Skip to content
Book demo
Back to Guides

Agent Platform Engineering: A Reference Architecture

Jul 4, 2026
Ani Galstian
Ani Galstian
Agent Platform Engineering: A Reference Architecture

Agent platform engineering is a production infrastructure model for hosting, governing, and operating AI agents. It adds runtime layers for agents that plan, call tools, persist state, and act with delegated identity. Agentic platforms place goal-driven, context-aware AI agents inside platform-defined constraints. Those agents reason across platform data and tooling, make decisions within explicit guardrails, and execute actions on behalf of engineers with observability, auditability, and rollback mechanisms.

TL;DR

Production agent platforms decompose into orchestration, model inference, tools, memory, retrieval, control plane, and runtime layers. Traditional CI/CD and Kubernetes stacks provide deterministic delivery primitives. Agent platforms add infrastructure for non-deterministic LLM systems that operate with delegated identity across long-running, tool-driven workflows. Augment Cosmos, the unified cloud agents platform, provides those layers as Environments, Experts, and Sessions so agents share context and memory across the software development lifecycle.

Four recurring failure modes expose the platform gap. Agents lose state, overuse tools, bypass CI/CD governance, or produce plausible results that no trace can explain. Kubernetes, CI/CD, and developer portals were built for standard software delivery, which leaves agentic workloads without dedicated runtime layers for planning, tool use, memory, and delegated identity.

Why Agent Platforms Require a New Engineering Discipline

Agent platform engineering starts where traditional platform engineering stops. Autonomous actors need persistent state, discoverable tools, and identity bindings at runtime. Traditional platform engineering remains infrastructure-centric, while MLOps targets model training, deployment, monitoring, and retraining. Agent platforms coordinate non-deterministic reasoning agents that plan, call tools, and maintain memory.

Long-running, agentic workloads combine planning, tool calls, external memory, delegated identity, and post-hoc traceability. Those workloads require additional platform layers beyond the CI/CD pipelines, Kubernetes orchestration, and developer portals that support standard software delivery.

AWS describes this shift through its AgentOps operating model, noting that "just as DevOps unifies development and operations, AgentOps connects intelligence with governance and execution." The CNCF Technical Oversight Committee has also recognized "Cloud-Native Foundations for Distributed Agentic Systems" as a named initiative.

The Seven Core Layers of a Production Agent Platform

A production agent platform separates responsibilities across seven layers so teams can isolate governance, scaling, and failure domains. Implementations often merge adjacent layers, but the separation clarifies which system owns planning, execution, memory, policy, and runtime operations. Teams comparing adjacent orchestration options can map platform choices to DevOps execution patterns using a curated list of workflow orchestration platforms.

LayerPlatform responsibilityRepresentative pattern
OrchestrationPlan steps, route tools, iterateAWS Bedrock orchestration, LangGraph state graphs
Model / inferenceRun the foundation modelAzure AI Foundry, Vertex AI models
Tool / function-callingExpose callable functionsAction Groups, OpenAPI schemas, MCP servers
Memory / statePersist contextLangGraph checkpointers and stores
Retrieval / contextRetrieve external knowledgeRAG pipelines and vector stores
Control plane / data planeSeparate governance from executionCentral policy above task execution
Agent runtime / computeRun agent logicAgent Engine, Cloud Run, GKE

Layer 1: Orchestration. The control loop interprets input, plans execution, routes to tools or sub-agents, and iterates. AWS decomposes orchestration in Bedrock Agents into pre-processing, orchestration, knowledge base response generation, and post-processing. LangChain models the same responsibility in the LangGraph runtime as a runtime for long-running, stateful agents.

Layer 2: Model / Inference. The foundation model supplies reasoning at each decision step. Microsoft treats models as swappable components in Azure AI Foundry, while Google Vertex AI describes AI models as the core reasoning engine.

Layer 3: Tool / Function-Calling. Tool layers expose external actions as schemas and callable functions. AWS implements Bedrock tools as Action Groups backed by Lambda functions, Return of Control functions, and an OpenAPI schema.

Layer 4: Memory / State. Memory persists context across turns and sessions. LangChain's LangGraph memory model defines short-term thread-scoped memory through a checkpointer and long-term cross-thread memory scoped to custom namespaces.

