top of page

Your AI Agent Has an Org Chart: Don't Think Agentic Design Patterns, Think Organizational Design.

  • Apr 11
  • 10 min read

Most articles about agentic AI read like a medical textbook on cellular biology.

They explain the synapses, the nervous system, and the metabolic pathways: ReAct loops, reflection, tool calling, routing, planning, and multi-agent orchestration. Useful, yes. But if you are a chief medical officer running a busy hospital, your first question isn't “How do the individual neurons fire?”

Your first question is: Do we need a rapid-response triage team, a methodical surgical unit, or an investigative diagnostic board?

That is why I wrote this article.



When people discuss agentic design patterns, they often treat them as purely technical choices. But in real life, choosing an agentic pattern is not just a software decision. It is an operating model decision.


I come from a security organization with two very different types of workforces. One is a uniformed workforce, where hierarchy, chain of command, escalation, discipline, and clear authority matter. The other is a civilian and office-based workforce, where the structure is flatter, more collaborative, more cross-functional, and often driven by expertise rather than rank.

These two environments cannot blindly be served by the same agentic design.

  • A command-centre agent should not behave like a brainstorming assistant.

  • A field-operations agent should not bypass rank and escalation.

  • A civilian productivity agent should not be trapped in unnecessary digital bureaucracy.

  • A multi-agent workflow should not devolve into a committee meeting with API access.


So the real question is not only: Which agentic pattern should we use?

The better question is: What kind of digital organization are we creating?

Because once agents can use tools, assign tasks, critique outputs, remember context, and recommend actions, they are no longer just software components. They start to behave like digital workers, reviewers, dispatchers, investigators, planners, and managers.

That is the non-technical view of agentic design patterns that too few people are talking about.


The problem with the current agentic AI conversation

The mainstream conversation around agentic design patterns is still very technical.

Most articles focus on things like:

- Reflection loops
- ReAct loops
- Tool calling
- Planning agents
- Routing agents
- Multi-agent collaboration
- Function calling
- Vector databases
- Agent frameworks

These are important. Andrew Ng’s agentic AI framing helped popularize patterns thinking in agent design. Modern frameworks such as OpenAI Agents SDK, LangGraph, CrewAI, Microsoft Agent Framework, AutoGen, LlamaIndex, and others now make these patterns easier to implement.


But here is the problem:

Technical diagrams explain how agents move information.They do not explain how agents should behave inside an organization.

That matters because every agentic system quietly answers organizational questions:

Who decides? Who checks? Who can act? Who escalates? Who owns the result? Who is accountable when something goes wrong?

These questions are especially important in security operations.

In a command centre, authority matters. In a SOC, evidence matters. In vulnerability management, ownership matters. In field operations, escalation matters. In executive reporting, accountability matters.

If we ignore these realities, we do not get intelligent automation. We get digital confusion.


The central idea: every agent system has an invisible org chart

Every agentic system has an org chart, even if we do not draw one.

Say we have a simple workflow like below:

User -> Dispatcher -> Manager -> Worker with system access -> Quality reviewer -> Final report

If we try to convert above into agentic map, it goes:

User -> Router Agent -> Planner Agent -> Tool Agent -> Reviewer Agent -> Final Response

That is no longer just software architecture.

That is organizational design.

Once we see this, the design conversation changes.

We stop asking only:

Can the agent complete the task?

We start asking:

Should this agent have the authority to complete the task?

That distinction is critical.


Why hierarchy versus flat structure matters

In a uniformed security workforce, hierarchy exists for a reason.

There is a chain of command. There are ranks, duty roles, escalation thresholds, standard operating procedures, and incident commanders. In this environment, speed matters, but disciplined speed matters more. A decision made by the wrong person, or by an AI system with unclear authority, can create operational and safety risks.

So in a hierarchical environment, agents should support command, not replace command.

They can gather facts. They can summarize incidents. They can recommend actions. They can draft reports. They can monitor escalation triggers.

