Production Architecture for AI Systems: Reliability First
CTO-level architecture decisions for AI systems—designing for scalability, implementing proper error handling, and maintaining system stability.
Why AI Systems Fail in Production
After spending years building and scaling AI-powered products, I've observed a consistent pattern: most AI systems that work beautifully in development struggle in production. Not because the models are wrong, but because the architecture surrounding them isn't built for reality.
A model that achieves 95% accuracy in testing can still bring down your entire platform if it times out on 10% of requests, consumes unbounded memory, or fails silently when external APIs are unavailable. Production AI systems require architectural discipline that goes far beyond training accurate models.
This article outlines the architectural principles and patterns I've learned from deploying AI systems at scale—from startups processing thousands of requests per day to platforms handling millions.
Principle 1: Design for Failure
Traditional software has well-understood failure modes: database connection lost, API timeout, out of memory. AI systems introduce entirely new categories of failure:
- Model timeouts: An inference that should take 100ms occasionally takes 30 seconds
- Non-deterministic errors: The same input works 99 times and fails on the 100th
- Gradual degradation: Model accuracy slowly drifts as real-world data diverges from training data
- Cascading failures: One model's output feeds another model, amplifying errors exponentially
- External dependency failures: Third-party AI services (OpenAI, Anthropic, etc.) rate limit, timeout, or return errors
Timeout Everything
Set aggressive timeouts on all AI inference operations. If your p99 latency is 500ms, set a hard timeout at 2-3 seconds. Don't let a single slow inference block your entire system.
async function callModelWithTimeout<T>(
modelFn: () => Promise<T>,
timeoutMs: number = 3000
): Promise<T> {
const timeoutPromise = new Promise<never>((_, reject) => {
setTimeout(() => reject(new Error('Model inference timeout')), timeoutMs);
});
try {
return await Promise.race([modelFn(), timeoutPromise]);
} catch (error) {
// Log the timeout for monitoring
logger.error('Model timeout', { timeoutMs, error });
throw error;
}
}Implement Circuit Breakers
When a model or external AI service starts failing consistently, stop calling it. Circuit breakers prevent cascading failures by failing fast instead of letting errors pile up.
class CircuitBreaker {
private failures = 0;
private lastFailureTime = 0;
private state: 'CLOSED' | 'OPEN' | 'HALF_OPEN' = 'CLOSED';
constructor(
private threshold = 5,
private resetTimeoutMs = 60000
) {}
async execute<T>(operation: () => Promise<T>): Promise<T> {
if (this.state === 'OPEN') {
if (Date.now() - this.lastFailureTime > this.resetTimeoutMs) {
this.state = 'HALF_OPEN';
} else {
throw new Error('Circuit breaker is OPEN');
}
}
try {
const result = await operation();
this.onSuccess();
return result;
} catch (error) {
this.onFailure();
throw error;
}
}
private onSuccess() {
this.failures = 0;
this.state = 'CLOSED';
}
private onFailure() {
this.failures++;
this.lastFailureTime = Date.now();
if (this.failures >= this.threshold) {
this.state = 'OPEN';
}
}
}Principle 2: Build Fallback Strategies
Production AI systems should never have a single point of failure. Design fallback strategies for every critical component.
Model Fallbacks
If your primary model fails or times out, have a simpler, faster model as a fallback. A less accurate but reliable response is often better than no response.
async function classifyWithFallback(text: string) {
try {
// Try primary model (GPT-4, slower but more accurate)
return await callModelWithTimeout(
() => gpt4.classify(text),
3000
);
} catch (error) {
logger.warn('Primary model failed, using fallback', { error });
try {
// Fallback to faster model (GPT-3.5)
return await callModelWithTimeout(
() => gpt35.classify(text),
1000
);
} catch (fallbackError) {
logger.error('Fallback model also failed', { fallbackError });
// Final fallback to rule-based classifier
return ruleBasedClassifier(text);
}
}
}External Service Fallbacks
When using external AI APIs (OpenAI, Anthropic, Cohere), implement provider fallbacks. If OpenAI is down, automatically switch to Anthropic.
const providers = [
{ name: 'openai', client: openaiClient },
{ name: 'anthropic', client: anthropicClient },
{ name: 'cohere', client: cohereClient }
];
async function generateWithFallback(prompt: string) {
for (const provider of providers) {
try {
return await provider.client.generate(prompt);
} catch (error) {
logger.warn(`Provider ${provider.name} failed, trying next`, { error });
continue;
}
}
throw new Error('All AI providers failed');
}Principle 3: Queue Everything
AI inference can be expensive and slow. Don't block user requests waiting for it. Use asynchronous processing with job queues.
