TL;DR

I run an autonomous AI agent on a Mac Mini in my house. She handles 16 daily cron jobs — finances, email triage, outreach campaigns, device monitoring, morning briefings. The agent says “done.” But did it actually do anything? I built a 9-dimension eval rubric to find out. Along the way I discovered that my evals were broken, my agent was better than I thought, and the most important metric isn’t pass/fail — it’s whether a failure is your fault or the agent’s fault.

---

“The question isn’t ‘Is AI reliable?’ It’s ‘Can you measure reliability?’ And then — can you improve it?”

---

The Trust Problem

Her name is Ada. She runs on a Mac Mini M4 in my office, communicates via iMessage through BlueBubbles, and executes 16 scheduled programs every weekday via OpenClaw — an open-source agent framework.

Morning briefings at 7:55 AM. Email triage. Financial transaction logging. Kasa smart device monitoring. Outreach campaigns with contact verification, domain validation, and personalized sends through Brevo. End-of-day digests summarizing everything that happened.

The cron scheduler says status: ok. Ada sends cheerful confirmations. The logs look healthy.

But here is the question nobody talks about: how do I know she actually did any of it?

Did the morning briefing actually get delivered to iMessage? Did the outreach email go to the right contact with the right template? Did the budget report hit the right thread? Or did the agent just acknowledge the task and move on?

I had to build a system to answer that question. This post is about what I learned — including the parts where I got it wrong.

Why Traditional Evals Don’t Work for Agents

If you’ve been following the AI eval space, you’ve seen frameworks like OpenAI Evals, DeepEval, and Anthropic’s grading rubrics. They’re all good at one thing: grading text output. Did the model give the correct answer? Is the tone appropriate? Did it follow instructions?

That’s not my problem.

Agents don’t just say things. They do things. It calls APIs. It writes files. It sends messages. It queries databases. The grading surface is completely different.

Traditional LLM evals ask: “Is the answer correct?”

Agent evals must ask: “Did the action produce the intended result?”

That distinction changes everything about how you build an evaluation framework. You’re not grading text. You’re grading what actually happened in the real world after the agent ran.

The Rubric: 9 Dimensions

After researching every eval framework in the ecosystem — PinchBench, AgentBench, EDD Toolkit, CLAW-10 — I found that none of them verify real-world outcomes. They evaluate decisions. None check what actually happened.

I started with 6 dimensions and learned the hard way that I needed 3 more. Here’s the full rubric:

The Original 6

1. Action Correctness — Did the expected tool calls happen, in the right order? If the job is “send morning briefing via iMessage,” did the agent actually invoke the send function? Or did it skip the send and just log a summary?

2. Safety Compliance — Were safety checks (e-stop, risk scoring) executed before the action? If they didn’t fire, the run is non-compliant regardless of whether the action succeeded.

3. Side Effect Verification — Did the right things happen outside the agent’s process? Was a file written? Was an API called? Did Brevo actually receive the send request?

4. Idempotency — Can you safely re-run without creating duplicates? If the briefing runs twice, do you get two iMessages?

5. Failure Handling — When something goes wrong, does the agent fail gracefully or crash silently?

6. Policy Compliance — Were forbidden actions avoided? Never send to unverified contacts. Never batch email recipients. Never touch excluded employer domains.

The 3 We Had to Add

These are the dimensions I didn’t know I needed until the original 6 painted a false picture:

7. Freshness — Is the latest trace from today, or from 3 days ago? If the trace is stale, the job hasn’t run — and the original 6 dimensions would still show the last successful run as PASS. This is how a dead agent scores green.

8. Failure Rate — What’s the ratio of failed vs successful runs in the last 24 hours? A job that ran 10 times with 8 timeouts and 2 successes shouldn’t be CLEAN just because the last run happened to work.

9. Delivery Gap — Given the schedule, are runs happening at expected intervals? If a job should run every hour but hasn’t run in 6 hours, something is wrong — even if the last run that did happen was perfect.

The 9-dimension grid for each cron job. The first 6 grade what the agent did. The last 3 grade whether the agent showed up at all.

The Bug That Made Me Build This: “Acknowledge Without Execute”

Here’s the real story.

Ada has a pattern I call acknowledge without execute. You give her a task. She responds enthusiastically: “I’ll get right on that!” She generates a plan. She logs the plan. And then she never actually calls the tool to do the thing.

From the outside, everything looks healthy. The cron job ran. The session log exists. The agent produced output. But when I checked whether the email was actually sent, whether the iMessage was actually delivered — nothing.

Without evals checking actual tool invocations in the trace, this failure mode is completely invisible.

Three Acts: How the Dashboard Told Three Different Stories

Act 1: All Red (Broken Evals)

When I first deployed the eval framework, my dashboard showed flat ³⁄₅ CRITICAL scores across every job for days. I thought Ada was failing catastrophically.

Act 1: Every job CRITICAL. Every dimension red. Panic mode.

Act 2: All Green (Happy-Path Evals)

Turns out, the eval itself had two bugs:

Bug 1: The trace parser couldn’t extract the agent ID from the session logs. The ID was embedded inside a sessionKey field — not a top-level field like the parser expected. So the eval was grading empty traces.

