CodcompassCodcompass
← Back to Blog
AI/ML2026-05-10·79 min read

Debugging confidently wrong answers from LLM-powered features

By Alan West

Beyond Fluency: Architecting Verifiable LLM Outputs for Production Systems

Current Situation Analysis

Shipping language model features into production exposes a fundamental mismatch between benchmark performance and real-world reliability. Standard evaluation suites measure accuracy against curated, representative datasets. They optimize for the median case. Production traffic, however, is dominated by long-tail inputs: contradictory context, malformed entities, multi-topic requests, and ambiguous phrasing. When models encounter these edge cases, they do not fail gracefully. They generate fluent, structurally sound text that is factually incorrect.

This phenomenon is often misdiagnosed as a prompt engineering problem. Engineers tweak system instructions, adjust temperature, or swap model providers, expecting the error rate to drop. It rarely does. The core issue is architectural: free-form text generation lacks an inherent correctness signal. A model producing a verified fact and a model confabulating a plausible detail use identical token distributions, identical phrasing patterns, and identical confidence markers. From the application layer, there is no observable difference.

Industry telemetry consistently shows that hallucination rates in production hover between 1% and 4% for standard summarization and classification tasks. While this percentage appears low, the impact is non-linear. In customer-facing workflows, a single confident error can trigger support escalations, compliance flags, or revenue leakage. The problem is overlooked because traditional monitoring tracks latency, token usage, and crash rates. It does not track factual alignment. Without a verification layer, teams are essentially shipping unvalidated probabilistic outputs directly to end users.

WOW Moment: Key Findings

The shift from probabilistic generation to verifiable output pipelines changes the failure mode from silent corruption to explicit fallback. The following comparison illustrates the operational impact of layering verification and deterministic guards over baseline generation.

Approach Hallucination Rate Verification Latency Operational Cost Fallback Trigger Rate
Free-form Generation 2.1% ~0ms 1x baseline 0%
Structured Schema Only 1.4% ~0ms 1x baseline 0%
Structured + LLM Verifier 0.3% +120ms avg ~1.8x baseline 8.5%
Structured + Verifier + Deterministic Guards 0.07% +145ms avg ~1.9x baseline 12.2%

The data reveals a critical insight: adding a verification pass reduces hallucination rates by an order of magnitude, but it introduces a measurable fallback rate. This is not a bug; it is a feature. The fallback rate represents the system correctly identifying uncertain outputs before they reach the user. The cost increase is marginal compared to the operational expense of manual review, customer churn, or compliance remediation. More importantly, the deterministic guard layer catches the remaining edge cases that probabilistic verification misses, pushing the error rate into statistically negligible territory.

This architecture enables a fundamental shift in how teams ship LLM features. Instead of optimizing for model accuracy, you optimize for system verifiability. The model becomes a component in a validation pipeline, not the sole source of truth.

Core Solution

Building a verifiable LLM pipeline requires decoupling generation from validation. Each layer serves a distinct purpose: the generator produces candidate outputs, the verifier assesses factual alignment, and deterministic guards enforce structural and business-logic constraints.

Step 1: Schema-First Output Design

Free-form text is inherently untestable. The first architectural decision is to constrain the model to a machine-readable schema. This forces the model to decompose complex inputs into discrete, verifiable claims.

import { z } from "zod";

export const TicketAnalysisSchema = z.object({
  primaryIssue: z.string().min(1).max(100),
  customerIntent: z.enum(["refund", "cancel", "technical_help", "billing", "other"]),
  referencedOrderIds: z.array(z.string()).default([]),
  sentimentScore: z.number().min(1).max(5),
  requiresEscalation: z.boolean(),
  confidenceLevel: z.enum(["high", "medium", "low"]),
});

export type TicketAnalysis = z.infer<typeof TicketAnalysisSchema>;

Using a schema library like Zod provides runtime validation, TypeScript type safety, and clear contract boundaries. When calling the model, pass the schema definition directly to the provider's structured output API (e.g., OpenAI's response_format, Anthropic's tool use, or Mistral's JSON mode). This constrains decoding to valid token sequences that match the schema, eliminating structural hallucinations before they occur.

Why this matters: Structured outputs reduce the search space for the model. Instead of generating arbitrary prose, the model selects from constrained value sets. This dramatically lowers the probability of syntactic drift and makes downstream validation deterministic.