But they should not freely declare major incidents, dispatch resources, close cases, notify external stakeholders, or trigger high-impact actions unless the authority boundary is very clear.

In a civilian or office-based workforce, the structure is often flatter. People work across departments. Expertise may matter more than rank. Collaboration and speed are important. Here, agentic systems can be more networked. They can route tasks to specialist agents, run parallel analysis, compare options, and help teams move faster.

But the risk is different.

In flat structures, accountability can disappear.

Everyone contributes. Everyone comments. Everyone reviews. But nobody owns the decision.

So the design principle changes by environment:

In hierarchical operations: Use AI to strengthen command. In flat office environments: Use AI to widen expertise, but preserve accountability.

This is why agentic design patterns should not be copied blindly from blog posts or framework demos.

The same pattern can behave very differently depending on the organization it enters.


Agentic patterns, translated into organizational language

Let us now simplify the common patterns.

Not as computer science diagrams.

As organizational roles.

I summarise (in my own ways) into below table:

Pattern

Organizational role

Best used for

Main risk

Reflection

Reviewer

Better-quality output

Rubber-stamp review

Tool use

Privileged employee

Accessing real systems

Excessive permission

ReAct

Investigator

Step-by-step investigation

Rabbit holes

Planning

Operations planner

Multi-step work

Stale plans

Routing

Dispatcher

Assigning work

Misrouting

Parallelization

Specialist squad

Fast independent checks

Conflicting outputs

Multi-agent

Committee / command team

Complex cross-domain work

Accountability fog

Memory

Institutional knowledge

Repeated context

Outdated assumptions

Human-in-loop

Command authority

High-impact decisions

Approval theatre

The key point here:

Agentic patterns are not just ways to move tokens.They are ways to distribute authority.

A quick word on today’s frameworks

The technology has moved fast. We no longer need to hand-code every agent loop from scratch. There are now mature frameworks and protocols that make it easier to build agents, connect tools, manage workflows, and observe execution.

But frameworks do not remove the need for design judgment.

They give us better building blocks.They do not tell us what kind of organization to build.

Some current options include:

Technology / framework

What it is good for

Practical consideration

OpenAI Agents SDK

Building agents with tools, handoffs, guardrails, and tracing

Good fit when you want a structured agent runtime with visibility into tool calls and handoffs.

LangGraph

Stateful, long-running, graph-based agent workflows

Useful when you need durable execution, human-in-the-loop control, persistence, and explicit workflow state.

CrewAI

Role-based multi-agent collaboration

Useful when you want to model agents as crews, roles, tasks, and flows, with features such as memory, knowledge, guardrails, and observability.

Microsoft Agent Framework / Semantic Kernel

Enterprise agent development, workflows, tools, and multi-turn applications

Relevant for Microsoft-centric enterprise environments.

LlamaIndex

Data-centric agents and RAG workflows

Strong when the agent needs to work with enterprise documents, indexes, retrieval, data connectors, and context augmentation.

MCP

Standardized connection between AI apps and external tools/data

Useful as an integration pattern. Open standard for connecting AI applications to external systems, including data sources, tools, and workflows.

The decision should not start with:

Which framework is most popular?

It should start with:

What operating model do we need?

For example:

Need strict state and approvals? Consider graph-based workflows.
Need multi-agent collaboration? Consider crew or conversation-based frameworks.
Need enterprise knowledge access? Focus on RAG, indexing, permissions, and retrieval quality.
Need tool interoperability? Look at MCP-style integration.
Need auditability? Prioritize tracing, logs, evaluation, and permission control.

Framework choice is important. But it is secondary.

The real design choice is the agency model.


Key technology considerations before building

Before choosing a framework, answer these questions.


1. Deterministic workflow or flexible agent?

Not every problem needs a fully autonomous agent.

