Evals Are Production Tests
How to turn agent judgment into a quality gate the team can actually improve · ~16 min read ~– min read · Suggested by Q technicaloperations
Agent work fails differently from ordinary software. The code may compile, the tests may pass, and the assistant may still choose the wrong source, skip the risky edge case, or write a confident answer that no operator would send. Evals are how we make that judgment inspectable, repeatable, and worth improving instead of treating it as model weather.
The Test That Traditional Tests Miss
A normal quality gate can tell us whether the artifact is syntactically valid, type-safe, tested, formatted, and free of known dependency vulnerabilities. It cannot tell us whether an agent chose the right source, respected the right authority boundary, or made a judgment an experienced teammate would recognize. Evals fill that gap by testing behavior against examples, rubrics, traces, and reviewable outcomes.
What an Eval Is Actually For
An eval is not a benchmark scoreboard. Benchmarks are useful for choosing tools, but production evals are local: they encode what good looks like inside our workflows. The useful question is not “which model is best in general?” It is “did this run do the thing this team needed, under the constraints this team cares about?”
Start With the Decision, Not the Model
The first eval artifact should be a list of decisions that matter. Did the agent classify the request correctly? Did it choose a trusted source before a web source? Did it ask for approval before a side effect? Did it preserve privacy in the final message? Those decisions become the eval surface because they are the points where judgment changes the outcome.
The Smallest Useful Dataset
A useful eval suite can start with 20 to 50 examples, not 2,000. Include common happy paths, recent failures, near misses, adversarial cases, and expensive edge cases. The important property is not volume; it is that the examples are reviewed by someone who knows the workflow and updated whenever production teaches us a new failure mode.
Graders Need Their Own Trust Model
LLM graders are convenient because many agent failures are semantic, but they are not authority. Use deterministic checks where the fact is mechanical, rubric graders where judgment is unavoidable, and human audits to calibrate the grader. A grader that is never checked becomes a second untested agent.
Offline Evals Catch Regressions; Online Evals Catch Reality
Pre-deploy evals keep a prompt, tool, model, or policy change from making known cases worse. Production evals sample live traces and find what the offline set does not yet know. The loop matters: live misses become new offline cases, and offline regressions block future changes.
Trace Data Is the Raw Material
A final answer alone is rarely enough to grade agent work. We need the path: what sources were read, which tools were called, what policy gates fired, what commands ran, where approval entered, and what artifact changed. Trace the work, then grade the trace.
Put Evals Beside the Existing Gates
Evals should join lint, typecheck, tests, audit, preview environments, and review rather than replacing them. A sensible gate starts small: run fast evals on every prompt/tool change, run heavier suites before rollout, and require human review when the score moves or the failure class is high impact.
What to Remember
Evals are production tests for probabilistic work. They translate taste into examples, examples into gates, gates into traces, and traces back into better examples. The team that treats evals as a living product surface gets compounding reliability; the team that treats them as a one-time benchmark gets a spreadsheet.
Discussion Prompts
The next useful discussion is not whether evals are good in the abstract. It is which recurring lane deserves the first small suite, which decisions in that lane need trace evidence, and which production misses should become permanent fixtures. Start where the workflow repeats often enough that a better gate will pay rent.
References
- OpenAI: How evals drive the next chapter in AI for businesses - A practical Specify, Measure, Improve framing for contextual evals.
- LangSmith: Evaluation concepts - Clear distinction between offline and online evals, plus evaluator types.
- NIST AI Risk Management Framework - The risk-management backdrop for treating evaluation as lifecycle governance.
- SWE-bench leaderboards - Useful public evidence that coding-agent evaluation needs harnesses, not vibes.
The Test That Traditional Tests Miss
The uncomfortable thing about agent work is that the visible artifact can look fine while the work was wrong. A pull request can compile. The tests can pass. The final Slack answer can sound reasonable. The assistant can still have trusted the wrong source, missed the risk-bearing edge case, mutated state without enough authority, or summarized a private detail into a public channel.
Traditional gates catch deterministic failures. We need those gates more, not less. Formatting, types, lint, unit tests, integration tests, vulnerability scans, preview environments, and human review still carry the baseline contract. But agentic work adds a second contract: judgment. The system did not merely execute a known function. It selected context, interpreted intent, chose tools, navigated uncertainty, and decided when to stop.
That judgment needs tests of its own. Not because evals are magic, and not because a model can grade every model. Evals matter because they make the implicit standards of a workflow explicit enough to run, review, and improve.
