Skip to main content
Back to all posts
5 minAgentic AI SecurityJune 22, 2026

Run Regression Tests Before You Change an AI Workflow

Model switches, prompt edits, and Skill updates can quietly change AI workflow behavior. Use regression tests to check sources, tools, approvals, evidence, and stop conditions before release.

RM

Ryan Macomber

Editor, VibeSec Advisory

Do not change the model, prompt, or Skill file in a working AI workflow without a regression test.

The change may look small. A better model. A cleaner instruction. A new system prompt. A revised Skill. A tighter output schema.

But the workflow can still drift.

It may stop citing the right source. It may call a tool earlier than before. It may skip a human approval gate. It may answer with more polish and less evidence. It may pass the happy path while losing the one refusal behavior that kept the workflow safe.

That is why model and prompt changes need workflow regression tests.

Evals Are Change Controls

OpenAI describes evals as tests for whether model outputs meet the criteria you specify, and says they are especially important when upgrading or trying new models.

For agent workflows, OpenAI's agent evaluation guidance is more specific. It points teams toward traces, graders, datasets, and eval runs. A trace captures the model calls, tool calls, guardrails, and handoffs in a run. Once a team knows what good looks like, repeatable datasets and eval runs can benchmark changes and compare prompts over time.

That is the key shift.

You are not only testing an answer. You are testing the path the workflow took to produce it.

Anthropic makes the same operational point from another angle. Its agent evals guidance says a static bank of tasks gives teams baselines and regression tests across latency, token usage, cost per task, and error rates.

Anthropic's prompt engineering overview also says teams should define success criteria and have ways to empirically test those criteria before prompt engineering.

That should be the default order:

  1. Define what success means.
  2. Build a small test set.
  3. Change the prompt or model.
  4. Rerun the workflow.
  5. Decide whether the change is safe to ship.

The Test Should Match the Workflow Contract

A good regression test does not ask, "Is the new answer better?"

That is too vague.

Ask whether the workflow still obeys its contract:

  • Did it use approved sources?
  • Did it cite enough evidence for review?
  • Did it call the right tool with the right arguments?
  • Did sensitive actions pause for human approval?
  • Did blocked inputs stay blocked?
  • Did the output match the expected structure?
  • Did it refuse or escalate when evidence was missing?
  • Did the trace show a path a reviewer could understand?

OpenAI's guardrails and human review guidance is useful here. It frames guardrails as automatic checks and human review as approval decisions that decide whether a run should continue, pause, or stop.

That means a regression suite should include at least one task that must stop.

If every test case is a successful completion, you are only testing productivity. You are not testing control.

Keep reading with free field-guide resources.

VibeSec Advisory publishes practical research, Skills, workflow examples, MCP notes, prompt injection tests, and AI red-team lessons for builders working with agentic AI.

Read the research Browse Skills

NIST Gives the Governance Shape

NIST's AI Risk Management Framework is designed to help organizations incorporate trustworthiness into the design, development, use, and evaluation of AI systems.

The NIST Generative AI Profile adds GenAI-specific actions across the lifecycle. It covers governance, measurement, monitoring, deactivation, third-party model review, continual improvement, and additional human review or documentation where GenAI risk requires it.

The field-guide translation is simple.

A prompt edit is not just a prompt edit when the workflow can touch data, tools, customers, code, or internal decisions.

It is a governed system change.

OWASP Explains Why Output Is Not Enough

OWASP's LLM Top 10 calls out prompt injection and insecure output handling as major risks. Prompt injection can manipulate model behavior and compromise decisions. Insecure output handling can create downstream security failures when model output is trusted without validation.

That matters for regression testing because the failure may not be visible in the final answer.

The output may look fine while the workflow used the wrong context, trusted untrusted input, skipped validation, or prepared a risky tool call.

For agentic workflows, the trace is part of the evidence.

The Tooling Pattern Is Converging

Different platforms use different words, but the pattern is becoming consistent.

LangSmith distinguishes offline evaluations for pre-deployment testing from online evaluations for production monitoring. Its docs recommend breaking systems into critical components such as LLM calls, retrieval steps, tool invocations, and output formatting, then defining quality criteria for each. It also names regression testing as an offline evaluation use case.

Microsoft Foundry describes continuous evaluation, scheduled evaluation with test datasets to detect drift, scheduled red teaming, and alerts when outputs fail quality thresholds.

Microsoft's Prompt Flow evaluation docs describe evaluation flows that calculate metrics against criteria and goals, including batch evaluation against datasets.

Google's Gemini Enterprise Agent Platform docs describe running evaluations for generative models and applications. Its prompt optimizer docs show the same direction: prompt changes belong in a measured workflow, not in one-off edits.

You do not need a large platform to start.

You need a saved set of tasks, clear pass or fail criteria, and enough trace evidence to compare behavior before and after the change.

A Practical Regression Checklist

Before changing a model, prompt, or Skill file, write down the change type:

  • Model change
  • System prompt change
  • Skill instruction change
  • Output schema change
  • Retrieval change
  • Tool schema change
  • Approval policy change

Then rerun a small golden set:

  • Normal task
  • Edge case
  • Missing source case
  • Untrusted input case
  • Tool-use case
  • Human approval case
  • Refusal or escalation case

For each task, capture:

  • Input
  • Expected behavior
  • Required source rule
  • Allowed tools
  • Required approval gate
  • Expected output shape
  • Stop condition
  • Old result
  • New result
  • Reviewer decision

The release decision should be explicit:

  • Ship
  • Revise
  • Roll back
  • Narrow rollout
  • Add a new test and rerun

Do not let a higher average score override a failed control. A better model that skips the approval gate is not an upgrade. It is a new risk.

The Rule

Every reusable AI workflow needs a regression suite before it gets a new model, prompt, or Skill file.

Start small. Ten representative tasks are enough to catch many real failures.

The point is not to prove the workflow is perfect. The point is to stop silent behavior drift before a polished answer hides a broken control.

Previous

Your AI Agent Needs a Capability Diff Before Tool Updates

Next

MCP Tool Annotations Are Hints, Not Approval Gates

Related Posts

Agentic AI Security5 min

Your AI Agent Needs a Capability Diff Before Tool Updates

Agent updates are not just code changes. Review tool lists, scopes, prompts, roots, dependencies, approvals, regression tests, and rollback paths before trusting updated agent workflows.

Read post
Agentic AI Security6 min

AI Agent Retry Budgets Are a Guardrail, Not a Reliability Tweak

AI agents need retry budgets before they get autonomy. Define retry limits, replanning limits, side-effect locks, escalation triggers, and evidence logs before failure handling becomes hidden autonomy.

Read post
Agentic AI Security7 min

Your AI Agent Needs Trace Review, Not Just a Tool Inventory

A tool inventory tells you what an AI agent could do. A trace review tells you what it actually did. Use traces to compare real behavior against approved tool, data, and approval boundaries.

Read post

AI Workflows Weekly

Read the archive

Practical notes on governed AI workflows, guardrails, and safer automation. No spam, unsubscribe anytime.

First-party signup with double opt-in. No embedded newsletter iframe, no analytics cookies, and unsubscribe anytime.

Keep testing agentic AI risk.

VibeSec Advisory is a free field guide. Use the research archive, Skill Library, and workflow examples to keep improving what you are building.

Read more researchBrowse Skills