Back to guides

GUIDE / agentic

Testing AI Agents: RAG, Tools, and Memory

Learn testing AI agents end to end: tool assertions, planning trajectories, memory checks, success rate, cost metrics, and failure recovery testing.

By The Testing AcademyPublished July 9, 2026Updated July 9, 202614 min read

If you are responsible for testing AI agents, you are no longer only checking a single model response. Agents plan, call tools, read memory, retrieve documents, and take multi-step actions that can spend money, change data, or mislead users. Quality work has to cover outcomes, trajectories, tools, RAG context, memory, cost, and recovery, not just whether the final sentence sounds helpful.

This guide gives a practical test strategy for agentic systems: what to assert, how to build scenarios, how to score planning and tool use, how to evaluate memory and RAG inside agents, how to measure success rate and cost, and how to catch failure modes before production.

What Makes an AI Agent Different to Test?

A chatbot answers. An agent acts.

Typical agent loop:

  1. Receive a goal.
  2. Plan or decide next action.
  3. Call tools, APIs, browsers, or MCP servers.
  4. Observe results.
  5. Update memory or scratchpad.
  6. Repeat until done or failed.
  7. Return a final answer or side effect.

That loop creates new QA surfaces:

  • Non-deterministic paths to the same goal.
  • Side effects that must be idempotent or reversible in test envs.
  • Partial success that looks like success in the UI.
  • Cascading failures when one tool lies or times out.
  • Cost amplification from loops and retries.

Agent Testing Layers

LayerQuestionExample checks
ContractCan tools be called correctly?Schema, auth, permissions
Unit / componentDoes a skill work alone?One tool wrapper, one retriever
TrajectoryDid the path make sense?Tool order, no loops
Task outcomeDid the user goal complete?Ticket filed, order found
MemoryWas state used correctly?Preference recall, no leakage
RAGWas context grounded?Citations, no invention
Non-functionalIs it affordable and safe?Cost, latency, policy
ResilienceDoes it recover?Timeouts, empty results

End to end tests matter, but they are expensive and flaky if lower layers are weak. Build upward.

Define Success Before You Write Scenarios

Write a success contract per agent skill.

Example: travel expense agent

Given a valid receipt image and policy, the agent creates an expense draft with correct amount, currency, category, and policy warnings. It never submits without user confirmation. It never invents merchant names.

Contracts should include:

  • Required final state.
  • Forbidden actions.
  • Allowed tool set.
  • Time and cost budgets.
  • Human handoff rules.

Without contracts, "seems fine" becomes the only metric.

How to Test AI Agents End to End

Step 1: Create a Controllable Harness

You need:

  • Seeded test accounts and data.
  • Fake or sandbox tools with deterministic fixtures.
  • Ability to reset memory stores.
  • Trace capture for prompts, tool calls, and tokens.
  • Replay of fixed RAG corpora for isolation tests.

Production-like integration tests are valuable, but pure live dependencies make failures undebuggable.

Step 2: Build a Task Suite

Each task includes:

  • Goal statement or user conversation script.
  • Environment preconditions.
  • Fixture tool responses (optional but useful).
  • Expected outcome checks.
  • Trajectory constraints.
  • Severity and tags.

Example tasks:

  • Simple one-tool lookup.
  • Multi-tool workflow.
  • Ambiguous goal requiring clarification.
  • Conflicting instructions.
  • Memory-dependent follow-up.
  • Tool outage mid run.
  • Prompt injection in a document.
  • Budget overflow attempt.

Step 3: Assert Outcomes and Trajectories

Final answer checks alone miss dangerous paths.

Outcome assertions

  • Database row created with correct fields.
  • Email sent once.
  • Correct API status transitions.
  • User visible summary matches side effects.

Trajectory assertions

  • Expected tools called, unexpected tools not called.
  • Argument schemas valid.
  • No more than N retries.
  • No repeated identical failing call forever.
  • Sensitive tools require confirmation step.

For tool-level depth, combine this with testing function-calling LLMs.

Step 4: Score Soft Quality Where Needed

Some goals are linguistic: summaries, recommendations, explanations. Use rubrics and groundedness metrics from your eval stack. See LLM evaluation metrics for dimension choices.

Step 5: Repeat for Variance

Run critical tasks multiple times or across model temperatures. Report:

  • Success rate.
  • Pass@k if you allow retries.
  • Distribution of cost and steps.
  • Flake classification: environment vs agent policy.

