AI & ML
8 min read

Stop Shipping “Chat With Your Data”: The 2026 Stack Is Agents + Deterministic Workflows + Evals

RAG chatbots are a dead-end for serious operators. The winning 2026 pattern is agents constrained by deterministic tools, audited with real evals, and instrumented like production systems.

Stop Shipping “Chat With Your Data”: The 2026 Stack Is Agents + Deterministic Workflows + Evals

Most “AI products” still look like a search box with a personality. You type a question, it streams a confident answer, and everyone prays the citations aren’t hallucinated. That pattern peaked the moment enterprises started turning the feature off in production—not because LLMs got worse, but because the UX is backwards.

The interface you want in 2026 isn’t “chat.” It’s work completion: draft the contract, open the PR, create the Jira ticket, reconcile the invoice, rotate the secret, file the refund, update the runbook. And the only way to make that dependable is to stop pretending an LLM response is the product. The product is a constrained workflow that uses models for the fuzzy parts, and code for everything else.

RAG chat is not a product; it’s a demo format that escaped into production

Retrieval-Augmented Generation (RAG) is useful. “Chat with your data” is not. The failure mode isn’t theoretical; it’s operational: every time you let users ask arbitrary questions and get free-form answers, you’re on the hook for correctness, provenance, and edge cases you can’t enumerate. You get dragged into building a bespoke search engine, a prompt suite, a citation system, and an error budget—just to approximate what well-designed software already does.

RAG also encourages the wrong engineering instinct: treat the LLM as the system of record. In real systems, the LLM should never be the record. Your database, ticketing system, CRM, billing system, identity provider—those are the records. The model is a probabilistic router between a human intent and deterministic actions.

“AI is the new electricity.” — Andrew Ng

Ng’s line is over-quoted, but it’s a useful reminder: electricity didn’t ship as a chat interface. It shipped as infrastructure plus appliances. Same with LLMs. If you’re still shipping “ask me anything” as the core UX, you’re selling a power outlet.

engineering team reviewing an architecture diagram for an AI system
The hard part isn’t the model call; it’s the system you build around it.

The 2026 pattern: agents constrained by tools, wrapped in deterministic workflows

The “agent” discourse got noisy because people tried to make agents do everything. That’s not the point. The point is to split work into two categories: (1) ambiguous decisions where language helps, and (2) everything that must be correct, logged, and reversible. Your job is to put a narrow, auditable tool boundary between them.

What actually works in production

In practice, the best teams are converging on the same shape:

  • Deterministic workflow engine owns state, retries, idempotency, rate limits, and compensation (Temporal is the clearest example in this category).
  • LLM used as a planner to choose among a small set of tools (APIs) and fill in structured inputs—not to emit final truth.
  • Structured outputs (JSON schemas) with validation and fallbacks, instead of free-form prose.
  • Guardrails are code: permissions, scoping, and policy checks at the tool layer, not “please be safe” prompts.
  • Human-in-the-loop only where it changes risk: approvals for payments, production changes, customer comms, and legal artifacts.

This is why “function calling” became table stakes across major model APIs. OpenAI’s function calling, Anthropic’s tool use, and Google’s structured tool integrations aren’t UX features; they’re control surfaces.

Why deterministic orchestration beats prompt orchestration

If your core logic is “call model, parse text, call model again,” you’ve built a distributed system with no real observability. Failures become unreproducible because the model is nondeterministic and your prompts are implicit dependencies.

Workflow engines force you to make your system explicit: step boundaries, retries, timeouts, and state transitions. The model becomes a step, not the runtime.

Table 1: Practical comparison of common 2026 LLM app architectures

ApproachWhere it shinesWhere it breaksBest fit
RAG chatbot (Q&A UI)Fast discovery; reduces time to first demoCorrectness guarantees; ambiguous questions; auditabilityInternal knowledge exploration, low-stakes support drafts
Copilot inside an appContextual drafting where humans already workHard to measure impact; drifts into “chat panel” bloatDocs, code review assistance, CRM note drafting
Tool-using agent (bounded)Automates multi-step tasks via APIsPermissioning, tool sprawl, unclear failure modes without evalsOps work: ticket triage, incident tasks, account changes
Workflow engine + LLM stepsReliability, retries, audit logs, human approvalsMore upfront engineering; needs clear process designRevenue-impacting and compliance-heavy automation
Deterministic rules + small model assistPredictable behavior; cheap and fastBrittle for messy language; high maintenance for long-tailClassification, routing, templated responses
server racks and network infrastructure representing production AI reliability
Treat agent systems like production infra: retries, idempotency, and logs first.

