// APPLIED AI

Agentic AI and MCP: engineering systems you can
actually trust

A prompt answers a question. An agent takes action in the world - and that changes everything about how you build, verify and ship it. Here is the architecture we use when the wrong output costs real money.

Global reach
Earth · , 
Applied AI9 min read
Nithish Rajan
Nithish Rajan
Co-Founder, BulkBeings

There is a specific moment in every agent project where the demo stops being impressive and starts being dangerous. It is the moment the system moves from generating text to taking action: writing to a database, sending a message, issuing a refund, updating a customer record. Up to that point, a wrong answer is an inconvenience. After it, a wrong answer is an incident. Most teams build the demo and never fully cross that line - which is exactly why so many agentic AI projects look spectacular on a Tuesday and quietly disappear by the following quarter.

At BulkBeings we build custom MCP servers, bespoke tools and multi-agent systems for teams who need the agent to be right, not just fluent. This post is the honest version of what that takes. Not the keynote demo - the architecture. We do not rent AI. We engineer it, and engineering means treating an autonomous system with the same suspicion you would treat any process that acts on your behalf without asking first.

What agentic AI actually is: plan, act, verify

Strip away the marketing and an agent is a loop, not a prompt. A prompt is a single function call: text in, text out, done. An agent runs a control loop where the model decides what to do next, does it via a tool, observes the result, and decides again. The defining property is not intelligence - it is that the model's output feeds back into the world and then back into the model.

The useful mental model has three phases. Plan: decompose a goal into steps and choose which tool serves the next step. Act: call that tool with concrete arguments and get a real result. Verify: check whether the result actually moved you toward the goal, and correct if not. The verify phase is the one almost everyone skips, and skipping it is the single largest reason agents fail in production. A system that plans and acts but never verifies is not autonomous - it is a very confident intern with no supervisor and admin access.

Why most agent demos fail in production

Demos are built on a happy path with three or four steps. Production has twenty steps, malformed inputs, flaky APIs and adversarial users. Three failure modes account for most of the collapse.

  • Compounding error. If each step is 95 percent reliable, a ten-step task is only about 60 percent reliable end to end. Errors multiply, they do not average. The agent that looked flawless over five steps quietly falls apart over fifteen, and nobody notices until a customer does.
  • No verification. The model returns a plausible answer, the loop accepts it, and a hallucinated order number propagates downstream. Without an explicit check against ground truth, the system cannot tell the difference between a correct result and a confident fabrication.
  • Unbounded tool use. Give an agent open-ended tools with no limits and it will eventually take an action nobody intended - delete instead of archive, refund the wrong amount, loop forever calling the same API. Capability without constraint is the failure, not a bug within it.
A prototype proves the model can do the task once. Production requires the system to refuse to do the wrong thing a thousand times. Those are different engineering problems.

MCP: why standardised tool interfaces matter

An agent is only as good as the tools it can reach, and for years wiring tools to models was bespoke glue code - a different, brittle integration for every API, rewritten for every framework. The Model Context Protocol changes the shape of that problem. MCP is an open standard that defines how a model-facing client discovers and calls tools, reads resources and runs prompts from a server, over a consistent transport. Think of it as a common port that any agent can plug into, instead of soldering wires by hand for each connection.

The practical payoff is separation of concerns. Your MCP server owns the capability - the authenticated call to your CRM, the parameterised query against your warehouse, the validated write to your ledger - with its own input schemas, permission scoping and error handling. The agent owns the reasoning. Because the interface is standardised, the same server works across different models and orchestration frameworks, and it can be tested, versioned and secured independently of whatever LLM is calling it this month.

This is most of what we build. When we ship a custom MCP server for a client, the design work is not the model - it is the tool boundary. What is the smallest, safest set of operations that lets the agent do its job? A well-designed tool is narrow, validated and hard to misuse: prefer refund_order(order_id, amount) with server-side ceilings over a raw execute_sql. The protocol gives you the interface; the discipline of what you expose through it is where trust is won or lost.

Multi-agent orchestration with LangGraph

Once tasks get complex, a single agent juggling twelve tools in one prompt becomes unmanageable - it loses the thread, misuses tools and becomes impossible to debug. The answer is orchestration: several focused agents, each with a narrow role and a small toolset, coordinated by an explicit structure. We reach for LangGraph here because it models the system as a graph of nodes and edges with real, inspectable state, rather than an opaque chain you can only pray about.