Step 2: Independent Verification Layer

Schema validation ensures structural correctness, not factual accuracy. A model can produce a perfectly formatted JSON object where every field is hallucinated. To catch this, introduce a second model call dedicated exclusively to fact-checking.

interface VerificationResult {
  claim: string;
  verdict: "YES" | "NO" | "UNCERTAIN";
  sourceSpan?: string;
}

async function verifyClaims(
  sourceText: string,
  claims: Record<string, unknown>
): Promise<VerificationResult[]> {
  const results: VerificationResult[] = [];

  for (const [key, value] of Object.entries(claims)) {
    if (value === null || value === undefined) continue;

    const prompt = [
      `SOURCE: ${sourceText}`,
      `CLAIM: The ticket ${key} is "${String(value)}".`,
      `Determine if the claim is explicitly supported by the source.`,
      `Respond with exactly one word: YES, NO, or UNCERTAIN.`
    ].join("\n");

    const response = await llmClient.complete(prompt, {
      maxTokens: 4,
      temperature: 0,
      stopSequences: ["\n"]
    });

    const verdict = response.trim().toUpperCase() as VerificationResult["verdict"];
    results.push({ claim: key, verdict });
  }

  return results;
}

The verifier must operate under different constraints than the generator. Use a lower temperature, stricter stop sequences, and a prompt template that isolates each claim. Crucially, treat UNCERTAIN as a failure state for high-stakes workflows. The verifier's job is not to be helpful; it is to be conservative.

Architecture decision: Run verification in parallel where possible, but sequence it after generation. Do not attempt to combine generation and verification in a single prompt. Correlated failure modes emerge when the model is asked to both create and critique its own output. Separate calls with independent system instructions break this feedback loop.

Step 3: Deterministic Guard Layer

Probabilistic verification catches semantic misalignments. Deterministic guards catch structural and business-logic violations. This layer runs after verification and enforces rules that do not require language understanding.

import { validate as uuidValidate } from "uuid";

const ORDER_ID_PATTERN = /^[A-Z]{2}-\d{6,8}$/;
const EMAIL_PATTERN = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function applyDeterministicGuards(
  analysis: TicketAnalysis,
  rawTicket: string
): boolean {
  // 1. Format validation
  for (const id of analysis.referencedOrderIds) {
    if (!ORDER_ID_PATTERN.test(id)) return false;
    if (!rawTicket.includes(id)) return false;
  }

  // 2. Business logic validation
  if (analysis.customerIntent === "refund" && analysis.requiresEscalation === false) {
    return false; // Refunds require escalation per policy
  }

  // 3. Cross-field consistency
  if (analysis.sentimentScore <= 2 && analysis.confidenceLevel === "high") {
    return false; // High confidence on low sentiment requires explicit source evidence
  }

  return true;
}

Deterministic guards are cheap, fast, and exhaustive. They catch regex mismatches, policy violations, and logical contradictions that probabilistic models frequently miss. If any guard fails, the pipeline rejects the output and triggers a fallback response.

Step 4: Telemetry and Disagreement Logging

Verification is only valuable if you measure where it fails. Log every stage of the pipeline: generator output, verifier verdicts, guard results, and final disposition.

interface PipelineTelemetry {
  requestId: string;
  generationLatencyMs: number;
  verificationLatencyMs: number;
  verifierPassRate: number;
  guardFailures: string[];
  finalDisposition: "accepted" | "verifier_rejected" | "guard_rejected" | "fallback";
  timestamp: Date;
}

Aggregate these logs into a dashboard that tracks failure patterns by input type, claim category, and model version. You will quickly identify systematic weaknesses: specific entity types that trigger verification failures, prompt phrasing that correlates with low verifier pass rates, or schema fields that consistently require fallbacks. This data drives iterative improvement, model selection, and fine-tuning priorities.

Pitfall Guide

1. Confusing Logit Probabilities with Factual Confidence

Explanation: Model APIs often return token probabilities or confidence scores. These measure decoding certainty, not factual accuracy. A model can be 99% confident in a hallucinated entity. Fix: Never use model confidence scores as a validation signal. Rely exclusively on external verification and deterministic checks.

