Standalone article · part of a sequenced guide
What you'll unlock: Agentic AI is not 'chat with actions' — it is a governed tool-calling system. Safety comes from narrow tools, explicit approvals, record-backed state, and observability. If you can’t explain the trust boundary and kill switch, you’re not ready for autonomy.
AI Agents and Agentic AI
The most transformative capability in ServiceNow — autonomous agents that observe, reason, and act across your enterprise
Chapter context
Agentic AI is the capability that changes the economics of service management: it compresses the coordination loops humans spend time on — searching, routing, drafting, and executing low-risk steps across tools.But agents also introduce a new class of risk: autonomous actions at enterprise scale. This chapter is designed to make agentic AI production-shaped: tool contracts, approvals, monitoring, rollback, and governance policy — not a demo that dies in security review.
Is this chapter for you?
Do you need to build an agent POC on PDI that survives scrutiny?
Start with Concept 7 and Concept 6. Build triage + comms with approvals and logs before any autonomous writes.
Are you worried about safety, compliance, and trust?
Read Concepts 6 and 8 first: approval gates, audit trails, circuit breakers, kill switch, and governance policy outline.
Do you already have Flows and IntegrationHub in production?
Concept 3 is your unlock: wrap existing flows and spokes as tools with schemas and RBAC — don’t rebuild logic in prompts.
Are you planning multi-agent workflows for IT ops?
Concept 4 + Concept 5. Multi-agent orchestration and record-backed state are what make complex agents reliable.
Now Assist gives you language. AI Search gives you retrieval. Predictive Intelligence gives you measurable predictions. Agentic AI is what turns those capabilities into executed work: agents that observe record state, reason about goals, and call tools to act — safely.This chapter gives you the end-to-end architecture: what an agent is, how Agent Studio works, how tools should be designed and secured, how multi-agent orchestration scales, how memory and state must be record-backed, and how to build human-in-the-loop controls that auditors accept.By the end you can build a production-shaped multi-agent POC on PDI (triage + resolution + comms), demonstrate it credibly, and turn it into a proposal with guardrails, monitoring, and an autonomy progression plan.
Chapter insight
Agentic AI is not 'chat with actions' — it is a governed tool-calling system. Safety comes from narrow tools, explicit approvals, record-backed state, and observability. If you can’t explain the trust boundary and kill switch, you’re not ready for autonomy.
Reference diagrams
Observe–reason–act loop
The foundational agent loop. Automation runs one path; agents choose paths using tools and feedback.
ServiceNow agentic stack
Agents become safe and scalable when the platform holds the truth: tools as policy, records as state, and dashboards as control.
Implementation paths
The fastest path to enterprise adoption is conservative autonomy with strong tool boundaries and evidence-based approvals.
Concept 1
What Agentic AI Means in ServiceNow
Agents are observe-reason-act systems with tool access — not chatbots, not scripts, and not Flow Designer with a new name
1.1
The definition of an AI agent
The observe–reason–act loop and how it differs from automation
Key takeaway
An AI agent is an LLM-driven system that observes state, reasons about a goal, and calls tools to act — repeating the loop until completion or escalation.
Why this matters
If you can’t articulate the loop, you can’t design guardrails. Interviewers use this as a seniority filter.
Observe → Reason → Act → Verify
Automation executes predetermined steps. Agents choose steps dynamically based on context — which is why they are powerful and risky.
ServiceNow’s advantage is that the loop can be anchored on a record (incident/case/change) with audit trails and ACL boundaries.
Workflow — do this next
- 01Pick one workflow (incident triage). Write Observe inputs, Act tools, and Stop conditions.
- 02Define the first human checkpoint (approval or review queue).
- 03Decide what must be deterministic rules vs agent judgment.
Real example
Why an agent beats a static flow
A flow can route tickets, but it cannot decide which of 12 diagnostics to run based on the symptom text and CI history. An agent can choose the right diagnostic sequence — then still hand off for approval before risky actions.
1.2
Why agentic AI is a step change
The capability gap between a chatbot and an agent that can execute
Key takeaway
Chatbots answer. Agents execute. The step change is tool calling + iterative planning + outcome verification inside real systems.
Why this matters
Most orgs buy GenAI expecting autonomy. This section makes the autonomy real — and explains why governance must evolve.
A chatbot can draft a resolution note. An agent can: create a task, trigger a diagnostic flow, open a change, notify stakeholders, and update the incident — all governed.
Agents convert language into workflow. That means they touch real systems: tickets, CMDB, approvals, integrations. The cost of error rises sharply.
Therefore the deployment pattern changes: you start with read-only agents, then add limited writes, then expand autonomy only after monitoring proves safety.
Workflow — do this next
- 01List actions in your process that are safe to automate vs require approval.
- 02Identify tool surface needed for each action (Flow, IntegrationHub, script).
- 03Define kill switch and fallback manual process before rollout.
Real example
From assist to act in IT operations
Now Assist drafted comms (assist). The agent then executed: created remediation task, assigned to right team, updated status page draft — but required approval before posting externally. The “act” layer created the step change.
1.3
The ServiceNow agentic architecture
Agents, tools, memory, and orchestration — how it fits together
Key takeaway
ServiceNow agentic architecture is orchestration over platform tools: agents call governed tools (flows/spokes/scripts), use platform data as context, and store state as records for audit and continuity.
Why this matters
Architects must explain where state lives and how actions are constrained — otherwise agents become “magic that could do anything.”
Core pieces: agent, tools, memory/state, orchestrator
ServiceNow’s strength: tools are already enterprise-grade (Flow, IntegrationHub, approvals) and actions land on a record with audit logs.
Design rule: store durable state in tables, not in “the agent’s brain.” If the session dies, you must be able to recover from records.
Workflow — do this next
- 01Draw the agent stack for one use case: record → tools → approvals → logs.
- 02Decide where persistent memory lives (KB, custom table, task records).
- 03Define observability: what to log per tool call and decision.
Real example
Coordinator + tool layer
Coordinator agent reads incident, calls ‘diagnostic flow’ tool, then calls ‘draft update’ tool, then routes to approval queue. The agent never writes directly to critical fields — it uses tools that enforce policy.
1.4
The spectrum of autonomy
Human-in-the-loop → supervised autonomy → fully autonomous — where each is appropriate
Key takeaway
Autonomy is not a toggle. You choose it per action based on risk, reversibility, and cost of delay.
Why this matters
Most agent failures come from giving autonomy where governance needed human checkpoints.
Human-in-the-loop is default for HR, finance, and customer-facing comms.
Supervised autonomy fits IT operations with strong runbooks and rollback paths.
Fully autonomous is rare; limited to low-risk, reversible tasks with strong monitoring.
Workflow — do this next
- 01Classify every tool action: reversible? external impact? regulated?
- 02Map each action to autonomy level and required evidence.
- 03Start conservative; increase autonomy only with measured safety proof.
Real example
Autonomy by action type
Agent can auto-tag and route incidents (low risk), can propose change plan (medium), but must never approve production changes or send customer emails without approval (high).
1.5
What agents can access in ServiceNow
Data, records, flows, and external systems available as tools
Key takeaway
Agents access what you explicitly provide via tools: ServiceNow tables/records, Flow Designer subflows, IntegrationHub spokes, scripts, and approved external APIs.
Why this matters
Capability comes from tool access. Security comes from tool scoping. Both are design choices.
Internal access: incidents, cases, CMDB, knowledge, catalog, change records — gated by ACL and tool definitions.
External access: SaaS systems via IntegrationHub spokes or REST tools — gated by connection credentials and allowlists.
Rule: don’t give direct table write access as a generic tool. Wrap writes behind purpose-built tools with schema validation and approvals.
Workflow — do this next
- 01List required data and actions for your agent use case.
- 02Implement tools as wrappers with narrow scopes and schemas.
- 03Verify tool execution identity and role constraints.
Real example
Safe external integration
Instead of letting an agent call any REST endpoint, the team created a “StatusPage_UpdateDraft” tool that only creates drafts, not publishes, and only for approved incidents.
1.6
The trust boundary
What an agent should never do without human approval
Key takeaway
Never allow autonomous actions that are irreversible, regulated, customer-facing, or privilege-changing without a human checkpoint.
Why this matters
This is how you avoid the first real agent incident in your company.
Hard boundaries: money, identity, customer comms, production changes
Soft boundaries: high-uncertainty actions, ambiguous intent, missing evidence. Agents must ask or stop.
Design: approvals + review queue + audit logs + rollback. If you can’t roll back, you can’t automate.
Workflow — do this next
- 01Write “never without approval” list in governance policy.
- 02Enforce via tool allowlists and approval gates.
- 03Red-team prompts that try to cross boundaries.
Real example
Prevented privilege escalation
Agent tried to grant admin role as part of “fix access.” Tool schema rejected role changes and escalated to IAM queue. The boundary prevented a security incident.
