Skip to Content
HeadGym PABLO
Skip to Content
PostsDeep Dives Tools Technologies ArchitecturesSelf-Improving LLM Harnesses: A Practical Guide
Tags:#ai_and_agents#software_engineering

LLM Harnesses, Explained for Software Engineers

If you spend enough time around AI systems, you start hearing the same pattern in different forms.

One team says they built an “agent.” Another says they built a “copilot.” Another says they have a “workflow engine.” Another says they have a “multi-agent runtime.”

Very often, these are all variations of the same thing: a harness around a large language model.

That word matters. A harness is not the model itself. It is the software system that surrounds the model and makes it useful. If the model is a reasoning engine with a text interface, the harness is everything that turns that engine into a usable component inside a larger product.

For software engineers, this is the right level of abstraction.

The model predicts tokens.
The harness manages work.

The model generates candidate actions.
The harness decides what context it sees, what tools it can call, what state it can read, what guardrails it must respect, and how its output gets verified before anything important happens.

This is why “LLM application” is often too vague a term. In practice, the interesting engineering is usually not in the model call itself. It is in the orchestration around it.

And once you move from a single chat interaction to agent systems, the harness stops looking like a thin wrapper and starts looking like a small platform.

What is an LLM harness?

In simple terms, an LLM harness is the control software wrapped around a language model.

It typically does some combination of the following:

  • accepts a user or system request
  • gathers relevant context
  • chooses prompts or policies
  • calls one or more models
  • invokes tools or APIs
  • stores or retrieves memory
  • checks outputs
  • logs traces and outcomes
  • routes the final result to a user, service, or downstream workflow

So when someone says, “our agent can search docs, write code, update Jira, and ask for approval before deploying,” the model is not doing all that by itself. The harness is.

The harness is the layer that says:

  • which tools exist
  • which tools are allowed
  • how tools are described
  • when the model gets another turn
  • what happens if the model fails
  • what counts as success
  • what gets persisted
  • what gets blocked
  • what gets escalated to a human

That distinction is important because it helps software engineers reason clearly about where capability really comes from.

A stronger model helps, of course. But a lot of real-world performance comes from better harness design: better context assembly, better memory handling, better tool interfaces, better verification, better retries, better decomposition, and better observability.

The model is not the system

A useful mental model is this:

The model is a stochastic component inside a deterministic envelope.

That envelope is the harness.

If you squint, it looks a lot like classical systems engineering:

  • an input arrives
  • state is loaded
  • a controller decides what to do
  • a subsystem produces a candidate output
  • validators inspect the result
  • side effects are gated
  • traces are recorded
  • feedback updates the system

This is one reason engineers who think in distributed systems, workflow engines, control planes, and event pipelines often end up having better intuitions about agent systems than people who think only in prompts.

A prompt is not a platform. A conversation is not an architecture. An “agent” is usually just a harnessed loop with memory and tools.

That is not a criticism. It is the useful simplification.

The archetypical architecture of an LLM harness

Most real harnesses vary in details, but the archetypical architecture is surprisingly consistent.

You can think of it as eleven layers.

1. Request ingress

This is where work enters the system.

It may be:

  • a chat message
  • an API request
  • a scheduled task
  • an event from another service
  • a workflow step handed off by another agent

At this layer, the harness captures identity, tenancy, permissions, request metadata, deadlines, and the basic shape of the task.

In platform terms, this is the front door.

2. Orchestrator or controller

This is the core coordinator.

Its job is not to “be intelligent.” Its job is to manage the interaction loop:

  • decide whether this request needs a model at all
  • choose which model or policy to use
  • determine whether retrieval is needed
  • decide whether tool use is allowed
  • run multi-step loops if necessary
  • stop execution when budgets, safety limits, or completion criteria are met

This layer is the heart of the harness.

In a simple system, the orchestrator may just do:

  1. build prompt
  2. call model
  3. return answer

In a more agentic system, it may do:

  1. classify task
  2. gather context
  3. call planner model
  4. execute tool
  5. call reasoning model again
  6. run verifier
  7. ask for approval
  8. commit side effects
  9. log outcome

That is no longer a wrapper. It is an execution runtime.

3. Model runtime abstraction

Most mature harnesses do not hard-code one model call everywhere.

Instead, they create an abstraction over model providers and model roles.

For example:

  • fast cheap model for classification
  • stronger model for planning
  • long-context model for synthesis
  • specialized model for code
  • local model for sensitive data
  • fallback model if the primary provider fails

This matters because once the harness matures, “the model” becomes a fleet decision, not a single API endpoint.