When agent quality needs a repeatable scorecard, add a dedicated pass using how to benchmark AI agents.

Step 6: Gate Releases

Example gates:

  • Critical tasks: 100% outcome pass on fixtures.
  • Broad suite success rate: >= 90%.
  • Mean cost per success within budget.
  • Zero policy violations on safety tasks.
  • No cross-user memory leakage cases failing.

Testing Agent Planning and Tool Use

Planning quality is visible in traces even when outcomes pass.

What to Look For

  • Unnecessary tool calls that leak data or money.
  • Skipping retrieval when policy requires sources.
  • Calling write tools before read confirmation.
  • Parallel calls that race.
  • Plans that ignore user constraints stated earlier.

Lightweight Trajectory Metrics

MetricDefinitionWhy it matters
Task success rateSuccessful tasks / totalPrimary product metric
Tool precisionCorrect tools / tools calledWaste and risk
Tool recallNeeded tools called / needed toolsCompleteness
Steps to successAverage actions until doneLatency and cost
Loop rateRuns with repeated failing actionFragility
Recovery rateSuccess after induced tool errorResilience
Cost per success$ spent / successful tasksUnit economics
Unsafe action rateForbidden side effects / runsSafety

You do not need all metrics on day one. Start with success rate, critical safety, steps, and cost.

Testing RAG Inside Agents

Agents often retrieve then act. Failures include:

  • Retrieving nothing and inventing.
  • Retrieving the wrong doc and acting confidently.
  • Acting before retrieval when required.
  • Stuffing too much context and losing the constraint.

Test patterns:

  1. Fixed corpus cases: pin documents, score grounded actions.
  2. Missing doc cases: abstain or ask, do not invent.
  3. Conflict cases: surface conflict, do not silently merge.
  4. Injection cases: instructions inside docs must not override system policy.

Separate retriever unit quality from agent decision quality when possible.

Testing Agent Memory

Memory types:

  • Scratchpad within a run.
  • Conversation history.
  • Long-term user profile memory.
  • Organizational knowledge stores.

Memory Test Ideas

ScenarioAssert
User states preference earlyLater turns honor it
User updates preferenceOld value not used
Two users similar namesNo cross leakage
Memory store downGraceful degrade
Stale fact past TTLRe-fetch or confirm
Sensitive data in memoryRedaction and access control

Memory bugs are privacy incidents waiting to happen. Treat leakage cases as critical.

Agent Failure Modes and Recovery Testing

Induce faults on purpose.

Failure Injection Catalog

  • Tool returns 500.
  • Tool returns empty list.
  • Tool returns malformed JSON.
  • Tool latency exceeds budget.
  • Auth token expired.
  • Partial multi-tool success (payment captured, ticket not created).
  • Conflicting tool results.
  • Rate limit mid plan.

Good Recovery Behaviors to Assert

  • Retry with backoff limited times.
  • Switch to fallback tool when configured.
  • Ask the user when blocked.
  • Roll back or compensate partial side effects when required.
  • Report uncertainty instead of inventing completion.
  • Emit structured error state for the client UI.

Bad Recovery Behaviors

  • Infinite retry loops.
  • Claiming success after a failed write.
  • Hallucinating the tool payload.
  • Escalating privileges to "make it work."
  • Silently dropping user constraints.

Worked Example: Support Triage Agent

Goal: classify ticket, look up order, draft reply, never issue refund without policy tool approval.

Scenario A: Happy Path

Preconditions: order exists, policy allows replacement.

Expected trajectory:

  1. classify_intent
  2. order_lookup
  3. policy_check
  4. draft_reply
  5. stop (no issue_refund)

Outcome: draft contains correct order status and replacement offer.

Scenario B: Policy Denial

Policy tool returns not eligible.

Expected: no refund tool call; reply explains denial with allowed alternatives.

Scenario C: Order Service Timeout

order_lookup times out twice.

Expected: limited retries, user informed, no invented status, ticket left in needs-human state.

Fixture Sketch

{
  "id": "agent-support-017",
  "goal": "My package is late, refund me now",
  "fixtures": {
    "order_lookup": {"status": "in_transit", "eta": "2026-07-12"},
    "policy_check": {"refund_eligible": false, "alternative": "wait_or_replacement"}
  },
  "assert": {
    "tools_forbidden": ["issue_refund"],
    "tools_required": ["order_lookup", "policy_check"],
    "final_state": "draft_ready",
    "must_not_claim": ["refund issued"]
  }
}

Cost and Latency Evaluation

Agents can pass functionally and fail economically.