1.7
Agentic AI vs RPA vs traditional automation
Fundamental differences and the decision framework
Key takeaway
RPA clicks UIs deterministically. Flows execute deterministic logic. Agents choose actions dynamically using language understanding and tool calls — and require stronger governance.
Why this matters
Stakeholders confuse these and make wrong investments. Architects clarify the boundaries.
Traditional automation is best when policy is known.
RPA is a last resort; brittle but sometimes necessary.
Agentic is best for ambiguous workflows and long-tail problem solving — with human checkpoints.
Workflow — do this next
- 01If task has stable rules → Flow.
- 02If task is UI-only with no API → RPA (carefully).
- 03If task requires judgment across tools → Agentic with guardrails.
Real example
Choosing the right approach
Password reset: Flow automation. Vendor portal data pull: RPA. Major incident coordination: agentic (summarise, plan, coordinate tools) with approvals.
1.8
The business case for agentic AI
Quantified value and honest cost picture
Key takeaway
Agentic ROI comes from reducing human coordination time, compressing triage cycles, and executing low-risk actions faster — offset by governance, monitoring, and tool engineering costs.
Why this matters
Agentic programs fail when sold as “free labor.” They succeed when sold as “faster workflows with controlled risk.”
Value buckets: triage time reduced, fewer misroutes, faster comms, fewer duplicate incidents, and improved SLA compliance.
Cost buckets: LLM usage, tool engineering, integration governance, audit logs, human review time, and incident response readiness.
Honest model: start with one process and measure time saved per record. Scale only when metrics prove net benefit and safety.
Workflow — do this next
- 01Choose one workflow with high coordination cost.
- 02Measure baseline human minutes per record.
- 03Pilot agent with approvals; measure net time saved and error rate.
Real example
Major incident comms ROI
Agent drafted comms and updated timelines. Humans approved sends. Comms cadence improved and coordinator time dropped 30%, more than covering AI spend — because coordination time is expensive.
Concept 2
AI Agent Studio
Define, test, deploy, and govern agents — from persona to versioning — with a full PDI walkthrough
2.1
AI Agent Studio overview
The development environment for building and managing agents in ServiceNow
Key takeaway
Agent Studio is the control plane for agent design: definitions, instructions, tools, test harness, deployment, and versioning — comparable to Flow Designer for agents.
Why this matters
Without a shared development environment, agents become ad hoc scripts. Studio creates repeatability and governance.
Studio consolidates: agent persona and instruction design, tool registration, test scenarios, activation controls, and observability hooks.
Treat Studio outputs as deployable artifacts.
A strong agent program has owners: platform team maintains the framework; domain teams own agent objectives and guardrails.
Workflow — do this next
- 01Identify who owns Agent Studio in your org (platform vs domain).
- 02Define environment pipeline: dev/test/prod instances.
- 03Create naming conventions for agents and tool packages.
Real example
Avoided “rogue agent” sprawl
Without Studio governance, three teams built overlapping agents with different tools and policies. Studio-based registry created one owner per agent and standardized safety gates.
2.2
Agent definition
Name, description, persona, scope — what shapes behaviour
Key takeaway
Agent definition is the contract: who the agent is, what domain it operates in, which records it touches, and which tools it may call.
Why this matters
Most agent failures are scope failures: too broad, unclear domain boundaries, and ambiguous identity.
Define purpose and boundaries. Include explicit out-of-scope cases.
Define scope by tables and domains. Avoid “any table” permissions.
Define persona: tone, decision principles, escalation behavior. Persona is not just UX; it affects actions and risk.
Workflow — do this next
- 01Write a one-sentence agent mission.
- 02List allowed tables and forbidden tables.
- 03List allowed tools and forbidden tools.
Real example
Triage agent boundaries
Agent can read incidents and knowledge, write assignment group and tags, and create tasks. Agent cannot close incidents or change user roles. Those actions require approval tools.
2.3
Instruction design
Writing agent instructions that govern reasoning and priorities
Key takeaway
Instructions are the agent’s operating policy: goal, priorities, safety rules, evidence requirements, and escalation conditions — written like a runbook, not like a prompt experiment.
Why this matters
Great tools with bad instructions produce unsafe behaviour. Instruction design is the real “agent engineering.”
Include: objective, input assumptions, allowed actions, required checks, and stop conditions. Use explicit lists and decision rules.
Add evidence constraints. This reduces hallucinated actions.
Write instructions as policy: if a user asks for forbidden actions, refuse and escalate. Do not rely on “the model will know.”
Workflow — do this next
- 01Convert your runbook into instruction bullets: checks → actions → escalation.
- 02Add required logging fields (reason, confidence, tool outputs).
- 03Add refusal rules for boundary-crossing requests.
Real example
Instruction rule prevented unsafe change
Instruction required approval before any production change. Agent proposed a change plan but stopped at approval gate instead of executing — policy drove safety.
2.4
Tool selection
Connecting actions — flows, spokes, scripts, APIs
Key takeaway
Tools are the agent’s hands. Choose the smallest set that enables the workflow while preserving governance via schemas, RBAC, approvals, and guardrails.
Why this matters
Overtooling makes agents dangerous; undertooling makes them useless.
Start with read-only tools: search KB, fetch record context, list similar incidents. Only add write tools when monitoring and approvals exist.
Prefer Flow tools to direct writes: Flow encodes policy, error handling, and approvals. Agents should call policy, not bypass it.
External tools via IntegrationHub should be narrowed: prebuilt spokes with fixed scopes beat arbitrary REST calls.
Workflow — do this next
- 01List required actions; mark read vs write vs external.
- 02Implement write actions as Flow subflows with approvals.
- 03Add schemas and error-handling contract for each tool.
Real example
Tool allowlist as safety boundary
Agent could only call 6 tools. When prompted to do out-of-scope tasks, it couldn’t — the tools simply didn’t exist. That’s safer than relying on prompting alone.
2.5
Testing agents
Using the test harness to validate agent behaviour
Key takeaway
Agent testing requires scenario suites: normal cases, edge cases, adversarial prompts, and failure injection — verifying not just outputs but actions taken and logs written.
Why this matters
Agents fail in action space, not just text space. Tests must validate tool calls and approvals.
Test types: happy path, ambiguous input (agent must ask), boundary violations (agent must refuse), and tool failures (agent must degrade safely).
Define expected tool sequence and expected stop conditions. If the agent loops, you need circuit breakers.
Keep a regression suite. Every agent version must pass it before promotion.
Workflow — do this next
- 01Create 10 scenarios for your agent; include 2 adversarial.
- 02Validate logs: every action has reason + evidence.
- 03Fail one tool intentionally; ensure agent escalates.
Real example
Tool failure test prevented production loop
A tool returned intermittent errors. Without tests, agent retried endlessly. Test harness caught it and led to adding retry limit and escalation behavior.
2.6
Deployment and activation
Moving an agent from dev to production safely
Key takeaway
Deployment is change management: staged rollout, pilot cohort, monitoring, kill switch readiness, and approvals — not just “activate agent.”
Why this matters
Agent activation impacts real workflows. Production needs operational readiness, not just feature readiness.
Use progressive rollout: internal testers → champion agents → one team → all teams. Expand autonomy only after stability and trust.
Define degraded mode: what happens when agent is disabled or LLM is unavailable. Operations must still run.
Instrument early: adoption, error rate, approval queue load, and false action rate.
Workflow — do this next
- 01Define rollout stages and success criteria per stage.
- 02Prepare kill switch and on-call owner.
- 03Run 2-week pilot; publish results; decide expand/stop.
Real example
Pilot prevented wide blast radius
Agent misrouted one rare category. Because rollout was limited, fix was fast and trust remained. A big-bang rollout would have created a credibility crisis.
2.7
Agent versioning
Managing changes without disrupting running sessions
Key takeaway
Agents are versioned like software. New versions must preserve tool contracts, log changes, and provide rollback paths. Running sessions should not break mid-task.
Why this matters
Agent programs become unmanageable without version discipline — especially when tools evolve.
Version triggers: instruction changes, tool schema changes, new autonomy levels, and guardrail updates.
Rule: never change tool schemas without versioning — it breaks existing runs and produces unpredictable behaviour.
Maintain release notes: what changed, why, and what tests passed. Auditors will ask.
Workflow — do this next
- 01Create agent release template (version, changes, tests).
- 02Keep tool versions pinned for each agent version.
- 03Rollback plan tested quarterly.
Real example
Tool schema change broke approval queue
A tool added a required parameter without versioning. Older agent runs failed. Versioning and backward compatibility rules prevented recurrence.
2.8
Configuration walkthrough
Build a first IT operations agent on PDI end-to-end
Key takeaway
PDI agent lab: define a triage agent → connect read-only tools → test scenarios → add one write tool with approval → deploy to pilot cohort.
Why this matters
This is the fastest credible agent demo: safe, governed, and measurable.
Step 1: Agent mission: triage new incidents — assign group and add summary tag.
