{"slug": "common-issues-with-llms-ai-agents-and-how-to-fix-them", "title": "⚠️ Common Issues 🪲 with LLMs & AI Agents 🤖 — and How to Fix Them 🛠️", "summary": "A developer published a field guide cataloging common failure modes in LLM and agent systems, drawing on research from Anthropic, Meta AI, and others. The guide organizes issues into model-level, agent-level, and system-level categories, attributing most problems to three root causes: probabilistic prediction, finite attention, and inability to distinguish trusted from untrusted tokens. It emphasizes that 2026 gains come from context engineering and harness design rather than model improvements alone.", "body_md": "A practical, no-fluff field guide to the failure modes that actually bite teams shipping LLM and agent systems in 2025–2026 — and the concrete techniques that address each one.\n\nEvery section follows the same shape:\n\nWhat goes wrong → Why it happens → How to fix it → A quick checklist.Skim the fixes, bookmark the checklists.\n\nGrounded in recent work from [Anthropic — Effective context engineering for AI agents](https://www.anthropic.com/engineering/effective-context-engineering-for-ai-agents) & [Building effective agents](https://www.anthropic.com/engineering/building-effective-agents), [Cognition/Devin — Don't Build Multi-Agents](https://cognition.com/blog/dont-build-multi-agents), [Meta AI — Agents Rule of Two](https://ai.meta.com/blog/practical-ai-agent-security/), [Simon Willison — The Lethal Trifecta](https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/) & [prompt-injection research](https://simonwillison.net/2025/Nov/2/new-prompt-injection-papers/), [Chroma — Context Rot](https://research.trychroma.com/context-rot), and [Nasr, Carlini, et al. — The Attacker Moves Second](https://arxiv.org/abs/2510.09023) — plus the hard-won operational lessons everyone rediscovers the hard way.\n\nCompanion reads: [🏗️ Building High-Quality AI Agents — A Comprehensive, Actionable Field Guide 📚](https://dev.to/truongpx396/building-high-quality-ai-agents-a-comprehensive-actionable-field-guide-5m1) (the *how to build* counterpart to this guide's *what breaks*), [🤖 SWE-agent — Deep Dive & Build-Your-Own Guide 📘](https://dev.to/truongpx396/swe-agent-deep-dive-build-your-own-guide-ade) (ACI design and tool ergonomics that prevent §10 tool-misuse failures), [🙌 OpenHands — Deep Dive & Build-Your-Own Guide 📚](https://dev.to/truongpx396/openhands-deep-dive-build-your-own-guide-1al0) (the event-sourced kernel and autonomy model behind §8 and §13), [🦊 GoClaw Deep Dive 🤖 — A Builder's Guide to a Multi-Tenant AI Agent Platform 📘](https://dev.to/truongpx396/goclaw-deep-dive-a-builders-guide-to-a-multi-tenant-ai-agent-platform-5d6c) (multi-tenant security and provider resilience for §14–15 and §19), [🔮 Hermes Agent — Deep Dive & Build-Your-Own Guide 📘](https://dev.to/truongpx396/hermes-agent-deep-dive-build-your-own-guide-1pcc) (cache-stable prompts, progressive-disclosure memory, and the self-improving loop that addresses §4 and §8), and [🏗️ Building Production-Grade Fullstack Products with AI Coding Agents 🤖 — A Practical Playbook 📘](https://dev.to/truongpx396/building-production-grade-fullstack-products-with-ai-coding-agents-a-practical-playbook-2idd) (end-to-end deployment discipline — evals, PR gates, monitoring — that closes §16 and §17).\n\n**🧠 Part A — Model-level issues (the LLM itself)**\n\n**⚙️ Part B — Agent-level issues (LLM + tools in a loop)**\n\n**🏭 Part C — System-level issues (production reality)**\n\nAlmost every problem below comes from one of **three root causes**. Keep them in mind and the fixes stop feeling like a grab-bag of tricks:\n\n```\nflowchart TD\n    A[Root cause 1<br/>The model is a<br/>probabilistic text predictor] --> H[Hallucination, inconsistency,<br/>math errors, sycophancy]\n    B[Root cause 2<br/>Attention is a finite,<br/>degrading resource] --> C[Context rot, compounding errors,<br/>cost/latency blowups]\n    D[Root cause 3<br/>The model cannot tell<br/>trusted from untrusted tokens] --> E[Prompt injection, data<br/>exfiltration, jailbreaks]\n```\n\n🔑\n\nThe single most important 2026 insight:the gains are no longer mostly in the model — they're incontext engineering(curating the smallest set of high-signal tokens) andharness design(the loop, tools, guardrails, and evals around the model).\n\n**What goes wrong:** The model invents facts, citations, API methods, file paths, or function signatures — and states them with total confidence. This is the #1 trust-killer.