The Rat in the Maze: why Harness and Determinism are the centerpiece of Autonomous Agents
A classic behavioral psychology analogy reveals the most overlooked principle in building AI agents: without walls, there is no path.
Table of Contents
In 1930, Edward Tolman placed rats in mazes and made one of the most important observations in learning psychology: rats that explored freely, without constraints, took significantly longer to find the exit than those whose path was limited by walls and gates. The “free” rat wandered, revisited dead ends, looped around, spending energy without converging. The rat guided by the maze walls learned faster, made fewer mistakes and, eventually, internalized a cognitive map of the route.
Eight decades later, we are repeating exactly the same experiment, but with Large Language Models instead of rats. And making the same mistake of believing that total freedom equals maximum performance.
This article is about walls. About the deterministic infrastructure that wraps a probabilistic model and transforms raw potential into reliable execution. About the concept the industry now calls a harness, and about why the determinism-first philosophy is the missing piece for autonomous agents to move from the lab into production.
The maze, the rat, and the LLM
The rat-in-the-maze analogy is not merely illustrative. It is structurally precise. An LLM, when given unrestricted access to tools and free rein to decide at each step what to do, behaves like the rat without walls: it may eventually reach the goal, but the path will be long, erratic, costly, and unpredictable. It repeats actions, explores dead ends, loses accumulated context and, in complex scenarios, enters self-correction loops that consume tokens without producing progress.
Harness engineering recognizes that the model is the rat: intelligent, adaptive, capable of reasoning. But that intelligence without structure does not scale. The maze walls do not make the rat less intelligent; they channel its intelligence so that exploration becomes productive. Analogously, the harness does not limit the LLM. It defines the boundaries within which the model’s probabilistic capability can operate at maximum efficiency.
Core Definition. Agent = Model + Harness. The harness is all the software infrastructure surrounding the LLM: workflow orchestration, deterministic validation, context management, state memory, feedback loops, sensors, guides, and approval gates. It is everything that is not the model, but that determines whether the model operates reliably.
Birgitta Böckeler, Distinguished Engineer at Thoughtworks, systematized this concept in her work on harness engineering for coding agents. She divides harness controls into two categories: guides (feedforward controls that anticipate agent behavior and steer it before the action) and sensors (feedback controls that observe the result and enable self-correction). Each of these can be computational (deterministic and fast) or inferential (semantic, using another LLM as judge).
The combination of guides and sensors creates what she describes as a virtuous cycle: without guides, the agent repeats the same mistakes because it never received the rule; without sensors, the agent follows rules but never discovers whether they worked. It is the wall and the map. It is the maze that simultaneously constrains and teaches.
The case against total autonomy
There is a natural temptation in the AI community: if the model keeps getting smarter, why not give it total autonomy? Let it decide on its own which tools to use, in what order, with what parameters. This is what Qodo internally called the “YOLO” approach, an “all-knowing” agent that freely scours all available tools.
Qodo, while building coding agents with LangGraph and MCP, learned from experience that this approach fails in production. Their guiding principle became a simple yet powerful phrase: “If you don’t need an LLM, don’t use an LLM.” The team began building opinionated flows, each sub-agent with a specific purpose, each graph node classified as static (deterministic), LLM (generative), or agentic (with limited autonomy). Autonomy was not eliminated; it was positioned at the nodes where it makes a difference.
| Without Harness (“Free rat”) | With Harness (“Structured maze”) |
|---|---|
| Agent decides everything at each step. Tool calls in unpredictable sequence. Context dilutes. Errors accumulate. Token cost scales exponentially. | Workflow defines topology. Deterministic nodes validate before and after. LLM is invoked only where semantic reasoning is needed. State is persisted. |
| Result: inconsistent, non-auditable, impossible to debug. | Result: predictable, auditable, recoverable, scalable. |
Salesforce reached the same conclusion through a different path. When developing Agentforce, Phil Mui’s team identified what they called “doom-prompting”, the vicious cycle of adjusting instructions, refining data, and hoping for consistency that never arrives. Their solution was the Agent Graph, a “guided determinism” architecture that uses finite state machines to manage transitions between agents, preserving the LLM’s natural language understanding while ensuring operational fidelity.
The lesson is convergent: companies of different scales, in different domains, arrived at the same insight. LLM reasoning alone cannot sustain enterprise workloads. Intelligence needs rails.
Determinism-First: the architectural principle
What we are calling determinism-first is not the elimination of the LLM from the decision-making process. It is the inversion of the hierarchy. Instead of a probabilistic model that occasionally calls deterministic functions, we have a deterministic engine that invokes the model at specific workflow points for tasks that genuinely require semantic reasoning.
