Every decade or so, the software industry discovers that a new kind of system has quietly outgrown its operational assumptions, and a new discipline emerges to close the gap. DevOps, MLOps, and more recently LLMOps have each followed this pattern. Having worked through each of these shifts, most notably as an early adopter of MLOps, I have watched the same cycle repeat: first the pattern becomes visible, then tooling catches up, then the practices are named.
That moment has arrived again, and the discipline is already forming in practice, ahead of its formal definition. Autonomous AI agents are already being deployed into production, well ahead of the practices needed to run them safely, predictably, and at scale. AgentOps is the necessary response: not a rebranding of what came before, but a discipline shaped by what agents actually require. To understand what that really means, it helps to start with the disciplines that brought us here.
DevOps: Operationalising Software
The DevOps movement emerged in the late 2000s out of a simple frustration: software was being written faster than it could be safely deployed. Development teams and operations teams were structurally at odds, with one optimising for speed and change and the other for stability and reliability.
DevOps resolved this tension by treating infrastructure as code, automating the path from commit to production, and making deployment a routine event rather than a high‑stakes ritual. CI/CD pipelines, containerisation, infrastructure‑as‑code, and observability stacks became the canon. The unit of deployment was a service or application: deterministic, versioned, and relatively well‑understood. From this emerged the core DevOps template: identify the unit being deployed, instrument it, automate its lifecycle, and build feedback loops.
MLOps: Operationalising Models
By the mid‑2010s, machine learning models were graduating from research notebooks into production systems and promptly breaking in ways that traditional software monitoring could not catch. A model could pass all its unit tests and still degrade silently as the real‑world data distribution shifted beneath it, with no errors, no alerts, and no obvious signal that anything was wrong.
MLOps addressed this by extending the DevOps template to a new unit: the trained model. A useful way to frame the shift is that MLOps has to manage three interlocking artefacts rather than one—code (as in DevOps), plus data and models. All three need to be versioned, reproducible, and promotable through environments, and a change to any one of them can invalidate the others. This three‑artefact model is what makes MLOps structurally harder than DevOps, and it drove an entirely new class of tooling organised around the lifecycle of each artefact.
- Data versioning: a model is only as good as the data it was trained on, and reproducibility requires snapshotting datasets alongside code
- Feature stores: the same features need to be computed consistently at training and inference time, which requires treating feature pipelines as shared, versioned infrastructure
- Experiment tracking: training runs are expensive and need to be reproducible, with the exact combination of code version, data version, and hyperparameters recorded
- Model registries: you need to know which version of a model is in production, how it was produced, and be able to roll back
- Data drift and model performance monitoring: models don't fail with stack traces; they fail quietly when the input distribution changes or performance degrades
MLOps taught the industry that data is a first-class operational artefact, not just an input. It also introduced the concept of retraining pipelines: the idea that operational systems don't just deploy models, they continuously improve them by looping new data back through the code-data-model cycle.
LLMOps: Operationalising Large Language Models
When large language models arrived in force around 2022-2023, they broke the MLOps playbook in several important ways. LLMs are not trained in-house by most of the organisations using them; they are consumed via APIs. The model itself is largely opaque. And the "input" is no longer a structured feature vector; it's natural language, which is infinitely variable.
LLMOps inherits the MLOps artefact set but transforms it and adds to it. The model artefact is typically an API endpoint with a version string rather than a file in a registry. The data artefact is reconceived: instead of training datasets, it becomes retrieval corpora, embedding indices, and context documents. And a fourth artefact enters the picture: the prompt. Prompts are code in a meaningful sense, but they are authored, tested, and deployed differently from traditional code, and they require their own lifecycle tooling.
This shifted the operational surface dramatically:
- Prompt management became a first-class concern: prompts are code, and they need versioning, testing, and rollback
- Context window optimisation: fitting the right information into a limited context, reliably and cheaply
- Cost per token: LLM inference is expensive at scale; cost tracking and optimisation became operational necessities
- Evaluation: without ground truth labels, how do you know if your model got better or worse after a prompt change?
- Guardrails and content filtering: LLMs produce open-ended text, which requires output validation that traditional software monitoring doesn't address
- Retrieval-Augmented Generation (RAG) pipelines: new infrastructure for grounding models in external knowledge
A new category of tooling emerged to address these concerns, covering prompt lifecycle management, LLM observability, and evaluation, and spanning both commercial platforms and open-source alternatives. The unit of deployment was now a prompted model embedded in an application: still structured around discrete request-response calls, but with far more surface area for failure than a traditional microservice. Even with these additions, LLMOps remains largely oriented around managing responses to requests, not autonomous decision‑making over time.
