Agent build tests need fixed baselines

AWS’s AgentCore dataset workflow shows why agent evaluation needs versioned test suites, ground truth, and regression checks built from production failures

2026-05-28 GIGATAP Team #security
#AI#Agent Evaluation#AWS

Amazon’s point is blunt: agent evaluation fails when the test set keeps moving. A useful build test for an AI agent needs two things at once — live signals from real use, and a stable offline baseline that does not shift between runs.

The AWS Machine Learning Blog frames dataset management in Amazon Bedrock AgentCore as a way to bring versioned test fixtures into agent evaluation. Teams can define scenarios with inputs, expected outputs, assertions, and tool sequences, then publish immutable numbered dataset versions. Drafts remain editable until a checkpoint is locked.

That matters because agents do not behave like ordinary deterministic services. The same prompt can produce different answers across runs. If the test inputs also change, a higher score says very little. The agent may have improved. The questions may have become easier. The model may have sampled differently.

What changed#

The AWS post describes a workflow for building a test suite around an agent using dataset management in Amazon Bedrock AgentCore. The example is a financial market-intelligence agent for investment brokers. The agent identifies a broker, remembers preferences through AgentCore Memory, retrieves stock price data, searches market news sources, and returns a personalized briefing.

The important part is not the finance demo. It is the evaluation pattern.

AWS describes taking production traces, curating failures into a dataset, publishing a locked version, running an evaluation, changing the agent, and evaluating again against the same inputs. A production failure can become a permanent test case. Future builds are then checked against that known failure instead of relying on whatever prompts happen to be nearby.

That is the operational shift. The test suite grows from real agent behavior, but published baselines stay fixed long enough to compare changes.

This is close to how serious software teams already treat regression tests. The difference is that agent behavior needs more than input-output comparison. A language model judge can rate whether a response sounds useful. It cannot reliably prove that a stock price was correct, that the right tool was called in the right order, or that personally identifiable information did not leak between sessions. For those checks, the dataset needs ground truth: expected outcomes, required tool sequences, and assertions that must hold even if the wording changes.

Why the build test matters#

The weak point in many agent evaluation setups is not the absence of tests. It is the absence of stable tests.

During development, teams often test against recent prompts, saved conversations, or examples someone wrote last week. That can be useful for exploration. It is poor evidence for release decisions. If a developer changes a tool description and the score improves, the team needs to know whether the agent got better or the evaluation set changed under it.

A versioned dataset gives the build and test process a fixed target. The inner loop can remain flexible: developers can add failures, adjust draft scenarios, and experiment. The outer loop needs discipline: a published dataset version becomes the release gate.

This is where the security operations angle becomes practical. Agents increasingly call tools, handle user context, and touch sensitive data. A response that sounds polished can still be wrong in the only ways that matter: it may use stale data, skip a required workflow, mix memory between users, or expose private information. Evaluation that only checks surface quality will miss those failures.

For open source security and internal platform teams, the lesson is familiar. A build that passes because the test inputs changed is not evidence of safety. It is a blind spot with a green checkmark.

GigaTap has made a similar point in other supply-chain contexts: coverage is useful only when it is operational, not decorative. See also: 100% package test coverage is the point, not the slogan and OpenSSF’s April signal: make security artifacts operational.

What to check before acting on this#

The AWS post describes two scenario types for AgentCore datasets.

Predefined scenarios are explicit test cases. The team knows the user query, the expected response, the required tool sequence, and the assertions that must pass. These belong in the release gate because they are repeatable. Once a failure is formalized as a predefined scenario, it can remain in future evaluation runs.

User simulation scenarios are less scripted. A team defines a persona, goal, and communication style. An LLM-backed actor then drives a multi-turn conversation with the agent until the goal is met or a turn limit is reached. This can expose paths that scripted tests do not cover, but it is a different kind of evidence. It tests whether an agent can satisfy a class of user across varied interaction paths, not whether it handled one exact input correctly.

Before adopting this pattern, teams should check a few concrete things:

  • Is there a stable dataset version used in the release pipeline, or are evaluations run against changing prompts?
  • Do test cases include ground truth, not just judge scores?
  • Are tool calls and tool order part of the assertions where workflow correctness matters?
  • Are privacy risk checks explicit, especially around memory, session boundaries, and PII leakage?
  • Can production failures be promoted into permanent regression tests without manual archaeology?
  • Are simulated-user scenarios separated from hard release gates, or are teams treating exploratory coverage as deterministic proof?

The last point is easy to miss. Simulation is valuable because it explores. A release gate is valuable because it repeats. Mixing those roles can make the test suite look more sophisticated while weakening the decision it is supposed to support.

What not to overclaim#

This is not proof that an agent is safe, correct, or production-ready. A versioned dataset only tests what the team captured and encoded. If the ground truth is wrong, shallow, or missing the real failure mode, the evaluation will inherit that weakness.

It also does not remove the problem of model variance. Stable inputs make runs comparable, but they do not make the agent deterministic. Teams still need to interpret scores carefully, especially when changes are small or when LLM judges are part of the evaluation path.

The stronger claim is narrower and more useful: dataset management can make agent evaluation more like a real build test. It gives teams immutable baselines, explicit assertions, and a path for turning production failures into regression checks.

That is enough to matter. As agent systems gain tools, memory, and access to business workflows, the difference between “the answer looked good” and “the required facts, calls, and privacy constraints were verified” becomes operational, not academic.