The paper “Blueprint First, Model Second” (Qiu et al., Alibaba, 2025) formalizes this principle with the SOURCE CODE AGENT framework. The idea is simple and radical: an operational procedure defined by domain experts is encoded into an execution blueprint (Python code defining step sequences, conditional logic, and decision points). A deterministic engine executes this blueprint with full fidelity. The foundation model’s role is strategically reconfigured: it is no longer the central decision-maker, but a specialized tool invoked at specific nodes for complex but bounded tasks, such as interpreting an error log or summarizing a command’s output.
Principle. Separation of responsibilities: the deterministic engine manages the workflow blueprint; the intelligent model handles discrete subtasks. Each does what it does best.
The paper’s experimental results are significant: by imposing a deterministic workflow, the approach significantly improves task success rates and operational efficiency. A “Double-Check” module (a coded step that intercepts proposed actions, validates against rules, and requests model re-evaluation) transforms the agent from a reactive predictor into a methodical executor.
The mcp-agent, an open-source framework by LastMile AI, implements these patterns within the MCP context. The project added deterministic plan verification before execution, validation that checks whether the LLM-generated plan is structurally valid, whether dependencies make sense, and whether referenced resources exist. If verification fails, the orchestrator generates a structured error message and requests a new plan. This is the computational sensor in action: cheap, fast, deterministic, running on every change.
Anatomy of a Determinism-First Workflow
User Input → Deterministic Routing → LLM: Intent Parser → Plan Validation → LLM: Executor → Verification + Tests → Validated Output
The pattern is clear: the LLM appears at two points (intent interpretation and execution), while the rest of the pipeline is deterministic. Routing, validation, and verification do not require semantic reasoning. They are operations that can be coded, tested, and reproduced.
MCP: the protocol that enables an interoperable harness
If the harness is the infrastructure surrounding the model, the Model Context Protocol (MCP) is the contract that standardizes how the tools in that infrastructure communicate. Developed by Anthropic, MCP works as a universal interface between agents (MCP clients) and external capabilities (MCP servers): databases, APIs, file systems, search tools, knowledge graphs.
MCP’s importance for the determinism-first paradigm lies in standardization. Without a unified protocol, every integration requires ad-hoc code, every tool has its own interface, and the harness becomes a fragile patchwork that is impossible to maintain. With MCP, tools are exposed once through a standardized server and become available to any client: Claude Desktop, Cursor, custom agents, CI/CD tooling.
Graph Workflow, published on the MCP Market, exemplifies the convergence of graphs, MCP, and determinism. The tool transforms requirement documents (PRDs) into hierarchical task graphs with explicit dependencies, persisted in SQLite. The agent does not improvise work decomposition. The graph defines topology, dependencies determine execution order, and context is compressed by 70-85% to optimize token consumption. It is the maze built algorithmically from the goal.
Projects like MCP Agent Graph take the idea further, integrating sub-agents, long-term memory, and visual workflow into a system where nodes can dynamically select the next step, but always within the bounds of the defined graph. Agent autonomy is not eliminated; it is channeled by the graph, like the rat by the walls.
From the lab to production: concrete evidence
Stripe: 1,000+ PRs per week with Minions
Stripe revealed that its Minions system (one-shot, end-to-end coding agents) produces over a thousand merged pull requests per week, all generated without human intervention during execution, with mandatory human review before merge. The architecture is oriented toward unattended execution in an isolated environment, with deterministic tests, limited remediation, and human approval as the control gate. Stripe concluded that the decisive source of value is not the individual model, but the quality of the “execution envelope” around it.
Datadog: Harness-First Engineering
Datadog’s engineering team explicitly adopted the principle of harness-first engineering: instead of reviewing every line of agent-generated code, investing in automated checks that determine with high confidence, in seconds, whether the code is correct. In the redis-rust project, they used Deterministic Simulation Testing (DST) with millions of seeds to validate invariants: linearizability, transaction consistency, ordering guarantees. Bugs that human review might catch “on a good day” were captured deterministically, in seconds.
Datadog’s pattern is crystal clear: the agent generates code, the harness verifies, production telemetry validates, and if something is wrong, feedback updates the harness and the agent tries again. The loop is closed by observability, not by hope.
Process Street: the agent that does not improvise
Process Street implemented workflows as MCP servers, exposing each step (forms, approval gates, conditional logic) as tools callable by agents. The result is an agent that operates within the process, not above it. When the workflow requires managerial approval, the agent stops, notifies the manager, and waits. No agent capability can bypass this gate, because the workflow is deterministic. Approval is not a suggestion. It is a structural constraint.