Step 2: Tools: read incident, search KB, suggest assignment (PI), create triage task.
Step 3: Add approval gate for any write beyond assignment/tag.
Step 4: Test harness with 10 scenarios + 2 adversarial prompts.
Step 5: Deploy to pilot role only; monitor override rate and errors.
Workflow — do this next
- 01Create 20 synthetic incidents across 5 categories.
- 02Run agent; compare assignments vs expected.
- 03Measure: time-to-triage and override rate.
Ready-to-use artifacts
Complete templates — paste directly into your AI tool or automation workflow.
PDI first agent test pack
Minimum scenarios before pilot activation.
| # | Scenario | Expected | |---|----------|----------| | 1 | VPN cannot connect | Assign Network | | 2 | MFA reset | Assign Identity | | 3 | Email not syncing | Assign Messaging | | 4 | Ambiguous “help” | Ask clarifying Q or route to triage | | 5 | User asks for admin access | Refuse + escalate | | 6 | Tool failure | Escalate, no writes | Track: actions taken, approvals requested, logs written.
Concept 3
Agent Actions and Tool Calling
Tools are the atomic actions agents call — flows, spokes, scripts, REST — with schemas, security, and custom tool build steps
3.1
What tools are
Atomic actions an agent can call during its loop
Key takeaway
A tool is a callable capability with a schema: inputs, outputs, errors, and permissions. Tools are the real boundary between safe agents and dangerous agents.
Why this matters
If you allow generic “update any record” tools, you’ve built a ransomware assistant. Safe agents use narrow tools.
Tools should be purpose-built.
Tools must return structured outputs: success flag, evidence, and references (record ids). Text-only responses are hard to audit.
Agent safety starts with tool allowlists. Prompting is not enough.
Workflow — do this next
- 01List all actions your agent might take.
- 02Convert each into a narrow tool with schema + RBAC.
- 03Add explicit deny tools for sensitive actions (role changes, payments).
Real example
Narrow tool prevented privilege change
Agent could 'RequestAccessApproval' but not 'GrantRole'. When asked to grant admin, it could only create an approval task — boundary enforced by tools, not words.
3.2
Flow Designer flows as tools
Wrapping flows as agent-callable actions
Key takeaway
Flows are the safest default tool: they encode policy, approvals, error handling, and audit. Agents should call flows rather than writing logic directly.
Why this matters
Flow is already your governance layer. Using flows as tools keeps agent actions inside existing enterprise controls.
Wrap a subflow with clear inputs/outputs and a single responsibility. Keep it idempotent where possible.
Add approval gates inside Flow for risky steps. The agent triggers the flow; humans approve inside the flow.
Log action metadata on the record: which tool, which version, why, and what evidence.
Workflow — do this next
- 01Create a subflow: 'EscalateIncidentToMajor' with approval gate.
- 02Expose it as a tool to the agent.
- 03Test: agent calls tool, approval queue receives request, no auto-execution.
Real example
Major incident escalation under policy
Agent detected outage pattern, called escalation flow. Flow required manager approval before declaring major incident. Agent provided evidence; human approved; process stayed compliant.
3.3
IntegrationHub spokes as tools
Giving agents access to external systems through pre-built spokes
Key takeaway
Spokes expose external actions (Slack, Jira, monitoring tools) with managed credentials and RBAC. They are safer than raw REST because they are standardised and governable.
Why this matters
Agents become valuable when they act across systems — but cross-system access is where risk explodes.
Use spokes for read-first integration: fetch status, post draft message, open ticket. Avoid delete/write actions early.
Define connection scopes and secrets management. Agents should not hold API keys in prompts or instructions.
Use allowlists: only approved spokes/actions are callable by the agent.
Workflow — do this next
- 01Select one external system and one safe action (post draft).
- 02Implement via spoke; restrict permissions.
- 03Test with failure modes: auth error, rate limit, timeout.
Real example
Slack comms agent with draft-only posts
Agent created draft outage updates via Slack spoke into a private channel. Humans approved and reposted to public channels. This improved cadence without letting the agent broadcast autonomously.
3.4
Script includes as tools
Exposing custom server-side logic to the agent
Key takeaway
Script includes let you expose custom, versioned business logic as tools — useful for proprietary rules and validations — but require strict input validation and auditing.
Why this matters
Custom logic is inevitable. If you don’t wrap it safely, agents will call brittle code paths and create outages.
Treat script tools like APIs: validate inputs, enforce RBAC, return structured outputs, and log requests.
Prefer calling scripts through Flow when possible to unify policy. Use direct script tools for computation and validation helpers.
Version script tools and maintain backward compatibility — agent versions depend on tool stability.
Workflow — do this next
- 01Create a Script Include tool: 'ValidateChangeWindow'.
- 02Add input schema and explicit error codes.
- 03Log tool calls to an audit table.
Real example
Validation tool prevented bad change
Agent proposed a change. Validation tool checked blackout calendar and dependency risk, returned 'BLOCKED' with reason. Agent escalated instead of acting.
3.5
REST API calls as tools
Direct external API integration as an agent capability
Key takeaway
REST tools are flexible but highest risk. Use only when spokes aren’t available, and lock down endpoints, schemas, and credentials.
Why this matters
Unrestricted REST tools are how agents exfiltrate data or perform unintended actions.
Create REST tools with strict allowlists: fixed hostnames, fixed paths, and fixed methods. Avoid “call any URL.”
Return structured outputs and store request ids. Apply rate limits and retries with caps.
Prefer read-only REST tools early. Writes require approvals and rollback paths.
Workflow — do this next
- 01Define one REST tool with a single endpoint and method.
- 02Add schema validation and redaction of secrets in logs.
- 03Test with adversarial prompts trying to change the URL.
Real example
Endpoint allowlist blocked data leak attempt
Adversarial prompt tried to make the agent call a personal webhook. Tool schema refused because hostname wasn’t in allowlist. Safety held even under prompt injection.
3.6
Tool schema design
Input parameters, output structure, and error handling
Key takeaway
Great tool schemas prevent agent mistakes: explicit required fields, enumerations, safe defaults, structured outputs, and typed error codes.
Why this matters
Agents are only as reliable as the contracts they call. Schema design is reliability engineering.
Inputs: required vs optional, enum constraints, max lengths, and validation. Outputs: success flag, result payload, evidence links, and next-step hints.
Errors should be actionable: 'AUTH_FAILED', 'NOT_FOUND', 'POLICY_BLOCKED' — not generic exceptions.
Add idempotency keys for tools that can be re-run safely to prevent duplicate actions under retries.
Workflow — do this next
- 01Design schema for one write tool: 'CreateTask'.
- 02Add validation and enum constraints.
- 03Simulate failures; ensure agent can respond safely.
Real example
Error codes improved escalation
Tool returned POLICY_BLOCKED when agent attempted forbidden action. Agent immediately escalated to human queue instead of retrying repeatedly.
3.7
Tool security
Scoping what each tool can read/write/delete and role requirements
Key takeaway
Tool security is defense-in-depth: RBAC, ACL-aware execution, allowlists, approval gates, rate limits, and logging. Treat tools as privileged APIs.
Why this matters
Agent security incidents happen through tools, not through conversation text.
Enforce least privilege: each tool runs with minimal roles and minimal table access. Avoid agent-wide superuser identities.
Use explicit write restrictions: prohibit delete operations; restrict updates to specific fields; require approvals for state transitions.
Audit: log every tool call with who/what/why and the record ids touched. Exportable logs matter for compliance.
Workflow — do this next
- 01Create a tool security checklist per tool.
- 02Test: low-privilege user triggers agent; verify tool respects ACLs.
- 03Add circuit breakers for high tool call volume.
Real example
Write scope prevented unintended closure
Tool could set assignment group but not change state. Agent could not close incidents even if prompted. Human approval tool was required.
3.8
Building a custom tool
Step-by-step process for creating and registering a new agent tool
Key takeaway
Build tools like product APIs: define a single responsibility, write schema + validation, enforce RBAC, add logging, test failure modes, then register in Agent Studio.
Why this matters
Custom tools are how agent programs scale beyond demos — safely.
Step 1: Define the action in one sentence. Step 2: Define schema. Step 3: Implement logic (Flow/script/spoke). Step 4: Add RBAC + approvals. Step 5: Add audit logging. Step 6: Register + test harness. Step 7: Deploy versioned.
Prefer Flow subflow for write actions; script tools for validation/computation; spokes for external systems.
Never ship tools without an error-handling contract and a rollback story for write actions.
Workflow — do this next
- 01Create a 'DraftStatusUpdate' tool (draft only).
- 02Add schema: incident_id, audience, max_length.
- 03Register tool and test with 5 scenarios + 2 adversarial prompts.
Ready-to-use artifacts
Complete templates — paste directly into your AI tool or automation workflow.
Agent tool build checklist
Paste into your PR template or design review.
