A single large language model asked to "investigate and remediate this alert" will happily hallucinate a root cause, run a destructive command, and declare victory in the same breath. The fix is not a smarter model — it is a smarter division of labor. This article breaks down the four-role pattern — Planner, Executor, Critic and Verifier — that turns a chatty LLM into an operations-grade autonomous system, with architecture, guardrails, and worked examples from IT and security operations.
Why monolithic agents fail in production
Most agent prototypes start the same way: a system prompt, a tool list, and a loop that asks the model to think, call a tool, observe the result, and repeat until it decides it is done. This "ReAct"-style loop is a reasonable demo pattern, but it collapses under the weight of real operational requirements for one structural reason — the same model instance is simultaneously deciding what to do, doing it, and judging whether it worked. There is no independent check in the loop. When the model's plan is subtly wrong, the same reasoning that produced the flawed plan is used to evaluate its own output, so errors compound rather than get caught.
In IT operations and security operations, this failure mode is not academic. A monolithic agent troubleshooting a database latency spike might decide the fix is to restart a connection pool, execute the restart, observe that latency briefly dips during the restart window, and conclude the incident is resolved — when in fact the underlying cause was a runaway query that will spike latency again in twenty minutes. A monolithic agent triaging a phishing alert might decide an email is benign because the sender domain looks similar to a trusted vendor, take the action of closing the case, and never surface the near-miss typosquat domain to a human. The cost of a wrong action in these domains is not "wrong chat answer" — it is production downtime, data loss, or a missed intrusion.
The deeper problem is that reasoning, acting, and evaluating are three qualitatively different cognitive tasks, and a single forward pass through a transformer optimized for fluent token prediction is not naturally suited to switching cleanly between them mid-stream. Decomposing an incident into a plan requires holding a wide context and weighing options. Executing a step requires precision, low creativity, and strict adherence to a schema. Judging whether an action succeeded requires skepticism and a willingness to contradict the very reasoning that produced the plan. When one prompt asks a model to do all three at once, the path of least resistance is narrative consistency — the model tends to confirm its own plan was good, because it just generated that plan and self-consistency is a strong prior in generated text.
The role-separated architecture addresses this directly by giving each cognitive function its own context window, its own prompt, often its own model size or even model family, and critically, an adversarial relationship to its neighbors. The Critic's job is to find fault with the Planner's output. The Verifier's job is to distrust the Executor's self-reported success. This is not a stylistic choice — it is the same reason engineering organizations separate the person who writes code from the person who reviews it, and separate the person who deploys a change from the monitoring system that independently confirms the deployment is healthy.
The four-role model, defined
Planner, Executor, Critic, and Verifier map cleanly onto a control loop that has existed in autonomous systems and control theory for decades — sense, plan, act, check — but applying it to LLM-driven agents requires being precise about what each role is allowed to do, what context it sees, and what it is forbidden from doing.
The Planner takes a goal (an alert, a ticket, a policy trigger, a scheduled maintenance objective) plus the current state of the environment, and produces a structured plan: an ordered or partially ordered set of steps, each with a stated hypothesis, an expected outcome, required tools, and a rollback path. The Planner does not touch production systems. Its output is a plan artifact, typically JSON or a constrained DSL, not free text, so downstream roles can parse it deterministically.
The Executor takes one step of the plan at a time and turns it into a concrete tool call — a read-only query, a script execution, an API call, a configuration change — against a real or sandboxed system. The Executor is deliberately kept "dumb" relative to the Planner: it should not be re-deriving strategy, only translating a well-specified step into a correctly-formed action, handling retries, timeouts, and capturing raw output faithfully.
The Critic operates before and during execution. Its job is to red-team the plan and the in-flight reasoning: does this step violate a policy, does it contradict evidence already gathered, is the hypothesis actually supported by the data, is there a cheaper or safer alternative, does the blast radius exceed what the incident justifies. The Critic can reject a plan and send it back to the Planner with a specific objection, or it can approve a step to proceed to the Executor.