Cross-layer design questionRelevant platform boundaryProduction concern
Who owns planning?OrchestrationPlan execution, route tools or sub-agents, and iterate
Where does context persist?Memory / statePreserve context across turns and sessions
Where does external knowledge enter?Retrieval / contextRetrieve knowledge that prompt-only continuity cannot carry
Where are policy and identity governed?Control plane / data planeSeparate governance from task execution
Where does agent logic run?Agent runtime / computeExecute agent logic separately from model inference

Layer 5: Retrieval / Context. Retrieval augments prompts with external knowledge, while memory preserves session continuity. Retrieval provides knowledge access that exceeds what prompt-only continuity can carry.

Layer 6: Control Plane vs. Data Plane. Control planes govern deployment, policy, identity, and coordination. Data planes execute tasks and interact with tools. The control plane defines deployment rules and behavior policies for agents.

Layer 7: Agent Runtime / Compute. The runtime executes agent logic separately from model inference. Google's Vertex Agent Engine provides a secure runtime that manages agent lifecycle, orchestrates tools, and coordinates reasoning steps. For long-running work, Microsoft's Azure agent design patterns advise teams to persist shared state externally, since in-memory context alone cannot survive process restarts.

Platform teams otherwise assemble runtime location, agent behavior, and audit capture as separate internal services. Cosmos maps those concerns to Environments, Experts, and Sessions. Environments define where agents run, Experts define behavior and events, and Sessions capture each run as an auditable, replayable workflow.

How Orchestration Patterns Shape Runtime Execution

Agent orchestration patterns shape runtime execution by choosing one loop or multiple coordinated agents to plan, call tools, and persist state. That choice changes cost, reliability, and debuggability. A single-agent loop receives a prompt, calls the LLM with available tools, executes the selected tool, feeds the result back into the model, and repeats until completion or a turn limit.

A single-agent loop works well as the default when task boundaries, tools, and context are defined. Multi-agent systems add coordination costs because more agents must coordinate state, tool use, and responsibility boundaries.

Single-agent loops break down when work requires supervised loops, scheduled execution, survival across process restarts, sub-agents that run for hours, or post-hoc observability. Teams evaluating those paths can compare AI agent workflows for legacy Java apps before adding coordination layers.

Several patterns handle those cases:

  • Graph-based workflows: LangChain's multi-agent workflows in LangGraph model agents as state graphs where edges manage control flow and agents write to shared state.
  • Orchestrator-workers: Anthropic's guide to building effective agents defines orchestrator-worker patterns where a central LLM breaks down tasks, delegates work, and synthesizes results.
  • Handoffs vs. agents-as-tools: The OpenAI Agents SDK orchestration guide distinguishes control transfer to a specialist from bounded specialist calls by a manager.
  • Event-driven group chat: AutoGen v0.4 adopted an event-driven architecture where agents perform computations in response to messages.

Durable execution cuts across every pattern. Inngest frames durability as a property of the execution layer underneath the loop. Cosmos Sessions turn one-off prompts into auditable, replayable workflows and preserve run history for reuse, so teams can keep long-running and parallel agent workflows durable across days and weeks.

Managing State, Memory, and Context Across Sessions

Memory management becomes an infrastructure design concern when agents carry state across turns, sessions, and external stores. Prompt-context overload, summarization drift, and stale long-term memory create production failure modes. Short-term memory is session-scoped, while long-term memory persists externally and survives between sessions.

A production memory taxonomy distinguishes episodic memory for conversation history, semantic memory for domain knowledge, and state for live operational context. Consolidation policy defines what moves from short-term to long-term storage and when.

Memory concernScopePlatform risk
Short-term memorySession-scoped turnsPrompt-context overload
Long-term memoryExternally persisted storageStale memory across sessions
Episodic memoryConversation historySummarization drift
Semantic memoryDomain knowledgeIncorrect or outdated knowledge access
Live stateOperational contextState loss during long-running work
Consolidation policyMovement from short-term to long-term storagePersistent storage of the wrong context

Prompt-only context does not remove the need for memory architecture. Compaction lets long-running sessions continue, but it introduces a failure surface. Anthropic's guidance on effective context engineering defines compaction as distilling accumulated session context so the agent can continue with minimal degradation.