The harness decides which cognitive engine to invoke for which subtask.

4. Prompt and policy layer

This is where many teams stop too early. They think the system prompt is the architecture.

It is not.

Still, prompts matter. This layer includes:

  • system instructions
  • developer instructions
  • task templates
  • role framing
  • output schemas
  • refusal policies
  • compliance constraints
  • escalation rules

It is better to think of this as a policy layer, not just a prompt layer. The wording presented to the model is only one representation of the policy. The real policy also lives in code, validators, permissions, and execution rules outside the model.

Good harnesses separate these concerns. Bad harnesses bury platform policy inside one giant prompt and then act surprised when behavior drifts.

5. Context assembly

This is one of the highest-leverage parts of the system.

The harness decides what the model sees.

That may include:

  • the current user request
  • prior conversation state
  • relevant documents
  • system state
  • execution history
  • tool results
  • organizational rules
  • task-specific examples

The model can only reason over the context window it gets. So context assembly is effectively a query planning problem for cognition.

A weak model with the right context often beats a strong model with the wrong context.

This is why so much agent engineering turns into information architecture: What should be retrieved? What should be summarized? What should be omitted? What should be pinned as durable context? What belongs in transient scratch space rather than long-term memory?

6. Retrieval and memory subsystem

People often lump these together, but they are not the same.

Retrieval is about fetching relevant external knowledge for a task.
Memory is about maintaining continuity over time.

Retrieval may pull from:

  • vector indexes
  • keyword search
  • knowledge graphs
  • SQL databases
  • event logs
  • code indexes
  • ticketing systems
  • wikis and docs

Memory may include:

  • conversation summaries
  • user preferences
  • prior plans
  • prior tool outcomes
  • learned facts about entities
  • task histories
  • episodic records of past runs

In agent systems, memory is one of the biggest sources of hidden complexity. It sounds easy in demos. In production, it becomes a serious data modeling problem.

What exactly is remembered? At what granularity? With what expiry rules? Who can read or update it? How do you prevent memory from becoming polluted, stale, contradictory, or manipulable?

A harness with weak memory discipline often becomes less useful over time, not more.

7. Tool registry and execution substrate

This is where the system crosses from “generate text” into “take action.”

Tools may include:

  • web search
  • code execution
  • file operations
  • browser automation
  • database queries
  • CRM updates
  • ticket creation
  • internal APIs
  • UI interactions
  • other agents

The harness usually maintains a registry that defines:

  • tool names
  • tool descriptions
  • input schemas
  • permissions
  • rate limits
  • idempotency expectations
  • timeout rules
  • logging requirements

This is one reason platform architecture matters. Once many agents share tools, the tool layer becomes common infrastructure.

A good tool substrate behaves less like an ad hoc bag of functions and more like a governed service mesh for machine actors.

8. State store

Not every piece of state should be in the prompt.

The harness usually needs structured state outside the model, such as:

  • workflow status
  • execution checkpoints
  • budgets
  • approval states
  • partial plans
  • retries
  • task ownership
  • transaction records

Without explicit state handling, agent systems become fragile. They lose continuity between turns, cannot recover cleanly from failure, and are hard to replay.

Engineers should treat this seriously. If an agent can act in the world, then its control state is a real systems concern, not an implementation detail.

9. Guardrails and permissions

This is the boundary between “interesting demo” and “production system.”

The harness must enforce things the model should not control by itself:

  • access permissions
  • tenant isolation
  • tool allowlists
  • write restrictions
  • approval gates
  • content safety
  • policy compliance
  • rate and cost budgets

A common beginner mistake is to ask the model to police itself in natural language.

For example: “Only make safe changes.” That is not a control mechanism. That is a suggestion.

Real control lives in the harness:

  • the model is not given dangerous tools by default
  • the model cannot directly commit irreversible side effects without approval
  • tool schemas constrain input shape
  • execution sandboxes limit blast radius
  • writes are scoped
  • high-risk actions require deterministic checks

The safer the system must be, the more control moves out of the model and into the harness.

10. Verification and evaluation layer

This is where the harness asks: “Did the system actually do the right thing?”

Verification may include:

  • schema validation
  • unit-style checks
  • citations present and grounded
  • tool output consistency
  • policy checks
  • secondary model critique
  • deterministic business-rule validation
  • simulation or dry-run execution
  • human approval

This layer becomes essential in agent systems because the model’s confidence is not a trustworthy metric.

