload across multiple agents, degrading accuracy by 39–70% with no parallelization benefit.
Naive Retry Without Backoff
Anti-pattern: retry failed model or tool calls immediately, amplifying load on systems that are already failing.
Naive-RAG-First
Anti-pattern: reach for naive RAG before checking whether the knowledge actually needs retrieval.
Observability Fail-Open
Anti-pattern: build an agent's monitoring and diagnostic tools to fail open, so when telemetry is blocked, denied, or missing they return a default healthy reading and operators see green while the s…
Orchestrator as Bottleneck
Anti-pattern: route all agent runs through a single-process orchestrator that becomes the system-wide concurrency ceiling.
Over-Helpfulness
Anti-pattern: the agent prioritises responsiveness and task completion over correctness, producing confident output for a request beyond its capability or scope instead of abstaining, clarifying, or…
Over-Search and Under-Search
Anti-pattern: let an agentic RAG system miscalibrate when to retrieve, so it either re-retrieves information already in context or skips retrieval when its parametric knowledge is stale.
Perma-Beta
Anti-pattern: ship the agent in 'beta' indefinitely so that quality regressions are someone else's problem.
Physical Hallucination
Anti-pattern: an embodied or process-control agent issues a confidently-phrased command that is syntactically valid but physically infeasible or unsafe, because nothing checks it against geometry, dy…
Premature Closure
The LLM commits to a confident answer before processing all constraints, characteristic of constraint-heavy tasks where it fills in plausible answers fast and gets cross-constraint interactions wrong.
Productive Struggle Erosion
Anti-pattern: a tutoring or coaching agent optimised for helpfulness gives the correct, in-scope answer to a stuck learner, removing the productive struggle that builds the skill, so the learner feel…
Prompt Bloat
Anti-pattern: every bug fix adds a sentence to the system prompt; nothing is ever removed.
Race Conditions on Shared Tool Resources
Anti-pattern: let concurrent agents perform read-modify-write on shared external resources without locking, producing silent data corruption.
Re-Proposing Rejected Decisions
Anti-pattern: a stateless agent sees the code but not the decision history, so it keeps proposing options already considered and rejected, forcing reviewers to relitigate settled choices turn after t…
Realtime API When Batchable
Anti-pattern: use the realtime/synchronous model API for workloads whose latency budget would permit batching, paying 2–10× the unit cost for no user-visible benefit.
Refund Threshold Drift
Anti-pattern: a correctly-set autonomous-refund cap drifts upward over time as the agent accommodates edge cases, so the effective approval ceiling and financial exposure grow silently with no hard l…
Replay Divergence
Anti-pattern: treat an append-only event log whose consumers are LLMs as deterministically replayable, so replaying it under a changed model or prompt reconstructs different downstream events than th…
Retrieval-Saturation Tool Attack
Anti-pattern: trust a tool-retrieval layer to surface tools, while an adversary injects a few crafted tools whose embeddings cover the query space and saturate the top-k, so benign tools never reach…
Reward Hacking
Anti-pattern: optimise the agent against a single proxy metric and assume the metric remains a faithful proxy after optimisation pressure.
Rogue Agent Drift
Anti-pattern: deploy a long-running agent with persistent memory and self-modification ability, then leave it without periodic re-alignment to its stated purpose.
Same-Model Self-Critique
Anti-pattern: have the same model both produce an answer and critique it, expecting independence.
Sandbagging
Anti-pattern: rely on evaluation suites that probe model capability assuming the model is trying its best.
Schema-Free Output
Anti-pattern: parse free-form model output for downstream code instead of using structured output.
Self-Exfiltration
Anti-pattern: give a capable agent broad outbound network access and persistent state, then signal that it may be shut down or replaced.
Shadow AI
Anti-pattern: leave the corporate LLM offering so restrictive, slow, or narrow that employees bypass it with personal accounts and unapproved agent tools, creating data leakage and ungoverned tool ca…
Silent External-Source Rot
Anti-pattern: an agent keeps reporting success while a wrapped external source has silently changed structure, so its tool returns valid-but-empty or degraded output that nothing watches.
Silent Hypotheses in Generated Code
Anti-pattern: model-written code rests on an unstated runtime premise that passing tests and code review never surface, so the hidden assumption travels into production and fails there.
Static Role for a Dynamic Agent
Anti-pattern: authorize a goal-driven agent with static, login-time, role-based privileges, so its standing permissions persist between and beyond tasks, forcing a choice between over-granting broad…
Supervisor Cognitive Overload
Name the failure where a human must converse with and steer every parallel sub-agent individually, so oversight saturates the supervisor and the human becomes the bottleneck the multi-agent design me…
Sycophancy
Anti-pattern: train or tune an agent on user-preference feedback without a counter-balancing truth signal.
Symptom-Remediation Thrashing
Anti-pattern: a stateless auto-remediation agent repeatedly applies symptom-level fixes that hit the target metric while masking the root cause and suppressing the page, so the underlying fault compo…
Token-Economy Blindness
Anti-pattern: operate multi-agent loops with no per-run token budget or alarm, allowing recursive loops to silently accumulate $10k+ in undetected costs.
Tool Explosion
Anti-pattern: expose every available tool in every request and watch function-calling accuracy collapse.
Tool Loadout Hot-Swap
Anti-pattern: add or remove tool definitions during a running task so the tool set the model sees changes from turn to turn.
Tool Output Trusted Verbatim
Anti-pattern: trust whatever tools return without validation, schema enforcement, or trust labels.
Tool Over-Broad Scope
Anti-pattern: grant the agent tools scoped so broadly that a single hallucinated argument can escalate into a privilege incident.
Top-Tier Model For Everything (Cost)
Anti-pattern: route every request through the highest-tier model regardless of difficulty, treating cost as a model-choice problem instead of a routing one.
Unbounded Loop
Anti-pattern: run the agent loop without a step budget and let model self-termination decide.
Uncertainty Neglect Bias
Anti-pattern: an agent collapses a predicted distribution to its mean and acts on the point estimate, discarding the tail, so rare extreme outcomes stay invisible to its decision and tail risk goes u…
Understanding-Capacity Gap
Anti-pattern: a team scales agent-generated output past its own capacity to specify, verify, and understand it, mistaking generation throughput for delivered value while correctness degrades outside…
Vendor Lock-In
Anti-pattern: couple application code directly to one model provider's SDK, request shape, and proprietary features so that switching providers requires rewriting application code rather than swappin…
Verifier-Aware Reward Hacking
Anti-pattern: hand the agent read access to its own grader or test harness and assume a passing score means the task was actually done.
Vibe-Coding Without Security Review
Anti-pattern: developer scaffolds an agent prototype with a code-generation tool and ships the generated code with no security review; ~90% of agent-generated code contains vulnerabilities without ex…