The Verifier operates after execution and is the most frequently under-implemented role in agent stacks. Its job is to independently confirm, using evidence outside the Executor's self-report, that the intended outcome actually happened — the service is actually responding within SLA, the malicious process is actually terminated, the firewall rule is actually active, the ticket's stated resolution matches observed telemetry. The Verifier should query ground truth (metrics, logs, a control-plane API) rather than trust the Executor's "success: true" flag, because that flag reflects only that the API call did not throw an exception, not that the desired state was achieved.
It is worth being explicit about what distinguishes Critic from Verifier, since the two are often conflated. The Critic evaluates intent before or during action — is this the right thing to do. The Verifier evaluates outcome after action — did the right thing actually happen. A plan can pass Critic review (it is safe, policy-compliant, well-reasoned) and still fail Verifier check (the command executed but did not produce the expected state, perhaps because of a race condition or a stale assumption about the environment). Systems that only implement a Critic and skip the Verifier will confidently close incidents that are not actually resolved.
Reference architecture and message passing
The four roles need a shared substrate to communicate through, and how you build that substrate determines whether the system is auditable and debuggable in production or an opaque mess of prompt chaining. The pattern that holds up under operational load is an explicit, append-only case log (sometimes called a scratchpad or blackboard) that every role reads from and writes to, combined with a lightweight orchestrator that routes control between roles based on the state of that log rather than free-form model chatter.
Concretely, each entry in the case log is a typed record: a plan proposal, a critic verdict with a reason code, an execution result with raw tool output, a verification result with the specific evidence queried. This is not a nicety — it is what makes an agentic SOC or NOC pipeline defensible to an auditor after the fact, and it is what lets you replay a specific incident to understand exactly which role made which call and why. Free-text chat transcripts between agents look impressive in a demo and are nearly impossible to audit six months later when a customer asks why an automated action touched their environment.
The orchestrator itself should be a conventional piece of software, not another LLM call. A state machine or workflow engine (many teams build this on top of existing job schedulers or use frameworks purpose-built for agent orchestration) reads the case log, determines whose turn it is next based on explicit transition rules (plan proposed -> critic must review; critic approved -> executor may run next step; step executed -> verifier must check before next step is planned), and invokes the correct role with exactly the context it needs. Keeping this routing logic deterministic and outside the LLM removes an entire class of failure where the agent talks itself into skipping its own safety checks.
Context isolation between roles matters as much as the routing logic. The Planner should see the full incident history and prior similar cases. The Executor should see only the specific step it is asked to run plus the minimum environment state needed to form the call correctly — not the Planner's speculative reasoning about root cause, which can bias it into fabricating supporting evidence. The Critic should see the plan and the policy corpus, not the Executor's implementation details. The Verifier should see the intended outcome and live telemetry, deliberately withheld from seeing the Executor's own success claim until after it has formed an independent judgment, to avoid anchoring.
This maps onto a layered platform stack. At the foundation sits the data and telemetry layer — logs, metrics, traces, asset inventory, identity graph — that both Executor and Verifier depend on for ground truth. Above that sits the tool and action layer — the concrete integrations into ITSM, EDR, firewalls, cloud APIs, orchestration systems. Above that sits the four-role reasoning layer itself. This is the architecture Algomox's AI-native stack is built around: a shared data foundation, a governed action layer, and role-separated reasoning on top, rather than a single model with broad tool access and no internal checks.
The Planner: decomposition, tool selection, and replanning
A production-grade Planner is not "an LLM with a big system prompt." It is a component with a constrained output schema, a curated set of allowed plan primitives, and explicit replanning triggers. The schema typically forces the model to emit, for each step: a stated hypothesis being tested, the specific tool or API to invoke, the parameters, the expected signal that would confirm or refute the hypothesis, an estimated blast radius (read-only, reversible-write, destructive), and a rollback action if applicable. Forcing this level of structure at generation time is itself a reliability mechanism — a model that must specify a rollback action for a destructive step is measurably less likely to propose a step for which no rollback exists.
Tool selection is where a lot of naive implementations quietly fail. Giving the Planner a flat list of forty tools and asking it to pick the right one invites both wrong selection and prompt-length-driven cost. The pattern that scales is a two-tier selection: a fast retrieval step (semantic search or a rules-based filter over tool descriptions, scoped by the alert type, asset class, and current investigation stage) narrows the candidate tools to a handful, and only that narrowed set is placed in the Planner's context for the actual step-selection reasoning. In a SOC context, this means an identity-related alert surfaces IAM and directory-query tools, not firewall configuration tools; in an ITMox context, a database-latency alert surfaces query-plan and connection-pool tools, not DNS tools.