A polished wrong answer is still wrong. A plausible plan may still violate policy. A correctly formatted API call may still target the wrong object.

Self-improving systems especially depend on this layer, because improvement requires a signal. Without evaluation, there is no grounded notion of “better.”

11. Tracing, telemetry, and replay

This is the part almost everyone underestimates until something breaks.

If you cannot inspect:

  • what context was assembled
  • which prompt version was used
  • what model was called
  • what tools were invoked
  • what outputs were returned
  • what validator failed
  • what state changed

then you do not really have an operable system.

You have a black box with side effects.

Good harnesses make every run inspectable. They store traces, decisions, timings, token usage, tool calls, and outcomes. They support replay. They expose failure clusters. They let engineers compare versions.

At scale, this is not a debugging luxury. It is the foundation of continuous improvement.

A request lifecycle walkthrough

Let’s make this concrete.

Suppose a user asks:

“Find the three customers most likely to churn this quarter, explain why, and draft outreach plans for the account team.”

A mature harness might do something like this:

  1. Ingress

    • authenticate user
    • determine tenant
    • load permissions
    • create task record

  2. Task classification

    • this is not a pure chat response
    • it needs data access, reasoning, and document generation

  3. Policy selection

    • customer data is sensitive
    • only approved internal tools may be used
    • outputs must be tagged as draft recommendations

  4. Context assembly

    • load CRM schema
    • recent churn signals
    • account notes
    • playbooks for outreach
    • prior user preferences

  5. Planning call

    • ask the model to propose an analysis plan or choose tool sequence

  6. Tool execution

    • query churn-risk features
    • fetch recent customer interactions
    • gather open support issues
    • pull account metadata

  7. Intermediate reasoning

    • synthesize which signals matter
    • rank candidates
    • draft rationales

  8. Verification

    • check that all claims reference retrieved data
    • ensure no unsupported statistics were invented
    • ensure only authorized customer records were accessed

  9. Output shaping

    • format for account-team consumption
    • separate evidence from recommendation
    • label confidence and missing data

  10. Logging and memory

  • store trace
  • record whether the user accepted or edited the output
  • optionally store preference signals for future runs

The important thing to notice is that the actual model generation is only one phase in a much larger lifecycle.

That larger lifecycle is the harness.

Common harness archetypes

Not every harness needs the full architecture.

Here are a few recurring archetypes.

The chat harness

The simplest form.

It mostly manages:

  • conversation state
  • prompt templates
  • response formatting
  • basic safety filters

Useful for assistants, internal Q&A, and low-risk chat applications.

The retrieval harness

This adds document or knowledge access.

It focuses on:

  • indexing
  • retrieval
  • ranking
  • grounding
  • citation handling
  • context packing

This is the common shape of many enterprise assistants.

The tool-using harness

This adds action.

It needs:

  • tool schemas
  • permission checks
  • retries
  • failure handling
  • result summarization
  • guardrails around writes

This is where systems start to feel agentic.

The workflow harness

This embeds the model in a larger deterministic flow.

The model handles fuzzy parts, while the workflow engine handles:

  • step sequencing
  • state management
  • retries
  • SLAs
  • approvals
  • compensating actions

This is often the most production-friendly pattern.

The multi-agent harness

This is really a harness of harnesses.

Now the platform must support:

  • role specialization
  • inter-agent messaging
  • shared or partitioned memory
  • handoff rules
  • task decomposition
  • arbitration
  • observability across many actors

At this point, you are building an agent platform, not just an app.

Why agent systems turn harnesses into platforms

Once you have multiple agents, shared tools, persistent memory, and long-lived tasks, the harness naturally becomes platform infrastructure.

Why?

Because the same concerns repeat everywhere:

  • identity
  • permissions
  • context plumbing
  • tool governance
  • tracing
  • evaluation
  • budget enforcement
  • memory policy
  • model routing
  • failure recovery

This is exactly how platforms emerge in software more broadly. Repeated patterns harden into shared infrastructure.

So a mature agent platform usually offers common primitives:

  • model gateway
  • tool registry
  • memory services
  • task runtime
  • policy engine
  • observability stack
  • eval harness
  • approval workflows
  • sandboxed execution environments

That is why the phrase “agent system” can be misleading if it evokes an autonomous being with a personality.