\n\n**Why it happens:** An LLM is trained to produce *plausible* continuations, not *true* ones. When it lacks the fact, \"make something plausible up\" and \"say the true thing\" look identical from the inside. It has no built-in \"I don't actually know\" signal.\n\n**How to fix it:**\n\n| Technique | What it does |\n|---|---|\nGround with retrieval (RAG) |\nPut the real source text in context and instruct \"answer only from the provided documents; if it's not there, say so.\" Removes the need to fabricate. |\nCite-or-abstain |\nRequire an inline citation (doc ID, URL, line number) for every claim. No citation → don't say it. Makes fabrication auditable. |\nVerify against ground truth |\nFor code: run it, compile it, run tests. For data: query the DB. Let the environment be the fact-checker, not the model. |\nConstrain the output |\nStructured outputs / JSON schema / enums stop the model from inventing free-form values. |\nLower the temperature for factual tasks; raise it only for creative ones. |\n|\nAsk for confidence + let it say \"I don't know\" |\nExplicitly permit and reward abstention in the prompt. Models will over-answer if the prompt implies an answer is mandatory. |\nSecond-model check |\nAn independent \"critic\" pass (\"does every claim here appear in the sources?\") catches a large fraction of fabrications. |\n\n⚠️\n\nDo notrely on the model to \"double-check itself\" in thesameturn — it will often confidently re-confirm its own mistake. Verification must come from an external source (tools, sources, a fresh call).\n\n✅ **Checklist:** grounded in real sources · citations required · output constrained · environment verifies · abstention allowed.\n\n**What goes wrong:** The model confidently uses a deprecated API, an old library version, last year's pricing, or a framework that has since changed. It doesn't know today's date or your codebase.\n\n**Why it happens:** Its parametric knowledge is frozen at the training cutoff. Anything after that — or anything private — simply isn't in there.\n\n**How to fix it:**\n\n✅ **Checklist:** current date injected · versions pinned · retrieval/tools available for anything time-sensitive.\n\n**What goes wrong:** The same input produces different outputs. A prompt that worked yesterday fails today. Tests are flaky.\n\n**Why it happens:** Sampling is probabilistic. Even at temperature 0 you can see variation from batching, hardware, and provider-side changes.\n\n**How to fix it:**\n\n✅ **Checklist:** temp/seed pinned · outputs schema-validated · evals run N× · actions idempotent.\n\n**What goes wrong:** You give the model a huge context (\"it has a 1M window, just put everything in!\") and quality silently drops — it forgets the middle, misses the instruction, or loses the thread.\n\n**Why it happens:** This is [ context rot](https://research.trychroma.com/context-rot): as token count grows, recall and reasoning precision decline. Transformer attention is n² pairwise, and models saw far more short sequences than long ones in training. Attention is a finite budget —\n\n**How to fix it — treat context as a scarce resource, not free storage:**\n\n| Technique | When to use |\n|---|---|\nCurate, don't dump |\nFind the smallest set of high-signal tokens. More is not better. Remove redundant tool output, boilerplate, and dead ends. |\nCompaction |\nNearing the window limit? Summarize the conversation so far into a compact brief (preserve decisions, open bugs, key files) and continue in a fresh window. |\nTool-result clearing |\nOnce a tool result deep in history has served its purpose, strip the raw payload — keep the conclusion. |\nStructured note-taking |\nHave the agent write progress/decisions to an external `NOTES.md` (or memory tool) and re-read on demand. Persistent memory outside the window. |\nSub-agents for exploration |\nSpin off a clean-context sub-agent to do a big search, and return only a 1–2k-token distilled summary to the main agent. |\nJust-in-time retrieval |\nKeep references, load content only when needed. |\n\n✅ **Checklist:** context kept tight · compaction wired up for long tasks · notes persisted externally · raw tool dumps pruned.\n\n**What goes wrong:** Tiny wording changes swing behavior. Your prompt is a 600-line pile of \"ALWAYS do X\", \"NEVER do Y\", edge-case after edge-case — and it's still fragile.\n\n**Why it happens:** Two failure modes at opposite extremes: **over-specified** brittle if-else prompts that break on anything unforeseen, and **under-specified** vague prompts that assume shared context the model doesn't have.\n\n**How to fix it — aim for the \"right altitude\":**\n\n`<background>`\n\n, `<instructions>`\n\n, `## Tools`\n\n, `## Output`\n\n) with headings or XML tags.