Replanning is the Planner capability most often missing from early designs. A plan is a hypothesis about the world at the moment it was generated; execution results and Verifier findings are new evidence that can invalidate it. The Planner needs an explicit re-entry point triggered by three conditions: a step's expected signal did not materialize (hypothesis refuted), the Critic rejected a step and returned a specific objection, or the Verifier found that a previously "successful" action did not achieve ground truth. On any of these, the orchestrator routes back to the Planner with the accumulated case log, and the Planner is explicitly prompted to revise rather than to defend the prior plan — this framing matters, because a Planner asked to "continue" tends to rationalize the existing path, while a Planner asked to "given this new evidence, what is the best next step" produces genuinely revised reasoning.
A second Planner responsibility that is easy to overlook is stopping criteria. An autonomous Planner without an explicit "done" condition and a maximum step budget will keep generating plausible-looking next steps indefinitely, especially on ambiguous incidents. Production Planners should be given a hard step ceiling per case, a wall-clock budget, and a confidence threshold below which the correct plan output is "escalate to human" rather than "keep investigating." Encoding escalation as a first-class plan outcome, not a failure state, is what makes human-in-the-loop actually work in practice rather than being bolted on as an afterthought.
The Executor: safe, precise, idempotent action
The Executor's entire value proposition is narrow reliability: given a well-specified step, execute it correctly, capture everything that happened, and do not improvise. This narrowness is a feature. An Executor that "helpfully" adjusts parameters because it thinks it knows better than the plan reintroduces exactly the compounding-error problem the role separation was designed to eliminate.
Three engineering properties separate a production Executor from a demo one. First, idempotency and pre-condition checks: before running a write action, the Executor should confirm the system is in the state the plan assumed (the process it is about to kill is still running with the PID the Planner saw; the firewall rule it is about to add does not already exist), because incident timelines are long enough that state drifts between planning and execution, especially when a Critic review or human approval step introduces delay. Second, bounded blast radius via typed tool wrappers: rather than giving the Executor raw shell access or unrestricted API scopes, every tool it can call should be a wrapper that enforces parameter validation, rate limits, and scope restrictions server-side, so that even a misfiring Executor cannot exceed the permission envelope defined for that tool regardless of what the model generates. Third, faithful capture of raw output: the Executor should log the actual API response, exit code, and stdout/stderr verbatim into the case log, not a paraphrased summary, because the Verifier and any human reviewer need the unaltered evidence, and paraphrasing by an LLM at this stage is exactly where quiet fabrication creeps in.
Execution in security response deserves an additional layer of caution: containment actions (isolating a host, disabling a credential, blocking an IP) are usually reversible but disruptive, so the Executor should default to the least disruptive action that satisfies the plan's stated objective, and any action above a defined disruption threshold should require the Critic's explicit sign-off, not just its non-objection. In practice this looks like a tiered permission model: read-only queries execute automatically, reversible soft actions (disable account, quarantine email) execute after Critic pass, and hard actions (isolate production host, block a business-critical IP range) require both Critic pass and human approval regardless of the agent's confidence score. This tiering is the backbone of how agentic SOC deployments keep automation aggressive on the ninety percent of low-risk, high-volume alert handling while keeping a human firmly in the loop on the ten percent that can hurt the business.
Retry and timeout handling also belongs squarely in the Executor, not the Planner. Transient failures (a rate-limited API, a momentarily unreachable agent on an endpoint) should be retried with backoff by the Executor itself using deterministic logic, without going back to the Planner for "should I retry" — that is a waste of a model call and introduces nondeterminism into what should be a mechanical decision. Only genuine failures (the tool returned a definitive error, the pre-condition check failed) should be escalated back into the case log for the Planner or Critic to reason about.