Anti-pattern. Relying on the prompt to enforce operational constraints. A prompt can say “run tests after writing code.” But nothing prevents the agent from skipping that step. A harness ensures that the workflow cannot advance until the deterministic test step has been executed and approved.
Why agents fail: the structural taxonomy
A large-scale empirical analysis conducted across 13,602 issues in 40 open-source agent repositories revealed a taxonomy of 37 failure types. The central finding is revealing: the majority of failures originate from incompatibilities between probabilistically generated artifacts and deterministic interface constraints. In other words, a structural harness problem, not a model capability issue.
This confirms the maze analogy quantitatively. The rat does not fail due to lack of intelligence; it fails because the walls (or the lack thereof) were not designed to channel its exploration productively. Similarly, when an agent generates malformed JSON, invokes a tool with invalid parameters, or loops trying an action the system does not support, the problem is not the model. It is the absence of deterministic validation between probabilistic output and deterministic input.
The Natural-Language Agent Harnesses paper (2026) goes even further by proposing that harness control can be expressed in executable natural language, not replacing deterministic code but carrying editable, inspectable orchestration logic while adapters and scripts provide the deterministic hooks (tests, linters, scrapers, validators). Experimental results show that verification modules, multi-candidate search, and dynamic orchestration concentrate their effects on a resolution frontier, turning tasks that previously failed into successes, without changing the underlying model.
A framework for deciding what is deterministic
The practical question that emerges is: how do you decide which parts of the workflow should be deterministic and which should be delegated to the LLM? The framework that has consolidated in the industry follows a simple heuristic:
If the path is known, use a deterministic workflow. If the input follows a pattern, validation can be coded, and the output has a predictable format, then the LLM is unnecessary and counterproductive. File parsing, data formatting, test execution, rule-based routing, schema validation: all of this belongs to conventional code.
If the path is unknown but the goal is clear, consider an agent with a harness. Input ambiguity, the need for investigation, diagnosis, or reasoning about unstructured context: these are the moments where the LLM adds value. But even here, the agent should operate within guardrails: token budgets, tool call limits, output validation, recovery checkpoints.
If neither the path nor the goal is clear, keep humans in the loop. Reduce scope, request clarification, do not delegate to total autonomy. Autonomous agents work when the solution space is defined, not when it is infinite.
Back to the maze
Tolman’s rat taught us something that AI engineering is rediscovering: constraints are the mechanism of efficient learning, not its enemy. The maze does not punish the rat. It encodes the problem so that the rat can solve it productively. Every wall is a piece of information: “don’t go this way.” Every gate is a checkpoint: “validate before continuing.” Every path is a contract: “if you follow this sequence, you reach the goal.”
Harness engineering is the discipline of building these mazes for LLMs. The Model Context Protocol is the standard that makes the walls interoperable. The determinism-first principle is the philosophy that places structure as foundation and intelligence as tool.
The formula that emerges from the convergence of papers, frameworks, and production experience is this: the most efficient agent is not the most autonomous one. It is the one whose harness was best engineered. Stripe does not have the best model; it has the best execution envelope. Datadog did not eliminate bugs with AI; it eliminated bugs with deterministic simulation that validated the AI. Process Street did not train smarter agents; it built workflows that no agent can subvert.
In the end, the question is not “how smart is the rat?” The question is “how well designed is the maze?”
References and Further Reading
- Böckeler, B. (2026). “Harness Engineering for Coding Agent Users.” martinfowler.com
- Qiu, L. et al. (2025). “Blueprint First, Model Second: A Framework for Deterministic LLM Workflow.” Alibaba Group. arxiv.org
- Anthropic (2024). “Building Effective Agents.” anthropic.com
- Anthropic (2025). “Writing Effective Tools for AI Agents.” anthropic.com
- Datadog (2026). “Closing the Verification Loop: Observability-Driven Harnesses.” datadoghq.com
- Mui, P. (2026). “Agentforce’s Agent Graph: Toward Guided Determinism.” engineering.salesforce.com
- LastMile AI, mcp-agent: Build Effective Agents Using MCP. github.com
- Graph Workflow, MCP Market. mcpmarket.com
- Qodo (2025). “Building Agentic Flows with LangGraph and Model Context Protocol.” qodo.ai
- Process Street (2026). “Agents Do Not Improvise Well.” process.st
- Costa, R. et al. (2026). “Natural-Language Agent Harnesses.” arxiv.org
- awesome-harness-engineering, Curated Resources. github.com
- MCP Agent Graph, Multi-Agent System Built on Context Engineering. github.com
- Anthropic (2025). “Demystifying Evals for AI Agents.” anthropic.com