Evals are not a replacement for deterministic quality gates. They are the gate for the parts of agent work that deterministic tests cannot see: source choice, policy adherence, tool trajectory, judgment, and final communication.
In the Constructured world, that means an eval is not just “did the assistant write the expected paragraph?” It might be “did Q treat web content as untrusted while researching a cairn?” or “did the PR routine inspect unresolved review threads before editing?” or “did the operations helper distinguish a doc-vault export from live cron configuration?” Those are production questions. They deserve production tests.
What an Eval Is Actually For
The word eval has been pulled in two directions. One direction is the public benchmark: SWE-bench, MMLU, HumanEval, FrontierMath, GDPval, and whatever replaces this week’s leaderboard by next quarter. Benchmarks are useful. They help us notice broad capability shifts and pick a starting model or scaffold. They are not enough to certify our workflow.
The other direction is contextual evaluation: a local test of whether an AI system behaves well inside a specific product, team, domain, and operating constraint. That is the one we can act on. OpenAI’s public framing is useful here: specify what good means, measure against real conditions, and improve from errors. LangSmith’s docs put the same idea into lifecycle terms: offline evals before deployment, online evals in production, and a feedback loop between the two.
For us, the unit under test is rarely “the model.” It is the whole agent system: prompt, model, tool contracts, retrieval rules, sandbox policy, command surface, memory, human confirmation, trace capture, and final delivery. Changing any one of those can make the behavior better or worse. A model upgrade can break a prompt. A better prompt can expose a weak tool schema. A new tool can make an old safety instruction insufficient. A routing change can send a safe task through a lane with the wrong authority.
This is why model-only comparisons become misleading quickly. A weaker model with a better harness can outperform a stronger model with vague tools and no trace discipline on the workflow that matters.
The purpose of an eval, then, is not to crown a winner. It is to answer a change-management question: can this version of the system handle the cases we already know matter, and what new failures did reality teach us this week?
A production eval is a repeatable test of agent behavior against local expectations. It may use deterministic assertions, examples, rubrics, LLM graders, human review, or all of them together.
Start With the Decision, Not the Model
The fastest way to write a weak eval is to begin with the model output. “Was the answer good?” is too broad. Good according to whom? Good for which risk? Good before or after tool use? Good even if the agent skipped the required source? Good even if it was right for the wrong reason?
Start with the decisions that matter. In an agent workflow, the failure usually enters through a decision point before it becomes visible in the final artifact. The agent classifies the task. It chooses whether to read internal docs or web sources first. It decides whether a source is authoritative. It decides whether a command is safe to run. It decides whether to ask the user, continue independently, or stop. It decides what evidence belongs in the final answer.
Those decisions become the eval surface. For a research-and-publish routine, examples might grade whether the agent selected the oldest actionable request from a queue, avoided private-channel material, treated web pages as untrusted, cited primary sources, and did not put arbitrary external URLs into source-backed frontmatter. For a PR-review routine, examples might grade whether it distinguished resolved from unresolved threads, edited only the relevant files, and ran the smallest useful verification command before reporting success.
flowchart TD A[Workflow goal] --> B[Decision points] B --> C[Examples and edge cases] C --> D[Graders and assertions] D --> E[Gate in CI or routine rollout] E --> F[Production traces] F --> C
The diagram is deliberately circular. Evals are not a document you write once. They are a living map of the decisions that have mattered so far.
When an eval feels fuzzy, ask which decision you would want to inspect in a trace. The answer usually turns into a crisp assertion or rubric item.
The Smallest Useful Dataset
A team does not need a giant dataset to start. In fact, a giant unreviewed dataset can make the system look more mature while making it harder to change. The smallest useful eval set is the one a domain owner can still read, argue with, and update.
Start with 20 to 50 examples. Include the common happy paths because regressions there are embarrassing. Include recent production failures because they are already paid-for lessons. Include near misses because they reveal brittle boundaries. Include adversarial cases where untrusted text tries to steer the system. Include expensive edge cases, even if they are rare, because a low-frequency mistake can still dominate risk.
A good example should include the input, the expected behavior, the unacceptable behavior, and the reason the case exists. That last field matters. Six months from now, someone will ask why the eval is so picky about one phrase, one source order, or one confirmation step. The answer should be in the fixture, not in someone’s memory.
There is a useful discipline here: an eval suite should be boring enough that a human can audit it. If nobody can explain why a case exists, retire or rewrite it. If a case catches a real regression, keep it and annotate it. If production reveals a new pattern, add the smallest example that preserves the lesson.