A Brief Detour: AIOps
It's worth noting a naming collision in this lineage. AIOps, a term coined by Gartner, refers to something subtly different: the application of AI to IT operations themselves. AIOps platforms use machine learning to correlate alerts, detect anomalies, and accelerate incident response. It's a product category, not a practitioner discipline in the same tradition as DevOps or MLOps.
AIOps runs parallel to this evolutionary chain rather than sitting within it. It's worth acknowledging because the acronym is frequently conflated with the broader "-Ops" lineage, but its concerns are distinct.
AgentOps: Operationalising Autonomous AI Agents
Autonomous AI agents require an operational discipline that none of the previous waves adequately provide. Agents don't just respond to a single prompt; they pursue multi-step goals, call external tools, spawn sub-agents, maintain memory across sessions, and make branching decisions with real-world consequences. The practices that kept applications, models, and prompted models reliable in production do not scale to systems that act autonomously in the world. This is the gap AgentOps exists to fill.
AgentOps inherits everything from LLMOps and expands the artefact set further. On top of code, data, models, and prompts, it adds:
- Tool and API definitions: the set of actions an agent can take, each of which must be described, versioned, permissioned, and tested
- Memory: persistent state that survives across turns and sessions, which has its own versioning, retrieval, and garbage-collection problems
- Orchestration logic: the control flow that routes between models, tools, and sub-agents, which is code of a particularly critical kind because it determines emergent behaviour
This is now a seven‑artefact system, and each artefact interacts with the others in ways that are hard to predict statically. A change to a tool description can alter agent behaviour as meaningfully as a change to a model, and a memory corruption can poison future runs indefinitely. Once again, the pattern repeats: a new unit of deployment expands the operational surface faster than the discipline needed to manage it can fully form. This is why AgentOps is not just LLMOps with extra steps.
This expansion changes the operational problem fundamentally. Every previous “‑Ops” discipline dealt with systems that were essentially stateless and reactive: you send an input, you get an output, and you measure the result. Agents are stateful and proactive. They act in the world over time, accumulating context and consequences. And that changes everything.
What Makes AI Agents Operationally Different
Non-determinism compounds across steps. A single LLM call has some variance. An agent that makes twenty sequential LLM calls has variance that compounds at each step. A failure mode that occurs 2% of the time per step will derail roughly one in three ten-step tasks. Traditional error rates that are acceptable in stateless systems become unacceptable in agentic ones.
Failures are hard to reproduce. Because agents interact with live external systems and accumulate state, reproducing a failure requires reconstructing not just the initial input but the entire execution context: tool call outputs, intermediate reasoning, and the state of external systems at the time.
Bugs produce wrong actions, not just wrong outputs. When a microservice has a bug, it returns a bad response. When an agent has a bug, it might send an erroneous email, delete a file, place an order, or call an API in an unexpected sequence. Unlike a wrong response, a wrong action cannot always be undone.
Orchestration is a new class of problem. Multi-agent systems, where a coordinating agent routes tasks to specialised sub-agents, introduce distributed systems problems that software engineers know well (consistency, ordering, failure isolation) in a context where the "services" are probabilistic language models.
Observability requires new primitives. Tracing a distributed system requires tracking calls across services. Tracing an agent requires tracking reasoning across time: why did the agent decide to call this tool, given this context, at this step? Existing distributed tracing tools don't capture the semantic layer.
Safety and alignment are runtime concerns. In a traditional application, safety checks happen at development time. In an agentic system, the model is making decisions at runtime that weren't fully anticipated at design time. Guardrails, permission systems, and human-in-the-loop escalation become operational infrastructure, not just model properties.
Reasoning can be misleading. Unlike traditional ML models, agents produce natural-language explanations of their own behaviour as a byproduct of how they work. This is seductive but dangerous: the stated reasoning may not faithfully reflect the actual decision process. Agents can post-hoc rationalise decisions just as humans do, and verifying that an explanation is causally connected to the action is a genuinely open problem.