From a software architecture perspective, an agent system is often better understood as:

a platform for running bounded, tool-using, stateful, language-mediated control loops.

That sounds less romantic, but it is a lot more useful.

What is a self-improving harness?

Now we get to the interesting part.

A self-improving harness is a harness that uses feedback from its own operation to get better over time.

Importantly, this does not have to mean the system rewrites itself like science fiction.

Usually it means something more concrete:

  • it learns which prompts work better
  • it improves retrieval choices
  • it routes tasks to better models
  • it chooses better tools for certain task types
  • it compresses memory more effectively
  • it learns where verification fails
  • it updates policies or heuristics based on observed outcomes

So the question is not “can the AI recursively self-improve?” The practical question is:

Which parts of the harness can adapt safely, and based on what feedback signals?

That is a much better engineering question.

The main dimensions of self-improvement

1. Prompt improvement

The system observes traces and outcomes, then updates prompt templates or exemplars.

For example:

  • if a planning prompt often produces vague plans, add stronger structure
  • if a summarization prompt drops key fields, add schema constraints
  • if certain task classes benefit from examples, add task-specific few-shot context

This can be human-driven, evaluator-driven, or semi-automated.

But prompt improvement is only one small part of the space.

2. Retrieval improvement

Many failures are really retrieval failures.

A self-improving harness may learn:

  • which indexes are useful for which tasks
  • which retrieval strategy to try first
  • how much context to include
  • when to summarize versus pass raw material
  • which documents were repeatedly helpful
  • which sources tend to poison or distract the model

This can dramatically improve system quality without changing the model at all.

3. Tool selection improvement

Over time, the harness can learn better policies for tool use.

Examples:

  • task type A usually needs SQL before CRM lookup
  • task type B should never use web search because internal systems are canonical
  • model X overuses a slow tool for a class of queries
  • certain tool sequences often fail and should be avoided

This starts to look like a routing or policy optimization problem.

4. Memory shaping

Memory is not just storage. It is selection.

A self-improving harness can refine:

  • what gets remembered
  • how memories are summarized
  • how conflicts are resolved
  • when memory is decayed or deleted
  • how entity-level knowledge is updated
  • which memories are pinned as durable

This matters because bad memory hurts performance more than no memory.

5. Evaluation-driven improvement

This is the most important form.

The harness runs tasks, scores outcomes, clusters failures, and adjusts components accordingly.

For instance:

  • if answers are often factually unsupported, tighten grounding policy
  • if plans are correct but too expensive, change model routing
  • if users often edit tone but not substance, update formatting templates
  • if verifiers catch the same issue repeatedly, add an earlier guardrail

This makes the system improve as an operational feedback loop, not as mythology.

6. Planner and critic adaptation

Some systems use internal roles like planner, executor, and critic.

A self-improving harness may learn:

  • which tasks benefit from a planner at all
  • when critique helps versus adds latency
  • what kind of critique catches real errors
  • when a deterministic rule should replace a model-based critic

The mature pattern is not “add more agents.” It is “learn which reasoning scaffolds pay for themselves.”

The design space of self-improving harnesses

There are several broad designs.

Offline improvement loops

This is the safest and most common.

The system collects traces, outcomes, and human feedback. Engineers or optimization jobs analyze them offline and update harness components in controlled releases.

Examples:

  • new prompt version
  • new routing policy
  • improved retrieval strategy
  • better validator
  • new memory compaction rule

This is boring in the best way. It is inspectable, testable, and reversible.

Online adaptation

Here the harness adapts while the system is live.

Examples:

  • dynamically choose between models based on observed latency
  • adjust retrieval depth based on prior success rates
  • personalize output style to user edits
  • learn which tool order works best for a recurring task pattern

This can work well, but it requires careful boundaries. Online adaptation can easily create drift, hidden coupling, or irreproducible behavior.

Human-in-the-loop improvement

In many enterprise systems, this is the sweet spot.

The harness proposes updates or learns from:

  • accepted versus rejected outputs
  • edited drafts
  • approval decisions
  • operator annotations
  • postmortem analysis

This gives richer feedback than simple thumbs-up/down and keeps humans in control of consequential changes.

Learned evaluators and routers

Some harnesses use models to judge outputs or route tasks.

For example:

  • a router model chooses the best underlying model
  • an evaluator model scores grounding quality
  • a critic model checks whether a tool result supports the answer

This can be powerful, but it introduces second-order problems: who evaluates the evaluator? If the judge drifts, the system may optimize for the wrong target.

