CURRENT | Foundations

Field Guide

Why Teams Keep Choosing the Wrong Web Infrastructure

By Rina Takahashi— January 22, 2026

Feature image for article: Why Teams Keep Choosing the Wrong Web Infrastructure

The production incident starts the same way: a team's web infrastructure hits scale and something fundamental breaks. Not a bug they can patch—an architectural mismatch they can't fix without rebuilding. They chose extraction tools for orchestration work, or automation frameworks for workflows that need reasoning. The system collapses because the foundation was wrong from the start.

Vendors and practitioners use three distinct technical terms as synonyms. Teams pick infrastructure based on marketing categories, discover the gap when systems fail at scale. By then they're deep in production with architecture that can't deliver what they actually need. The terminological sloppiness costs real money.

Field Guide

Why Teams Keep Choosing the Wrong Web Infrastructure

The production incident starts the same way: a team's web infrastructure hits scale and something fundamental breaks. Not a bug they can patch—an architectural mismatch they can't fix without rebuilding. They chose extraction tools for orchestration work, or automation frameworks for workflows that need reasoning. The system collapses because the foundation was wrong from the start.

Vendors and practitioners use three distinct technical terms as synonyms. Teams pick infrastructure based on marketing categories, discover the gap when systems fail at scale. By then they're deep in production with architecture that can't deliver what they actually need. The terminological sloppiness costs real money.

Rina Takahashi

Rina Takahashi, 37, former marketplace operations engineer turned enterprise AI writer. Built and maintained web-facing automations at scale for travel and e-commerce platforms. Now writes about reliable web agents, observability, and production-grade AI infrastructure at TinyFish.

Tools & Techniques

Tools in Context

When You Need to See Exactly What the Browser Saw

Authentication fails on fifteen Japanese hotel sites. Succeeds everywhere else. The logs say "session timeout"—but that's not what happened. Something about regional redirects and cookie state went wrong in a way you can't reproduce locally. Traditional debugging assumes reproducibility. Web agents at scale generate contextual events that happen once, under conditions you didn't anticipate. When failures depend on production context you can't control, you need to see exactly what the browser saw.

Tools in Context

When You Need to Understand Patterns Across 1,000 Failures

Fifteen authentication failures surface across a thousand concurrent sessions. The operational question: do these represent a systemic pattern—new bot detection, changed authentication flows—or fifteen independent issues that happen to coincide temporally? Traditional observability collects metrics and logs. Manually correlating dashboard data, looking for patterns in noise. At scale, you need infrastructure that recognizes whether failures cluster around specific conditions. Pattern recognition across chaos becomes essential when individual precision isn't enough.

Tools & Techniques

Tools in Context

When You Need to See Exactly What the Browser Saw

Authentication fails on fifteen Japanese hotel sites. Succeeds everywhere else. The logs say "session timeout"—but that's not what happened. Something about regional redirects and cookie state went wrong in a way you can't reproduce locally. Traditional debugging assumes reproducibility. Web agents at scale generate contextual events that happen once, under conditions you didn't anticipate. When failures depend on production context you can't control, you need to see exactly what the browser saw.

Tools in Context

When You Need to Understand Patterns Across 1,000 Failures

Fifteen authentication failures surface across a thousand concurrent sessions. The operational question: do these represent a systemic pattern—new bot detection, changed authentication flows—or fifteen independent issues that happen to coincide temporally? Traditional observability collects metrics and logs. Manually correlating dashboard data, looking for patterns in noise. At scale, you need infrastructure that recognizes whether failures cluster around specific conditions. Pattern recognition across chaos becomes essential when individual precision isn't enough.

Tools & Techniques

Tools in Context

When You Need to See Exactly What the Browser Saw

Authentication fails on fifteen Japanese hotel sites. Succeeds everywhere else. The logs say "session timeout"—but that's not what happened. Something about regional redirects and cookie state went wrong in a way you can't reproduce locally. Traditional debugging assumes reproducibility. Web agents at scale generate contextual events that happen once, under conditions you didn't anticipate. When failures depend on production context you can't control, you need to see exactly what the browser saw.

Tools in Context

When You Need to Understand Patterns Across 1,000 Failures

Fifteen authentication failures surface across a thousand concurrent sessions. The operational question: do these represent a systemic pattern—new bot detection, changed authentication flows—or fifteen independent issues that happen to coincide temporally? Traditional observability collects metrics and logs. Manually correlating dashboard data, looking for patterns in noise. At scale, you need infrastructure that recognizes whether failures cluster around specific conditions. Pattern recognition across chaos becomes essential when individual precision isn't enough.

