AI Agents: Tools, Planning, and Autonomy

An agent perceives, decides, and acts in an environment to pursue goals. Modern LLM-based agents combine a reasoning core (the LLM), tool use (function calling), memory (short-term context plus long-term retrieval), and an explicit or implicit planning loop.

The ReAct pattern (Yao et al., 2022) — interleaving Reasoning and Acting steps — became the canonical scaffolding. Modern frameworks include OpenAI's Agents SDK, Anthropic's Claude Agent SDK, LangGraph, and AutoGen.

Function calling lets the LLM emit structured calls to external APIs — search, databases, calculators, code execution. Web browsing extends knowledge beyond the training cutoff.

Computer-use agents (Anthropic Claude computer use, 2024; OpenAI Operator, 2025) control a virtual mouse, keyboard, and screen the way a human would, enabling automation of arbitrary GUI applications.

Reliability degrades sharply with task length. Errors compound across steps, planning failures cascade, and recovery from off-trajectory states is unreliable.

Prompt injection — adversarial instructions embedded in retrieved data or web pages — is the dominant security failure mode for agents with tool access. Sandboxing, capability constraints, and human-in-the-loop confirmation are standard mitigations.

• Error accumulation: a 95% per-step success rate is only ~36% over 20 steps.
• Prompt injection via untrusted inputs (web, email, files).
• Cost: long agent runs can consume millions of tokens per task.
• Evaluation: benchmarks like SWE-bench, OSWorld, WebArena, GAIA measure real-world agentic capability.

SWE-bench Verified (real GitHub issues): frontier agents resolve >70% as of 2025. OSWorld and WebArena (general computer use): solid double-digit progress year-over-year. GAIA (general assistant): top systems at ~75% on level-1 questions.

Coding agents (Cursor Agents, Claude Code, Devin) are the most mature deployment category; general-purpose autonomous agents remain narrower than marketing implies.