Back to portfolio
Systems Engineering: Building Agentic Software That Works
FeaturedApril 7, 20266 min read

Systems Engineering: Building Agentic Software That Works

Most agentic apps fail not because of bad models, but bad system design. Here's the five-layer framework that actually works.

agentic-aisystems-engineeringsoftware-architecturemulti-agentsecurity

The core argument: just like Bell Labs discovered in the 1940s that you can't optimize a telephone network by optimizing individual components, you can't build good agentic software by only thinking about the agent layer. The whole system matters.

He breaks it into five layers every agentic system needs:

The five layers every agentic system needs — optimizing one without the others creates cascading failures.

  1. Agent Engineering: the actual agent logic, tools, and execution flow
  2. Data Engineering: memory, storage, and knowledge managed with proper database principles (not the filesystem)
  3. Security Engineering: RBAC, JWT-scoped tools, audit logs, request isolation (read-only access is NOT a prompt instruction, it's a tool configuration)
  4. Interface Engineering: handling multiple surfaces (REST, Slack, MCP) with consistent auth across all of them
  5. Infrastructure Engineering: mostly standard DevOps, with small tweaks for streaming and longer request times

Agent Engineering

A team of agents is better than one. A Leader routes requests to specialists, each scoped by what their tools actually allow, not by what they're prompted to do.

A Leader routes requests to specialists scoped by what their DB connection allows, not by what they're prompted to do.

Data Engineering

Raw LLMs writing SQL hit a wall fast. The data layer solves this with six layers of grounded context that get richer over time, plus a learning loop: the agent hits an error, diagnoses the fix, saves it. Query 100 is better than Query 1 without retraining the model.

Six layers of grounded context. The learning loop means Query 100 is better than Query 1 without retraining the model.

Security Engineering

Read-only access is a PostgreSQL connection parameter. The database rejects writes regardless of what the model generates. One user's context leaking into another's is a data breach, not a bug.

Security enforced at three tiers. Request isolation between users is a legal requirement, not a nice-to-have.

Interface Engineering

Every surface (REST, Slack, Web UI, CLI) has its own identity scheme. The interface layer maps them all to your internal auth before the request reaches the agent.

Every surface has its own identity scheme — the interface layer maps them all to your internal auth before the agent sees the request.

Putting it all together: the Dash example

Bedi's open-source project Dash demonstrates all five layers in one working system: a natural-language data agent you can clone, run with docker compose up, and have a fully working product.

The Dash open-source agent — all five layers working together in one deployable system.

The tldr: agentic software is just regular software with business logic replaced by agents, so use the engineering disciplines that already exist.