Some workflows are better as fixed chains:

Extract data → Validate → Summarize → Send for approval

Others need flexibility:

Investigate alert → Choose next query → Observe result → Decide next step

Use deterministic workflows when the process is known.Use flexible agents when the path depends on discovery.


2. What is the tool permission model?

Avoid giving agents generic superpowers.

Bad tool design:

run_sql_query()
execute_command()
update_any_ticket()
send_any_email()

Better tool design:

get_recent_access_events(site_id, time_window)
create_incident_draft(summary, severity, evidence)
request_dispatch_approval(location, reason)
get_vulnerability_status(asset_id)

Narrow tools reduce blast radius.


3. Where does human approval sit?

Do not add human approval at the end as a formality.

Put it at the point where judgment is needed.

Examples:

Before dispatch
Before containment
Before external notification
Before risk acceptance
Before incident closure

The approval screen should show:

- Recommendation
- Evidence
- Confidence
- Assumptions
- Alternatives
- Risk of action
- Risk of inaction

4. How will you trace decisions?

In traditional software, a stack trace helps identify what failed.

In agentic systems, you need an “agency trace.”

That means logging:

- User request
- Agent reasoning summary
- Tool calls
- Retrieved evidence
- Intermediate outputs
- Human approvals
- Final action
- Timestamp
- Responsible owner

Without this, accountability becomes foggy.


5. How will you evaluate the agent?

Do not evaluate only whether the answer sounds good.

Evaluate whether the agent behaves correctly.

Test cases should include:

- Normal cases
- Edge cases
- Ambiguous cases
- Prompt injection attempts
- Wrong or missing data
- Conflicting evidence
- High-severity incidents
- False positives
- Permission boundary tests

For security organizations, this is especially important because an agent may be technically correct but operationally unsafe.


The biggest risk: digital bureaucracy

Once we model agents as digital organizations, a new risk appears.

Bureaucracy.

In human organizations, bureaucracy looks like too many meetings, too many approvals, too many handoffs, and too little action.

In agentic systems, bureaucracy looks like this:

Agent A summarizes.
Agent B critiques.
Agent C routes.
Agent D rewrites.
Agent E reviews.
Agent F synthesizes.
No system was checked.
No decision was made.
No action moved forward.

That is not intelligence.

That is token bureaucracy.

The agentic version of a meeting that should have been an email.

A useful metric is the coordination-to-action ratio:

Coordination-to-action ratio 
= effort spent on agent-to-agent discussion ÷ effort spent gathering evidence or completing useful work

In a command centre, this ratio must be low.

During an incident, you do not want a digital committee debating endlessly. You want fast evidence gathering, clear recommendations, and accountable decisions.


Common anti-patterns to avoid

1. The middle-management bot

Too many agents exist only to pass messages around.

This adds latency without adding value.

Fix: Flatten the design. Add hierarchy only where it improves accountability.


2. Context laundering

An uncertain statement becomes more certain as it passes through agents.

Original log: Possible anomaly. 
Agent summary: Suspicious activity. 
Final report: Confirmed compromise.

Fix: Preserve uncertainty.

Every output should separate:

Confirmed fact
Inference
Assumption
Unknown

3. Accountability fog

Many agents contribute, but nobody owns the decision.

Planner Agent recommended.
Risk Agent reviewed.
Execution Agent acted.
Human was notified.

But who was accountable?

Fix: Use agentic RACI.

Responsible: Which agent performs the work?
Accountable: Which human role owns the decision?
Consulted: Which agents or tools provide input?
Informed: Who receives the update?

4. Excessive agency

The agent has more authority than the task requires.

For example, an agent that only needs to summarize alerts also has permission to close tickets, notify executives, or disable users.

Fix: Match authority to purpose.

Give enough authority to be useful.Not enough authority to surprise the organization.

A practical model: the Agent Organization Stack

Most technical teams start at the bottom: model, prompt, tool, API.

That is necessary, but incomplete.