The Critic: adversarial review before action
The Critic is the role most directly borrowed from the "LLM-as-judge" and constitutional-AI literature, adapted to operations. Its job is not to be agreeable. A Critic prompt that asks "does this plan look reasonable" will rubber-stamp almost everything, because the same distributional biases that produced a plausible-sounding plan will find it plausible on review. Effective Critic prompts instead ask targeted, adversarial questions: what evidence in the case log contradicts this hypothesis; what is the worst plausible outcome if this step's assumption is wrong; does this step's blast radius exceed what is justified by current confidence; is there a policy, compliance rule, or prior incident that forbids this action on this asset class; is there a cheaper diagnostic step that should run first to raise confidence before taking a destructive action.
Policy grounding is what makes the Critic more than a second opinion from the same model family. The Critic should have retrieval access to a policy corpus — change-management windows, regulatory constraints (data residency for a sovereign or air-gapped deployment, segregation-of-duties rules), asset criticality tiers, prior post-incident-review findings — and its verdict should cite the specific policy or precedent it is applying, not just a vibe-based approval. This is what turns the Critic from "a second LLM call" into an actual governance control that a compliance team can audit.
A mature Critic implementation also tracks disagreement rate as a first-class signal. If the Critic is rejecting a very high fraction of Planner outputs for a given alert category, that is a signal the Planner's prompt, retrieval context, or tool set is miscalibrated for that category, and it should route to a human review of the pipeline itself, not just the individual case. Conversely, a Critic with a near-zero rejection rate over thousands of cases is a red flag that it has degenerated into a rubber stamp, whether due to prompt drift, a model update, or a design flaw in how objections are scored. Teams running this in production should track Critic reject rate per alert category on a rolling basis and alert on both extremes.
One design choice worth making explicitly is whether the Critic is the same model as the Planner (with a different prompt and context) or a genuinely different model or model family. There is real evidence from both the reasoning literature and from operational experience that using a different model — even a smaller, cheaper one specialized for classification-style judgment rather than open-ended generation — reduces correlated failure, because the two models are less likely to share the same blind spots. For high-stakes action classes (anything touching production identity, production databases, or crossing a network segmentation boundary), running the Critic on a different model from the Planner is worth the extra cost.
The Verifier: ground truth after action
If the Critic is the pre-action conscience, the Verifier is the post-action auditor, and it is the role most teams under-build because it is the least glamorous. The Verifier's core discipline is refusing to trust the Executor's own report of success and instead querying an independent source of truth for the specific outcome the plan claimed to achieve.
Concretely, if a step's stated objective was "reduce p99 database latency below 200ms," the Verifier does not accept "restart command returned exit code 0" as evidence — it queries the actual latency metric from the monitoring system, waits an appropriate settling window, and compares against the threshold. If a step's stated objective was "terminate the malicious process on host X," the Verifier queries the EDR platform's live process list for that host, not the Executor's claim that a kill command was issued. This distinction between "the action was taken" and "the desired state was achieved" is the single most important discipline in the entire four-role pattern, because it is the difference between a system that reports accurate outcomes and one that reports optimistic ones.
Verification needs its own notion of settling time and false-negative tolerance. Checking too soon after an action produces false failures (the metric has not caught up yet); checking with too loose a tolerance produces false successes (a metric that improved but has not actually crossed the target threshold gets counted as resolved). Well-built Verifiers encode a per-action-type settling window and confirm the outcome is stable across a short observation period, not just a single point-in-time read, since transient dips or spikes are common in live telemetry.
The Verifier is also where regression checking belongs: confirming a fix did not break something adjacent. A firewall rule change that successfully blocks the malicious IP but also cuts off a legitimate partner integration is a Verifier catch, not a Critic catch, because the side effect is only observable after the action executed. This means the Verifier's evidence set should include not just the target metric but a small set of guardrail metrics relevant to the action class — for a network change, check adjacent traffic flows; for a database configuration change, check adjacent query classes; for an identity action, check for authentication failure spikes on related accounts.
When verification fails, the case must route back to the Planner with the specific discrepancy, not simply be marked "failed" and closed. A well-designed Verifier output includes the expected value, the observed value, and the specific evidence query used, so the Planner's next iteration has concrete new information rather than a vague "step failed" signal. This closes the loop shown in the earlier architecture diagram and is what lets these systems genuinely learn within a single incident rather than just retry the same action blindly.