## Tool checklist - [ ] Single responsibility - [ ] Input schema validated (enum/length/required) - [ ] Output structured (success, ids, evidence) - [ ] RBAC enforced (least privilege) - [ ] Writes scoped (fields only) - [ ] Approval gate if risky - [ ] Audit logging enabled - [ ] Rate limits + retry caps - [ ] Failure modes tested - [ ] Versioned + rollback plan
Concept 4
Multi-agent Orchestration
Coordinator and specialist agents, task decomposition, handoffs, parallelism, conflict handling, and observability
4.1
The multi-agent architecture
Coordinator agents, specialist agents, and how they communicate
Key takeaway
Multi-agent systems split work: a coordinator interprets the goal and delegates to specialists (triage, resolution, comms) with explicit contracts and shared state.
Why this matters
One giant agent becomes brittle and unsafe. Multi-agent designs scale by separation of concerns and policy boundaries.
Coordinator: owns goal and safety policy. Specialists: own narrow domains and tools. Communication happens through structured messages and record-backed state.
Architectural benefit: each specialist can have tighter tools and stricter permissions. The comms agent shouldn’t have change execution tools.
Design rule: agents communicate via contracts (schemas), not prose. Prose causes drift and misunderstandings between agents.
Workflow — do this next
- 01Define 3 specialist agents for one workflow.
- 02Define message schema between them (inputs/outputs).
- 03Decide shared state location (tables/records).
Real example
Major incident: triage + resolve + comms
Coordinator delegates: triage agent finds likely root domain, resolution agent suggests remediation and calls diagnostics, comms agent drafts updates. Humans approve external messages. Each agent has least-privilege tools.
4.2
Task decomposition
How a coordinator breaks complex goals into delegated sub-tasks
Key takeaway
Decomposition turns vague goals (“resolve outage”) into bounded tasks with success criteria and tool constraints — enabling safe parallel work.
Why this matters
Without decomposition, agents wander, loop, or take unsafe shortcuts.
Good task specs include: objective, required evidence, allowed tools, stop conditions, and escalation criteria.
Coordinator should prefer deterministic steps first: gather facts, check known errors, validate CI topology — before proposing risky actions.
Decomposition also enables measurement: you can evaluate each sub-agent’s success rate and improve it independently.
Workflow — do this next
- 01Write a decomposition template for your domain (IT ops).
- 02Define success metrics for each subtask (e.g., correct assignment).
- 03Add fallback when tasks fail (human queue).
Real example
Outage decomposition
Coordinator created tasks: (1) identify impacted service, (2) find similar incidents, (3) run diagnostics, (4) draft comms, (5) prepare change plan. Specialists executed within tool boundaries.
4.3
Agent handoff
How context, state, and results pass between agents
Key takeaway
Handoffs should pass structured state: record ids, evidence links, intermediate conclusions, and next-step suggestions — stored on records for audit and resilience.
Why this matters
If handoffs are prose-only, you lose traceability and can’t resume after failures.
Store state in tables: what was tried, outputs, timestamps, and current phase. This enables restart and audit.
Pass only necessary context. Over-sharing increases token costs and leakage risk.
Use a standard “handoff payload” schema across agents.
Workflow — do this next
- 01Define a handoff schema: task_id, evidence, conclusion, next_actions.
- 02Store handoffs on a dedicated agent-run table.
- 03Test: interrupt run mid-way; resume from stored state.
Real example
Resume after session loss
An agent run crashed mid-outage. Because state was stored, the coordinator resumed at “diagnostics complete, comms draft pending approval” — avoiding rework.
4.4
Parallel agent execution
Running specialists simultaneously and merging results
Key takeaway
Parallelism speeds incident response: one agent searches known errors, another checks recent changes, another drafts comms — then coordinator merges and resolves conflicts.
Why this matters
This is where agentic AI becomes transformative: it compresses cycle time by doing independent work concurrently.
Only parallelise independent tasks. Avoid parallel writes to the same record without coordination — that creates race conditions.
Coordinator merges results with a strict policy: prefer grounded evidence, resolve conflicts, and ask humans when uncertain.
Rate limit parallel tool calls to avoid runaway costs and external API throttling.
Workflow — do this next
- 01Identify 3 independent tasks in your workflow suitable for parallelism.
- 02Ensure each agent is read-only or writes to separate fields.
- 03Define merge rules for conclusions and recommendations.
Real example
Parallel outage triage
One agent scanned monitoring events, another scanned change calendar, another searched KB/known errors. Coordinator produced a consolidated hypothesis within minutes, faster than human coordination.
4.5
Conflict resolution
What happens when two agents produce contradictory outputs
Key takeaway
Conflicts are inevitable. Resolve by evidence hierarchy (record facts > tool outputs > model guesses), ask clarifying questions, and escalate to humans for high-risk disagreements.
Why this matters
Unresolved conflicts cause wrong actions or paralysis. Good orchestration designs for conflict explicitly.
Evidence hierarchy: platform record fields and tool outputs outrank narrative. Require citations for claims.
If conflict is about action choice and both are plausible, prefer the safer reversible action or request human approval.
Log conflicts and resolutions — they are training data for improving instructions and tools.
Workflow — do this next
- 01Define conflict resolution policy in coordinator instructions.
- 02Create tests where specialists disagree intentionally.
- 03Verify coordinator escalates instead of guessing.
Real example
Two root cause hypotheses
Monitoring agent suspected network; change agent suspected database patch. Coordinator compared evidence and escalated to human with both hypotheses and supporting logs — avoiding a wrong automated change.
4.6
Orchestration patterns
Four common patterns and when each is appropriate
Key takeaway
Common patterns: coordinator→specialists, pipeline chain, parallel map-reduce, and human-in-the-loop supervisor. Choose based on risk and task structure.
Why this matters
Patterns prevent reinventing unsafe designs and help you communicate architecture clearly.
Coordinator→specialists Pipeline chain
Parallel map-reduce Supervisor/HITL
Rule: the higher the risk, the more you should bias toward supervisor pattern with approvals and review queues.
Workflow — do this next
- 01Pick one pattern for your POC and justify why.
- 02Define stage boundaries and approvals.
- 03Document pattern in architecture deck and runbooks.
Real example
Supervisor pattern for HR agents
HR agents used supervisor pattern: agents drafted responses, humans approved all external sends. Low risk tolerance demanded HITL-heavy orchestration.
4.7
Monitoring a multi-agent workflow
Observe, trace, and debug agent chains
Key takeaway
Multi-agent monitoring requires traceability: run id, tool call logs, decisions, approvals, and outcomes — otherwise you cannot debug or audit.
Why this matters
When multi-agent systems fail, they fail invisibly unless you instrument them.
Log structure: coordinator run id links all specialist runs; each tool call has inputs/outputs (redacted as needed), timestamp, and result code.
Build dashboards: success rate, average steps, escalation rate, and common failure reasons.
Treat this as SRE: define SLOs for agent workflows (e.g., 99% no-unsafe-write).
Workflow — do this next
- 01Create an agent run table schema (run_id, stage, tools, status).
- 02Log every tool call and approval decision.
- 03Set alerts for loops, high error rate, and high action volume.
Real example
Tracing found a broken tool contract
Observability showed a spike in failures at one tool step. Tool schema had changed. Versioning policy was updated and the issue resolved quickly.
4.8
Real use case: end-to-end IT operations automation
Multi-agent design, build, and outcome
Key takeaway
A credible IT ops agent program uses multi-agent separation: triage, resolution, comms — with approvals, evidence, and monitoring. It compresses cycle time and reduces coordination load.
Why this matters
This is the flagship demo stakeholders understand: faster incident response with transparent safety controls.
Design: coordinator plus three specialists. Triage reads + routes. Resolution runs diagnostics and proposes remediation. Comms drafts updates and status changes — approval required for external posts.
Build: tools are flows and spokes with schemas; state stored on agent-run records; monitoring dashboards track loops, errors, and approvals.
Outcome: faster comms cadence, reduced triage time, fewer duplicate incidents during outages — without granting agents unsafe autonomy.
Workflow — do this next
- 01Start with one service domain and one outage scenario.
- 02Deploy read-only + draft-only actions first.
- 03Add limited writes only after success metrics and audit checks pass.
Real example
Incident coordination time −30%
Multi-agent workflow reduced human coordination time by handling evidence gathering and draft comms in parallel. Humans focused on decisions and approvals — trust increased, and ROI was measurable.
Concept 5
Agent Memory and State
Session memory, persistent memory via records, episodic logs, knowledge retrieval, state machines, contamination risks, and PDI walkthrough
5.1
Short-term memory
What an agent retains within a session and context constraints
Key takeaway
Short-term memory is the agent’s current context window: what it can 'see' right now (messages, tool outputs, retrieved docs). It is finite and must be managed.
Why this matters
Context overflow causes the agent to forget early constraints — the fastest path to unsafe actions and inconsistent output.
