Engineering·
5 Failure Modes in Self-Improving AI Agents
By Oxagen Team
- AI Agents
- Debugging
- Self-Improvement
- Production
- Failure Analysis
Self-improving agents fail in predictable ways. The mechanisms — reflection, memory accumulation, skill acquisition — each introduce a failure mode that is different from the failure modes of static agents, and the patterns repeat across implementations with enough regularity to be named.
This article covers the five failures that show up most often in production. Each one is described precisely: what it looks like, why it happens, what signals detect it early, and what prevents it. Teams that have read this list before shipping will recognize these patterns when they appear, rather than debugging them from first principles.
Failure 1: Reflection collapse
What it looks like: The agent runs a reflection loop and produces outputs with increasing confidence, but accuracy is flat or decreasing. The agent "verifies" its answers, agrees with itself, and returns them with high certainty. Users report that the agent sounds very sure of things that are wrong.
Why it happens: Reflection requires a verifier. When no deterministic verifier exists — when the agent uses an LLM to judge its own output — the critique step becomes a consistency check rather than a quality check. The agent asks "does this answer look like a correct answer?" and its own prior beliefs answer yes. Self-consistency is not self-correction.
This failure is documented in multiple studies. Huang et al. (2024) showed that LLMs cannot reliably self-correct reasoning without external feedback. The failure is not a bug in the implementation — it is a fundamental limitation of using an LLM to verify its own LLM output.
Detection signals:
- Confidence scores on reflection-revised outputs are uniformly high, regardless of actual accuracy on eval
- LLM-judge scores increase over time while deterministic verifier scores stay flat or drop
- Users report correct-sounding but wrong answers at higher rates than without reflection
Prevention:
- Only use reflection on tasks with deterministic verifiers (test suites, schema validators, answer checkers)
- Run parallel eval: LLM-judge score alongside at least one automatable metric
- Set a reflection budget and require measurable improvement above the budget threshold to justify the cost
- If no deterministic verifier exists for a task class, do not add reflection to it
Failure 2: Memory poisoning
What it looks like: The agent accumulates an incorrect fact — either extracted incorrectly from a source or explicitly provided by a bad actor — and the fact spreads through the memory graph via relationship edges and observations. Future retrieval surfaces the incorrect fact confidently, often alongside plausible-looking provenance.
Why it happens: Extraction pipelines make mistakes. A confidence-0.9 extraction from a misleading subject line or an out-of-context passage will enter the graph as a near-certain fact. Because memory accumulation is additive, the incorrect fact gains weight over time as other memory items are associated with it. Entity resolution may merge the poisoned node with the correct one, spreading the contamination.
In adversarial settings, this can be intentional. An agent that processes user-provided documents can be fed documents containing false facts about entities the agent already tracks. If the agent's extraction pipeline does not sanity-check new observations against existing ones, the false facts persist.
Detection signals:
- Known-fact eval fixture results degrade over time despite the underlying facts not changing
- Provenance queries on wrong answers trace to a single source with a recent
ingested_attimestamp - Entity observation history shows a fact being added and then contradicted without the contradiction being resolved
Prevention:
- Confidence thresholds on ingestion: observations below 0.7 confidence require a second extraction confirmation before writing to the graph
- Contradiction detection: when a new observation conflicts with an existing one on the same entity, queue both for review rather than silently overwriting
- Source quality scoring: track the accuracy rate of each source over time; weight observations from low-accuracy sources as lower confidence
- Audit trail: every observation has a
source_idpointing to its origin; the agent should be able to explain why it believes a fact
Failure 3: Entity fragmentation
What it looks like: The agent knows many things about a person, company, or resource — but the knowledge is spread across multiple nodes. Queries that should return a complete picture return partial results. The agent cannot answer "everything we know about Sarah" because "Sarah" is three nodes.
Why it happens: Entity resolution did not run, or ran but did not catch this case. The most common cause is variations in name representation across sources — "Sarah Chen," "S. Chen," and "schen@acme.com" from three different data sources create three entity nodes if the ingestion-time resolution step does not catch the match.
Fragmentation is self-reinforcing. Each fragment accumulates its own observations. The further they drift apart in embedding space, the less likely future resolution is to catch them. An agent that starts with 20 resolved entities and 6 months of ingestion may have 80+ entity nodes representing the same 20 real entities by the time someone investigates a retrieval failure.
Detection signals:
- Multi-hop eval fixture fails while single-hop eval passes
- Entity count grows faster than expected given the size of the workspace
- Neighborhood expansion queries return nodes with suspiciously few observations (fragments have less data than the real entity)
- Alias overlap between two nodes — one node's
nameappears in another node'saliaseslist
Prevention:
- Run entity resolution at ingestion time: every new entity mention is checked against existing nodes before creating a new one
- Schedule a batch resolution sweep weekly: re-run candidate generation across all workspace entities, surface high-confidence merge candidates for automated merging
- Monitor entity count growth: alert when the count grows faster than the source ingestion rate justifies
- Expose the alias-overlap check as a maintenance query the eval harness runs weekly
Failure 4: Eval blindness
What it looks like: The agent has been running in production for months. The team believes it is improving because it has been running reflection and accumulating memory. Nobody has checked. When they finally run a systematic eval, they discover the agent has been getting worse for six weeks.