Worked example: SOC alert triage end to end
Consider a credential-stuffing alert firing on an authentication gateway: two hundred failed logins across fifteen user accounts from a single ASN in under three minutes. Here is how the four roles move through the case.
The Planner receives the alert plus current context (asset criticality of the affected identity provider, recent similar alerts, the ASN's reputation history) and produces a plan: step one, query the identity provider for the full list of affected accounts and whether any login succeeded; step two, check whether the source ASN has a prior benign classification (e.g., a known corporate VPN egress) or is unclassified; step three, if any login succeeded, pull that account's subsequent activity; step four, based on findings, either close as automated-scanner noise, or escalate to soft containment (force password reset on affected accounts, rate-limit the source), or escalate to hard containment (block ASN at the edge, force session invalidation across the tenant).
The Critic reviews this plan before any action beyond the read-only steps: it confirms steps one through three are read-only and auto-approved, flags that step four's hard-containment branch would affect production traffic and therefore requires human approval per the tiered permission policy for this asset's criticality tier, and checks the case log for any active change freeze that would block a firewall edit on this system this week.
The Executor runs steps one through three, capturing raw API responses: two hundred failed logins, zero successes, source ASN unclassified but geographically consistent with a known scanning provider. The Verifier confirms these read-only findings by independently re-querying the identity provider's audit log for the same time window and getting a matching count, which matters because a single flawed API call at the Executor stage should not silently become the basis for the whole case.
Given zero successful logins, the Planner revises down from hard containment to the soft-containment branch: rate-limit the source ASN and flag the fifteen accounts for optional password rotation, rather than a full tenant-wide session invalidation. The Critic approves this narrower action as proportionate. The Executor applies the rate limit. The Verifier then checks, after a five-minute settling window, that failed login attempts from that ASN have dropped to near zero and that legitimate traffic from adjacent, differently-classified ASNs is unaffected — the guardrail check that catches an overly broad rate-limit rule before it becomes its own incident. The case closes with a full audit trail: hypothesis, evidence, policy citations, and independently verified outcome, feeding the kind of alert-triage pipeline described in Algomox's AI-driven XDR alert triage approach and the broader XDR detection and response capability.
Worked example: IT incident remediation
Now consider a NOC scenario: an ITMox-monitored e-commerce checkout service is alerting on elevated p99 latency and a rising 5xx error rate. The Planner's first hypothesis, based on a correlated spike in database connection-pool wait time, is connection pool exhaustion caused by a slow query rather than raw traffic volume, since request volume telemetry shows no unusual increase.
The plan: step one, query the database for currently running queries sorted by duration; step two, if a long-running query is found, check whether it correlates with a recent deployment or schema migration; step three, if correlated, evaluate whether killing the query versus rolling back the deployment is lower risk; step four, execute the lower-risk option and monitor recovery; step five, if not correlated with a deployment, escalate as a data-growth or indexing issue requiring engineering review rather than an automated fix.
The Critic's review here focuses on the choice between killing a live query and rolling back a deployment: it notes that killing an in-flight query on this particular database has, per a stored post-incident-review record from a prior case, previously caused a connection storm as retried transactions piled up, and recommends the rollback path as lower risk despite it having a broader immediate blast radius, since it is a well-tested, reversible action versus an ad hoc kill with known side effects. This is a clear illustration of why the Critic needs access to institutional memory, not just the current incident's facts.
The Executor performs the rollback via the deployment pipeline's own rollback API rather than a manual database action, capturing the rollback job ID and status. The Verifier does not accept "rollback job completed" as sufficient: it independently polls the p99 latency metric and 5xx error rate over the following ten minutes, confirms both return to their pre-incident baseline and remain stable (not just a momentary dip), and additionally checks a guardrail metric — checkout completion rate — to confirm the rollback did not silently break a feature that depends on the rolled-back code. Only once all three independently verified signals are within bounds does the case close, with the plan, the Critic's precedent-based override of the original kill-query hypothesis, and the verification evidence all preserved in the case log for the next post-incident review. This pattern of correlated, cross-domain verification — treating IT and security telemetry as one connected picture rather than siloed tools — is the operating principle behind an integrated NOC-SOC model.