What AgentOps Tooling Looks Like
The AgentOps tooling ecosystem is early but forming rapidly. The key capabilities it needs to provide include:
- Execution tracing: capturing full agent traces including tool calls, intermediate reasoning steps, and branching decisions, in a way that is human-readable and queryable
- Replay and debugging: the ability to reproduce and step through an agent run to diagnose failures
- Evaluation frameworks: automated and human evaluation of multi-step task completion, not just single-response quality
- Cost and latency tracking: agents can make many LLM calls per task; understanding the cost per task is non-trivial
- Permission and scope management: defining what tools and actions an agent is allowed to take, and enforcing those boundaries at runtime
- Human-in-the-loop infrastructure: knowing when to pause, surface a decision to a human, and resume
- Versioning for agent configurations: prompts, tool definitions, memory configurations, and orchestration logic all need to be versioned together
- Decision attribution and reasoning faithfulness: understanding not just what an agent did but why, and whether its stated reasoning faithfully reflects its actual decision process. This extends MLOps-style explainability into the multi-step, natural-language domain, where the challenge shifts from extracting explanations to verifying them.
The existing LLMOps tooling ecosystem has been extending into agent tracing and evaluation, and a new category of agent-specific platforms has emerged alongside it. Major cloud providers are adding agent observability to their core infrastructure offerings, suggesting this capability is on its way to becoming standard rather than specialised.
The Pattern Across the Waves
Looking at the full arc, a clear pattern emerges. Each "-Ops" wave was triggered by the same underlying dynamic:
A new unit of deployment emerged that existing operational tooling couldn't adequately observe, control, or improve.
| Wave | Unit of Deployment | Artefacts Managed | Core New Problem |
|---|---|---|---|
| DevOps | Service / Application | Code | Deployment reliability and speed |
| MLOps | Trained Model | Code + Data + Models | Data drift, reproducibility, retraining |
| LLMOps | Prompted Model | Code + Data + Models + Prompts | Prompt management, cost, evaluation |
| AgentOps | Autonomous AI Agent | Code + Data + Models + Prompts + Tools + Memory + Orchestration | Multi-step failure, safety, orchestration |
Each wave also inherited the lessons of the previous one. AgentOps needs everything LLMOps built: prompt management, cost tracking, guardrails. It then adds a new layer on top.
What Remains Unsolved
AgentOps is still in its formative phase, and the hardest problems are still open:
Evaluation at scale. How do you evaluate whether an agent completed a complex, open-ended task correctly? Human evaluation doesn't scale. LLM-as-judge is promising but has its own reliability issues. This remains one of the deepest open problems in the field.
Formal verification and safety. Can we make rigorous guarantees about what an agent will and won't do, before it runs? Current approaches rely on runtime guardrails, which are probabilistic. This is an active research area with no settled answers.
Standardisation. The ecosystem is fragmented. There is no widely adopted standard for agent trace formats, tool interfaces, or evaluation benchmarks, analogous to what earlier waves eventually produced for distributed systems and infrastructure monitoring. This kind of convergence will come, but it hasn't yet.
Cross-agent trust and security. As agents call other agents, including agents run by different organisations, questions of authentication, authorisation, and prompt injection become critical infrastructure problems. Early industry protocols are beginning to address these concerns, but the security model is still maturing.1
Conclusion
The gap between what autonomous agents can do and what our operational practices can safely contain is already visible in production systems today. This is not a future concern or a theoretical edge case. As agents become more capable and more autonomous, the operational challenges they create are emerging faster than the tooling and practices designed to manage them.
The evolution from DevOps to AgentOps is not a marketing trend or a naming exercise. It reflects a recurring dynamic in software systems: each time a new unit of deployment expands the operational surface, existing disciplines fall short. DevOps, MLOps, and LLMOps all followed this arc. Each borrowed what it could from what came before and invented what it could not. AgentOps follows the same pattern, driven not by abstraction, but by necessity.
AI agents represent the most significant expansion of that operational surface yet. They act in the world, accumulate state, make decisions, and fail in ways that are both novel and consequential. The operational practices that succeeded in earlier waves are not sufficient to contain them. AgentOps is the response this moment requires. The organisations that invest now in defining its artefacts, tooling categories, and evaluation and safety practices will shape the standards others eventually adopt. The unit of deployment has evolved. The discipline must evolve with it.
If AgentOps is becoming a priority in your organisation, we would be happy to discuss how to approach it, get in touch.
Author
Marat Bagiev