The dataset is not just test data. It is the team’s encoded taste about the workflow: what good looks like, what bad looks like, and which mistakes are worth preventing forever.
Graders Need Their Own Trust Model
Some eval checks are mechanical. Did the final answer include a permalink? Did a markdown file contain the required frontmatter? Did the agent run the build? Did it call a forbidden tool? Did a patch touch files outside the owned area? These should be code assertions. Do not spend model tokens judging a fact the machine can check directly.
Other checks are semantic. Was the final note appropriately concise for a public channel? Did the article explain the tradeoff without overstating the source? Did the agent’s review identify the most severe issue first? Did it preserve the user’s intent while refusing an unsafe action? These are places where rubric-based human review or an LLM grader can help.
The trap is treating an LLM grader as a neutral judge. It is another probabilistic system, usually reading the same kind of ambiguous text as the original agent. It can be biased by phrasing. It can miss subtle policy failures. It can reward fluency. It can drift when the underlying model changes. A grader is useful when it is calibrated and audited; it is dangerous when it becomes invisible authority.
Pairwise graders can be especially useful for prompt changes because the question becomes narrower: did candidate B improve this workflow relative to candidate A under the same fixture?
A practical trust model looks like this: deterministic checks first, rubric graders second, human audit around the grader, and escalation rules for high-impact failures. If the evaluator says a production-facing message is safe but the deterministic privacy check finds a token, ID, or secret-shaped string, the deterministic check wins. If the rubric grader passes a case that a domain owner rejects, the rubric changes.
Never let the existence of a grader hide the question “who is allowed to define good?” For business and operations workflows, subject-matter experts own the rubric even when engineers own the harness.
Offline Evals Catch Regressions; Online Evals Catch Reality
Offline evals are the familiar shape. They run before a change ships. We take a curated dataset, execute the candidate version, grade the outputs and trajectories, and compare the result to the current baseline. This is the right place to catch prompt regressions, model-upgrade surprises, schema changes, and new tool behavior that breaks known cases.
Online evals are different. They sample live runs, often without a perfect reference answer, and ask whether production behavior still matches expectations. That matters because agents meet cases nobody thought to put in the fixture. Real users phrase requests strangely. Source documents drift. APIs fail halfway through a workflow. A tool returns a surprising error. A benign-looking web page contains adversarial instructions. The offline suite only knows yesterday’s lessons.
The two modes should feed each other. When an online eval or human review catches a miss, reduce it to a fixture and add it to the offline suite. When an offline eval starts failing after a change, inspect the trace and decide whether the system regressed or the expectation is stale. Either outcome is useful. A stale eval is not an annoyance; it is a prompt to update the team’s encoded standard.
sequenceDiagram participant Dev as Candidate change participant Offline as Offline eval suite participant Prod as Production runs participant Review as Human or rubric review participant Dataset as Eval dataset Dev->>Offline: Run known cases Offline-->>Dev: Block or approve rollout Dev->>Prod: Ship behind policy Prod->>Review: Sample traces and outcomes Review->>Dataset: Add new failure modes Dataset->>Offline: Strengthen future gates
Offline evals protect against known regressions. Online evals discover unknown behavior. Reliability comes from the loop, not from either side alone.
Trace Data Is the Raw Material
The final answer is often too late to grade the work. Imagine an agent publishes a correct-looking summary. Did it use the authoritative internal doc or a stale web post? Did it see an injection attempt and ignore it, or did it never inspect the risky source? Did it run the build before pushing, or did it merely claim that it did? Did it ask for approval before a side effect? The answer lives in the trace.
This is where evals connect directly to observability. A trace should capture the workflow identity, source reads, tool calls, command outcomes, policy gates, approvals, artifacts, and final delivery. The eval harness can then grade not just what the agent said, but what it did. For agentic operations, trajectory is part of correctness.
The security payoff is significant. Prompt injection defenses often depend on process: trusted-first reading order, content wrapping, hardcoded rules, least privilege, and explicit refusal to let untrusted content trigger actions. A final answer cannot prove those defenses held. A trace can show whether web content was read after the trusted outline, whether suspicious instructions were flagged, whether commands came only from the operator’s plan, and whether final text avoided sensitive identifiers.
This does not mean broad transcript indexing. The trace can store references, hashes, redacted attributes, and access-controlled payload links. Evals need evidence, not a new leak surface.