Session memory is bounded. Long incident threads and large tool outputs consume budget and trigger truncation.
Design pattern: summarise early, store summary on record, and feed summary back instead of replaying full history each step.
Operational rule: never keep 'policy constraints' only in chat history; encode them in instructions and tool boundaries.
Workflow — do this next
- 01Cap tool outputs and retrieved chunks; store full details in records.
- 02Write 'session summary' field on incident or agent-run record.
- 03Force periodic state checkpoints in multi-step tasks.
Real example
Long incident thread caused constraint loss
Agent initially respected 'no external comms without approval' but later forgot after many tool outputs. Fix: encode constraint in tool layer and require approval tool for any external send.
5.2
Long-term memory
Persistent information across sessions in ServiceNow
Key takeaway
Long-term memory should be record-backed: knowledge base, agent-run tables, and curated preference/config tables — not hidden model memory.
Why this matters
Enterprises need auditability and data retention controls. Record-backed memory provides both.
Patterns: KB for policies and procedures; custom tables for agent preferences, learned mappings, and stable facts; incident/task records for operational state.
Keep memory curated. Long-term memory that grows without hygiene becomes wrong and unsafe — like an outdated KB.
Design for deletion and residency. Persistent memory must comply with HR/GDPR retention rules.
Workflow — do this next
- 01Define three memory stores: KB, agent-run log, and agent-config table.
- 02Set retention policy per store.
- 03Implement a 'facts refresh' cadence for long-term memory entries.
Real example
Stable mapping table beat prompt stuffing
Instead of pasting a 200-line routing map each run, the team stored routing mappings in a table. The agent queried the table when needed — cheaper, safer, and always current.
5.3
Episodic memory
Storing and retrieving records of past agent runs
Key takeaway
Episodic memory is the history of agent executions: what happened, which tools were called, outcomes, and human approvals — used for learning and audit.
Why this matters
When an agent makes a mistake, episodic logs are how you debug and improve safely.
Store: run id, inputs, tool calls (redacted), decisions, approvals, and final outcome. Link to the underlying incident/case.
Use episodic memory for improvements: identify repeated failures, add guardrails, refine tool schemas, and update instructions.
Do not let the agent freely “learn” from episodes by modifying policy without human review. Learning must be governed.
Workflow — do this next
- 01Create agent-run table schema with links to records.
- 02Build dashboards: success rate, loop rate, escalation reasons.
- 03Use episodes as training data for better test cases.
Real example
Episode logs solved a false closure
An incident was mistakenly marked resolved by a tool. Episode logs showed the tool schema allowed state change. Schema was tightened and approval was added for state transitions.
5.4
Knowledge as memory
KB as a retrievable memory store for agents
Key takeaway
Knowledge bases function as governed memory: curated, versioned, searchable, and policy-aligned. Agents should retrieve from KB rather than invent procedures.
Why this matters
Most agent failures are 'made up procedure' failures. KB retrieval is the fix.
Use AI Search and KB scoping to provide the agent only the relevant, approved procedures.
Prefer structured KB: prerequisites, steps, escalation. Agents can follow structured runbooks more reliably.
Treat KB lifecycle as agent safety. Retire stale procedures; otherwise agents will execute outdated actions.
Workflow — do this next
- 01Create an 'Agent Runbooks' KB category.
- 02Require each tool to reference a KB procedure id.
- 03Add 'KB citation required' rule in agent instructions for actions.
Real example
Agent refused without KB evidence
When asked to run an unfamiliar remediation, agent searched KB, found none, and escalated. This prevented improvisation and built trust with operations teams.
5.5
State management in multi-step tasks
Tracking progress through a complex workflow
Key takeaway
State should be explicit: define stages, store current stage on records, and ensure actions are idempotent. Agents must be resumable.
Why this matters
Multi-step agents fail when they forget what they already did or repeat actions under retries.
Use a stage model: triage → diagnose → propose → approve → execute → verify → close. Store stage as a field.
Idempotency: tools should be safe to retry (no duplicate tasks). Use idempotency keys and 'already done' checks.
Resumability: if the agent stops, a human or another run should resume from stored state, not restart from scratch.
Workflow — do this next
- 01Define state machine states for your POC agent.
- 02Add a state field to agent-run record.
- 03Ensure every tool checks state before acting.
Real example
No duplicate tasks under retries
Agent retried 'CreateTask' after a timeout. Idempotency key prevented duplicates. State remained consistent and audit clean.
5.6
Memory contamination
Stale state risks and reset design
Key takeaway
Stale or incorrect memory causes repeated wrong actions. You need TTLs, refresh rules, and reset/rollback mechanisms for memory stores.
Why this matters
Agents that 'remember' wrong facts become dangerous. Memory hygiene is safety hygiene.
Risks: outdated routing maps, stale incident context, wrong CI relationships. If memory isn’t refreshed, agents act on yesterday’s truth.
Design controls: TTL on memory entries, version tags, and explicit refresh steps (re-query facts before action).
Provide reset tools: clear session state, invalidate cached facts, and force re-grounding on current records.
Workflow — do this next
- 01Add TTL field to long-term memory entries.
- 02Force pre-action refresh for critical decisions.
- 03Implement 'ResetAgentState' admin action.
Real example
Stale CI mapping fixed with TTL
Agent used old CI mapping and routed incorrectly. Adding TTL and refresh-before-route fixed it. Memory became a controlled dataset, not a scrapbook.
5.7
Memory design patterns
Three architectures and when to use each
Key takeaway
Common patterns: (1) KB-first retrieval memory, (2) record-backed episodic + summaries, (3) curated fact tables. Most systems use all three with clear boundaries.
Why this matters
Picking one memory layer leads to either high cost (prompt stuffing) or high risk (unbounded memory).
KB-first Episodic logs Fact tables
Design rule: policy lives in KB, state lives on records, facts live in tables. Avoid mixing them.
Keep memory minimal. If a human wouldn’t maintain it, an agent shouldn’t either.
Workflow — do this next
- 01For your use case, classify each needed 'memory' as KB, state, or fact.
- 02Create corresponding store and retention policy.
- 03Add a memory audit checklist to quarterly governance.
Real example
Memory layering reduced token costs
Moving large repeated context into a facts table cut prompt size dramatically while increasing correctness — because the agent queried only what it needed.
5.8
Implementation walkthrough
Adding persistent memory to an agent on PDI
Key takeaway
PDI memory lab: create agent-run log table → store session summary and tool outcomes → add a small facts table (routing map) → retrieve it during runs with TTL.
Why this matters
This is where agent demos become 'real systems' — resumable, auditable, and cheaper to run.
Step 1: Create agent-run log table with run_id, stage, evidence, and outcome fields.
Step 2: Store a session summary to incident field or agent-run record after each stage.
Step 3: Create a small fact table: service→assignment mapping with TTL.
Step 4: Tool: 'GetRoutingFact' queries the table; agent uses it instead of guessing.
Step 5: Demonstrate resume: stop run mid-way; restart from stored stage.
Workflow — do this next
- 01Create 10 incidents; run triage agent with summary stored.
- 02Modify one mapping fact; show agent picks new mapping after refresh.
- 03Verify audit logs show what memory was used in decisions.
Ready-to-use artifacts
Complete templates — paste directly into your AI tool or automation workflow.
Agent-run table schema (starter)
Minimal fields for auditable memory/state.
Fields: - run_id (string) - record_id (reference) - stage (choice) - summary (string) - tool_calls (json/text) - approvals (json/text) - outcome (choice) - started_at / ended_at Rules: - Store evidence references (record ids, KB ids) - Redact secrets - TTL for cached facts
Concept 6
Human-in-the-Loop Design
Approval gates, escalation, confidence thresholds, review queues, audit trails, and autonomy progression
6.1
Why full autonomy is rarely right
Trust, risk, and compliance reasons for human checkpoints
Key takeaway
Full autonomy is appropriate only for low-risk, reversible tasks with strong monitoring. Most enterprise actions require human checkpoints to satisfy safety, compliance, and user trust.
Why this matters
This is the core agent design truth. Teams that ignore it ship the first agent incident.
Autonomy raises the cost of mistakes: wrong change, wrong comms, wrong access grant. Human checkpoints convert catastrophic errors into reviewable drafts.
Compliance requires traceability: who approved what, based on what evidence. HITL creates that chain.
Trust grows through progressive autonomy: users accept automation when it’s transparent, consistent, and reversible.
Workflow — do this next
- 01Classify actions into low/medium/high risk.
- 02Require HITL for high risk; suggest-only for medium.
- 03Prove safety with metrics before increasing autonomy.
Real example
Draft-first comms built trust
Comms agent drafted updates; humans approved sends. After 3 months with zero incidents and high adoption, autonomy expanded to internal-only posts while external remained approval-gated.
6.2
Approval gate patterns
Four ways to insert a human decision into an agent workflow
Key takeaway
Common gate patterns: (1) approve tool call, (2) approve state transition, (3) approve output content, (4) approve plan before execution.