Guardrails and failure modes
Every role in this architecture has characteristic failure modes, and designing guardrails means anticipating each one specifically rather than relying on a generic "add more safety prompting" approach.
- Planner failure — hypothesis lock-in. The Planner anchors on its first hypothesis and reframes contradicting evidence to fit it rather than revising. Guardrail: require the Planner to explicitly state a confidence score per hypothesis and mandate a structured revision prompt whenever Verifier or Critic evidence contradicts the current leading hypothesis, rather than allowing silent reinterpretation.
- Planner failure — unbounded investigation. Without a step budget, ambiguous cases generate endless additional diagnostic steps. Guardrail: hard step and wall-clock ceilings per case tier, with escalation-to-human as an explicit, first-class plan outcome rather than a fallback.
- Executor failure — stale pre-conditions. Time elapses between planning and execution (especially when human approval is in the loop), and the environment drifts. Guardrail: mandatory pre-condition re-check immediately before any write action, aborting and re-planning if state has changed materially.
- Executor failure — scope creep via tool flexibility. A model given a generic API client will occasionally call endpoints or pass parameters outside the intended scope of the step. Guardrail: typed, narrow tool wrappers with server-side parameter validation and hard scope limits, never raw API or shell access.
- Critic failure — rubber-stamping. Discussed above; guardrail is monitoring reject rate as a leading indicator, plus periodic red-team testing where deliberately flawed plans are injected to confirm the Critic still catches them.
- Critic failure — over-blocking. An overly conservative Critic routes everything to human review, destroying the automation's value and training operators to rubber-stamp its escalations without real scrutiny (automation-induced complacency). Guardrail: track human-override agreement rate — if humans agree with the Critic's escalation recommendation less than some threshold of the time, the Critic's thresholds need retuning.
- Verifier failure — premature confirmation. Checking ground truth before the system has settled produces false all-clears. Guardrail: enforce per-action-type minimum settling windows and require signal stability across a short observation period, not a single read.
- Verifier failure — narrow success criteria. Confirming only the target metric while missing a regression in an adjacent system. Guardrail: maintain a per-action-class guardrail-metric set that the Verifier always checks alongside the primary objective.
Across all four roles, the single highest-leverage cross-cutting guardrail is the tiered permission model referenced earlier: every action a system can take is classified in advance (read-only, reversible-soft, reversible-hard, irreversible) and the required approval chain for each tier is fixed in configuration, not left to the agent's own judgment about how risky its own action is. Agents are not reliable judges of their own risk-taking, and building the risk tier into the platform rather than into the prompt is what makes the system governable at scale, including in identity and privileged access contexts where an over-broad action can directly create a security exposure rather than just an availability one.
Read-only
Queries, log pulls, telemetry checks. Executes automatically, no Critic gate required beyond scope validation.
Reversible-soft
Password reset, rate limiting, quarantine. Requires Critic pass; auto-executes if approved.
Reversible-hard
Host isolation, firewall edit, service restart. Requires Critic pass plus human approval.
Irreversible
Data deletion, credential revocation at scale. Requires human approval regardless of agent confidence.
Metrics and evaluation framework
Evaluating a role-separated agent system requires metrics at both the role level and the pipeline level, because an aggregate "percentage of incidents resolved automatically" number hides exactly the failure modes described above.
| Role | Key metric | What it reveals | Healthy signal |
|---|---|---|---|
| Planner | Hypothesis revision rate | Whether new evidence actually changes the plan | Non-zero, proportional to contradicting evidence volume |
| Planner | Escalation-to-human rate by confidence band | Whether low-confidence cases route out correctly | Escalation rate rises sharply below the confidence threshold |
| Critic | Plan reject rate | Rubber-stamping vs. genuine review | Stable, non-zero, non-saturating rate per alert category |
| Critic | Human agreement with Critic verdicts | Calibration of the Critic's risk judgment | High agreement on both approvals and rejections |
| Executor | Pre-condition abort rate | Whether stale-state checks are catching drift | Non-zero; a persistent zero suggests the check is not wired in |
| Executor | Retry success rate | Health of transient-failure handling | Majority of retries succeed within 2 attempts |
| Verifier | Verification failure rate on "successful" executions | Gap between reported and actual success | Tracked over time; sudden increases flag a regression upstream |
| Verifier | Mean time-to-verified-resolution | End-to-end trustworthy MTTR, not just action time | Distinguished from MTTA and raw action latency |
| Pipeline | Fully-automated resolution rate (verified) | True autonomous throughput, filtered for real success | Reported only against Verifier-confirmed outcomes, never Executor self-reports |
The most important discipline in this table is the last row: any organization-level automation metric — the number leadership sees, the number used to justify further investment — must be computed from Verifier-confirmed outcomes, never from Executor completion status. An agent stack that reports "94% of alerts auto-resolved" based on tool-call success codes is measuring something closer to "API uptime" than "problems actually fixed," and the gap between those two numbers is exactly where operational trust erodes once a few unverified closures turn out to be false.