If a workflow cannot produce enough trace data to grade its own important decisions, it is not ready for high-agency automation. Add observability before adding authority.
Put Evals Beside the Existing Gates
A mature eval program should feel like an extension of the existing delivery pipeline, not a separate research ritual. We already know how to use gates: fast checks on every change, slower checks before merge or rollout, human review for judgment, and production monitoring after release. Evals slot into that pattern.
For prompt, tool, routing, or model changes, run a small fast suite automatically. It should be cheap enough that people do not avoid it. For changes that affect authority, public output, private data, or production mutation, run the heavier suite and require review of failures. For recurring autonomous routines, run canary sampling in production and keep a dashboard or report of failure classes over time.
The gate should not be a single magic score. Scores are useful, but failure class matters more. A one-point drop caused by a harmless formatting preference is not equivalent to one missed approval before a mutating tool call. Treat eval output like test output: inspect the failing cases, classify the risk, and decide whether to block, fix, or update the expected behavior.
eval_gate:
fast:
runs_on: [prompt_change, tool_schema_change, model_change]
blocks_on: [policy_violation, missing_required_source, forbidden_tool_call]
release:
runs_on: [routine_rollout, authority_change]
requires_review_for: [score_drop, new_failure_class, grader_disagreement]
production:
samples: traces
feeds_back_into: offline_dataset
Do not ask evals to produce certainty. Ask them to produce accountable evidence before the team grants more authority to the system.
What to Remember
The teams that get reliable value from agents will not be the teams with the fanciest demo prompt. They will be the teams that turn their local taste into executable checks: examples, rubrics, traces, gates, reviews, and feedback loops. That is slower than hoping the next model fixes everything. It is also how engineering usually wins.
The public benchmark still matters. SWE-bench and similar harnesses show that agent evaluation needs real tasks, codebases, and executable outcomes. NIST’s AI risk work reminds us that evaluation belongs across the lifecycle, not just at launch. Product eval platforms give us vocabulary for offline and online measurement. But the durable advantage is local: our workflows, our edge cases, our data boundaries, our users, our notion of a good result.
For Constructured, the useful next step is modest. Pick one recurring agent lane, probably one with clear authority boundaries and repeated structure. Write down the decisions that matter. Build 20 examples. Add deterministic assertions for the facts. Use a rubric grader only where judgment is real. Sample production traces. Every time the lane surprises us, add the smallest fixture that would have caught it.
- Test the judgment layer - Traditional checks prove the artifact; evals prove the agent's decisions, trajectory, and communication.
- Keep evals local - Public benchmarks help choose tools, but production evals encode our workflows and risks.
- Grade traces, not just answers - Source order, tool calls, approvals, policy boundaries, and command results are part of correctness.
- Close the loop - Offline evals catch known regressions; online evals discover new cases; both should update the dataset.
- Audit the graders - Deterministic checks should win where facts are mechanical, and humans should calibrate semantic rubrics.
Discussion Prompts
- Which recurring agent lane should get the first 20-case eval suite: Cairns publishing, GitHub PR review, issue triage, or OpenClaw maintenance?
- What are the three highest-impact decisions in that lane that a final answer alone cannot prove?
- Which production traces already contain enough evidence to create eval fixtures, and which missing fields would make grading possible?
References
- OpenAI: How evals drive the next chapter in AI for businesses - Defines contextual evals as a Specify, Measure, Improve loop and emphasizes domain-expert ownership.
- OpenAI API: Evaluation best practices - Current OpenAI API guidance for designing evals, useful even as the older Evals platform moves through deprecation.
- OpenAI API: Deprecations - Notes the June 3, 2026 deprecation timeline for the Evals platform; a reminder to separate eval discipline from any one hosted product.
- LangSmith: Evaluation concepts - Explains evaluator types and the offline/online split in a way that maps cleanly to agent delivery pipelines.
- NIST AI Risk Management Framework - Places evaluation inside AI lifecycle risk management, including generative AI profile work and critical-infrastructure direction.
- SWE-bench leaderboards - Public coding-agent benchmark family showing why realistic tasks, harnesses, and solved-instance metrics matter.
- SWE-Bench Pro: Can AI Agents Solve Long-Horizon Software Engineering Tasks? - Research arguing that harder, contamination-resistant, long-horizon software tasks are needed as simpler coding benchmarks saturate.
- Trace the Work, Not Just the Error - The local Cairns companion on why agent operations need causal traces before they can be evaluated well.
Generated by Cairns · Agent-powered with Claude