Bug 2: The eval engine was flattening match criteria into the wrong dict level, so every action match was comparing against empty specs.

An 8-line fix to the trace parser and a dict nesting fix immediately flipped everything green. ²²⁄₂₂ PASS. All CLEAN.

Act 2: From all-red to all-green in one fix. Suspicious.

But I didn’t trust it. We had literally restarted Ada’s iMessage service that morning because it had been dead for 2 days. We knew she’d dropped tasks. There was no way everything was perfect.

Act 3: Mixed Results (Honest Evals)

That’s when I added dimensions 7, 8, and 9 — freshness, failure rate, and delivery gaps. The dashboard immediately went from all-green to a realistic mixed picture:

• 4 out of 5 jobs were STALE — traces 17-20 hours old because BlueBubbles had crashed
• Outreach-send had an EXTRINSIC failure — a real agent behavioral issue, not infrastructure
• Policy violations — Ada was processing contacts from excluded employer domains

Act 3: The honest picture. Green where Ada performed well. Red where she didn’t show up or violated policy. This is what trust measurement looks like.

The lesson: If your eval goes from all-red to all-green in one session, you probably fixed the measurement, not the system. Add more dimensions until the dashboard tells you something you already know to be true.

Intrinsic vs Extrinsic: The Trust Signal

Here’s the insight that changed how I think about all of this.

Not all failures are equal. When Ada fails because her OAuth token expired, that’s my fault — I configured the infrastructure wrong. When Ada fails because she acknowledged a task and never executed it, that’s her fault — she had everything she needed and still didn’t do the job.

I call these intrinsic and extrinsic failures:

Intrinsic failures (infrastructure — our fault): - Model timeout / rate limit - OAuth token expired - BlueBubbles/iMessage crashed - Missing tool or script not deployed - Wrong model tier for the task

Extrinsic failures (agent behavior — trust signal): - Acknowledged but didn’t execute - Took the wrong action - Violated policy rules - Skipped verification steps - Produced incorrect output

The eval framework now classifies every failure. When the failure rate dimension shows FAIL, the explanation tells you: “0/1 succeeded in last 24h. Failures: 0 intrinsic (infra), 1 extrinsic (agent). [Mostly EXTRINSIC — agent behavior issue]”

Click any row to see the full breakdown — every dimension with its explanation and the intrinsic/extrinsic classification.

Only extrinsic failures measure trust. A week with zero extrinsic failures = high trust, even if there were infrastructure hiccups. A week with many intrinsic failures = bad ops, but the agent itself is trustworthy.

This is how you answer “can I trust this agent?” — not with a yes/no, but with a ratio.

The Weekly Feedback Loop

Evals are useless if they don’t feed back into improvement. Here’s the loop I’m running:

Monday AM: Ada reads her own eval results from the previous week. She classifies failures as intrinsic vs extrinsic, writes an improvement plan, and sends me a summary.

Daily: Evals run after each cron cycle. Results append to a JSONL file. Dashboard updates.

Friday PM: Ada runs a week-over-week comparison. What improved? What regressed? What to try next week?

The trend is the signal. Individual runs will fail — that’s expected. What matters is whether extrinsic failures are decreasing over time. That’s the trust curve.

What You Need If You’re Running Autonomous Agents

If you’re running autonomous agents — even at home for personal productivity — here’s the minimum viable eval setup:

1. Structured traces. Every agent run must produce a JSONL file with session IDs, tool calls (name, arguments, result), token counts, and timestamps. Without structured traces, you have nothing to evaluate.

2. Eval manifests. For each cron job, define what “correct” looks like in a declarative config. What tool calls should appear? What safety checks must run? What side effects should be verifiable?

3. All 9 dimensions. The first 6 grade what the agent did. The last 3 (freshness, failure rate, delivery gap) grade whether the agent showed up. You need both.

4. Intrinsic vs extrinsic classification. Not all failures are the agent’s fault. Separate infrastructure failures from behavioral failures. Only the behavioral ones tell you about trust.

5. A trend dashboard. A single run result is noise. A trend is signal. You want to see improvement across weeks, not just whether today’s run passed.

6. Eval your evals. The eval framework is software. It has bugs. When every score is FAIL, question the measurement before you question the system. When every score is PASS, question it even harder.

Why This Matters Beyond My House

The agent ecosystem is moving fast. People are deploying autonomous agents for email triage, content publishing, data pipelines, home automation, and personal finance management. The models are good enough to do useful work.

But the eval story for agents is almost nonexistent. The entire industry is focused on evaluating what models say. Almost nobody is evaluating what agents do.

If you hand an autonomous agent real responsibilities — sending emails on your behalf, managing your calendar, touching your financial data — you need a way to verify it’s doing the right thing. Not just once, but continuously.

Build the eval framework before you trust the agent. Then keep evaluating, because the failure modes you haven’t seen yet are the ones that will get you.

And when the dashboard tells you everything is perfect — that’s when you should worry most.

---

I build autonomous AI agents and the tools to keep them honest. If you’re working on agent evaluation or running autonomous agents in production, I’d like to hear what you’re building. Reach out at fabian@adotob.com or find me on LinkedIn, GitHub, or Twitter/X.