It is also worth tracking these metrics segmented by alert or incident category, since a pipeline that performs well in aggregate can be masking one category (say, identity-related alerts) where the Critic reject rate is near zero and the Verifier failure rate is climbing — a combination that indicates the pipeline is confidently automating a category it should not yet trust unsupervised.
Adoption roadmap and decision framework
Organizations rarely need to build all four roles at full sophistication on day one, and doing so is usually a mistake — it front-loads engineering effort into categories of alerts where a simpler automation would have sufficed, and it delays getting real production feedback that should be shaping the Critic's policy corpus and the Verifier's guardrail-metric sets.
A pragmatic rollout sequence starts with the Verifier and Executor on a narrow, well-understood, high-volume, low-risk alert category — something like duplicate ticket suppression or known-benign scanner traffic — where the action space is small and the ground-truth check is simple. This proves out the case-log architecture and the discipline of independent verification before any Planner autonomy is introduced. Only after that foundation is stable should the Planner's decomposition and replanning logic be introduced for a broader set of hypotheses within the same narrow category, followed by the Critic once there is a real policy corpus and enough historical cases to define meaningful reject criteria rather than generic ones.
Expansion to new alert or incident categories should follow the same sequence each time, resisting the temptation to widen scope purely because the model "seems capable" of handling adjacent cases — capability demonstrated in isolated testing does not equal calibrated risk-awareness in the tiered permission sense described above, and that calibration only comes from the Critic and Verifier accumulating real category-specific evidence.
Two build-versus-buy considerations recur in nearly every adoption conversation. First, the data foundation — unified telemetry, asset context, identity graph — is almost always the long pole, not the four-role orchestration logic itself; platforms like MoxDB exist specifically because stitching together log, metric, and identity data from a dozen point tools is the actual bottleneck to giving a Planner and Verifier trustworthy ground truth to reason over. Second, air-gapped and sovereign environments impose constraints — no external model API calls, strict data residency, offline policy corpora — that need to be designed into the Critic's policy retrieval and the Verifier's evidence sources from the start, not retrofitted later, since a design that assumes always-on external connectivity for any of the four roles will need substantial rework to run in a disconnected deployment.
Governance ownership is worth settling explicitly before rollout, not after an incident forces the question. The Critic's policy corpus should be owned and versioned by whichever team owns change management and compliance, not by the engineering team building the agent, because the Critic is functioning as an automated policy-enforcement point and its rules need the same review rigor as any other compliance control. Likewise, the tiered permission model's approval chains should map onto existing organizational authority, not a new shadow approval process invented for the agent system.
Beyond four roles: when to add more
The four-role pattern is a floor, not a ceiling, and mature deployments often add specialized roles once the base pattern is stable. A common addition is a dedicated Retriever or research role that the Planner delegates to for gathering external threat intelligence or historical precedent, kept separate so the Planner's core reasoning context does not bloat with retrieval noise. Another common addition is a Communicator role responsible solely for translating the technical case log into a stakeholder-appropriate update — a ticket comment, an executive summary, a customer notification — since the writing style and audience for that output is different enough from internal reasoning that mixing the two degrades both.