Constrained self-modification

This is the version people often mean when they say “self-improving agents.”

A harness may be allowed to modify parts of itself, but only within narrow bounds, such as:

  • updating prompt snippets
  • changing retrieval weights
  • reordering tool preferences
  • suggesting new examples
  • adjusting memory compression rules

Crucially, these changes are usually staged, evaluated, and approved before broad rollout.

That is very different from unconstrained autonomous self-rewrite.

Why unconstrained self-improvement is overrated

There is a persistent fantasy that the best agent system is one that rewrites itself continuously until it becomes vastly smarter.

In production engineering, this is usually the wrong goal.

Why?

Because most valuable systems do not fail because they lack raw recursive intelligence. They fail because they lack:

  • clean data access
  • grounded context
  • strong permissions
  • reliable tools
  • observability
  • good evals
  • deterministic safeguards
  • clear state management

In other words, they fail because the harness is weak.

A stronger harness often beats a more autonomous one.

A system that improves retrieval quality, tool governance, and verification may deliver more real business value than a system that endlessly rewrites prompts in search of magic.

Failure modes of self-improving harnesses

This area is full of traps.

Reward hacking

If the harness optimizes against a narrow metric, it may learn to score well without becoming genuinely useful.

Classic examples:

  • answers become shorter because brevity correlates with approval
  • citations are added mechanically but do not support claims
  • the system learns to avoid hard tasks to protect success rate

Overfitting to evals

If improvement is driven by a fixed benchmark, the harness may get better at that benchmark while getting worse in the real world.

This is especially dangerous with synthetic evals that do not capture messy operational reality.

Memory corruption

A system that updates memory aggressively may accumulate false, redundant, or adversarial information.

Over time, the harness can poison its own future context.

Cost and latency spirals

A self-improving harness may discover that extra tool calls, extra critiques, and extra retrieval passes improve quality.

True. But maybe only slightly.

Without budgets, the system can evolve toward expensive overthinking.

Loss of reproducibility

If live adaptation changes routing, prompts, or memory behavior constantly, debugging becomes much harder.

The engineer’s basic question — “why did it do that?” — becomes difficult to answer.

Hidden complexity

Every adaptive component interacts with every other one.

Prompt changes affect retrieval needs. Retrieval changes affect model behavior. Memory changes affect planning. Evaluator changes affect optimization.

At some point, the harness becomes a coupled adaptive system. That can be powerful, but it also means local improvements can produce global regressions.

What good engineering looks like

If you are building one of these systems, a few principles go a long way.

Version everything

Version:

  • prompts
  • retrieval policies
  • tool schemas
  • memory logic
  • validators
  • routing policies
  • evaluator models

If it changes behavior, it should be versioned.

Store traces by default

You want full-fidelity records of:

  • inputs
  • assembled context
  • model calls
  • tool calls
  • outputs
  • validations
  • final outcomes

No trace, no reliable improvement.

Separate policy from prose

Do not hide critical control logic in prompt wording alone.

Permissions, budgets, approvals, and write boundaries should be enforced in code and infrastructure.

Prefer bounded adaptation

Let the harness improve, but inside explicit envelopes.

For example:

  • it may choose among approved prompts
  • it may reorder safe tools
  • it may tune retrieval depth within a budget
  • it may suggest policy changes for review

Bounded adaptation is much easier to trust.

Build evals early

Improvement requires a scorecard. Not just generic benchmarks, but task-specific evals tied to your real workflows.

Treat agents like actors in a system, not magical coworkers

This mindset helps a lot.

An agent is not an employee. It is a software actor with partial autonomy, incomplete context, and probabilistic reasoning. That framing naturally leads to better architecture: message boundaries, permissions, observability, and failure handling.

The deeper point

The phrase “LLM harness” may sound modest, but it points to something important.

The harness is where software engineering re-enters the picture.

It is where we turn a probabilistic model into a governed system. It is where platform architecture matters more than demo fluency. It is where agents stop being chatbots with ambition and start becoming components in a serious runtime.

And this is probably where a lot of durable value will be built.

Not merely in having access to a model. Not merely in wrapping a model with a prompt. But in building the harness — the platform around the model — that can reliably route work, gather context, enforce policy, call tools, learn from traces, and improve without becoming ungovernable.

That is the opportunity.

The model may be the engine.
But the harness is the vehicle.

Last updated on
The Ghosts in the MachineARQuest: Adaptive Underwriting Architecture