In Dialogue With Complexity

An Interview With The GDPR Exemption That Never Exempts Anyone

In Dialogue With Complexity

An Interview With The GDPR Exemption That Never Exempts Anyone

Pattern Recognition

Agents Break Authorization's Core Assumption

Four security vendors shipped agent identity solutions this month. CrowdStrike bought SGNL. Microsoft released Entra Agent ID. Qualys and Exabeam launched competing products. They're racing to solve the same problem.

Traditional authorization assumes users request resources directly. Agents break that model. When a marketing employee asks an agent to analyze customer data, the agent executes using its own permissions. The employee gets information they couldn't access directly. No misconfiguration. No policy violation. The authorization system just can't see the real requester.

Audit trails show agent activity, not who made the request. Permission boundaries dissolve when agents act as intermediaries.

Pattern Recognition

Agents Break Authorization's Core Assumption

Four security vendors shipped agent identity solutions this month. CrowdStrike bought SGNL. Microsoft released Entra Agent ID. Qualys and Exabeam launched competing products. They're racing to solve the same problem.

Traditional authorization assumes users request resources directly. Agents break that model. When a marketing employee asks an agent to analyze customer data, the agent executes using its own permissions. The employee gets information they couldn't access directly. No misconfiguration. No policy violation. The authorization system just can't see the real requester.

Audit trails show agent activity, not who made the request. Permission boundaries dissolve when agents act as intermediaries.

IN SUMMARY

Pattern observed:

Every major IAM vendor shipped agent-specific controls in January because traditional role-based access can't attribute actions when agents mediate requests between users and resources.

Evidence surfacing:

NIST opened an RFI on agent security through March, while system prompt extraction became Q4's dominant attack vector, exposing role definitions for privilege escalation.

Scale revealing:

Gartner projects 40% of enterprise apps will integrate agents by year-end, up from under 5% last year, making this an infrastructure-wide authorization crisis.

Lesson learned:

Authorization models designed for direct user-resource access fail when intermediaries execute actions, requiring new primitives that track intent chains, not just execution identity.

Building approach:

Implement request attribution that logs both the agent identity and originating user context, treating agent actions as delegated authority requiring dual verification at policy enforcement.

Questions Worth Asking

Building an AI agent feels straightforward until production arrives. Your agent meets real users, real data, real constraints. Things start breaking in ways demos never revealed.

We've learned that the questions you ask before deployment predict whether you'll scale successfully or spend months debugging surprises. These aren't theoretical concerns. They're the specific gaps between "works on my machine" and "handles production traffic reliably."

The questions below cut through marketing to what actually matters at scale. They're what we ask ourselves when evaluating options, born from watching patterns of what works and what fails.

Questions Worth Asking

Building an AI agent feels straightforward until production arrives. Your agent meets real users, real data, real constraints. Things start breaking in ways demos never revealed.

We've learned that the questions you ask before deployment predict whether you'll scale successfully or spend months debugging surprises. These aren't theoretical concerns. They're the specific gaps between "works on my machine" and "handles production traffic reliably."

The questions below cut through marketing to what actually matters at scale. They're what we ask ourselves when evaluating options, born from watching patterns of what works and what fails.

Processing Time

What's Your P95 Latency?

Five seconds versus forty-five seconds per request. That gap determines whether you meet SLAs or create backlogs. Demos show median performance. Production runs on your worst-case latency under load. That's what breaks customer experience and operational capacity.

Output Consistency

Does It Give Different Answers?

Run the same query three times. High variance means brittleness. Your agent is overly sensitive to minor prompt variations. Production systems need predictable behavior. If answers drift across identical inputs, you have a reliability problem before you scale.

Cost Visibility

Can You Track Per-Request Costs?

LLM calls, vector storage, cloud compute. It adds up fast at scale. If you can't measure cost per interaction now, you won't catch runaway expenses until they've already happened. Cost-blind optimization leads to bloated infrastructure nobody budgeted for.

External Dependencies

What Happens When APIs Fail?

External tools introduce latency and failure modes you don't control. When a third-party API times out or returns errors, does your agent degrade gracefully, retry intelligently, or cascade failures? Tool dependencies require evaluating reliability alongside functionality.

Performance Drift

How Will You Detect Degradation?

Roughly 91% of ML models degrade over time. Seasonal behavior shifts, data distribution changes, environmental factors. Performance erodes silently. Without continuous monitoring and drift detection, you discover problems only after users complain or business metrics drop.

Evaluation Validity

Does Your LLM Judge Match Humans?

Automated evaluation scales beautifully but only if it correlates with human judgment. Teams optimize for LLM-as-judge scores without validating them against real user assessment. Then production performance disappoints. Human evaluation is slow and expensive. It's also the gold standard.