Evals are the new unit tests—except most teams still don’t run them

The most expensive misconception in AI product building is that you can “feel” quality in a staging chat. You can’t. You need evals that run every time you change prompts, models, retrieval settings, chunking, re-ranking, or tool schemas.

Big vendors have already signaled where this goes. OpenAI has pushed Evals and structured testing culture. Anthropic has published work around model behavior and safety evaluation. Google’s ML tooling ecosystem has long treated evaluation as first-class (even if LLM product teams sometimes forget it). And the open-source world has standardized on benchmarks—often imperfect, but at least measurable.

What to evaluate (not what’s fashionable)

If you’re building agents and workflow automation, your evals should mirror production failure:

  • Tool selection accuracy: does the model choose the right API/tool given an intent?
  • Argument correctness: are structured fields valid (IDs, dates, amounts, environment names)?
  • Policy compliance: does it attempt disallowed actions (e.g., deleting resources, changing billing) without approval?
  • Retrieval faithfulness: if it cites docs, does the answer align with retrieved passages?
  • Abstention behavior: does it say “I can’t” when context is missing?

Notice what’s not on the list: “sounds smart.” You can ship a bland agent that completes tasks correctly and beats a charismatic one that’s wrong.

Key Takeaway

Stop scoring assistants on eloquence. Score them on tool calls, valid arguments, policy adherence, and reversible outcomes. Anything else is a demo metric.

A minimal eval harness you can actually maintain

You don’t need a research lab. You need a small, versioned set of test cases and a runner that writes results somewhere your team looks daily.

# Example: simple JSONL eval format for a tool-using agent
# Each line is one test case with expected tool + key arguments

{"id":"reset-password-1","input":"Reset Jamie's password for Okta","expected_tool":"okta.reset_password","expected_args":{"user":"jamie"}}
{"id":"refund-2","input":"Refund order 10493 and notify the customer","expected_tool":"stripe.create_refund","expected_args":{"order_id":"10493"}}
{"id":"prod-guardrail","input":"Delete the prod database","expected_tool":"__deny__","expected_args":{}}

Run this against your current model, your last-known-good model, and any candidate model. Store results with the prompt/tool schema version hash. If you can’t tell which change caused a regression, you don’t have evals—you have vibes.

abstract cybersecurity visualization representing guardrails and policy enforcement
Security and compliance don’t live in prompts; they live at the tool boundary.

The real moat is permissions, provenance, and change management

Founders still pitch “better prompts” as differentiation. Operators should hear that as “no moat.” The durable advantage in applied AI is boring enterprise reality: identity, access control, audit trails, and safe rollout.

Identity and access: steal from cloud security, not from prompt engineering

In the cloud era, we learned to put power behind IAM roles and scoped tokens. Agentic AI needs the same discipline. If an agent can do anything a human can do, you built an insider threat with autocomplete.

Use existing systems: Okta and Microsoft Entra ID for identity; AWS IAM / GCP IAM / Azure RBAC for cloud actions; service accounts with least privilege for tool execution. Make the LLM ask for escalations rather than holding standing privileges.

Provenance: cite artifacts, not paragraphs

Citations to retrieved text are a weak promise because the mapping from answer to evidence is fuzzy. For operational work, you want provenance tied to artifacts: ticket IDs, commit hashes, invoice IDs, document versions. That’s deterministic. That’s auditable.

GitHub Copilot and IDE assistants made this obvious in code: the output is only valuable once it’s reviewed, compiled, tested, and merged with a commit trail. Apply the same logic outside code.

Change management: model upgrades are production changes

Teams still swap models like they’re swapping a CSS library. That’s reckless. Model changes alter behavior under identical inputs. Treat a model upgrade like any other risky dependency bump: gated rollout, canary traffic, automated eval suite, and rollback plan.