LangChain's context engineering patterns organize mitigation around writing context outside the prompt, selecting context into the prompt, compressing context to the required scope, and isolating context by splitting it up. For multi-file tasks, engineering teams using the Context Engine see 5-10x task speed-up because it processes entire codebases across 400,000+ files through semantic dependency graph analysis and preserves architectural understanding. Cosmos exposes a shared virtual filesystem that keeps tenant-shared and private memory scopes available across workflows. Accumulated patterns, conventions, and corrections persist outside a single prompt, and Cosmos stores that shared memory and workflow history for long-running agent sessions so the same memory boundary carries into later workflows.

How Tool Use and External Integration Work

Tool use in agent platforms works through standardized protocols and schema-enforced function calling. The Model Context Protocol is emerging as the connector layer between orchestration and tool execution. The MCP specification follows a client-host-server architecture built on JSON-RPC and provides a stateful session protocol for context exchange.

The architecture assigns roles across host, client, server, tool, and sandbox boundaries.

  • Host: Creates and manages clients, enforces security policies, and coordinates LLM integration.
  • Clients: Maintain isolated server connections.
  • Servers: Expose resources, tools, and prompts.
  • Tools: Represent arbitrary code execution and must be treated with appropriate caution.
  • Sandboxed execution: Adds another boundary around tool invocation, hooks, and MCP configurations that spawn local processes.

The MCP first-anniversary update announced the donation of MCP to the Agentic AI Foundation, a directed fund under the Linux Foundation established with Anthropic, Block, and OpenAI as founding project contributors.

The MCP specification treats tools as a security boundary. The spec states: "Tools represent arbitrary code execution and must be treated with appropriate caution." Hosts must obtain explicit user consent before invoking tools. Servers must validate inputs, implement access controls, rate-limit invocations, and sanitize outputs.

Schema enforcement differs by provider. OpenAI's Structured Outputs guide enforces schema adherence through constrained decoding, while Anthropic's Claude tool use documentation requires a tool with an input_schema and returns a tool_use block when invoking.

Sandboxed code execution adds another boundary. NVIDIA's sandboxing guidance for agentic workflows warns that systems can sandbox only tool invocation. Hooks and MCP configurations can still spawn local processes outside that boundary.

Observability, Evaluation, and Monitoring Requirements

Agent observability requires trace-level instrumentation because final-output logging cannot identify which LLM call, tool invocation, retrieval step, or state mutation failed inside a multi-step workflow. OpenTelemetry's GenAI semantic conventions define standards for LLM, VectorDB, and AI agent observability. Teams designing evaluation loops can compare AI agent quality frameworks before relying on final-output review.

Agent traces use a hierarchy that starts with a top-level invoke_agent trace span, then adds child chat spans for each LLM call and execute_tool spans for tool invocations. Standardized attributes identify models and model-usage fields. The LLM Working Group recommends capturing prompt content and tool results on event-based payloads because backends can struggle with payload-heavy events.

Observability also exposes cost drivers by tracking per-step model usage and latency. Production platforms track model usage, latency, error rates, cost breakdowns, and feedback scores. Teams can then identify expensive execution patterns before they drain budgets.

Traditional infrastructure monitoring does not evaluate decision-level correctness. Correct latency and model costs do not guarantee correct outputs, because a flawed early decision can propagate through downstream tool calls. LLM-as-judge evaluation matters because traditional metrics like BLEU and ROUGE measure token overlap but miss whether a response hallucinated. Recent work on trajectory evaluation extends evaluation across entire trajectories, capturing decision quality at each step.

Guardrails connect observability to enforcement. AWS documents guardrail frameworks that include Amazon Bedrock Guardrails, NVIDIA NeMo Guardrails, Guardrails AI, and LLM Guard. Cosmos Sessions support trajectory-level observability as auditable, replayable workflows, so teams can capture traces for agent runs that require post-incident reconstruction.

[ Coming up next ]

The New Code Review Workflow for AI-Native Engineering Teams

See how leading teams keep code review fast and rigorous as AI writes more of the code.

