Agent
A system that observes context, selects or plans steps, uses bounded tools, and evaluates progress toward a goal.
A · AI Orchestration deep dive
Treat a model proposal as untrusted input to deterministic identity, authorization, policy, approval, execution, observation, and recovery.
Core concepts
A system that observes context, selects or plans steps, uses bounded tools, and evaluates progress toward a goal.
The control plane coordinating agent/model calls, state, tools, workflows, humans, budgets, timeouts, policy, telemetry, and recovery.
A typed, versioned interface stating purpose, inputs, outputs, side effects, identity, authorization, idempotency, timeout, and error behavior.
Explicit durable states and transitions for deterministic business control, especially approvals, retries, waiting, and compensation.
A defined decision right with sufficient context, time, authority, UI, alternatives, and recorded outcome—not a decorative approval button.
Repeatable measurement of task quality, groundedness, safety, policy compliance, tool choice, latency, cost, and outcome before and during operation.
A business action that mitigates or reverses a completed side effect when technical rollback is impossible.
A bounded condition reached after uncertainty, stop, timeout, or failure, with ownership and a known path to recovery.
Logistics example
| Step | Agent contribution | Deterministic control |
|---|---|---|
| Plan | Rank feasible routes and explain trade-offs. | Input quality gate, allowed objective, budget, structured output schema. |
| Authorize | Request the TMS tool. | Workload identity, allow-list, least privilege, risk policy, approval threshold. |
| Execute | Supply approved route parameters. | Idempotency key, precondition, timeout, transaction/compensation, output validation. |
| Observe | Interpret result and propose next step. | Immutable-enough trace, SLO, alert, reconciliation, escalation, emergency stop. |
Control pattern
Separate user, agent, model, service, tool, approver, and deployment identities.
Issue short-lived, task-scoped access; deny unknown tools and parameters by default.
Enforce autonomy, amount, location, safety, confidence, and data rules outside prompt text.
Route threshold cases with evidence, alternatives, consequence, expiration, and segregation of duties.
Limit retries, contain failure, stop new work, reach safe state, and compensate completed effects.
Trace identity, context, model/prompt/version, policy, tool input/output, approval, outcome, cost, and latency.
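A minimal sketch of the first three controls in this pattern, added here as an illustration and not taken from the original page or any platform named on it: a deterministic gate that treats the model's proposal as untrusted input. The tool names, parameter schemas, regions and EUR limits are constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical tool registry: tool name -> exact parameter names and types.
TOOL_SCHEMAS = {
    "tms.book_route": {"route_id": str, "cost_eur": float, "region": str},
    "tms.get_routes": {"origin": str, "destination": str},
}
# Constructed policy limits, enforced in code rather than in prompt text.
ALLOWED_REGIONS = {"EU"}
APPROVAL_THRESHOLD_EUR = 5_000.0
HARD_LIMIT_EUR = 50_000.0

@dataclass(frozen=True)
class Grant:
    """Short-lived, task-scoped access issued to one agent identity."""
    agent_id: str
    task_id: str
    tools: frozenset
    expires_at: float

def decide(proposal: dict, grant: Grant, now: float) -> tuple:
    """Return (decision, reason); decision is allow, needs_approval or deny."""
    tool, params = proposal.get("tool"), proposal.get("params")
    if now >= grant.expires_at:
        return "deny", "grant expired"
    if proposal.get("task_id") != grant.task_id:
        return "deny", "grant not scoped to this task"
    if not isinstance(tool, str) or tool not in TOOL_SCHEMAS or tool not in grant.tools:
        return "deny", "tool not allow-listed for this grant"
    schema = TOOL_SCHEMAS[tool]
    if not isinstance(params, dict) or set(params) != set(schema):
        return "deny", "unknown or missing parameters"
    if any(type(params[name]) is not typ for name, typ in schema.items()):
        return "deny", "parameter has wrong type"
    if tool == "tms.book_route":
        if params["region"] not in ALLOWED_REGIONS:
            return "deny", "region outside policy"
        if not 0 < params["cost_eur"] <= HARD_LIMIT_EUR:  # also rejects NaN
            return "deny", "amount outside policy"
        if params["cost_eur"] > APPROVAL_THRESHOLD_EUR:
            return "needs_approval", "amount above approval threshold"
    return "allow", "within policy"
```

Every branch that is not an explicit allow is a deny or an approval route, so a new tool or parameter stays blocked until someone adds it to the registry and the grant.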
Technology map
| Need | Open / specialized | Databricks | Snowflake | Microsoft Fabric / Azure |
|---|---|---|---|---|
| Agent development | LangGraph, Semantic Kernel, AutoGen, LlamaIndex; use only with explicit control wrappers | Mosaic AI Agent Framework, Model Serving, Vector Search | Cortex Agents, Cortex Search/Analyst | Fabric data agents, Azure AI Foundry Agent Service, Copilot Studio |
| Durable workflow | Temporal, Camunda, Argo Workflows, Airflow/Dagster for data work | Databricks Workflows/Jobs; external durable workflow for long-running business sagas | Tasks for data automation; external durable engine for human/business processes | Durable Functions, Logic Apps, Power Automate, Fabric pipelines |
| Tool/API gateway | API gateways, MCP servers with controls, service mesh, Vault | Model Serving endpoints, Unity Catalog functions, Unity AI Gateway | Stored procedures/functions, external access integrations, API integrations | API Management, Functions, managed identities, Key Vault, connectors |
| Policy/approval | Open Policy Agent, Cedar, Casbin; workflow task queues | Unity Catalog permissions plus external policy/approval control | RBAC, masking/row policies plus external policy/approval control | Entra ID, Azure Policy, API Management policies, Power Automate approvals |
| Evaluation/observability | OpenTelemetry, MLflow, Phoenix, promptfoo, Giskard, custom golden/adversarial suites | MLflow evaluation/tracing and system/model serving telemetry | Cortex evaluation/observability features and account/query history | Foundry evaluations/tracing, Application Insights, Fabric monitoring |
| Runtime | Containers, Kubernetes, serverless, queues, service mesh | Model Serving, Apps, Jobs, serverless compute | Snowpark Container Services, warehouses, serverless tasks | Azure Container Apps/AKS/Functions plus Fabric workloads |
Platform agent ≠ governed orchestration: add independent identity, policy, approvals, deterministic tool enforcement, incident response, stop, compensation, and evidence around any agent feature.
Implementation
Define goal, users, decisions, autonomy, prohibited actions, tools, data, risk, budgets, success, and safe state.
Inventory owner, agent/model/prompt/tool versions, intended use, dependencies, permissions, evaluations, and deployment.
Keep probabilistic reasoning separate from deterministic policy and side-effect execution; start with read-only tools.
Implement explicit state, typed contracts, approvals, timeouts, idempotency, retry limits, compensation, and escalation.
Test injection, poisoned context, unauthorized tools, excessive agency, data exfiltration, tool failure, loops, budget breach, and stop.
Release gradually; monitor outcomes, drift, blocked actions, overrides, incidents, cost, latency, rollback, and user recourse.
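The explicit state, approval, idempotency, retry-limit and compensation steps above can be sketched as a small state machine. This is an added example, not code from the original page or from any workflow engine it lists; the state names, event names and the `Saga` class are hypothetical, and the in-memory `done` map stands in for a durable idempotency store.

```python
from enum import Enum

class State(Enum):
    PROPOSED = "proposed"
    AWAITING_APPROVAL = "awaiting_approval"
    APPROVED = "approved"
    EXECUTED = "executed"
    COMPENSATED = "compensated"
    SAFE_STOP = "safe_stop"

# Explicit transitions; any (state, event) pair not listed here is rejected.
TRANSITIONS = {
    (State.PROPOSED, "allow"): State.APPROVED,
    (State.PROPOSED, "needs_approval"): State.AWAITING_APPROVAL,
    (State.AWAITING_APPROVAL, "approve"): State.APPROVED,
    (State.AWAITING_APPROVAL, "reject"): State.SAFE_STOP,
    (State.AWAITING_APPROVAL, "timeout"): State.SAFE_STOP,
    (State.APPROVED, "tool_ok"): State.EXECUTED,
    (State.APPROVED, "retries_exhausted"): State.SAFE_STOP,
    (State.EXECUTED, "compensate"): State.COMPENSATED,
}

class Saga:
    MAX_ATTEMPTS = 3  # retry limit

    def __init__(self, idempotency_key, proposer):
        self.key, self.proposer = idempotency_key, proposer
        self.state, self.log = State.PROPOSED, []

    def fire(self, event, actor):
        nxt = TRANSITIONS.get((self.state, event))
        if nxt is None:
            raise ValueError(f"illegal transition {self.state.value} on {event}")
        if event == "approve" and actor == self.proposer:
            raise PermissionError("segregation of duties: proposer cannot approve")
        self.log.append((self.state.value, event, actor, nxt.value))  # trace
        self.state = nxt

    def execute(self, tool, done):
        """Run the side effect at most once per key; stop safely after retries."""
        if self.state is not State.APPROVED:
            raise ValueError("execute requires APPROVED state")
        for _ in range(self.MAX_ATTEMPTS):
            try:
                if self.key not in done:  # replay with the same key is a no-op
                    done[self.key] = tool(self.key)
                self.fire("tool_ok", "executor")
                return done[self.key]
            except TimeoutError:
                continue
        self.fire("retries_exhausted", "executor")
        return None
```

The tool receives the idempotency key so that it can deduplicate a call whose first attempt timed out after the side effect had already happened.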