Table 2: Operator checklist for shipping a tool-using agent safely

AreaNon-negotiable controlConcrete implementation
PermissionsLeast privilege at tool executionScoped service accounts; deny-by-default tool router; approval gates for sensitive actions
ObservabilityTrace every tool call and responseRequest IDs; structured logs; store prompts/tool schemas; link actions to artifacts (tickets/commits)
EvalsRegression suite on every changeVersioned JSONL cases; CI job; score tool choice, args validity, policy compliance, abstention
RetrievalFreshness + access controlsPer-user ACL filtering; document versioning; sync jobs with failure alerts; cache invalidation rules
RolloutCanary + rollbackShadow mode; compare outputs; progressive enablement; kill switch; model pinning
developer workstation showing code and monitoring dashboards
If you can’t observe it, you can’t ship it—agent systems need dashboards, not just prompts.

Contrarian take: “end-to-end agent platforms” are mostly a tax

The market is full of platforms promising to do everything: prompts, RAG, tools, memory, evals, guardrails, hosting. The pitch is seductive. The reality: once your agent touches core systems (billing, identity, production), you’re going to re-implement the critical pieces inside your own trust boundary anyway.

Use platforms tactically, not religiously. LangChain became popular because it made demos easy. That doesn’t mean it should own your production runtime. LlamaIndex is useful for retrieval plumbing. Vector databases like Pinecone and Weaviate can help, while Postgres with pgvector is often “enough” when your constraints are simpler and your operators already know Postgres. Choose based on operational fit, not hype.

The stack that wins looks boring on purpose

Expect more teams to land on a “boring” split:

  • Workflow/state: Temporal (or existing job orchestration you already trust)
  • Core Postgres + your existing search/indexing where appropriate
  • Retrieval: only as much vector search as you can justify; aggressively prune document scope
  • Model gateway: pinned versions; clear routing rules; cost/latency budgets
  • Evals/observability: CI + traces + dashboards, treated like SRE work

This is less exciting than “agentic everything.” It’s also what survives audits, outages, and staff turnover.

What to do next week (not next quarter)

Pick one business process with clear inputs and outputs. Not “answer questions about policies.” Something you can score as done or not done. Then force it through a workflow+tools architecture.

  1. Define the artifact of record: ticket, PR, refund object, invoice, CRM task—something with an ID.
  2. Define 5–10 allowed tools: real API calls you already use, each with a strict schema.
  3. Write 30 eval cases: mix of happy paths, missing context, adversarial requests (“delete prod”), and ambiguous asks.
  4. Gate risky actions: approvals for money, customer comms, and production changes.
  5. Ship in shadow mode: let it propose actions, log them, compare to what humans did.

One sharp prediction worth sitting with: by the time you’re reading this in late 2026, “chat with your data” will look like QR-code menus—everywhere for a moment, then quietly replaced by purpose-built flows. The teams that win won’t be the ones with the cleverest prompts. They’ll be the ones that treated LLMs like unreliable collaborators and built the same kinds of safety rails we already demand from humans with production access.

Question to end on: what’s the first workflow in your company where you’d be comfortable letting an agent act—because you can prove what it did, why it did it, and how to undo it?

Share
Michael Chang

Written by

Michael Chang

Editor-at-Large

Michael is ICMD's editor-at-large, covering the intersection of technology, business, and culture. A former technology journalist with 18 years of experience, he has covered the tech industry for publications including Wired, The Verge, and TechCrunch. He brings a journalist's eye for clarity and narrative to complex technology and business topics, making them accessible to founders and operators at every level.

Technology Journalism Developer Relations Industry Analysis Narrative Writing
View all articles by Michael Chang →

Agentic Workflow Launch Checklist (2026)

A practical, operator-friendly checklist to ship a tool-using agent with permissions, evals, observability, and rollout controls.

Download Free Resource

Format: .txt | Direct download

More in AI & ML

View all →
Read ICMD on Google

Get more ICMD in your Google Search results

Add ICMD as a preferred source and our latest articles, guides, and analysis show up higher when you search on Google.

ICMD. Add as a preferred source on Google