AI Agent Rules Best Practices
This page distills every rule list in the Agent Rules (tech lead) section into one standalone checklist - positive, enforceable practices for models, tools, security, observability, and team process.
It is meant for design reviews, production-readiness gates, and periodic audits - not as a one-time read.
How to Use This Checklist
- Work by category (A-F); new production teams usually start with A and B before deep multi-agent work.
- Require evidence for each checked item - a config value, code path, eval run, ADR, or PR template - not a vibe.
- Use as a gate before any multi-turn agent reaches real users, real budget, or write tools.
- Revisit after incidents and whenever autonomy, tool surface, or routing policy expands.
A - Opinionated Defaults and Bounds
- Write and own a short tech-lead rule set for production agents. Stops, budgets, tools, security, evals, and review are named defaults - not tribal knowledge.
- Enforce max turns, wall-clock timeout, and machine-readable stop reasons in runtime code. Prompts alone do not stop loops.
- Match autonomy to reversibility and blast radius. Draft and supervised modes before unsupervised writes.
- Prefer one well-scoped agent before multi-agent splits. Complexity waits for measured single-agent bounds.
- Document exceptions with owner and expiry. Silent local hardcodes are decision drift.
B - Model, Provider, and Cost Discipline
- Resolve models through logical policies or tiers, not scattered raw ids. Call sites request capability, not a fashion string.
- Default to the cheapest tier that meets the quality bar. Escalate with eval evidence.
- Predeclare acyclic fallback chains and degraded modes. Outages must not invent routing live.
- Enforce per-run and per-key spend caps. Fail closed when budgets burn.
- Log policy name, resolved model id, tokens, and estimated cost per run. Cost retros need facts.
C - Tool Design and Composition
- Keep tools one-job, strictly schema-validated, and host-gated. Kitchen-sink tools stay out of production.
- Rank side effects and enforce irreversible-action gates in code. Prompt "please don't" is not a control.
- Use least-privilege credentials per tool. Read paths cannot write; sandboxes hold no prod secrets.
- Cap timeouts, payload size, rows, and per-run tool budgets. Loops must not melt APIs or flood context.
- Version breaking tool contracts deliberately. Dual-serve and eval before hard cutovers.
D - Security Guardrails
- Maintain a written threat model for each production agent. Injection, exfil, spend abuse, and privilege escalation covered.
- Allowlist tools and egress destinations; block metadata and broad private ranges.
- Sandbox untrusted code execution with resource limits and network default deny.
- Keep secrets out of prompts, traces, and model-visible args. Redact at write time.
- Maintain a tested kill switch for agent, tool, or key disablement.
E - Observability, Evals, and SLOs
- Trace every run with stable ids and reconstructable steps. Goal, tools, model, stop reason, cost.
- Gate behavior-changing deploys with a golden eval suite. Prompt, tool, and model-map changes included.
- Define SLOs for task success, latency, and cost per success. Alert on product burn, not only process crashes.
- Mine production failures into the eval set. Hard negatives keep gold sets alive.
- Pair agent traces with infrastructure monitoring for tools and queues.
F - Team Review and Governance
- Classify agent PRs by blast radius and scale review rigor accordingly.
- Forbid self-merge on tool privilege or autonomy increases. Second reviewer required.
- Require eval (and cost/security notes when relevant) as merge evidence. Playground vibe is insufficient.
- Assign owners for platform defaults and for each production agent.
- Turn incident classes into checklist or rule updates on a fixed cadence.
Applying the Habits in Order
| Stage | Categories | Exit criterion |
|---|---|---|
| Bound the system | A | Stops, autonomy, and ownership documented |
| Control spend and models | B | Policy map, fallbacks, budgets live |
| Harden tools | C-D | Schemas, least privilege, sandbox/egress |
| Prove and watch | E | Traces, eval gate, SLOs alerting |
| Keep the team honest | F | PR template + CODEOWNERS enforced |
FAQs
How is this different from the Core Agent Rules quick-reference?
The quick-reference uses category tables with links.
This page restates the same ground as checkboxes for readiness reviews.
Do we need every checkbox before a prototype?
No.
You need them before real users, real budget, or write side effects.
Prototypes should still avoid unbounded production deploys.
Which category should we implement first?
Bounds and cost (A-B), then tools and security (C-D), then evals and review process (E-F).
How do we prove a checkbox honestly?
Point to code, config, CI, or a linked ADR - for example the module that enforces max_turns, the policy map file, or the PR template requiring eval links.
Can framework defaults satisfy these items?
They can satisfy pieces (iteration limits, optional tracing).
Product-specific tool allowlists, spend caps, eval suites, and review process still need your team.
What if a checkbox conflicts with a demo deadline?
Ship a narrow, bounded demo path; do not disable stops, authz, or budgets on the shared production worker to save a day.
How often should the checklist be re-run?
Before first production traffic, after material tool or autonomy changes, and on a fixed quarterly (or similar) cadence.
Is ten practices enough for the whole tech-lead group?
The title promises distilled practices; the lettered groups expand them into enforceable checkboxes covering the full section.
How does this page relate to fundamentals rules earlier on the site?
Fundamentals rules are the early single-agent bound set.
This checklist is the production tech-lead gate spanning fleet, security, evals, and process.
Should personal agents use the same list?
Yes for anything with shell, account access, or spend - blast radius is personal but real.
What do we do with unchecked items?
Track them as explicit debt with owners and dates - not as quiet failures to ignore.
Can we fork this checklist for our company?
Yes.
Keep the categories; replace numbers (turn caps, tiers, approval matrix) with your standards and link internal runbooks.
Related
- How Opinionated Rules Prevent Agent Production Incidents - why these checkboxes exist.
- The Core Agent Rules: A Quick-Reference List - table form with deep links.
- Model and Provider Rules: Routing, Fallback, and Cost Discipline - detail behind category B.
- Tool Design Rules for Safe, Composable Agents - detail behind category C.
- Security Guardrail Rules Every Tech Lead Should Enforce - detail behind category D.
- Observability and Eval Rules for Production Agent Systems - detail behind category E.
- Team Rules for Reviewing and Approving Agent Changes - detail behind category F.
- AI Agent Fundamentals Rules Best Practices - earlier fundamentals readiness checklist.
Stack versions: Pins from the category manifest (verify at build): OpenRouter (~315+ models, July 2026 pricing/fees); LangGraph 1.0+; CrewAI 1.14+; Microsoft Agent Framework 1.0; Vercel AI SDK 6; Pydantic AI (latest); LlamaIndex (latest); OpenAI Agents SDK (latest + MCP); MCP (Linux Foundation governance); A2A (HTTP+SSE+JSON-RPC 2.0); Solana
@solana/web3.js+@solana/spl-token.