Agent drift: how to read coding agent output
How to spot agent drift in coding output: the reading habits, receipts, and scope checks that catch it before the merge.

Agent drift is the gap that grows between what you asked a coding agent to do and what its output actually does. You catch it by reading the output against a written scope, not by trusting the agent's own summary. The tools here are Cursor, Anysphere's AI code editor, plus its CLI cousins Claude Code and Codex CLI, and they all share the same failure mode: a diff that looks reasonable on its own while quietly touching a path nobody asked about.
The unsettling part is how clean drift looks in review. The output reads a little too smooth. It agrees a little too fast. It edits one file outside the brief, and that file becomes the new normal for the next run. Nobody flags it, so it ships, and the incident report later calls it foreseeable.
Read the output against a written baseline
Drift is a gap, and a gap needs two edges. If the only edge you have is the agent's output, every deviation reads like a decision the agent was right to make.
The second edge is a written scope: what the run was supposed to touch, which connectors it was allowed to call, and which rules file governed it. Put that in writing before the run, and deviation becomes visible the moment you compare.
This is why a transcript matters more than a green check. A passing test tells you the code works. The transcript tells you what the agent did to get there, and that is where drift hides.
Set up the four fixes that make drift visible
Four patterns cover the common drift sources. Each one turns an invisible deviation into something a reviewer can see.
Claude permission creep. Bash approvals turn into muscle memory, and each silent yes widens what the next session treats as normal. The fix is a supremacy clause at the top of CLAUDE.md: state which hooks win, which folders need human eyes, and where temporary overrides live. When the baseline is written, deviation stands out.
Codex replay gaps. A green Codex CLI run merges while reviewers never see the commands it ran. The fix is a replay sandwich in AGENTS.md: an intent line, the command transcript, then a diff summary, in that order. Reading the sandwich top to bottom is the drift check.
MCP blast radius. A connector touches data nobody put on the diagram, and the transcript is the only record. The fix is a connector card, one markdown card per MCP server listing allowed actions, forbidden actions, owner, and rollback. An unexpected connector firing becomes a stop signal instead of a curiosity.
Recursive handoff blur. Child agents summarize away the paths they own, so the parent reads prose while the drift lives in the diff. The fix is a child receipt block: every child returns the paths it touched, the commands it ran, and the tests proving its regression guards held.
Here is a delegation snapshot you can drop in and adapt to your repo:
---
description: Delegation boundary snapshot (adapt globs to your repo)
globs:
- "**/*"
alwaysApply: false
---
- Cursor: keep scopes explicit in `.mdc`; forbid undeclared MCP domains.
- Claude Code: cite `CLAUDE.md` precedence before expanding bash scope.
- Codex: ensure `AGENTS.md` carries replay-friendly verification notes for CLI runs.
Run every agent PR through four gates
You do not need to read every line an agent writes. You need to read the receipts. These four questions take a couple of minutes and catch most drift before it merges.
| Gate | Question |
|---|---|
| Receipt match | Does the PR body list scopes + verification transcript? |
| Rules precedence | Which .mdc, SKILL.md, or CLAUDE.md governed behavior? |
| Connector truth | Which MCP servers fired, and were they expected? |
| Reviewer path | Can someone unfamiliar trace intent without chat replay? |
If everyone, human and agent, agrees instantly, you probably forgot a constraint. Instant agreement from an agent deserves the same suspicion you would give a teammate who rubber-stamps a risky change.
Some decisions stay human no matter how clean the output reads: threat models, customer promises, and anything that changes blast radius. Keep those off autopilot.
Common questions
How do you detect agent drift before it merges? Read the output against a written baseline: the scope ledger, the connector card, and the precedence file. Drift is a gap, and a gap needs two edges. If the only edge you have is the output itself, every deviation looks like a decision the agent was entitled to make rather than something worth flagging.
What are the early signals of drift in agent output? Paths outside the stated scope, a connector firing that nobody expected, a summary that compresses the riskiest part of the work, and instant agreement with a flawed brief. Each is small on its own. Normalized together over a few runs, they become the first paragraph of an incident report.
Do we need to read every line an agent writes? No, you read the receipts. The child receipt block, the command transcript, and the diff summary compress a run into minutes of reading. Save line-by-line review for protected folders and for any run whose receipts disagree with the scope it was handed.
Which fix should a team adopt first? Start with the one matching your loudest pain. Claude bash creep points to the CLAUDE.md supremacy clause; unreviewed Codex runs point to the replay sandwich; surprise data access points to the connector card. Pick one, ship it as a real artifact, and add the next after a week of runs.
Further reading
- Claude Code docs: getting started
- OpenAI Developers: Codex quickstart
- OWASP Top 10 for Large Language Model Applications
- NIST AI Risk Management Framework
- Google Search Central: helpful, people-first content
- OpenAI Skills repository
Start with one run
Drift reading is a habit you build live, on your own agent runs, with reviewers in the room. Pick one open PR today, walk it through the four gates, and see what the receipts do not yet tell you. When you want to drill it as a team, bring it to team training.
Related training topics
Related research

Coding plans that lower agent cost
A field guide to coding plans that lower agent cost: scope ledgers, decision stubs, and replay receipts that cut rework, not corners.

Codex workspace agents need repo rules
Codex workspace agents and Cursor cloud agents need repo rules: scoped boundary files, connector cards, and replay receipts reviewers can check.

Agentic coding governance for engineering teams
Agentic coding governance for engineering teams: the written contracts, decision stubs, scope ledgers, and replay receipts, that keep agent diffs explainable.