Synchronous vs Asynchronous Patterns
Synchronous (for latency-critical features):
- Real-time chatbots
- Content moderation blocking post submission
- Fraud detection during checkout
Asynchronous (for everything else):
- Document analysis and summarization
- Batch classification tasks
- Generating recommendations
- Embedding generation for search
// User uploads document
app.post('/documents/upload', async (req, res) => {
const document = await saveDocument(req.file);
// Queue AI processing instead of blocking the response
await queue.add('process-document', {
documentId: document.id,
tasks: ['summarize', 'extract-entities', 'classify']
});
// Return immediately
return res.json({
id: document.id,
status: 'processing',
message: 'Document queued for analysis'
});
});
// Worker processes the queue
queue.process('process-document', async (job) => {
const { documentId, tasks } = job.data;
for (const task of tasks) {
try {
const result = await executeAITask(task, documentId);
await saveResult(documentId, task, result);
} catch (error) {
logger.error(`Task ${task} failed for document ${documentId}`, { error });
// Continue with other tasks even if one fails
}
}
});Principle 4: Rate Limit Proactively
AI inference is expensive—both computationally and financially. Implement rate limiting to prevent cost explosions and resource exhaustion.
Per-User Rate Limits
import rateLimit from 'express-rate-limit';
const aiEndpointLimiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 100, // Limit each user to 100 AI requests per window
message: 'Too many AI requests, please try again later',
standardHeaders: true,
legacyHeaders: false,
});
app.post('/api/ai/generate', aiEndpointLimiter, async (req, res) => {
// AI generation logic
});Cost-Based Rate Limiting
Rate limit based on estimated cost, not just request count. A request that generates 10,000 tokens costs 100x more than one that generates 100 tokens.
async function trackAICost(userId: string, cost: number) {
const monthlySpend = await redis.incrbyfloat(
`ai:cost:${userId}:${getCurrentMonth()}`,
cost
);
if (monthlySpend > USER_MONTHLY_AI_BUDGET) {
throw new Error('Monthly AI budget exceeded');
}
return monthlySpend;
}Principle 5: Monitor Everything
AI systems require monitoring beyond traditional application metrics. Track:
- Inference latency: p50, p95, p99 response times
- Success rate: Percentage of successful vs failed inferences
- Model accuracy drift: Track accuracy over time to detect degradation
- Token usage and costs: Monitor API costs in real-time
- Error patterns: Categorize and track different types of failures
- Fallback activation rate: How often are fallbacks being used?
async function monitoredInference(modelName: string, input: any) {
const startTime = Date.now();
try {
const result = await model.infer(input);
// Track success metrics
metrics.increment(`ai.inference.success.${modelName}`);
metrics.timing(`ai.inference.latency.${modelName}`, Date.now() - startTime);
if (result.tokensUsed) {
metrics.increment(`ai.tokens.used.${modelName}`, result.tokensUsed);
const estimatedCost = calculateCost(modelName, result.tokensUsed);
metrics.increment(`ai.cost.${modelName}`, estimatedCost);
}
return result;
} catch (error) {
// Track failure metrics
metrics.increment(`ai.inference.failure.${modelName}`);
metrics.increment(`ai.inference.failure.${modelName}.${error.code || 'unknown'}`);
throw error;
}
}Principle 6: Cache Aggressively
AI inference is expensive. Cache results whenever possible to reduce costs and latency.
Semantic Caching
For similar inputs, return cached results. Use embeddings to detect semantic similarity.
async function semanticCache(prompt: string, threshold = 0.95) {
// Generate embedding for the prompt
const promptEmbedding = await generateEmbedding(prompt);
// Search for similar cached prompts
const similarCache = await vectorDB.similaritySearch(
promptEmbedding,
{ limit: 1, minScore: threshold }
);
if (similarCache.length > 0) {
logger.info('Cache hit (semantic)', {
prompt,
cachedPrompt: similarCache[0].prompt,
similarity: similarCache[0].score
});
return similarCache[0].result;
}
// No cache hit, generate new result
const result = await generateResponse(prompt);
// Cache for future use
await vectorDB.insert({
prompt,
embedding: promptEmbedding,
result,
timestamp: Date.now()
});
return result;
}Principle 7: Version Everything
Model updates can break production. Implement proper versioning and gradual rollouts.