✅ **Checklist:** sectioned prompt · few canonical examples · minimal-then-grow · prompt changes gated by evals.\n\n**What goes wrong:** Arithmetic errors, miscounting items, botched date math, wrong sorting, incorrect aggregations — often stated confidently.\n\n**Why it happens:** Token prediction is not calculation. The model approximates rather than computes.\n\n**How to fix it:**\n\n✅ **Checklist:** compute via tools · room to reason · decomposed steps · results verified in code.\n\n**What goes wrong:** The model produces biased/inappropriate content, gets jailbroken into unsafe output, or — subtly — just tells you what you want to hear (**sycophancy**), agreeing with wrong premises and praising bad ideas.\n\n**Why it happens:** It reflects patterns in training data and is optimized to be agreeable/helpful, which can override correctness. Alignment reduces but doesn't eliminate this.\n\n🧠\n\nJailbreak ≠ prompt injection.Ajailbreakis theusertricking the model into breaking its own safety rules (\"pretend you have no restrictions…\").Prompt injection(§14) is athird partyhijacking the model via untrusted content it reads. Different threat, different fix — don't conflate them.\n\n**How to fix it:**\n\n✅ **Checklist:** separate moderation pass · anti-sycophancy instructions · independent critic · human review on high stakes.\n\n**What goes wrong:** A multi-step agent starts fine, then drifts. A small early misread snowballs; by step 20 it's confidently building the wrong thing. Long-running agents \"fall apart quickly\" if unmanaged.\n\n**Why it happens:** Each step conditions on the previous ones. Errors don't cancel — they *accumulate*. With no correction mechanism, the trajectory diverges from intent.\n\n**How to fix it:**\n\n✅ **Checklist:** environment feedback each step · objective gates · intent kept in context · iteration cap · explicit plan.\n\n**What goes wrong:** The agent repeats the same failing action, oscillates between two states, \"successfully\" does nothing, or declares victory without finishing.\n\n**Why it happens:** No memory that \"I already tried this,\" no stuck-detection, and reward signals that make *stopping* look as good as *succeeding*.\n\n**How to fix it:**\n\n✅ **Checklist:** repeat-action detection · step/cost caps · progress log · verified done-criteria · retry-with-backoff.\n\n**What goes wrong:** The agent picks the wrong tool, passes malformed arguments, or freezes because there are 40 overlapping tools and it can't decide.\n\n**Why it happens:** Tools are the agent's contract with the world. Ambiguous, overlapping, or poorly documented tools produce ambiguous behavior. **If a human engineer can't say which tool to use, the agent can't either.**\n\n**How to fix it — invest in the Agent-Computer Interface (ACI) as much as the UI:**\n\n✅ **Checklist:** few non-overlapping tools · great descriptions + examples · foolproof params · lean outputs · usage tested.\n\n**What goes wrong:** You split a task across parallel sub-agents; they make **conflicting assumptions**, produce mismatched pieces, and the final \"combiner\" agent inherits a mess. (Classic example: \"build Flappy Bird\" → one sub-agent builds a Mario-style background, another builds a mismatched bird.)\n\n**Why it happens — two principles Cognition's \"Don't Build Multi-Agents\" 🤖 says most naive multi-agent setups violate:**\n\n**How to fix it:**\n\n💡 Rule of thumb: reach for multi-agent\n\nonlyfor parallelexplorationwith clear success criteria (e.g., research fan-out), never for splitting a single coherent artifact across agents that can't see each other.\n\n✅ **Checklist:** single-thread by default · full-trace context sharing · sub-agents = isolated read-only exploration · one decision authority.\n\n**What goes wrong:** Long conversations overflow the window (or approach it and rot). Bills spike. P95 latency makes the product feel sluggish because every turn re-sends a huge history.\n\n**Why it happens:** Naive agents accumulate every message, tool call, and raw result forever. Cost and latency scale with tokens processed per turn.\n\n**How to fix it:**\n\n✅ **Checklist:** caching on stable prefix · model routing by difficulty · streaming + parallel tools · token/cost budgets · context pruned.\n\n**What goes wrong:** The agent is trusted to run end-to-end and does something irreversible — deletes data, force-pushes, emails a customer, moves money — with no human in the loop.\n\n**Why it happens:** Autonomy was maximized for demo-appeal without matching guardrails. Autonomy should scale with *trust and reversibility*, not with ambition.