For enterprise and security environments, I suggest designing agents across five layers.

5. Accountability Layer  [Who owns the decision and outcome?]
4. Authority Layer   	[What can the agent recommend, trigger, or execute?]
3. Coordination Layer   	[How do agents route, delegate, debate, and escalate?]
2. Cognition Layer   	[How do agents reason, reflect, plan, and remember?]
1. Tool Layer   			[What systems, APIs, databases, and workflows can agents access?]

Most blog posts focus on layers 1 and 2.

But most real-world failures happen because layers 3, 4, and 5 were not designed.

The agent had tools, but no authority boundary.The agent had reasoning, but no accountability.The agent had memory, but no owner.The agent had autonomy, but no escalation discipline.

That is why agentic design is organizational design.


Security use case 1: Command Centre Situation-Awareness Copilot

A command centre receives an intrusion alarm from a restricted site.

A weak AI design says:

Alarm received. Recommend dispatch.

A stronger agentic design behaves like a digital chief of staff.

1. Routing Agent classifies the incident.
2. Tool Agent checks alarm, access logs, site risk, camera status, and patrol records.
3. ReAct Agent investigates missing context.
4. Situation Agent drafts the current incident picture.
5. Risk Agent checks escalation criteria.
6. Reflection Agent verifies evidence and missing fields.
7. Human Duty Commander approves dispatch or escalation.

Output:

Incident: Forced-door alarm
Location: Site A, Gate 3
Time: 21:42
Confidence: Medium

Confirmed facts:
- Door sensor triggered at 21:42.
- No valid access-card event within two minutes.
- Nearby camera offline since 21:30.
- Last patrol checkpoint completed at 21:10.

Unknowns:
- Actual intrusion or sensor fault.
- Whether maintenance activity was scheduled.

Recommended actions:
1. Dispatch nearest patrol team.
2. Contact site supervisor.
3. Check backup camera feed.
4. Escalate if no patrol acknowledgement within three minutes.

Human approval required:
- Dispatch: Yes
- Major incident declaration: Yes

This design respects hierarchy.

The AI does not become the commander.It improves the commander’s awareness.


Security use case 2: SOC Alert Triage Cell

A SOC receives a suspicious login alert.

A hierarchical design may be too slow. A flat specialist-cell design may work better.

Alert Router 
↓
Identity Agent
Endpoint Agent
Network Agent
Threat Intel Agent
Asset Criticality Agent
↓
Evidence Synthesis Agent   
↓
Triage Recommendation   
↓
Human approval for containment

This is a good use of parallelization.

Each agent checks a different evidence source. The synthesis agent combines the findings. The human analyst reviews the recommendation before high-impact action.

The agent may autonomously:

- Enrich the alert
- Build a timeline
- Draft a ticket
- Recommend severity

But it should be controlled when it comes to:

- Disabling an account
- Isolating an endpoint
- Blocking a network connection
- Declaring a major incident

This is the right boundary:

Autonomous evidence gathering: acceptable.
Autonomous high-impact action: tightly controlled.

Final thought: do not just build agents; design their chain of command

Agentic AI is usually presented as a technical breakthrough.

Models can now reason. They can call tools. They can plan. They can reflect. They can collaborate.

All true.

But the deeper shift is organizational.

When we build agentic systems, we are creating digital workers, reviewers, dispatchers, investigators, planners, and committees. We are deciding how authority flows through software.

For a security organization, this is not abstract.

Some environments require command and control.Some require flat collaboration. Some require speed. Some require evidence. Some require strict approval. Most require a hybrid.

So the future of agentic AI will not be won by teams that simply add more agents.

It will be won by teams that know where agency should stop.

The best agentic system is not the one with the most autonomy.

It is the one that knows its role, respects its authority boundary, supports the humans around it, and preserves accountability when the stakes are high.

In short:

Do not just build AI agents. Design the organization they are becoming.

 
 
 

Comments


bottom of page