Save your seat
Thu, Jul 9 // 9:45 AM PDT

Security, Access Control, and Governance for Agent Platforms

Agent platform security uses deterministic, code-level controls for orchestration layers, identity boundaries, and tool permissioning. The OWASP Top 10 for Agentic Applications spans goal hijack, tool misuse, identity abuse, memory poisoning, and rogue agents.

Security controls map agent-specific risks to deterministic enforcement points. The table below pairs each risk area with the failure mode it introduces and the control pattern that contains it.

Risk areaFailure modeControl pattern
Prompt injectionUser prompts alter behavior or output in unintended waysInput moderation and trust scoring
Indirect injectionExternal websites or files alter behaviorMemory sanitization and provenance tracking
Excessive agencyExcessive functionality, permissions, or autonomyPer-tool credential isolation
Agent identityCredentials are not bound to agent and service identitiesCryptographic signing and mutual authentication
Memory poisoningStored memory becomes a later execution pathBehavioral monitoring and human review checkpoints

Prompt injection sits at the root of the threat model. The OWASP LLM01:2025 entry on prompt injection defines it as occurring "when user prompts alter the LLM's behavior or output in unintended ways," with indirect injections arriving through external sources such as websites or files. Teams defining delegated access patterns can review secure AI agent login strategies before expanding autonomy.

Excessive agency compounds the risk through excessive functionality, excessive permissions, and excessive autonomy. AWS documents a containment pattern where agents initialize MCP clients with isolated credentials so each tool operates with a different credential set.

Agent identity is a governance gap of its own. The draft NIST IR 8596 guidance recommends binding agent and service identities to credentials using cryptographic signing and mutual authentication.

Memory poisoning creates persistent compromise when stored memory becomes a later execution path. Cosmos Human-in-the-Loop policies move human review from 8 interruptions to 3 checkpoints, escalating at prioritization, spec and intent review, and contextual understanding. The platform enforces the points where policy requires human judgment. Cosmos also carries SOC 2 Type II and ISO/IEC 42001 certifications, along with GDPR-related support.

Deploying, Scaling, and Operating Agent Platforms

Operating agent platforms combines control plane and data plane separation, model gateways for routing, and GPU-aware autoscaling. Containerized LLM workloads use operational primitives that differ from traditional microservices. Portkey's hybrid deployment architecture illustrates the split: the data plane runs the AI Gateway inside the customer VPC, while the control plane handles administration and analytics. Teams mapping these operating concerns into delivery pipelines can compare AI DevOps workflows from IaC to monitoring across infrastructure, monitoring, and rollout stages.

Open source
augmentcode/augment-swebench-agent873
Star on GitHub
Operating concernPlatform patternProduction implication
Control planeAdministration and analyticsGovernance stays separate from execution
Data planeAI Gateway inside the customer VPCAgent traffic runs inside the customer environment
Model gatewayRouting, load balancing, and fallbacksProvider selection becomes an operations concern
Redis resilienceFail fast on Redis degradationGateway failures are contained earlier
Heterogeneous runtimesManage runtimes, schedules, memory, and sessionsAgents can run across multiple environments
Inference reliabilityDetect silent hangsServers should not stop responding without surfacing errors

Model gateways handle routing, load balancing, and fallbacks across providers. LiteLLM documents routing strategies that include simple-shuffle, which it recommends for high-traffic production. LiteLLM advises against usage-based-routing for production because it adds latency due to Redis operations. Redis resilience matters as pod counts rise: LiteLLM's Redis circuit breaker analysis explains how Redis degradation can take down gateways, so the pattern is to fail fast on Redis degradation.

LiteLLM's argument that agents are the new LLMs explains why companies will not run every agent on one runtime, so the control plane must manage runtimes, schedules, memory, and sessions across heterogeneous environments. Databricks' work on reliable LLM inference at scale describes silent hangs where edge cases trigger unhandled errors in inference engines. Those unhandled errors can leave servers unresponsive, and the failures often go unreported as errors.

Cosmos Agent Runtime coordinates multiple agents working in parallel across workspaces. That runtime owns scheduling and isolation while agents run across laptops, Dev-VMs, and cloud environments.

What Vendor Reference Architectures Agree On

Vendor agent-platform reference architectures converge on a common separation between reasoning, execution, context, and control. Component names vary across vendors, but production systems still need clear ownership for model calls, memory, tools, orchestration, retrieval, gateways, observability, and governance. Divergences mostly reveal each vendor's center of gravity, and the underlying platform shape stays consistent.

