Back to Research

Agent drift: how to read coding agent output

How to spot agent drift in coding output: the reading habits, receipts, and scope checks that catch it before the merge.

Landscape between Storms, landscape painting by Pierre-Auguste Renoir (1874).
Rogier MullerApril 23, 20266 min read

Agent drift is the gap that grows between what you asked a coding agent to do and what its output actually does. You catch it by reading the output against a written scope, not by trusting the agent's own summary. The tools here are Cursor, Anysphere's AI code editor, plus its CLI cousins Claude Code and Codex CLI, and they all share the same failure mode: a diff that looks reasonable on its own while quietly touching a path nobody asked about.

The unsettling part is how clean drift looks in review. The output reads a little too smooth. It agrees a little too fast. It edits one file outside the brief, and that file becomes the new normal for the next run. Nobody flags it, so it ships, and the incident report later calls it foreseeable.

Read the output against a written baseline

Drift is a gap, and a gap needs two edges. If the only edge you have is the agent's output, every deviation reads like a decision the agent was right to make.

The second edge is a written scope: what the run was supposed to touch, which connectors it was allowed to call, and which rules file governed it. Put that in writing before the run, and deviation becomes visible the moment you compare.

This is why a transcript matters more than a green check. A passing test tells you the code works. The transcript tells you what the agent did to get there, and that is where drift hides.

Set up the four fixes that make drift visible

Four patterns cover the common drift sources. Each one turns an invisible deviation into something a reviewer can see.

Claude permission creep. Bash approvals turn into muscle memory, and each silent yes widens what the next session treats as normal. The fix is a supremacy clause at the top of CLAUDE.md: state which hooks win, which folders need human eyes, and where temporary overrides live. When the baseline is written, deviation stands out.

Codex replay gaps. A green Codex CLI run merges while reviewers never see the commands it ran. The fix is a replay sandwich in AGENTS.md: an intent line, the command transcript, then a diff summary, in that order. Reading the sandwich top to bottom is the drift check.

MCP blast radius. A connector touches data nobody put on the diagram, and the transcript is the only record. The fix is a connector card, one markdown card per MCP server listing allowed actions, forbidden actions, owner, and rollback. An unexpected connector firing becomes a stop signal instead of a curiosity.

Recursive handoff blur. Child agents summarize away the paths they own, so the parent reads prose while the drift lives in the diff. The fix is a child receipt block: every child returns the paths it touched, the commands it ran, and the tests proving its regression guards held.

Here is a delegation snapshot you can drop in and adapt to your repo:

---
description: Delegation boundary snapshot (adapt globs to your repo)
globs:
  - "**/*"
alwaysApply: false
---

- Cursor: keep scopes explicit in `.mdc`; forbid undeclared MCP domains.
- Claude Code: cite `CLAUDE.md` precedence before expanding bash scope.
- Codex: ensure `AGENTS.md` carries replay-friendly verification notes for CLI runs.

Run every agent PR through four gates

You do not need to read every line an agent writes. You need to read the receipts. These four questions take a couple of minutes and catch most drift before it merges.

Gate Question
Receipt match Does the PR body list scopes + verification transcript?
Rules precedence Which .mdc, SKILL.md, or CLAUDE.md governed behavior?
Connector truth Which MCP servers fired, and were they expected?
Reviewer path Can someone unfamiliar trace intent without chat replay?

If everyone, human and agent, agrees instantly, you probably forgot a constraint. Instant agreement from an agent deserves the same suspicion you would give a teammate who rubber-stamps a risky change.

Some decisions stay human no matter how clean the output reads: threat models, customer promises, and anything that changes blast radius. Keep those off autopilot.

Common questions

How do you detect agent drift before it merges? Read the output against a written baseline: the scope ledger, the connector card, and the precedence file. Drift is a gap, and a gap needs two edges. If the only edge you have is the output itself, every deviation looks like a decision the agent was entitled to make rather than something worth flagging.

What are the early signals of drift in agent output? Paths outside the stated scope, a connector firing that nobody expected, a summary that compresses the riskiest part of the work, and instant agreement with a flawed brief. Each is small on its own. Normalized together over a few runs, they become the first paragraph of an incident report.

Do we need to read every line an agent writes? No, you read the receipts. The child receipt block, the command transcript, and the diff summary compress a run into minutes of reading. Save line-by-line review for protected folders and for any run whose receipts disagree with the scope it was handed.

Which fix should a team adopt first? Start with the one matching your loudest pain. Claude bash creep points to the CLAUDE.md supremacy clause; unreviewed Codex runs point to the replay sandwich; surprise data access points to the connector card. Pick one, ship it as a real artifact, and add the next after a week of runs.

Further reading

Start with one run

Drift reading is a habit you build live, on your own agent runs, with reviewers in the room. Pick one open PR today, walk it through the four gates, and see what the receipts do not yet tell you. When you want to drill it as a team, bring it to team training.

Related training topics

Related research

Ready to start?

Transform how your team builds software.

Book a 15-minute sync