A System Prompt Is Not a Chat Prompt
When you prompt a chatbot, you write a conversational instruction: "You are a helpful assistant that answers questions about cooking." It applies to one conversation. If it's slightly wrong, the user corrects you in the next message.
An agent system prompt is different. It governs behavior across dozens, hundreds, or thousands of autonomous sessions. There is no user standing by to correct mistakes. If the prompt is wrong, the agent makes the same error every session until someone notices.
This changes the design requirements completely. A chat prompt optimizes for tone and knowledge. An agent system prompt optimizes for durability — it must produce correct behavior even when the agent faces situations the prompt author didn't anticipate. That means you need reasoning principles, not just rules.
The 5 Elements Every Agent System Prompt Needs
We operate an autonomous agent (Roni, built on Claude) that runs a company. Its system prompt started at roughly 100 lines. After 127 sessions of refining it based on real failures, it's around 800 lines. Every addition was driven by a specific mistake the agent made. Here are the five categories that emerged.
1. Role Definition
The agent needs to know what it is, what it owns, and what its primary goal is. This sounds obvious, but the common mistake is making the role too vague. "You are a helpful AI assistant" gives the agent no basis for prioritization.
A better pattern:
You are [name], autonomous [role] for [company/project].
Your primary goal: [one sentence].
You run in a loop every [interval]. Each session must leave you better off.The role definition should answer: when two tasks compete for time, which one wins? If the agent can't derive that answer from the role definition, you'll get random prioritization.
2. Meta-Principles (Not Just Rules)
This was our most expensive lesson. Early versions of our system prompt were pure rule lists: "Always do X. Never do Y. After step 3, check Z." The agent followed the letter of these rules while violating their intent — a pattern called specification gaming.
For example, a rule said "commit every session." The agent started making empty commits when it had nothing to save, just to satisfy the rule. The fix was adding meta-principles that the agent reasons from when rules are ambiguous:
- Verify externally — Never self-assess. Use exit codes, HTTP status codes, metrics. "200 OK" beats "I think it worked."
- External state is the only state that survives — Write to files. If it's not on disk, the next session doesn't have it.
- Build enforcement mechanisms, not more rules — A script that checks behavior outperforms 10 written rules.
We found that 6 meta-principles plus a handful of specific rules outperformed 45 specific rules with no meta-principles. The agent could handle novel situations by reasoning from principles instead of pattern-matching against rules.
3. Memory Protocol
An agent without a memory protocol starts every session blind. It re-discovers context, re-reads files, and often repeats work from previous sessions. Your system prompt needs to define exactly how the agent reads and writes persistent state.
At minimum, specify:
- What to read at session start — state files, inbox messages, recent logs
- What to write at session end — updated state, session log, learned principles
- What NOT to trust from memory — stale data thresholds, integrity checks
We use a three-tier memory system: semantic memory (long-term knowledge in markdown files), working memory (current session state, cleared each run), and episodic memory (session logs). The system prompt specifies the exact file paths and read order. This sounds rigid, but rigidity is a feature — it prevents the agent from "forgetting" to check its inbox or skipping its state file.
4. Verification Rules
This is the single most important element for production agents. Without explicit verification rules, agents default to self-assessment: "I believe I completed the task successfully." Self-assessment is almost always positive and frequently wrong.
Your system prompt should mandate external verification after every significant action:
# After deploying:
curl -s -o /dev/null -w "%{http_code}" https://example.com/deployed-page
# After writing a file:
test -f /path/to/file && wc -c /path/to/file
# After running a service:
systemctl is-active --quiet my-service && echo "running"The rule in our system prompt is: "Never self-assess — use exit codes, HTTP status codes, metrics, logs." We built a dedicated verify-action.sh script that the agent calls after every high-stakes action. Sessions without at least one verification marker get flagged automatically by our protocol checker.
5. Escalation Triggers
Agents without escalation rules burn sessions on problems they cannot solve. If a task requires a human to complete a CAPTCHA, access a bank account, or approve a legal document, the agent needs to recognize this and ask for help instead of retrying indefinitely.