Architecture elementShared role in production platformsDivergence signal
Foundation modelsProvide reasoningVendor model ecosystem
MemoryPreserve contextSession and long-term state design
ToolsExecute external actionsFunction-calling and MCP access patterns
OrchestrationCoordinate planning and executionSingle-agent, graph, or multi-agent framing
RetrievalBring external knowledge into contextRAG and vector store choices
Model gatewaysRoute and manage model accessProvider routing and fallback strategy
ObservabilityTrace decisions and executionEvaluation and telemetry depth
GovernanceEnforce policy and identityControl-plane design

Vendor designs diverge around continuous improvement, communication protocols, governance layers, policy enforcement, and component framing. NVIDIA publishes a blueprint for building data flywheels as its continuous improvement layer, while Google publishes the A2A protocol for cross-vendor agent communication.

Governance and policy choices show another divergence point. Databricks positions Unity Catalog as the data governance foundation beneath agents. AWS positions Cedar policy as MCP tool-access enforcement. Microsoft frames the layers under its "8 essential components" Agent Factory blueprint.

Vendor designs converge on control plane and data plane separation. AWS prescriptive guidance confirms that control planes in agentic environments still apply even in multi-agent, multi-provider systems. Protocol convergence is active. The Linux Foundation hosts A2A and AGNTCY directly, and MCP now sits under the Agentic AI Foundation directed fund within the Linux Foundation.

What Production Teams Consistently Get Wrong

Production agent deployment failures expose architecture gaps when teams scale autonomy without deterministic state control, evaluation harnesses, and trace-level observability. Salesforce's write-up on reliable agent engineering patterns states the operating principles directly. Teams should separate reasoning from computation, use deterministic systems for consistent answers, treat context management as architecture, validate outputs objectively, and improve the harness before touching the prompt.

Failure patternArchitecture gapRecurring fix
State lossState control is not deterministicExternalize state to dedicated stores
Context driftContext management is treated as promptingTreat context management as architecture
Tool overuseReasoning and computation are not separatedSeparate reasoning from computation
Vibe testingEvaluation relies on final-output inspectionUse ground truth sets and small-scale tests
Unexplained outputsTrace-level observability is missingInstrument trajectories before scaling autonomy

Evaluation fails when teams rely on final-output inspection and skip small-scale tests, ground truth sets, and trajectory-level visibility. Anthropic advises teams to start small-scale testing right away, with effect sizes detectable in compact test sets. Shopify's account of building production-ready agentic systems grounds evaluation in samples drawn from real merchant conversations, replacing vibe testing with measurable signal.

The infrastructure pattern stays consistent across these failures. Teams need deterministic controls around non-deterministic systems before they expand autonomy. Salesforce, Anthropic, and Shopify all converge on that point.

Design the Control Plane Before You Scale Autonomy

Control-plane-first agent platform design puts state, policy, and observability outside the agent loop before autonomy scales. Externalized state reduces state loss. Policy enforcement keeps tool use inside deterministic controls. Trace-level observability supports post-incident reconstruction. Durable state, policy enforcement, trace-level observability, and deterministic scaffolding can take longer to build than the workflows themselves. Teams that succeed instrument and govern first, using the control plane to manage reliability, multi-tenancy, and security.

Platform teams should separate planes early. Keep orchestration as stateless as possible, externalize state to dedicated stores, and apply policy through deterministic controls at the platform layer alongside model-level guardrails. Cosmos brings shared context, shared memory, human-in-the-loop policy, and event-driven triggers into the same governed agent workflow, so governed agents remain reproducible across environments.

Frequently Asked Questions

Written by

Ani Galstian

Ani Galstian

Ani writes about enterprise-scale AI coding tool evaluation, agentic development security, and the operational patterns that make AI agents reliable in production. His guides cover topics like AGENTS.md context files, spec-as-source-of-truth workflows, and how engineering teams should assess AI coding tools across dimensions like auditability and security compliance

Get Started

Give your codebase the agents it deserves

Install Augment to get started. Works with codebases of any size, from side projects to enterprise monorepos.