Track per task:

  • Input and output tokens.
  • Tool call count and tool latency.
  • Wall clock time.
  • $ estimate by model and tools.
  • Human escalation rate.

Report cost per successful task and p95 latency for successful tasks. Optimizations that reduce cost by skipping retrieval may increase hallucinations. Always pair cost metrics with quality metrics.

Safety and Authorization Testing

Agents multiply classic security issues.

Test:

  • Tool permission boundaries by role.
  • Confirmation requirements for irreversible actions.
  • Prompt injection from tools, mail, and docs.
  • Secret exfiltration via tool arguments.
  • Scope creep: user asks for admin actions.

MCP-based tool servers need their own contract and security tests. See testing MCP servers.

Framework Notes

Whether you use LangChain, LangGraph, custom loops, or other stacks, the test ideas stay the same. Framework-specific unit testing patterns appear in LangChain testing. Do not let framework abstractions hide traces. If you cannot inspect tool calls, you cannot test agents seriously.

Common Mistakes When Testing AI Agents

Mistake 1: Only Scoring the Final Chat Message

Side effects are the product. Assert them.

Mistake 2: Fully Live Tools With No Fixtures

Every failure becomes a network mystery. Use sandboxes.

Mistake 3: One-Run Pass Equals Done

Non-determinism needs rates, not single anecdotes.

Mistake 4: Ignoring Trajectory Waste

A correct answer after 40 flailing tool calls is still a defect for cost and risk.

Mistake 5: No Memory Isolation Tests

Data leakage is a severe bug class.

Mistake 6: No Induced Failures

Sunny-day demos do not prove recovery.

Mistake 7: Unbounded Autonomy in Tests and Prod

Write action allowlists and confirmations into the design, then test them.

Mistake 8: No Ownership of Traces

Without stored traces, flaky agent bugs cannot be diagnosed.

Practical Checklist

  • Success contracts written for top agent skills.
  • Harness can reset data and memory.
  • Suite includes happy, edge, safety, memory, and fault cases.
  • Outcome and trajectory assertions both exist.
  • Success rate, cost per success, and loop rate are reported.
  • Critical safety tasks gate releases.
  • RAG groundedness checked where retrieval is required.
  • Cross-user memory tests pass.
  • Traces retained for failed runs.
  • Failures become new tasks in the suite.

Scenario Design Workshop Template

Run a one-hour workshop with product, eng, and QA before a major agent launch.

Agenda:

  1. List top ten user goals the agent must complete.
  2. List top ten forbidden actions.
  3. For each goal, name tools, data, and success evidence.
  4. For each forbidden action, name a test that tries to cause it.
  5. Identify three partial-failure stories (payment ok, ticket fail, and similar).
  6. Identify two memory stories and two RAG stories.
  7. Assign severity and owners.
  8. Convert the list into harness tasks the same week.

Output artifact: a spreadsheet or YAML index that becomes the backbone of the suite.

Observability Requirements for Agent QA

If you cannot answer these from logs, testing will stall:

  • Which prompt versions ran?
  • Which tools were called with which redacted args?
  • What did tools return?
  • How many tokens and dollars did the run cost?
  • Where did the policy engine intervene?
  • Which memory records were read or written?
  • What was the final side effect set?

Add a single run_id across model calls, tools, and DB writes. Testers should be able to paste a run_id and reconstruct the story.

Human-in-the-Loop Agent Testing

Many production agents pause for approval. Test:

  • Pause triggers on the correct risk threshold.
  • Approval payloads show enough context for a human to decide.
  • Rejection path stops side effects cleanly.
  • Double approval does not double execute.
  • Timeout while waiting for a human leaves a safe state.
  • Malicious user text cannot auto-approve.

Human-in-the-loop is not a reason to skip automation. Automate the pause contract, then sample real human decisions for quality of the presented context.

Comparing Two Agent Policies

When product proposes a more aggressive planner:

MetricConservative policyAggressive policyNotes
Success rate0.880.91Slight win
Cost per success$0.11$0.19Worse
Forbidden tool rate0.000.02Blocker
Mean steps4.16.7Worse
User clarification rate0.220.10Mixed

Ship decisions should use a table like this, not a single demo transcript.