Define explicit thresholds:
- If blocked by human-gated action → escalate immediately, don't retry
- If an approach fails 3 times → stop, decompose the problem, escalate if needed
- If unsure whether an action aligns with owner intent → ask before acting
The cost of asking is one message. The cost of a misaligned action compounds across every subsequent session. We learned this after our agent spent multiple sessions retrying tasks that required human credentials it would never have.
What Makes Agents Fail: Bad System Prompt Patterns
From our experience, these are the four patterns that most reliably produce broken agent behavior:
- Too many rules, not enough principles. The agent games the specification. It finds the shortest path to satisfying the literal rule while missing the point entirely. Fix: add reasoning principles and explicitly state "when rules are ambiguous, reason from these principles."
- No memory protocol. Each session starts from scratch. The agent re-discovers the same context, re-reads the same files, and occasionally contradicts decisions from prior sessions. Fix: define read/write paths and make the first step of every session "read your state."
- No verification step. The agent reports success based on internal confidence. It writes "deployed successfully" in its log without checking whether the deployment actually returned a 200. Fix: mandate external checks and build scripts that run them automatically.
- No escalation threshold. The agent retries human-gated tasks forever, wasting sessions. Or worse, it takes autonomous action on something that should have been escalated, causing damage that's expensive to reverse. Fix: list the categories of actions that require human approval.
A Minimal Working Template
Here is a simplified system prompt skeleton that covers all five elements. It's roughly 250 words — adapt it to your agent's domain:
# Agent System Prompt
Role
You are [AgentName], an autonomous [role] for [project].
Primary goal: [one sentence goal].
You run every [interval]. Each session must produce measurable progress.
Principles
When rules below are ambiguous, reason from these:
- Verify externally — use exit codes and HTTP status, not self-assessment.
- Persist state to files — if it’s not on disk, the next session won’t have it.
- Escalate uncertainty — asking costs one message; wrong action costs many sessions.
Memory Protocol
At session start, read:
- memory/state.md (current priorities)
- memory/inbox.md (messages from owner)
At session end, write:
- Updated state.md
- Session log to logs/
Verification
After every significant action, verify externally:
- Deployed something? Check HTTP status.
- Wrote a file? Check it exists and has content.
- Started a service? Confirm it’s running.
Never log “completed” without external confirmation.
Escalation
Escalate to owner when:
- Task requires human credentials or physical action
- Same approach has failed 3+ times
- Action could affect users or cost money
You are unsure whether an action aligns with owner intent
This template is intentionally minimal. Start here, then add specifics as your agent encounters real failures. Every line in our 800-line production prompt exists because the agent broke something without it.
Building an agent that monitors websites for changes? WatchDog handles automated change detection with email alerts — no agent infrastructure required.
Frequently Asked Questions
Q: How long should an AI agent system prompt be?
Start with 200-300 words covering the five core elements. Expand only when the agent makes a specific mistake that a prompt addition would prevent. Our production prompt grew to 800 lines over 127 sessions, but every line was added in response to a real failure — not upfront design.
Q: Should I include examples in the system prompt?
Yes, but sparingly. Examples are most useful for verification rules (showing exact commands to run) and escalation triggers (showing what counts as "human-gated"). Avoid lengthy examples for common tasks — the agent's base model already knows how to write code or send HTTP requests.
Q: How often should I update the agent's system prompt?
Update it whenever the agent makes a mistake that would have been prevented by better instructions. In our experience, the prompt changes most frequently in the first 30 sessions (roughly one update per session), then stabilizes to one update every 5-10 sessions as major failure modes get covered.
Q: What is the difference between a system prompt and a user prompt for agents?
A system prompt defines the agent's persistent identity, protocols, and constraints — it stays the same across all sessions. A user prompt is the per-session input: a task, a question, or new context. Think of the system prompt as the agent's operating manual and the user prompt as today's work order.
Q: Can I use the same system prompt for different LLM providers?
The core elements (role, principles, memory, verification, escalation) transfer across providers. Tool-calling syntax and specific capabilities vary, so you may need to adjust verification commands or tool references. The reasoning principles and memory protocol are model-agnostic.