In software development, AI agents have become more autonomous, but greater autonomy has brought higher error costs and more complex control. The primary tension has shifted from model quality to managing system behavior.
The problem does not appear immediately; it surfaces the moment the agent steps outside a simple scenario. Early approaches such as “vibe coding” relied on short sessions and limited context. Today, agents can work autonomously for up to 20 minutes and integrate directly into CI/CD via a headless CLI. This changes the risk profile: errors become operational as well as functional, including leaked secrets, published malicious packages, and uncontrolled actions in external systems. The context itself adds pressure: even a “clean” session already consumes part of the window (about 15% before any user input), which limits the scope of feasible tasks and raises the probability of degradation.
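The overhead arithmetic above can be sketched in a few lines. This is a back-of-the-envelope illustration only; the 200,000-token window is an assumed figure, and only the 15% overhead share comes from the text.

```python
# Hypothetical context-budget estimate: if system prompt, tool schemas,
# and agent scaffolding consume a fixed share of the window before any
# user input, the budget left for the actual task shrinks accordingly.
# The window size below is illustrative, not a specific model's limit.

def usable_tokens(window: int, overhead_fraction: float) -> int:
    """Tokens remaining for the task after fixed session overhead."""
    return int(window * (1.0 - overhead_fraction))

# With a 200k window and ~15% baseline overhead, roughly 170k tokens
# remain for the task, its files, and the agent's own reasoning.
print(usable_tokens(200_000, 0.15))
```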
The response has been the evolution of context engineering. Instead of monolithic rule files, behavior is decomposed into “skills” that are loaded lazily. This reduces pressure on the context window and makes the agent's behavior more predictable for a given task. In parallel, orchestrations of multiple agents (agent swarms or agent teams) are emerging. They allow responsibility to be divided but introduce coordination overhead and new classes of errors. In enterprise settings, such systems face less formalized tasks and lack comprehensive test suites, making them less reliable than demonstration cases suggest.
Implementation requires an explicit risk management layer. A practical framework rests on three variables: the probability of an error, its impact, and its detectability. The new factor is the probability: teams need to develop an intuition for which tasks the agent solves reliably. The other two remain classical engineering estimates. A critical zone arises when three conditions combine: access to untrusted input, access to private data, and the ability to communicate externally. Together these describe the typical prompt-injection attack vector. In one real incident, an agent processing a GitHub issue extracted secrets and published a malicious package because sandboxing and environment controls were missing.
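The three-variable estimate and the critical-zone check could be encoded like this. The 1–5 scales and the multiplicative score are assumptions borrowed from classic FMEA-style scoring, not something the framework above prescribes; the AND of the three access conditions comes directly from the text.

```python
from dataclasses import dataclass

# Illustrative risk model for an agent task: score on probability,
# impact, and detectability, and separately flag the "critical zone"
# where prompt injection becomes exploitable.

@dataclass(frozen=True)
class AgentTask:
    error_probability: int        # 1 (rare) .. 5 (frequent)
    impact: int                   # 1 (trivial) .. 5 (severe)
    detectability: int            # 1 (caught at once) .. 5 (silent)
    reads_untrusted_input: bool   # e.g. public issues, web content
    reads_private_data: bool      # e.g. secrets, internal repos
    can_communicate_externally: bool  # e.g. publish, HTTP, email

    def risk_score(self) -> int:
        # FMEA-style risk priority number: higher means review first.
        return self.error_probability * self.impact * self.detectability

    def in_critical_zone(self) -> bool:
        # All three conditions at once form the prompt-injection
        # attack surface described in the text.
        return (self.reads_untrusted_input
                and self.reads_private_data
                and self.can_communicate_externally)
```

Under this sketch, an agent triaging public GitHub issues with access to repository secrets and publish rights lands in the critical zone regardless of its numeric score, which is why sandboxing matters independently of risk ranking.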
Practical results are mixed. Autonomy and development speed are increasing, but so are the costs of control, security, and agent infrastructure. Even in lengthy autonomous projects, system “entropy” accumulates despite linters and auxiliary code-cleanup agents. Clear improvement metrics are lacking, but the main conclusion is robust: the key area of development is not the models themselves but the practices around their use. AI agents amplify existing engineering approaches, including their weaknesses.