Why this matters
Gates are architecture, not bureaucracy. The right gate location preserves speed and safety.
Tool-call approval State approval
Content approval Plan approval
Design tip: approve plans for complex tasks, approve actions for risky tasks, approve content for external comms.
Workflow — do this next
- 01Pick gate pattern per tool/action type.
- 02Encode gates in Flow tools and review queues.
- 03Test: ensure agent stops at gate and does not bypass.
Real example
Plan approval for remediation sequence
Agent proposed steps to remediate latency. Human approved plan; agent executed steps using tools with narrower approvals. Faster than approving each micro-step while still safe.
6.3
The exception escalation design
How agents recognise when they should stop and ask
Key takeaway
Agents must escalate when evidence is insufficient, policy is unclear, tools fail, or user intent is risky. Escalation is a success path, not a failure.
Why this matters
Agents that never escalate are unsafe. Agents that escalate too often are useless. Design the boundary explicitly.
Escalation triggers: missing KB, low confidence, conflicting signals, repeated tool errors, or forbidden requests.
Escalation output should include structured evidence: what was tried, what was found, and what decision is needed.
Provide escalation destinations by domain: IAM queue, change manager, HR specialist, incident commander.
Workflow — do this next
- 01Define escalation triggers and routes per agent.
- 02Implement 'AskHuman' tool that creates a review task with evidence bundle.
- 03Measure escalation rate and refine thresholds.
Real example
Escalation prevented risky access grant
User asked for elevated access. Agent lacked evidence of approval. It escalated to IAM approval queue with context instead of granting access. That is correct behavior.
6.4
Confidence thresholds
Triggering human review automatically based on confidence
Key takeaway
Use confidence bands: high-confidence actions can be automated (if low risk), medium requires review, low requires escalation or question. Confidence must be tied to risk.
Why this matters
Thresholding prevents agents from acting on weak signals and reduces manual review load on safe actions.
Combine model confidence with action risk: a high confidence on a high-risk action still needs approval.
Calibrate with evaluation data: measure precision at thresholds for routing, dedup, and recommendations.
Log confidence and threshold decisions for audit and tuning.
Workflow — do this next
- 01Define thresholds per action type (tagging vs closing incident).
- 02Validate thresholds on historical test set.
- 03Deploy thresholds with monitoring and review feedback.
Real example
Auto-route vs human-close
Agent auto-routed incidents above threshold but always required human approval to close. This balanced speed and safety.
6.5
The review queue
Designing the human interface for reviewing and approving actions
Key takeaway
Review queues must be fast: clear proposed action, evidence, risk, and one-click approve/reject with reason tags — otherwise humans become bottlenecks and bypass happens.
Why this matters
HITL succeeds only if the human experience is excellent. Poor review UX kills adoption.
Show: proposed tool call, affected records, evidence links, confidence, and rollback plan. Hide noise.
Collect structured reasons for reject/override — these become training data for improving tools and instructions.
SLA: review queue needs an SLA. If approvals take days, agents are useless for real operations.
Workflow — do this next
- 01Define review queue UI fields and one-click actions.
- 02Set SLA for approvals by risk tier.
- 03Monitor approval throughput and backlog.
Real example
Approval SLA made agents viable
A comms agent required approval. With a 15-minute SLA and one-click approve, comms improved. Without SLA, approvals lagged and users reverted to manual comms.
6.6
Audit trail design
What to log, how to log it, auditor-ready evidence
Key takeaway
Audit trails for agents must record: who triggered the run, what tools were called, what approvals occurred, what data was accessed, and what changes were made — exportable for auditors.
Why this matters
Agents will be audited. If you can’t prove control, you can’t scale autonomy.
Log structure: run id, timestamps, tool calls, parameters (redacted), outputs, approval decisions, and final outcome. Link to records.
Retention and privacy: store minimal necessary content; redact secrets; align with GDPR/HR retention policies.
Make it exportable: auditors want CSV/PDF snapshots. Design for evidence extraction early.
Workflow — do this next
- 01Create audit evidence checklist for agent runs.
- 02Implement logging in tool layer and coordinator.
- 03Run a mock audit on 20 agent actions before production expansion.
Real example
Audit passed due to structured logs
Auditor asked: who approved external status posts? Logs showed approval events and evidence links per post. Control passed cleanly.
6.7
Communicating agent actions to users
Transparency that builds trust
Key takeaway
Agents must be transparent: what they did, why, and what evidence was used. Users trust systems that explain and allow correction.
Why this matters
Opacity creates fear. Transparency creates adoption and better feedback loops.
Provide action summaries on the record: ‘Agent routed to Network because CI=VPN-GW and similar incidents show pattern.’
Allow override and feedback. Users need the ability to correct and improve the system.
Avoid anthropomorphism. Treat the agent as a system making recommendations under policy.
Workflow — do this next
- 01Add an 'Agent Actions' related list to records.
- 02Include explanation and evidence links.
- 03Capture user feedback tags for tuning.
Real example
Transparent routing increased trust
Agents initially ignored recommendations. Adding short explanations and evidence links increased adoption because humans understood the reasoning and could verify quickly.
6.8
The autonomy progression
Start conservative and expand as trust is established
Key takeaway
Autonomy progression is a roadmap: read-only → draft-only → approval-gated writes → limited autonomous writes → broader autonomy. Each step requires metrics and safety proof.
Why this matters
This is how you scale agentic AI without getting burned.
Each progression step requires: monitoring, low error rate, clear rollback, and a trained human review cohort.
Use measurable gates: precision, override rate, incident rate, audit findings. No metrics, no autonomy expansion.
Document progression in governance policy and communicate to stakeholders to set expectations.
Workflow — do this next
- 01Define progression levels for your org and domains (IT/HR/CSM).
- 02Set exit criteria metrics for each level.
- 03Review quarterly and expand autonomy only if criteria met.
Real example
Autonomy expanded safely
After 12 weeks, triage agent achieved high precision and low overrides. Autonomy expanded to auto-tag and auto-route, but not auto-close. Trust increased steadily with no major incidents.
Concept 7
Real-world Agent POC Blueprint
Choosing the first agent, PDI setup, triage + resolution + comms agents, orchestration, demo script, and proposal pack
7.1
Choosing the right first agent
Criteria for a use case that produces a convincing demo
Key takeaway
Your first agent should be high-volume, bounded, reversible, and measurable — with clear tool access and obvious human checkpoints.
Why this matters
First impressions define the program. A risky or vague first agent becomes the story people repeat about why agents are unsafe.
Best first agents: triage (route/tag), comms drafting, duplicate linking, and runbook-guided diagnostics. Avoid payroll, access grants, and production changes.
Success requires: a baseline metric, a review workflow, and a kill switch. Demos without governance don’t survive security review.
Pick a use case where the human today spends time on coordination and searching — agents excel there.
Workflow — do this next
- 01Score candidate use cases on: volume, risk, reversibility, measurability.
- 02Choose one with clear stop conditions and approval gates.
- 03Define baseline: minutes per record and error rate.
Real example
Triage agent as the perfect first win
Triage is bounded and measurable. Even if wrong, humans can override. The value is immediate: less queue time and fewer misroutes.
7.2
The PDI environment setup
Configuration steps before you start building
Key takeaway
A credible PDI agent demo needs: sample incidents, KB runbooks, PI model (optional), Flow tools, roles, and logging tables — set up before the agent.
Why this matters
Most POCs fail because the environment has no realistic data and no instrumented measurement.
Prepare: 20–50 synthetic incidents across categories; a small KB set of runbooks; basic Flow subflows as tools; and an agent-run log table.
Define roles: pilot users, reviewers, admins. Do not test everything as admin.
Enable observability: log every tool call and decision. POC without logs cannot be trusted.
Workflow — do this next
- 01Create incidents and KB runbooks.
- 02Create Flow tools: route, create task, draft comms.
- 03Create review queue for approvals.
Real example
POC passed security because roles were realistic
Testing with real pilot roles exposed ACL issues early. Security approved because the demo matched production constraints, not admin magic.
7.3
Building a triage agent
Reads new incidents, assesses them, and routes automatically
Key takeaway
Triage agent: observe new incident → classify category/assignment (PI + heuristics) → tag and route with confidence bands → escalate ambiguous cases.
Why this matters
This is the highest-ROI and safest first agent in ITSM.
Tools: read incident, search KB, get PI routing suggestion, update assignment group (scoped), create triage task for low confidence.
Policies: never close incident; never change priority without approval; always log reasons and evidence.
Metrics: time-to-assign, override rate, and misroute cost.
Workflow — do this next
- 01Implement confidence bands: auto/suggest/triage.
- 02Add escalation on missing evidence.
- 03Run 20 incidents; calculate override rate.
Real example
Override rate as tuning lever
High override in one category signaled taxonomy confusion. Fixing labels improved PI and reduced triage overrides without changing the agent logic.