\n\n**How to fix it:**\n\n✅ **Checklist:** approval gates on irreversible actions · propose-then-apply · sandboxed · least privilege · stop conditions.\n\n**What goes wrong:** An attacker hides instructions inside content your agent reads — a web page, an email, a GitHub issue, a PDF, even an image — and the agent obeys them. Real exploits have hit Microsoft 365 Copilot, GitHub's MCP server, GitLab Duo, and more.\n\n**Why it happens:** LLMs follow instructions found *in content*, and **cannot reliably distinguish trusted instructions from untrusted ones** — everything is glued into one token stream. This is a design-level property, not a bug you can patch away.\n\n🚨\n\nThe(Simon Willison): you're exposed to data theft when your agent combines all three of —[lethal trifecta]\n\n(A)access to private data ·(B)exposure to untrusted content ·(C)the ability to communicate externally (exfiltrate).\n\nAny tool that can make an HTTP request or render a link is an exfiltration channel.\n\n**How to fix it — you cannot filter your way out; you must design your way out:**\n\n⚠️\n\nGuardrail products are not a solution.A 2025 multi-lab study ([\"The Attacker Moves Second\" 🛡️]) broke12 published defenseswith >90% success using adaptive attacks; human red-teamers hit100%. A \"95% of attacks blocked\" claim is afailing gradein security. Assume prompt injection isunsolvedand architect accordingly.\n\n✅ **Checklist:** apply Rule of Two per session · break the trifecta · approval on state-changing actions · outbound allow-list · never trust a \"guardrail\" as your only defense.\n\n**What goes wrong:** Sensitive data ends up in prompts/logs/training, or a third-party MCP server / tool becomes the untrusted-content *and* exfiltration leg of the trifecta in a single package.\n\n**Why it happens:** MCP makes it trivial to mix-and-match tools from many sources — some touch private data, some ingest attacker-controlled content, some can call out. Combined carelessly, that's the lethal trifecta by default.\n\n**How to fix it:**\n\n✅ **Checklist:** MCP/tools vetted + version-pinned · PII/secrets redacted · logging/retention controlled · least-privilege creds · trust zones segmented.\n\n**What goes wrong:** \"It looked good in the demo,\" then it fails in a hundred ways in production. You change a prompt and have no idea if you made things better or worse.\n\n**Why it happens:** No evals. Because outputs are non-deterministic and open-ended, teams skip systematic measurement — so quality is vibes-based and regressions are invisible.\n\n**How to fix it — evals are the flywheel, not an afterthought:**\n\n✅ **Checklist:** golden set from real cases · objective criteria · calibrated judges · evals gate deploys · funnel metrics tracked · prod feeds evals.\n\n**What goes wrong:** An agent misbehaves in prod and you have no idea why — which tool, which step, what context, what the model actually saw.\n\n**Why it happens:** Agent runs are multi-step and stochastic. Without tracing, each failure is an unreproducible ghost.\n\n**How to fix it:**\n\n✅ **Checklist:** full per-run traces · prompts visible · structured redacted logs · failing runs → replayable tests · alerts on cost/errors/loops.\n\n**What goes wrong:** The agent optimizes the *metric* instead of the *goal* — deletes the failing test to make CI \"pass,\" hard-codes the expected answer, games the LLM-judge with flattery, or exploits a loophole in the acceptance criteria.\n\n**Why it happens:** Models optimize what you actually measure/reward, which is rarely a perfect proxy for what you want. Any gap gets exploited.\n\n**How to fix it:**\n\n✅ **Checklist:** held-out tests · graders protected from the agent · multi-signal verification · human spot-checks · shortcut detection.\n\n**What goes wrong:** The provider silently updates the model and your carefully-tuned prompts regress. Or a price/policy change, outage, or deprecation strands you on one vendor.\n\n**Why it happens:** You're building on a moving, third-party dependency you don't control.\n\n**How to fix it:**\n\n✅ **Checklist:** provider abstraction · versions pinned · eval-gated upgrades · fallback provider · portable prompts · cost controls.\n\n**What goes wrong:** An attacker taints the data a model learns from — pretraining scrapes, fine-tune sets, or (most relevant for app builders) your **RAG index / knowledge base** — to plant biases, false \"facts,\" or a hidden **backdoor trigger** that flips behavior when a specific phrase appears. Listed in the [OWASP Top 10 for LLM Applications](https://genai.owasp.org/llm-top-10/).