Why it happens: There is no eval harness, or the eval harness runs but nobody looks at the results, or the eval harness measures the wrong things (LLM-judge scores that inflate with confidence, eval tasks that are too easy and show near-ceiling performance from day one).
This is the most common failure mode by occurrence, and the most preventable. It is not a technical failure — it is a process failure.
Detection signals:
- Users file increasing support tickets about incorrect answers
- Team members disagree about whether the agent is "getting better" with no data to resolve the disagreement
- The last eval run was more than two weeks ago
Prevention:
- Build the eval harness before shipping the self-improving mechanisms
- Make eval runs blocking: no merge to the agent codebase without a green eval run
- Assign ownership: one person is responsible for reviewing eval trends weekly
- Alert on regression: an automated alert fires when any eval category drops 5 percentage points below its prior best
- Include at least one hard task in the eval suite: a task the agent is currently failing, so the eval can detect improvement as well as regression
Failure 5: Skill entropy
What it looks like: The agent's tool registry has grown large and inconsistent. The agent calls deprecated tools, selects the wrong tool for a task, or fails to find a tool that exists because the registry has too many near-synonyms. New tools were added with poor names and descriptions. Old tools were never removed.
Why it happens: Skill acquisition without curation. Voyager-style skill libraries are compelling in research because they show the agent expanding its capabilities. In production, the registry requires active maintenance. Tool schemas must be clear, tool descriptions must be discriminative, and deprecated tools must be removed or marked clearly.
When skill acquisition runs without human curation — when the agent writes and registers new tools autonomously without review — the registry drifts toward entropy. The agent tool-selection step works well with 20 tools and poorly with 200 near-synonyms.
Detection signals:
- Tool-use eval fixture accuracy drops over time even though the tools being tested still exist
- Tool call logs show the agent invoking the same tool via multiple different names
- Registry growth rate increases monotonically with no corresponding growth in task coverage
- The agent sometimes calls no tool when a tool exists for the task — the tool is not being selected because the description has drifted from the use case
Prevention:
- Require human review before any agent-written tool enters the production registry
- Run discriminability checks: when a new tool is registered, check that its description produces the highest cosine similarity among all tools for its target use case (not another tool)
- Deprecation policy: tools that have not been called in 30 days are flagged for review; tools not called in 90 days are removed
- Tool version history: maintain a version for each tool schema; when a tool is updated, increment the version rather than overwriting
- Registry size limit: cap the production registry at a fixed size (50–100 tools for most agents) and enforce the cap with the deprecation policy
Summary
| Failure | Root cause | Primary signal | Prevention |
|---|---|---|---|
| Reflection collapse | No deterministic verifier | Confidence inflation on evals | Verifier gate before adding reflection |
| Memory poisoning | No contradiction detection | Known-fact eval degradation | Confidence thresholds + provenance |
| Entity fragmentation | Insufficient entity resolution | Multi-hop eval failures | Ingestion-time + batch resolution |
| Eval blindness | No harness or stale harness | Support ticket volume rises | Harness before mechanisms; weekly review |
| Skill entropy | No registry curation | Tool-use eval degradation | Human review + deprecation policy |
All five failures are detectable early if the eval harness is running and the right metrics are being tracked. None require special tooling. The common thread: self-improvement requires observability. An agent that is changing but not being measured is an agent that is failing silently.
FAQ
What is reflection collapse in AI agents?
Reflection collapse is when an agent's reflection loop produces higher confidence outputs without improving accuracy. It happens when the verifier is another LLM rather than a deterministic check — the agent confirms its own prior beliefs instead of checking them against ground truth.
How does memory poisoning happen in self-improving agents?
Memory poisoning occurs when an incorrect fact enters the agent's persistent memory through an extraction error or adversarial input. Because memory is additive and facts gain weight as more memory items reference them, the incorrect fact compounds over time and surfaces confidently in retrieval.
What causes entity fragmentation?
Entity fragmentation happens when the same real-world entity appears as multiple nodes in the memory graph — "Sarah Chen," "S. Chen," and "schen@acme.com" as three separate nodes. The primary cause is insufficient entity resolution at ingestion time or missing batch resolution sweeps.
How do I know if my agent has eval blindness?
If you do not have a running eval harness with nightly results, or if the last eval run was more than two weeks ago, or if the team disagrees about agent performance with no data to resolve the disagreement — those are the signals.
What is skill entropy in self-improving agents?
Skill entropy is the degradation of an agent's tool registry over time due to uncurated skill acquisition. The registry accumulates near-synonym tools, deprecated tools, and poorly described tools until tool selection becomes unreliable.
Further reading
- Self-Improving AI Agents: A Technical Overview — the mechanisms behind each failure mode
- Reflection in AI Agents: How Self-Critique Actually Works — detailed breakdown of reflection collapse and its prevention
- Knowledge Graphs for Agent Memory: Design Patterns — entity resolution patterns that prevent fragmentation and poisoning
- How to Evaluate Self-Improving AI Agents — the eval harness that catches all five failure modes early
Oxagen is the ontology layer for AI agents — typed, workspace-scoped, Neo4j-backed memory with entity resolution, provenance, and contradiction detection built in. Read the docs to get an API key, or book a demo to see what production-grade agent memory looks like.