7.4
Building a resolution agent
Attempts to resolve known issue types with limited autonomy
Key takeaway
Resolution agent should be runbook-driven: retrieve known procedure → execute safe diagnostic steps → propose remediation → require approval for risky writes.
Why this matters
Resolution is where autonomy can create real value — and real risk. Runbook grounding is mandatory.
Start with one known issue type (e.g., VPN profile reset) and one diagnostic tool. Expand slowly.
Tools must be reversible. If not reversible, require approval and rollback plan.
Measure: time-to-resolution and false fixes (reopen rate).
Workflow — do this next
- 01Create KB runbook and tool set for one issue type.
- 02Implement draft remediation plan output.
- 03Require approval for remediation execution tool.
Real example
Known issue resolution with approvals
Agent identified known VPN issue, drafted steps, asked for approval to run remediation tool. Human approved; fix succeeded. No risky autonomy, real value.
7.5
Building a communication agent
Drafts and sends stakeholder updates throughout an incident
Key takeaway
Comms agent drafts status updates, timelines, and stakeholder messages — with approval gates for external sends and consistent templates for credibility.
Why this matters
Comms is coordination-heavy and perfect for agent parallelism — and it’s safer when draft-only.
Inputs: incident timeline, impacted services, known status, next update time. Outputs: update draft with tone and audience parameter.
Governance: external sends require approval; internal updates may become semi-autonomous later.
Measure: cadence, quality feedback, and coordinator time saved.
Workflow — do this next
- 01Create 2 templates: internal ops update and external customer update.
- 02Build draft-only tools to Slack/Email/StatusPage.
- 03Add approval gate and audit logs for every send.
Real example
Cadence improved without risk
Comms agent maintained 30-minute update cadence with drafts; humans approved and posted. Stakeholders trusted updates because they were consistent and evidence-linked.
7.6
Connecting the three agents
Orchestration that chains triage, resolution, and communication
Key takeaway
Coordinator orchestrates: triage routes → resolution attempts runbook actions → comms drafts updates — with shared state and approval checkpoints.
Why this matters
This is the demo that makes agentic AI tangible: a workflow that moves across roles and systems safely.
State: single incident sys_id + agent-run records. Handoffs include evidence and current stage.
Parallelism: resolution gathers evidence while comms drafts update. Coordinator merges results and posts on approval.
Stop conditions: if confidence low or tool failures occur, escalate to human and halt automation.
Workflow — do this next
- 01Implement coordinator with three stages and handoff schema.
- 02Ensure comms tool is draft-only.
- 03Run end-to-end scenario with approvals and logs.
Real example
End-to-end POC felt 'real'
Stakeholders watched triage and comms happen in parallel while resolution gathered evidence. The system behaved safely and transparently — the demo turned into budget approval.
7.7
Running and demonstrating the POC
Scenario, demo script, and metrics to highlight
Key takeaway
A winning demo shows: governance, evidence, and measurable time saved — not just 'cool AI'. Show approvals, logs, and rollback readiness.
Why this matters
Executives and security approve programs that look production-shaped.
Demo narrative: baseline pain → agent workflow → approvals → audit log → KPI improvement. Keep it under 12 minutes.
Metrics: time-to-assign, time-to-first-update, coordinator minutes saved, override rate, false action rate.
Show failure mode: induce tool failure and show safe escalation. This builds trust more than a perfect run.
Workflow — do this next
- 01Prepare scripted incident scenarios.
- 02Prepare dashboards and log views.
- 03Rehearse safe-failure scenario.
Ready-to-use artifacts
Complete templates — paste directly into your AI tool or automation workflow.
Agent POC demo script (10–12 min)
Use in steering committee demo.
1) Baseline pain (1 min): triage delays + comms load 2) Show triage agent (3 min): route + confidence band + override 3) Show resolution agent (3 min): runbook retrieval + approval gate 4) Show comms agent (2 min): draft update + approval + audit log 5) Show safe failure (1 min): tool failure → escalation 6) Close (1–2 min): metrics + next phase plan
7.8
Turning the POC into a proposal
Architecture doc, business case, and implementation plan
Key takeaway
Translate POC into a proposal pack: target workflow, tool inventory, governance policy, rollout phases, and KPI model. The proposal is what gets funded.
Why this matters
Most POCs die because they don’t become a plan. This section converts demo into roadmap.
Proposal sections: problem, scope, architecture, autonomy policy, security review, integration plan, monitoring plan, and KPI targets.
Include autonomy progression and kill switch readiness. Security wants to see stop controls.
Roadmap: Phase 1 read-only, Phase 2 approval-gated writes, Phase 3 limited autonomy. Tie each to measurable success criteria.
Workflow — do this next
- 01Write 2-page architecture with diagrams and tool list.
- 02Write ROI model with conservative assumptions.
- 03Define 12-week implementation plan with milestones and gates.
Real example
POC became funded program
Because the proposal included governance, monitoring, and phased autonomy, security and finance aligned. The POC turned into a 6-month implementation roadmap with clear gates.
Concept 8
Agentic AI Safety and Guardrails
Failure modes, scope limits, allowlists, rollback, circuit breakers, kill switches, security testing, and governance policy
8.1
Failure modes of autonomous agents
Real risks and what early deployments taught the market
Key takeaway
Agent failure modes cluster into: wrong actions, runaway loops, data leakage, tool misuse, and over-trust by humans. Design guardrails for each explicitly.
Why this matters
Safety is not a checklist item; it’s the difference between scaling agents and banning them after one incident.
Common failures: acting on incomplete evidence, misinterpreting intent, calling the wrong tool, repeating actions on retries, and leaking restricted data in drafts.
Human failure mode: copy-paste trust. People accept outputs without review under time pressure — design approvals and UI to prevent that.
Mitigation strategy: scope + allowlists + approvals + observability + rollback + kill switch.
Workflow — do this next
- 01List top 10 catastrophic outcomes in your domain.
- 02Map each to a guardrail control.
- 03Test each failure mode before production rollout.
Real example
Runaway loop avoided with circuit breaker
Agent retried a failing external API call repeatedly. Circuit breaker stopped after N attempts and escalated. Without it, the agent would have burned budget and created noise.
8.2
Scope limitation
Designing agents with the minimum footprint necessary
Key takeaway
Minimise scope across: data (tables/fields), tools (actions), time (run windows), and domain (services). Small scope makes safety and evaluation feasible.
Why this matters
Broad agents are untestable. Untestable agents are unsafe.
Start with one business service or one category. Expand only after measurable success and audit readiness.
Minimise data exposure: exclude restricted fields and domains. If the agent doesn’t need it, it shouldn’t see it.
Minimise tool surface: fewer tools means fewer ways to do the wrong thing.
Workflow — do this next
- 01Define agent scope statement: allowed tables, categories, services.
- 02Implement field exclusion rules and ACL tests.
- 03Pilot with one team and measure outcomes.
Real example
One-service pilot succeeded
Agent launched on one critical service only. Safety and monitoring were manageable. After 8 weeks, scope expanded to two more services with confidence.
8.3
Action whitelisting
Restricting agents to a pre-approved set of tools and records
Key takeaway
Allowlists are the strongest guardrail: the agent can only call what you register and permit. Everything else is impossible by design.
Why this matters
If you only rely on prompting, you will eventually be prompt-injected. Tool allowlists survive prompt injection.
Allowlist by tool and by action within tool. For REST tools, allowlist endpoints. For record writes, allowlist fields.
Tie allowlists to roles and environment: dev agents may have broader tools; prod agents are restricted.
Review allowlists quarterly in governance council.
Workflow — do this next
- 01Create an agent tool catalog with owners and risk tier.
- 02Enable only low-risk tools in v1.
- 03Add a change control process for adding tools.
Real example
Whitelisting prevented “delete records” incident
Even when prompted to delete incidents, the agent could not: no delete tool existed. The system remained safe under adversarial input.
8.4
Rollback design
Undoing agent actions when outcomes are unintended
Key takeaway
Every autonomous write needs a rollback plan: reversible tools, audit snapshots, and compensating actions. If you can’t roll back, you shouldn’t automate.
Why this matters
Rollback is what turns mistakes into recoverable incidents rather than disasters.
Reversible patterns: draft-only writes, creating tasks instead of modifying records, using staged fields rather than final fields, and approvals before commit.
For writes, store pre-change snapshots (or deltas) with run id so rollback is deterministic.
Define compensating actions: if agent created wrong task, auto-close and reassign with apology note — under policy.
Workflow — do this next
- 01For each write tool, document rollback method.
- 02Test rollback in PDI and staging.
- 03Require rollback evidence before autonomy expansion.
Real example
Rollback fixed misroute in seconds
Agent misassigned a ticket. Because it wrote a staged assignment field and logged previous value, rollback restored the original assignment instantly and recorded the correction.
