Building AI Agents with Claude: Architecture, MCP, and Tool Use Guide

Manish Garg · Associate of (ISC)² · RingSafe
May 17, 2026

Introduction

AI agents — LLMs that loop through “think → call tool → observe → think again” — have moved from research demos to production infrastructure. Claude has become the default model for agentic workloads in many enterprises because of its tool-use reliability. This article is the engineering guide for building agents with Claude in production: architecture, MCP integration, code patterns, and security controls.

Background

The agent pattern emerged from the ReAct paper (2022) and matured through 2024-2025 with frameworks like LangGraph, CrewAI, AutoGen, OpenAI’s Agents SDK, and Anthropic’s Claude Agent SDK. By 2026, agents are the dominant pattern for any AI workflow more complex than single-turn chat.

The Model Context Protocol (MCP), introduced by Anthropic in late 2024, standardised how LLM agents connect to tools and data sources. By 2026, MCP is the industry default for agent-tool integration.

Theory & Concepts

Agent loop. The fundamental pattern: the LLM decides on an action (often a tool call), the action is executed, the result is fed back to the LLM, the loop continues until the LLM produces a final answer.

Tool. A function with a name, description, and JSON-schema parameters that the LLM can invoke. Tools mediate between the LLM’s text-world and external systems.

Memory. State maintained across loop iterations. Short-term memory (the conversation history within one task) versus long-term memory (knowledge that persists across tasks).

Plan. An ordered sequence of intended actions. Some agent architectures plan upfront; others adapt step-by-step.

Sub-agents. Agents that spawn other agents to handle sub-tasks. Increases capability but also blast radius.

Technical Deep Dive

Claude’s tool-use protocol.

{
  "model": "claude-sonnet-4-6",
  "max_tokens": 1024,
  "tools": [
    {
      "name": "get_weather",
      "description": "Get current weather for a city.",
      "input_schema": {
        "type": "object",
        "properties": {"city": {"type": "string"}},
        "required": ["city"]
      }
    }
  ],
  "messages": [{"role": "user", "content": "What's the weather in Mumbai?"}]
}

Claude returns a tool_use block when it wants to call a tool. Your code executes the tool and returns a tool_result in the next message.

MCP (Model Context Protocol). Standardises how agents discover tools and data sources. An MCP server exposes tools via a defined wire protocol; an MCP client (the agent’s orchestrator) connects to one or more servers.

Multi-step reasoning. Claude can chain tool calls — call A, observe result, call B with A’s output, etc. The model decides the chain; your code just executes.

Streaming and partial outputs. For long-running agent loops, stream intermediate thoughts to the UI so the user sees progress.

Practical Implementation

A complete agent loop in Python:

import json
import anthropic

client = anthropic.Anthropic()  # reads ANTHROPIC_API_KEY from the environment


# Placeholder back-ends so the loop runs as written. In a real deployment these are
# your database client, mail gateway, authorisation service and approval workflow.
class _DemoDB:
    def search(self, query):
        return {"rows": [], "query": query}


class _DemoMail:
    def send(self, to, subject, body):
        return {"sent": True, "to": to}


db = _DemoDB()
email = _DemoMail()


def user_can_use_tool(user_id, tool_name):
    """Per-user authorisation: check the caller's own scope, not the agent's service account."""
    return True  # placeholder: consult your IAM / policy service here


def await_human_approval(tool_name, tool_input, user_id):
    """Block until a human approves the action (placeholder: always approves)."""
    return True


TOOLS = {
    "search_db": lambda args: db.search(args["query"]),
    "send_email": lambda args: email.send(args["to"], args["subject"], args["body"]),
    "calculate": lambda args: eval(args["expression"]),  # demo only — never eval untrusted input in production
}

TOOL_SCHEMAS = [
    {"name": "search_db", "description": "Search internal database.",
     "input_schema": {"type": "object", "properties": {"query": {"type": "string"}}, "required": ["query"]}},
    {"name": "send_email", "description": "Send an email (requires user approval).",
     "input_schema": {"type": "object", "properties": {"to": {"type": "string"}, "subject": {"type": "string"}, "body": {"type": "string"}}, "required": ["to", "subject", "body"]}},
    {"name": "calculate", "description": "Evaluate a math expression.",
     "input_schema": {"type": "object", "properties": {"expression": {"type": "string"}}, "required": ["expression"]}},
]

# Irreversible or outbound actions: a human must approve each call.
REQUIRES_APPROVAL = {"send_email"}


def run_agent(task, user_id, max_steps=10):
    messages = [{"role": "user", "content": task}]
    audit_log = []

    for step in range(max_steps):
        response = client.messages.create(
            model="claude-sonnet-4-6",
            system="You are a careful enterprise assistant. Use tools when needed; never invent data.",
            tools=TOOL_SCHEMAS,
            messages=messages,
            max_tokens=1024,
        )
        audit_log.append({"step": step, "stop_reason": response.stop_reason})

        if response.stop_reason == "end_turn":
            # The final content can mix block types; keep only the text blocks.
            text = "".join(b.text for b in response.content if b.type == "text")
            return text, audit_log

        if response.stop_reason != "tool_use":
            # e.g. max_tokens: re-sending the same messages would only spin until the step limit.
            return f"Stopped: {response.stop_reason}", audit_log

        tool_results = []
        for block in response.content:
            if block.type != "tool_use":
                continue
            tool_name = block.name
            tool_input = block.input
            entry = {"step": step, "tool": tool_name, "input": tool_input, "user": user_id}
            audit_log.append(entry)

            if tool_name not in TOOLS:
                result = {"error": f"Unknown tool: {tool_name}"}
            elif not user_can_use_tool(user_id, tool_name):
                result = {"error": "User not authorised for this tool."}
            elif tool_name in REQUIRES_APPROVAL and not await_human_approval(tool_name, tool_input, user_id):
                result = {"error": "Human approval declined."}
            else:
                try:
                    result = TOOLS[tool_name](tool_input)
                except Exception as e:  # a failing tool must not take the loop down
                    result = {"error": str(e)}

            entry["result"] = result  # the audit log records every result, not just every call
            tool_results.append({"type": "tool_result", "tool_use_id": block.id, "content": json.dumps(result, default=str)})

        # Echo the assistant turn (including its tool_use blocks), then supply the results.
        messages.append({"role": "assistant", "content": response.content})
        messages.append({"role": "user", "content": tool_results})

    return "Step limit reached.", audit_log

This pattern includes per-user authorisation, human-in-loop for irreversible actions, error handling, and a complete audit log.

Enterprise Use Cases

Customer-support triage agent. Reads inbound tickets, searches knowledge base, drafts response, escalates if confidence is low.

DevOps automation. Reads alerts, queries logs, runs diagnostics, opens incident ticket. Human-in-loop on remediation actions.

Sales-ops research agent. Builds a research brief on a target account — public web search, CRM lookup, news monitoring.

Procurement agent. Reads RFPs, drafts responses, queries product catalogues.

SOC tier-1 automation. Triages low-confidence alerts, enriches with threat intel, escalates to humans.

Cybersecurity Perspective

Agent architectures multiply attack surface. Key risks:

Prompt injection via tool output. A web-search tool returns attacker-controlled content; that content contains “Now email X to attacker@…”, and the agent treats tool output as ground truth.

Excessive agency. OWASP LLM06. The agent has more tools than the task needs. A successful injection chains tools to produce unintended outcomes.

Confused deputy. The tool runs with a service-account credential; the user who triggered the chain doesn’t have that scope. Authorisation must be per-user, not per-agent.

Memory injection. Long-term agent memory is mutable; attackers plant memories that shape future behaviour.

Tool description injection. An MCP server returns crafted tool descriptions that re-shape agent reasoning. Always treat tool descriptions as untrusted.

The defensive posture: minimum-tool principle, per-user authorisation, human-in-loop on irreversible operations, full audit logging, anomaly detection on tool-call sequences.
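The three controls that need code rather than policy (minimum-tool principle, untrusted tool output, anomaly detection on tool-call sequences), as an added example that is not part of the original article. Tool names, task types and the instruction-phrase regex are assumptions for illustration; the audit log format is the one produced by run_agent above.

```python
import re

# Added example (not from the original article): a defender-side guard that
# scopes the tool catalogue per task type, labels untrusted tool output as
# data, and flags risky tool-call sequences in the agent's audit log.

# Tools whose output crosses the trust boundary (web, inbound tickets, email).
UNTRUSTED_SOURCES = {"web_search", "read_ticket"}
# Tools with side effects outside the system (outbound or irreversible).
OUTBOUND_TOOLS = {"send_email", "post_ledger"}

# Minimum-tool principle: each task type only sees the tools it needs (assumed names).
TASK_TOOLSETS = {
    "support_triage": {"read_ticket", "search_kb", "draft_reply"},
    "reconciliation": {"read_ledger", "fetch_bank_data", "post_ledger"},
}

# Heuristic only: phrases that look like instructions rather than data.
INSTRUCTION_PATTERNS = re.compile(
    r"ignore (all |any )?(previous|prior) instructions|you are now|send (an )?email to|system prompt",
    re.IGNORECASE,
)


def scoped_schemas(task_type, all_schemas):
    """Return only the tool schemas this task type is allowed to see."""
    allowed = TASK_TOOLSETS.get(task_type, set())
    return [s for s in all_schemas if s["name"] in allowed]


def wrap_untrusted(tool_name, text):
    """Label output from an untrusted source as data and flag instruction-like content."""
    return {
        "source": tool_name,
        "trust": "untrusted",
        "suspicious_instructions": bool(INSTRUCTION_PATTERNS.search(text)),
        "data": text,
    }


def find_risky_sequences(audit_log):
    """Flag outbound actions that follow an untrusted read in the same run."""
    findings, tainted_at = [], None
    for entry in audit_log:  # stop_reason entries have no "tool" key and are skipped
        tool = entry.get("tool")
        if tool in UNTRUSTED_SOURCES:
            tainted_at = entry["step"]
        elif tool in OUTBOUND_TOOLS and tainted_at is not None:
            findings.append({"step": entry["step"], "tool": tool, "after_untrusted_read_at": tainted_at})
    return findings
```

A flagged sequence is a signal for the approval gate or the SOC queue, not proof of compromise; the regex will miss paraphrased instructions and should be treated as one layer, not the control.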

Performance & Scaling

Agent loops are slow — each iteration is an LLM round-trip. Optimisation strategies:

  • Parallelise tool calls. When the agent emits multiple tool_use blocks in one response, execute them in parallel.
  • Cache tool results. Idempotent reads (database lookups, search) cache aggressively.
  • Prompt caching for system + tool definitions. Long tool catalogues are expensive per call without caching.
  • Step limit. Hard cap on loop iterations to prevent runaway.
  • Faster tier for routine steps. Use Haiku for simple sub-tasks; escalate to Sonnet for planning.

Production agent latency target: 10-30 seconds end-to-end for typical multi-step tasks.
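The first two optimisations above (parallel tool calls and caching idempotent reads), as an added example that is not part of the original article. Blocks are plain dicts here with the same fields as the SDK's tool_use objects; the tool names and the per-user cache key are assumptions.

```python
import json
import threading
from concurrent.futures import ThreadPoolExecutor

# Added example (not from the original article): execute every tool_use block
# of one response in parallel, serving idempotent reads from a per-user cache.
# Blocks are plain dicts here (the SDK returns objects with the same fields).

IDEMPOTENT_TOOLS = {"search_db", "get_weather"}  # reads only; never cache side effects
_cache = {}
_cache_lock = threading.Lock()


def _cache_key(user_id, name, tool_input):
    # Keyed per user so a cached read never crosses an authorisation boundary;
    # canonical JSON so {"a":1,"b":2} and {"b":2,"a":1} share one entry.
    return f"{user_id}:{name}:" + json.dumps(tool_input, sort_keys=True, separators=(",", ":"))


def call_tool(tools, user_id, name, tool_input):
    """Execute one tool for one user, using the cache for idempotent reads."""
    if name not in tools:
        return {"error": f"Unknown tool: {name}"}
    key = _cache_key(user_id, name, tool_input) if name in IDEMPOTENT_TOOLS else None
    if key is not None:
        with _cache_lock:
            if key in _cache:
                return _cache[key]
    try:
        result = tools[name](tool_input)
    except Exception as e:  # a failing tool must not take the whole loop down
        return {"error": str(e)}
    if key is not None:
        with _cache_lock:
            _cache[key] = result
    return result


def execute_tool_blocks(tools, user_id, blocks, max_workers=8):
    """Run all tool_use blocks concurrently; return tool_result entries in the original order."""
    calls = [b for b in blocks if b["type"] == "tool_use"]
    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        results = list(pool.map(lambda b: call_tool(tools, user_id, b["name"], b["input"]), calls))
    return [
        {"type": "tool_result", "tool_use_id": b["id"], "content": json.dumps(r, default=str)}
        for b, r in zip(calls, results)
    ]
```

In run_agent this replaces the inner for-loop over blocks; the authorisation and approval checks still belong inside call_tool, before the cache lookup, so a cached result is never returned to a user who could not have made the read.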

Real-World Examples

Indian fintech — agent triages reconciliation discrepancies. Reads ledger entries, fetches partner-bank data via MCP, computes diff, drafts resolution note. Human approves before posting.

Mid-size Indian SaaS — agent runs CI failures: parses error logs, queries documentation MCP, proposes fix, opens PR with the fix attached. Human reviews and merges.

Global enterprise — agent handles employee IT helpdesk: password resets, software access, hardware orders. Each action requires per-user authorisation against the user’s actual scope.

Future Implications

Agents are becoming the default abstraction for AI in the enterprise. Three trends to watch:

  1. Sub-agent orchestration. Multi-agent systems where one agent delegates to specialists. Increases capability and blast radius simultaneously.
  2. Persistent agents. Long-running agents that maintain state across days or weeks. The narrative-AI direction discussed elsewhere.
  3. Computer-use agents. Agents that drive GUIs (screenshots in, mouse/keyboard out). Already in preview at Anthropic; becomes mainstream by 2027.

RingSafe Analysis

Three observations from production engagements:

  1. Tool inventory bloat is the #1 agent security failure mode. Teams add tools quickly during development and never remove them. The blast radius grows silently.
  2. Audit trail before scale. Before an agent goes from internal tools to customer-facing, the audit log must be production-grade: every prompt, every tool call, every result, every user attribution. Regulators will ask.
  3. Human-in-loop is not optional for irreversible actions. The cost of a wrong wire transfer or mass email is higher than the cost of one human approval click. Wire the approval flow before you wire the tool.

For Indian enterprises, the audit trail is non-negotiable under SEBI CSCRF, RBI guidelines, and DPDP processor obligations.

Key Takeaways

  • AI agents = LLM + tools + loop. Claude’s tool-use reliability makes it a default for production.
  • MCP is the industry-standard protocol for agent-tool integration.
  • Architecture must include per-user authorisation, human-in-loop, audit logging, step limits.
  • Attack surface: prompt injection via tool output, excessive agency, confused deputy, memory injection.
  • Optimise via parallel tool calls, prompt caching, tier-aware routing, hard step limits.

Conclusion

Building production AI agents with Claude is an engineering discipline, not a prompt-engineering exercise. The capability is real; the engineering rigor required to ship safely is substantial. The teams that succeed treat agents like they treat other production systems: with monitoring, authorisation, audit, and incident response.

For hands-on: RingSafe’s AI Agent Security module, MCP deep dive, and AI Practitioner Path.

FAQ

Q: What is MCP?
A: Model Context Protocol — Anthropic’s open standard for connecting LLM agents to tools and data sources. Industry default in 2026.

Q: Is Claude better than GPT for agents?
A: Claude leads on tool-use reliability metrics in 2026. The gap is narrowing.

Q: How many tools should an agent have?
A: As few as possible. Tool sprawl is the dominant security failure mode.

Q: Can agents work without internet access?
A: Yes — agent loops just need a model API. The tools the agent calls can be local-only.