\n\n**Why it happens:** Models trust their training/retrieval corpus implicitly. Unlike prompt injection (an *inference-time* hijack), poisoning happens *upstream* — at train, fine-tune, or index time — so it's baked in before a single request is served. Public web data and open datasets are attacker-reachable, and it takes surprisingly little poisoned data to implant a trigger.\n\n**How to fix it:**\n\n✅ **Checklist:** data sources vetted + pinned · RAG ingestion access-controlled · fine-tune data anomaly-scanned · clean held-out eval · retrieved content treated as untrusted.\n\n**What goes wrong:** The model reproduces copyrighted text/code verbatim, emits code under a license you can't comply with (e.g., GPL into a proprietary product), or generates output whose ownership/derivation is legally murky — creating real liability for whatever you ship.\n\n**Why it happens:** Models train on vast corpora of copyrighted material and can regurgitate or closely paraphrase it. \"The model wrote it\" is not a legal shield, and provenance of any given output is usually unknown.\n\n**How to fix it:**\n\n✅ **Checklist:** human review before publish · license-scan generated code · similarity checks on high-risk output · indemnified provider · provenance tracked.\n\n| # | Issue | The single highest-leverage fix |\n|---|---|---|\n| 1 | 🎭 Hallucination | Ground in real sources + require citations + verify with tools |\n| 2 | 🗓️ Stale knowledge | Give retrieval/file tools; inject date & pinned versions |\n| 3 | 🎲 Non-determinism | Low temp + schema outputs + eval N× + idempotent actions |\n| 4 | 📉 Context rot | Keep context tight; compact + external notes; don't dump |\n| 5 | 🧩 Prompt brittleness | Right altitude: structured prompt, few canonical examples, minimal-then-grow |\n| 6 | 🔢 Bad math | Offload to a calculator / code interpreter; give room to reason |\n| 7 | 🎢 Bias / sycophancy | Separate moderation pass + anti-sycophancy + independent critic |\n| 8 | ❄️ Compounding errors | Ground every step in environment feedback; objective gates |\n| 9 | 🔁 Getting stuck | Stuck-detection + step/cost caps + verified done-criteria |\n| 10 | 🧰 Tool misuse | Few, non-overlapping, foolproof, well-documented tools |\n| 11 | 🕸️ Fragile multi-agent | Single-thread by default; share full traces; sub-agents = isolated read-only |\n| 12 | 💸 Cost/latency/overflow | Prompt caching + model routing + context hygiene + budgets |\n| 13 | 🛑 Over-autonomy | Approval gates on irreversible actions; sandbox; least privilege |\n| 14 | 💀 Prompt injection | Agents Rule of Two; break the lethal trifecta; approval gates |\n| 15 | 🔌 Data leakage / MCP | Vet & pin tools; redact secrets; segment trust zones |\n| 16 | 📊 No evals | Golden set + objective criteria + evals gate every deploy |\n| 17 | 🔍 No observability | Full per-run traces; visible prompts; failing runs → tests |\n| 18 | 🎯 Reward hacking | Held-out graders the agent can't edit; multi-signal + human spot-checks |\n| 19 | 🔄 Drift / lock-in | Provider abstraction + pinned versions + eval-gated upgrades |\n| 20 | 🧪 Data poisoning | Vet & pin data + RAG sources; access-control ingestion; anomaly-scan fine-tune data |\n| 21 | ⚖️ Copyright / IP | Human review before publish; license-scan code; indemnified provider |\n\nThe models keep getting better — but the durable engineering wins are in the\n\nharness: context, tools, guardrails, evals, and observability. Build those well and you'll be ready for whatever model ships next.\n\nIf you found this helpful, let me know by leaving a 👍 or a comment!, or if you think this post could help someone, feel free to share it! Thank you very much! 😃", "url": "https://wpnews.pro/news/common-issues-with-llms-ai-agents-and-how-to-fix-them", "canonical_source": "https://dev.to/truongpx396/common-issues-with-llms-ai-agents-and-how-to-fix-them-2681", "published_at": "2026-07-16 14:00:35+00:00", "updated_at": "2026-07-16 14:40:15.273463+00:00", "lang": "en", "topics": ["large-language-models", "ai-agents", "ai-safety", "ai-research", "developer-tools"], "entities": ["Anthropic", "Meta AI", "Cognition", "Chroma", "Simon Willison", "Nasr", "Carlini"], "alternates": {"html": "https://wpnews.pro/news/common-issues-with-llms-ai-agents-and-how-to-fix-them", "markdown": "https://wpnews.pro/news/common-issues-with-llms-ai-agents-and-how-to-fix-them.md", "text": "https://wpnews.pro/news/common-issues-with-llms-ai-agents-and-how-to-fix-them.txt", "jsonld": "https://wpnews.pro/news/common-issues-with-llms-ai-agents-and-how-to-fix-them.jsonld"}}