What is an LLM agent?

The phrase "LLM agent" describes a control loop, not a model. The model — Claude, GPT, Gemini, Llama — is the reasoning core, but the agent is the surrounding software that decides what to do with that reasoning. The canonical loop is: receive a goal, generate a thought, choose a tool, execute the tool, observe the output, repeat. When the agent decides the goal is complete, it stops and returns a final answer.

The intellectual origin is the ReAct ("Reasoning and Acting") paper by Shunyu Yao and collaborators at Princeton and Google Research (arXiv:2210.03629), which showed that interleaving chain-of-thought reasoning with tool calls outperformed either alone on HotpotQA and ALFWorld benchmarks. A second key primitive is tool use: the model emits a structured function call (JSON arguments matching a declared schema), the runtime executes it, and the result is appended to the context. OpenAI shipped function calling in June 2023; Anthropic's tool use went GA in May 2024; both converged on JSON-schema-typed tool definitions.

Modern agents extend this loop with memory (short-term scratchpad plus long-term vector recall), planning (decomposition into subgoals, as in Plan-and-Solve, arXiv:2305.04091), and self-reflection (Reflexion, arXiv:2303.11366). Multi-agent systems compose several LLM agents with distinct roles — researcher, coder, critic — coordinated by an orchestrator. Microsoft's AutoGen framework (arXiv:2308.08155) and the open-source CrewAI library popularized this pattern in 2024.

Production deployments are real but narrow. GitHub Copilot Workspace, Cursor, Devin (Cognition Labs), Claude Code, and OpenAI's Operator are agent products shipped to paying customers. Benchmarks show the technology is improving fast but is still error-prone: on SWE-bench Verified — a curated set of 500 real GitHub issues from popular Python repos — top agents hit roughly 65-72% resolution rate as of late 2024, up from under 5% eighteen months earlier (per the SWE-bench leaderboard maintained by Princeton's NLP group). On the GAIA benchmark for general assistant tasks (arXiv:2311.12983), top agents score around 65% versus 92% for humans.

Security is the unsolved problem. The OWASP Top 10 for LLM Applications (2025 edition) lists prompt injection (LLM01), insecure output handling (LLM02), and excessive agency (LLM06) as the leading risks for agentic systems. NIST AI 600-1 (the Generative AI Profile of the AI Risk Management Framework, published July 2024) names confabulation, data poisoning, and CBRN-uplift among the twelve categories of GAI-specific risk. The agent's ability to take real-world actions — send email, transfer money, modify files, browse — multiplies the blast radius of any prompt injection.

The terminology is still settling. Anthropic's published taxonomy (Schluntz and Zhang, "Building effective AI agents," December 2024) distinguishes workflows (predetermined LLM-plus-tool chains) from agents (systems where the LLM dynamically directs its own process). Most production systems labeled "agents" today are closer to workflows; true open-ended agents remain a research frontier.