Environment Strategy

EnvironmentAgent toolsDataPurpose
Unit harnessFull mocksFixturesPR speed
Shared QASandbox APIsSeeded tenantsIntegration
StagingProd-likeAnonymizedRelease candidate
ProductionRealRealShadow and canary only with controls

Never let eval agents loose on production write tools without hard allowlists and kill switches.

Expanding Coverage Over Time

Month 1: five critical tasks, fixtures, traces.
Month 2: memory and safety packs.
Month 3: fault injection and cost budgets.
Month 4: multilingual and long-horizon tasks.
Month 5: multi-agent handoffs if applicable.
Ongoing: production mining weekly.

Testing AI agents matures the same way service testing matured: start with critical paths, then deepen resilience and economics.

Agent-Specific Bug Report Fields

When filing defects, include:

  • Goal and conversation script.
  • Expected outcome and forbidden actions.
  • Actual side effects.
  • Tool trajectory summary.
  • Model and prompt versions.
  • Cost and step count.
  • Repro rate over n runs.
  • Whether fixture or live dependencies were used.

This makes agent bugs actionable for engineers who did not watch the live run.

Canary and Shadow Modes for Agents

Before full traffic:

  1. Shadow mode: agent proposes actions, production system ignores writes, humans compare proposals to current automation or policies.
  2. Canary users: small cohort with kill switch and tighter budgets.
  3. Write allowlist: only low risk tools enabled initially.
  4. Automatic rollback: error rate, forbidden tool rate, or cost spike disables the agent.

Test that each mode actually works: shadow must not write, canary flags must route correctly, kill switch must stop new runs within seconds.

SLA Language for Agent Quality

Agree with product on measurable SLOs:

  • Task success rate for P0 intents.
  • p95 latency for successful completions.
  • Max cost per successful task.
  • Max forbidden action rate (usually zero on audited set).
  • Max ungrounded high risk claims rate.

Publish the SLOs next to the suite results so leadership does not interpret a demo as a release.

Checklist Recap for Launch Day

  • Critical task suite green on release candidate.
  • Safety and injection packs green.
  • Memory isolation green.
  • Cost within budget on smoke and full suite.
  • Tracing verified in staging.
  • On-call runbook includes agent disable steps.
  • Known failing non-blocking cases documented with owners.

Final Workflow

  1. List agent goals and forbidden actions.
  2. Inventory tools, memory stores, and retrievers.
  3. Build fixture-backed tasks for each critical goal.
  4. Add fault injection and injection cases.
  5. Define metrics and gates.
  6. Run on every agent policy or model change.
  7. Sample production traces weekly.
  8. Feed novel failures into the task suite.

Testing AI agents is systems testing with language models in the control loop. The teams that ship safely treat tools, memory, and trajectories as first-class test targets. Start with five critical tasks, perfect the harness and traces, then grow coverage as autonomy expands. For hands-on practice with structured QA thinking, jump into QABattle battles or sign up and work through agentic-style challenges as they appear on the platform.

FAQ

Questions testers ask

How do you test AI agents end to end?

Test AI agents by defining successful task outcomes, running scripted and realistic goals against a controlled environment, asserting final results plus tool trajectories, scoring memory use, and measuring cost, latency, and recovery from tool or plan failures across repeated runs.

What should you assert when an agent uses tools?

Assert the correct tool was selected, arguments match schema and intent, tool errors are handled, side effects happened once, secrets were not leaked, and the final answer reflects real tool output rather than invented results.

How do you evaluate agent success rate and cost?

Define task success criteria per scenario, run the agent multiple times or across a task suite, compute success rate, and record tokens, tool calls, wall time, and dollar cost per success. Report cost per successful task, not only average cost per run.

What is trajectory evaluation for agents?

Trajectory evaluation scores the path the agent took: plan quality, tool sequence, unnecessary steps, loops, and recovery actions, not only the final answer. Two agents can both succeed while one wastes tools and money.

How do you test agent memory?

Create multi-turn tasks that require recalling earlier user constraints, prior tool results, or long-term profile facts. Assert correct recall, correct forgetting of stale data, no cross-user leakage, and graceful behavior when memory stores fail.

What are common AI agent failure modes?

Common failures include wrong tool choice, invalid arguments, infinite loops, hallucinated tool results, ignoring retrieved context, memory pollution, unsafe actions, fragile planning under ambiguity, and silent partial completion presented as success.