Model Versioning
interface ModelConfig {
name: string;
version: string;
endpoint: string;
rolloutPercentage: number;
}
const models: ModelConfig[] = [
{ name: 'classifier', version: 'v2', endpoint: '/v2/classify', rolloutPercentage: 20 },
{ name: 'classifier', version: 'v1', endpoint: '/v1/classify', rolloutPercentage: 80 }
];
function selectModel(modelName: string, userId: string): ModelConfig {
const modelVersions = models.filter(m => m.name === modelName);
const rand = hashUserId(userId) % 100;
let cumulative = 0;
for (const model of modelVersions) {
cumulative += model.rolloutPercentage;
if (rand < cumulative) {
return model;
}
}
return modelVersions[0];
}Principle 8: Handle Data Privacy and Security
AI systems often process sensitive user data. Implement proper security measures:
- Data minimization: Only send necessary data to AI models
- PII scrubbing: Remove or anonymize personal information before processing
- Audit logging: Track what data was processed and by whom
- Retention policies: Don't keep AI-processed data longer than necessary
function sanitizeForAI(userData: any) {
return {
// Include only necessary fields
text: userData.message,
metadata: {
language: userData.language,
// Exclude PII
// email: userData.email, ❌ Don't send
// name: userData.name, ❌ Don't send
}
};
}
async function processWithAudit(userId: string, data: any) {
const sanitized = sanitizeForAI(data);
// Log what we're sending to AI
await auditLog.create({
userId,
action: 'AI_PROCESSING',
dataHash: hash(sanitized),
timestamp: new Date(),
model: 'gpt-4'
});
const result = await ai.process(sanitized);
// Don't store the result permanently if it contains generated content
// based on user data
return result;
}Real-World Example: Building a Resilient AI Pipeline
Let's put it all together. Here's a production-ready AI processing pipeline that implements all these principles:
class ProductionAIPipeline {
private circuitBreaker = new CircuitBreaker();
private cache = new SemanticCache();
async processDocument(documentId: string, userId: string) {
// 1. Rate limiting
await this.checkRateLimit(userId);
// 2. Retrieve document
const document = await db.documents.findById(documentId);
// 3. Sanitize data
const sanitized = this.sanitizeDocument(document);
// 4. Check semantic cache
const cached = await this.cache.get(sanitized.content);
if (cached) {
return cached;
}
// 5. Process with circuit breaker and timeout
try {
const result = await this.circuitBreaker.execute(() =>
this.processWithFallback(sanitized)
);
// 6. Cache result
await this.cache.set(sanitized.content, result);
// 7. Track metrics
metrics.increment('ai.pipeline.success');
// 8. Track costs
await this.trackCost(userId, result.cost);
return result;
} catch (error) {
metrics.increment('ai.pipeline.failure');
logger.error('AI pipeline failed', { documentId, error });
// Return graceful degradation
return this.getFallbackResult(document);
}
}
private async processWithFallback(document: any) {
const providers = this.getProviders();
for (const provider of providers) {
try {
return await callModelWithTimeout(
() => provider.process(document),
5000
);
} catch (error) {
logger.warn(`Provider ${provider.name} failed`, { error });
continue;
}
}
throw new Error('All providers failed');
}
}Key Takeaways
Production AI systems require architectural discipline:
- Design for failure: Timeouts, circuit breakers, and graceful degradation
- Build fallbacks: Multiple models, multiple providers, rule-based safety nets
- Queue heavy workloads: Don't block user requests on expensive AI operations
- Rate limit proactively: Protect both costs and resources
- Monitor everything: Track latency, accuracy, costs, and error patterns
- Cache aggressively: Semantic caching reduces costs dramatically
- Version carefully: Gradual rollouts and A/B testing for model updates
- Secure user data: Minimize data sent to AI, audit everything
The difference between an AI demo and a production AI system isn't the model—it's the architecture around it. Build for reliability first, and you'll avoid the 3 AM incidents that plague poorly designed AI systems.
Building an AI-powered product and need help designing a production-ready architecture? Let's talk. We specialize in helping teams design, build, and scale reliable AI systems.