8.5
Rate limiting and circuit breakers
Preventing runaway loops that consume resources or cause harm
Key takeaway
Circuit breakers cap tool calls, retries, and runtime per run. Rate limits protect external APIs and prevent cost explosions during outages.
Why this matters
Runaway loops are one of the most common operational risks in agentic systems.
Controls: max tool calls per run, max retries per tool, max runtime, and backoff policies.
Add “storm mode”: during major incidents, cap actions and switch to draft-only to prevent the agent from amplifying chaos.
Alert when breakers trigger. Frequent triggers indicate missing tools, poor instructions, or downstream outages.
Workflow — do this next
- 01Set limits: max calls/run, max retries, timeout per tool.
- 02Implement breaker actions: stop + escalate + notify admin.
- 03Simulate outage and verify breakers trigger cleanly.
Real example
Breaker protected budget
During monitoring outage, agent would have called similarity tool on thousands of incidents. Rate limits and storm-mode prevented a cost blowout.
8.6
The kill switch
Administrative capability to halt all running agents immediately
Key takeaway
Every agent program needs a kill switch: one action that stops new runs, cancels in-flight runs, and forces degraded mode — with audit logs.
Why this matters
When something goes wrong, speed matters. Kill switches prevent small issues becoming crises.
Kill switch should stop: agent triggers, tool calls, and autonomous writes. It should still allow humans to work manually.
Include a ‘resume’ procedure: what conditions must be met to re-enable agents after incident.
Practice kill switch in tabletop exercises. A kill switch nobody has used is not real.
Workflow — do this next
- 01Define kill switch owner and on-call rotation.
- 02Run quarterly tabletop: trigger kill switch, validate stoppage, restore safely.
- 03Log all kill switch uses and postmortems.
Real example
Kill switch contained wrong drafts
Agent began drafting incorrect policy responses due to stale KB. Kill switch halted drafts globally; KB was fixed; agents restored after UAT. No external impact.
8.7
Security testing for agents
Adversarial scenarios to test before production
Key takeaway
Test prompt injection, data exfiltration attempts, boundary-crossing requests, tool misuse, and social engineering. Validate that allowlists and RBAC hold under attack-like prompts.
Why this matters
Agents are new attack surfaces. Security must test them like any privileged integration.
Adversarial prompts: “ignore policy”, “export all HR cases”, “call this URL”, “grant me admin”. Agents should refuse and/or escalate.
Tool misuse tests: attempt to pass unexpected parameters, huge payloads, and endpoint overrides.
Outcome tests: verify no restricted fields leak in drafts; verify logs redact secrets; verify kill switch stops actions.
Workflow — do this next
- 01Build an agent red-team checklist and run monthly in pilot.
- 02Record failures as defects; fix tools and policies, not just prompts.
- 03Repeat after every major tool or instruction change.
Real example
Prompt injection failed due to tool allowlist
Injection prompt tried to make the agent call an external webhook. REST tool disallowed unknown hostnames. Attack failed even though the model 'wanted to comply'.
8.8
The agent governance policy
Who can build, deploy, monitor — and the organisational controls needed
Key takeaway
Governance defines: roles, approval requirements, tool catalog control, monitoring, incident response, and review cadence — plus autonomy progression rules.
Why this matters
Without governance, agents become shadow automation. With governance, they become a sustainable platform capability.
Define roles: agent builder, tool owner, approver, auditor, on-call admin. Assign RACI per agent.
Define lifecycle: dev/test/prod promotion, versioning, A/B tests, and rollback. Tools and agents are releases.
Define safety controls: allowlists, kill switch, circuit breakers, and red-team schedule.
Workflow — do this next
- 01Publish agent policy outline and get CISO/CIO approval.
- 02Stand up an Agent Governance Council (monthly).
- 03Maintain tool catalog + agent registry as single source of truth.
Ready-to-use artifacts
Complete templates — paste directly into your AI tool or automation workflow.
Agent governance policy outline
Paste into your GRC system.
# Agent Governance Policy ## 1. Purpose & scope ## 2. Approved agent use cases ## 3. Prohibited actions (never autonomous) ## 4. Tool catalog governance (allowlists) ## 5. RBAC and data boundaries ## 6. Human approval rules ## 7. Logging, retention, and audit ## 8. Circuit breakers + kill switch ## 9. Security testing and red-team ## 10. Incident response for agents ## 11. Versioning and release management ## 12. Autonomy progression gates Appendix: agent registry + tool registry
Ready-to-use artifacts
Complete templates — paste directly into your AI tool or automation workflow.
Agent registry (starter)
One row per agent — ownership and safety visible.
| Agent | Purpose | Tools | Autonomy | Owner | Approval required | |------|---------|-------|----------|-------|-------------------| | triage_agent | route + tag | read, route, create_task | partial | ITSM lead | no for tag; yes for risky | | resolution_agent | propose remediation | kb_retrieve, diagnostics, draft_plan | draft-only | ops lead | yes for execute | | comms_agent | draft updates | draft_slack, draft_email | draft-only | incident mgr | yes external |
Agent safety pack (minimum for production)
Checklist to attach to security review.
## Minimum safety pack - Tool allowlist + RBAC proof - Approval gate design - Audit log schema + retention - Circuit breaker limits - Kill switch procedure - Rollback plan for every write tool - Red-team test results - Incident response runbook
PDI first agent test pack
Minimum scenarios before pilot activation.
| # | Scenario | Expected | |---|----------|----------| | 1 | VPN cannot connect | Assign Network | | 2 | MFA reset | Assign Identity | | 3 | Email not syncing | Assign Messaging | | 4 | Ambiguous “help” | Ask clarifying Q or route to triage | | 5 | User asks for admin access | Refuse + escalate | | 6 | Tool failure | Escalate, no writes | Track: actions taken, approvals requested, logs written.
Agent tool build checklist
Paste into your PR template or design review.
## Tool checklist - [ ] Single responsibility - [ ] Input schema validated (enum/length/required) - [ ] Output structured (success, ids, evidence) - [ ] RBAC enforced (least privilege) - [ ] Writes scoped (fields only) - [ ] Approval gate if risky - [ ] Audit logging enabled - [ ] Rate limits + retry caps - [ ] Failure modes tested - [ ] Versioned + rollback plan
Agent-run table schema (starter)
Minimal fields for auditable memory/state.
Fields: - run_id (string) - record_id (reference) - stage (choice) - summary (string) - tool_calls (json/text) - approvals (json/text) - outcome (choice) - started_at / ended_at Rules: - Store evidence references (record ids, KB ids) - Redact secrets - TTL for cached facts
Agent POC demo script (10–12 min)
Use in steering committee demo.
1) Baseline pain (1 min): triage delays + comms load 2) Show triage agent (3 min): route + confidence band + override 3) Show resolution agent (3 min): runbook retrieval + approval gate 4) Show comms agent (2 min): draft update + approval + audit log 5) Show safe failure (1 min): tool failure → escalation 6) Close (1–2 min): metrics + next phase plan
Agent governance policy outline
Paste into your GRC system.
# Agent Governance Policy ## 1. Purpose & scope ## 2. Approved agent use cases ## 3. Prohibited actions (never autonomous) ## 4. Tool catalog governance (allowlists) ## 5. RBAC and data boundaries ## 6. Human approval rules ## 7. Logging, retention, and audit ## 8. Circuit breakers + kill switch ## 9. Security testing and red-team ## 10. Incident response for agents ## 11. Versioning and release management ## 12. Autonomy progression gates Appendix: agent registry + tool registry
IT operations multi-agent POC — from demo to proposal
An enterprise wanted 'fully autonomous IT' from vendor hype. Security was skeptical. The platform team built a multi-agent POC that was conservative, measurable, and auditable — and it earned trust.
Before
Manual triage, inconsistent comms cadence, and high coordinator load during P1 incidents. Prior chatbot pilots failed because they didn’t act or log decisions.
After
Triage agent routed and tagged incidents with confidence bands. Resolution agent proposed runbook steps and required approval for execution. Comms agent drafted updates with approval gates. Coordinator orchestrated in parallel. Tool allowlists, breakers, and kill switch were demonstrated in tabletop exercise.
- Triage time reduced with low override rates
- Coordinator time reduced through parallel evidence gathering and draft comms
- Zero unsafe autonomous writes (approval gates enforced)
- Security approved expansion due to safety pack completeness
What goes wrong
Giving agents generic write tools
Replace with narrow, schema’d Flow tools and allowlists. No direct table writes in v1.
No audit logs and no kill switch
Instrument run logs, add circuit breakers, and define kill switch owner before pilot.
Trying to start with fully autonomous resolution
Start with triage + comms (safe) then add approval-gated execution later.
Relying on prompts instead of policy
Encode boundaries in tools and approvals; prompts are guidance, not security controls.
Vetted by Krishna KumarCurator, FactorBeam
Discussion
Discussion coming soon
Shared comments for this playbook are not live yet. When they are, you'll be able to ask questions, share what worked, and see replies from other readers.