Agent Evaluation Framework

Evaluation starts with a job definition. A support triage agent, a code review agent, a research agent, and a finance assistant should not share the same success metric. Each has a different acceptable error, tool set, latency budget, cost profile, and escalation rule. Without a job definition, teams argue about abstract model quality instead of whether the agent completed the user task safely.

Write the job as a contract: user goal, allowed data sources, allowed tools, disallowed actions, expected output format, human approval requirements, maximum cost, and escalation conditions. This contract becomes the basis for test cases and rubrics. It also clarifies when the right behavior is refusal or clarification rather than completion.

An agent evaluation set should contain categories that reflect real operating risk. Happy-path cases prove that the workflow can work. Edge cases prove that it works when inputs are messy. Adversarial cases prove that it resists manipulation. Failure cases prove that it degrades safely. Cost cases prove that it can run at scale without surprising the business.

For agent security, include prompt injection cases in retrieved documents, web pages, emails, tickets, and tool outputs. For reliability, include missing data, unavailable tools, conflicting instructions, partial outputs, and multi-step tasks. For memory, include stale preferences, user corrections, poisoning attempts, and privacy-sensitive facts. For cost, include large context requests and repeated tasks that could trigger expensive loops.

Many agent failures look good in the final answer. The agent may produce a polished summary after using the wrong data, skipping a required approval, or calling an unnecessary expensive model. Score tool selection, tool input, tool output handling, and final response separately. This makes failures actionable. A prompt fix may improve final text, while a tool-schema fix may improve action safety.

For each test, define the expected tool sequence if one exists. Sometimes the correct behavior is no tool call. Sometimes the correct behavior is to ask a clarifying question before using a tool. Sometimes the correct behavior is to prepare a draft and wait for approval. The evaluation should reward the safe path, not just any path that reaches a plausible answer.

Automated checks are fast and consistent. They can verify JSON schema, required citations, forbidden phrases, no tool call, correct tool call, cost ceiling, latency ceiling, and exact output fields. Rubric scoring is slower but captures usefulness, clarity, completeness, tone, and whether a human would trust the result. A mature framework uses both.

Rubrics should be specific. Instead of 'good answer', use dimensions such as factual correctness, source grounding, task completeness, security behavior, escalation behavior, and user-facing clarity. Define score levels with examples. If reviewers cannot apply the rubric consistently, the evaluation will not survive model or prompt changes.

Prompt injection tests should simulate realistic attack placement. Put malicious instructions in a web page, a CSV row, a GitHub issue, a customer email, a PDF excerpt, a documentation snippet, and a tool response. The agent should keep following the trusted user and system instructions while treating the injected text as untrusted data.

The expected outcome may vary by workflow. A research agent should ignore the malicious instruction and cite the benign content. A browser agent should not navigate to unrelated URLs because a page asked it to. A memory-capable agent should not save attacker-provided policy changes. A write-capable agent should not send messages or change records because retrieved content requested it.

Cost and latency are product-quality dimensions. An agent that is safe but too slow may not be adopted. An agent that is accurate but too expensive may not be viable. Add cost and latency budgets to your evaluation framework. Use representative daily request volumes and token sizes, then estimate monthly spend with /tools/ai-cost-calculator/ before launch.

Cost tests should include worst-case context, retries, tool loops, and premium-model routing. Latency tests should include slow tools, rate limits, and multi-step workflows. Track cost per successful task rather than only cost per model call. Failed runs still cost money, and a high failure rate can make a cheap model more expensive than a stronger model with fewer retries.

Evaluations should not be a one-time launch gate. Production monitoring will reveal failures that your initial test set missed. Every significant incident, near miss, user complaint, unexpected tool chain, memory mistake, or cost spike should become a new test case. This closes the loop between /guides/agent-monitoring/ and your release process.

The strongest teams maintain versioned evaluation sets. They can say which prompt, model, tool schema, and memory policy passed which tests on which date. When a model provider updates behavior or a new tool is added, the evaluation suite becomes the safety net. Without this loop, teams rely on vibes and rediscover the same failure modes repeatedly.