The value of a graph is that control flow becomes explicit. You can see the path the system took, branch on conditions, retry a node, route to a specialist, and pause at a specific edge for human approval. State is a first-class object you can log and assert against, not a hidden variable buried inside a prompt. A researcher node gathers context, a planner node decides, an executor node acts through MCP tools, and a critic node verifies - each swappable and independently testable.

from langgraph.graph import StateGraph, END

def plan(state):    ...  # decompose goal into steps
def act(state):     ...  # call MCP tools
def verify(state):  ...  # check result vs source of truth

def route(state):
    if state["verified"]:
        return END
    if state["attempts"] >= 3:
        return "escalate"   # hand to a human
    return "plan"           # correct and retry

g = StateGraph(dict)
g.add_node("plan", plan)
g.add_node("act", act)
g.add_node("verify", verify)
g.set_entry_point("plan")
g.add_edge("plan", "act")
g.add_edge("act", "verify")
g.add_conditional_edges("verify", route)
agent = g.compile()

Notice what the graph encodes: a bounded retry count, an explicit verify step, and an escalation path when the system cannot self-correct. That is not extra scaffolding around the intelligence - that is the intelligence being made accountable.

Grounding agents in your source of truth

An agent that reasons from the model's training data alone is guessing about your business. Grounding means every consequential decision is tied back to a system you trust - your database, your document store, your product catalogue, your policy engine - rather than to the model's parametric memory. Retrieval brings the relevant facts into context at act time; verification checks the agent's proposed action against those same facts before it commits.

Concretely, the verify node should not ask the model "are you sure?" - models are cheerfully sure of wrong things. It should re-query the source of truth and compare. Did the order actually exist? Is the amount within policy? Does the record the agent claims to have updated now hold the expected value? Grounding turns verification from a vibe into an assertion, and assertions are the only thing that make a compounding-error curve bend back toward reliable.

Guardrails, observability and human-in-the-loop

The last three layers are what separate a system you can trust from one you merely hope about. They are unglamorous and non-negotiable.

Guardrails

Guardrails are hard limits enforced outside the model, because anything enforced only in the prompt is a suggestion. Validate every tool argument against a schema. Cap the number of steps and the total tool-call budget per task. Put ceilings on consequential actions - a refund tool that physically cannot exceed a threshold. Scope credentials so the agent can only touch what its role requires. The model proposes; the guardrails dispose.

Observability and tracing

You cannot operate what you cannot see. Every run should emit a full trace: the plan, each tool call with its arguments and result, each verification outcome, token cost and latency per step. When an agent does something wrong at 3 a.m., the trace is the difference between a ten-minute fix and a week of guesswork. Tracing is not a debugging luxury you add later - it is the primary interface through which you understand an autonomous system at all.

Human-in-the-loop

Full autonomy is a spectrum, not a switch, and the mature move is to place humans at the highest-consequence, lowest-frequency decisions. The graph pauses before an irreversible action and requests approval; a confidence threshold or a failed verification triggers escalation instead of a blind retry. Done well, humans review the 2 percent of cases that actually need judgment while the agent handles the 98 percent that do not - and every escalation becomes training data for where the system's real boundaries are.

An honest architecture for a trustworthy agent

Put the pieces together and the shape is clear. Narrow, validated tools exposed through MCP servers you control. A LangGraph orchestration of focused agents with explicit, inspectable state. A verify step grounded in your source of truth, not the model's confidence. Guardrails enforced outside the prompt. Full tracing on every run. And a human at the decisions that genuinely warrant one. None of this is exotic; all of it is work, and skipping any layer is where the trust leaks out.

The uncomfortable truth is that a trustworthy agent is mostly not-model engineering. The LLM is one node in a system built to contain it, check it and observe it. That is the difference between a demo and a deployment, and it is the work we sign up for. If you are evaluating agents for something that matters - where a wrong action costs money, trust or time - build the verification and the guardrails first. The intelligence is the easy part now. The accountability is the product.

Autonomy is not the absence of control. It is control moved to the right layer - schemas, graphs, traces and a human at the edges - so the system can move fast without being able to move wrong.
// FAQ

Questions, answered

Questions engineers ask about this.

A prompt is a single call: text in, text out. An agent runs a loop where the model plans a step, acts through a tool, observes the real result, and decides again - its output feeds back into the world and then back into itself. That feedback into real actions, not the model itself, is what makes it agentic and what makes verification essential.

MCP is an open standard for how agents discover and call tools, so you stop writing bespoke glue for every API and framework. It separates concerns: the MCP server owns the capability with its own schemas, permissions and error handling, while the agent owns the reasoning. The same server then works across different models and orchestration frameworks and can be tested and secured on its own.

Enforce limits outside the model, because anything in the prompt is only a suggestion. Expose narrow, validated tools with server-side ceilings, cap steps and tool-call budgets, scope credentials to the agent's role, verify every consequential action against your source of truth before committing, and route irreversible decisions to a human for approval. The model proposes; the guardrails dispose.

KEEP READING

More from the lab.

// START HERE

Have a problem worth engineering?

Tell us what you're building. We'll frame the outcome, build the eval, and prove the model against it - from scratch if that's what it takes.

Start a project