Multi-agent collaboration across domains is where this compounds further: a security-focused Planner investigating a compromised host may need to hand off a sub-task to an IT-operations Planner to check whether a suspicious configuration change was actually a legitimate, scheduled maintenance action, illustrating why the message-passing architecture and case-log format need to be consistent and interoperable across what might otherwise be separately built SOC and NOC agent stacks. This is the practical argument for treating security exposure and operational health as one connected surface, reflected in how continuous threat exposure management and day-to-day IT operations increasingly need to share context rather than operate as isolated pipelines, and it is a core reason Algomox designs ITMox, CyberMox, and Norra around a common agentic core rather than as siloed products bolted together after the fact.
Whatever additional roles get added, the discipline that must not erode is the separation between deciding, doing, and checking. It is tempting, once a Planner-Executor-Critic-Verifier pipeline is working well, to fold roles back together for latency or cost reasons — skip the Critic for "obviously safe" categories, let the Executor self-verify for "simple" actions. Every one of these shortcuts reintroduces the exact compounding-error dynamic the architecture was built to eliminate, and the categories that look obviously safe today are usually the ones where a novel failure mode shows up first, precisely because they were the ones nobody was watching closely.
Key takeaways
- Monolithic agents fail because the same reasoning that produces a flawed plan is used to judge it; role separation introduces the independent checks that catch errors before they compound.
- Planner decides what to do, Executor does it, Critic judges intent before action, Verifier confirms outcome after action against independent ground truth — conflating Critic and Verifier is the most common design mistake.
- An append-only, typed case log plus a deterministic (non-LLM) orchestrator is what makes the pipeline auditable and debuggable, versus opaque free-text agent chatter.
- Executors must enforce idempotency, pre-condition checks, and narrow typed tool wrappers rather than raw API or shell access, to keep blast radius bounded regardless of what the model generates.
- Verifiers must query independent ground truth, respect settling-time windows, and check adjacent guardrail metrics — never accept an Executor's own success report as proof of outcome.
- Tiered permission models (read-only, reversible-soft, reversible-hard, irreversible) belong in platform configuration, not agent judgment, and should govern the approval chain for every action class.
- Track role-level metrics — Critic reject rate, human agreement rate, Verifier failure rate on "successful" executions — not just aggregate resolution rate, and always report automation success against Verifier-confirmed outcomes.
- Roll out narrow and low-risk first, prove the Verifier and case-log discipline, then expand Planner autonomy and Critic policy scope category by category rather than broadly on day one.
Frequently asked questions
Do all four roles need to be separate models, or can one model play multiple roles with different prompts?
One model can technically serve multiple roles with different prompts and context windows, and this is a reasonable starting point for cost reasons. However, for high-stakes action classes, using a genuinely different model or model family for the Critic and Verifier meaningfully reduces correlated failure, since a single model is more likely to share blind spots with itself across roles than two independently trained models are. The architectural separation of context and responsibility matters more than the model-count separation, but both help.
How is this different from a standard ReAct-style think-act-observe loop?
A ReAct loop uses one context and one implicit "judgment" embedded in the same reasoning trace that generated the action, with no independent adversarial review and no ground-truth check distinct from the model's own observation of the tool's return value. The four-role pattern makes the review and verification steps explicit, independently prompted, and in mature implementations independently modeled, with a persistent case log that survives beyond a single context window and supports replanning based on structured evidence rather than continued free-form chain-of-thought.
What is the biggest implementation mistake teams make when adopting this pattern?
Skipping or under-building the Verifier. Teams often implement a capable Planner, a functional Executor, and a Critic that gates risky actions, then declare an incident "auto-resolved" based on the Executor's own success report. This is the gap where false resolutions accumulate silently, because nothing in the pipeline is independently checking that the intended outcome actually occurred versus the tool call merely completing without error.
How do you handle human-in-the-loop without slowing everything down?
Tier actions in advance by reversibility and blast radius, and only route the highest tiers through mandatory human approval, letting read-only and low-risk reversible actions execute automatically once they pass the Critic. Track human agreement rate with Critic and Verifier decisions over time; as agreement rate stays consistently high for a given action class, that is the evidence needed to responsibly lower the tier for that class, rather than lowering thresholds by default assumption.
Ready to see role-separated agents in your environment?
Algomox builds Planner, Executor, Critic, and Verifier roles into the agentic core of ITMox, CyberMox, and Norra — with the governance, audit trail, and tiered permissions operations teams need to trust autonomous action in production.
Talk to us