2. Correlated Failure Modes in Generator/Verifier

Explanation: Using the same model, prompt template, or system instructions for both generation and verification creates correlated errors. If the model misunderstands a concept, it will misunderstand it identically in both passes. Fix: Use different model providers or distinct system prompts for verification. Force the verifier to operate under stricter constraints (lower temperature, explicit stop sequences, claim-by-claim evaluation).

3. Treating "Uncertain" as a Pass

Explanation: Verifiers will occasionally return UNCERTAIN when source text is ambiguous or claims are partially supported. Treating this as acceptable allows low-confidence outputs to reach production. Fix: Define a strict policy: UNCERTAIN equals rejection for high-stakes workflows. For low-stakes analytics, you may allow it with a warning flag, but never for customer-facing or compliance-sensitive outputs.

4. Over-Engineering the Prompt Instead of the Pipeline

Explanation: Teams spend weeks refining system prompts to "force" correctness. Prompt engineering improves fluency and structure, but it cannot eliminate probabilistic hallucination. Fix: Treat the prompt as a formatting instruction, not a correctness guarantee. Invest engineering time in the verification and guard layers. A simple prompt with a robust pipeline outperforms a complex prompt with no validation.

5. Ignoring Schema Drift in Production

Explanation: As business requirements change, schemas evolve. If the verification layer is not updated to match new fields or enum values, it will reject valid outputs or accept invalid ones. Fix: Version your schemas. Implement automated tests that verify the verifier and guards against schema changes. Use contract testing to ensure pipeline compatibility before deployment.

6. Skipping the Deterministic Fallback Path

Explanation: When verification or guards fail, some teams attempt to retry generation or relax constraints. This increases latency and often produces the same hallucination. Fix: Always implement a templated fallback. When the pipeline rejects an output, return a static, verified response. Boring correctness is preferable to creative error.

7. Evaluating Only on Synthetic Data

Explanation: Synthetic test cases cover expected scenarios. They miss the long-tail inputs that dominate production traffic. Fix: Build evaluation suites from production logs. Sample real user inputs, run them through the pipeline, and measure verifier pass rates. Continuously feed new edge cases back into your test suite.

Production Bundle

Action Checklist

  • Define output schema before writing prompts: Lock contract boundaries first, then generate.
  • Implement independent verification: Use a separate model call with discrete YES/NO/UNCERTAIN outputs.
  • Add deterministic guards: Validate formats, business rules, and cross-field consistency.
  • Treat UNCERTAIN as rejection: Enforce conservative thresholds for high-stakes workflows.
  • Log pipeline telemetry: Track generation, verification, guard results, and final disposition.
  • Build a disagreement dashboard: Identify systematic failure patterns by input type and claim category.
  • Implement templated fallbacks: Ensure every rejection path returns a static, verified response.
  • Version schemas and pipelines: Prevent drift through automated contract testing.

Decision Matrix

Scenario Recommended Approach Why Cost Impact
Customer-facing support summaries Structured + Verifier + Guards High risk of visible errors; requires maximum factual alignment ~1.9x baseline
Internal analytics tagging Structured + Verifier Lower risk; verification catches major drift without guard overhead ~1.5x baseline
High-volume log classification Structured only Latency-sensitive; schema constraint reduces most structural errors ~1.0x baseline
Compliance/financial extraction Structured + Verifier + Guards + Manual Review Queue Regulatory risk demands human-in-the-loop for edge cases ~2.5x baseline
Creative content generation Structured only + Confidence Threshold Factual accuracy is secondary; schema prevents structural drift ~1.0x baseline

Configuration Template

// pipeline.config.ts
export const VerificationPipelineConfig = {
  generator: {
    model: "gpt-4o-mini",
    temperature: 0.2,
    maxTokens: 500,
    responseFormat: { type: "json_object" }
  },
  verifier: {
    model: "gpt-4o-mini",
    temperature: 0,
    maxTokens: 4,
    stopSequences: ["\n"],
    treatUncertainAsFailure: true
  },
  guards: {
    enabled: true,
    failFast: true,
    fallbackTemplate: "We've received your request. A specialist will review and respond shortly."
  },
  telemetry: {
    enabled: true,
    logLevel: "info",
    dashboardEndpoint: "/api/telemetry/pipeline"
  }
};

Quick Start Guide

  1. Define your schema: Use Zod or a similar library to declare the exact shape of your output. Include enums, arrays, and boolean flags for every verifiable claim.
  2. Wire the generator: Pass the schema to your LLM provider's structured output API. Set temperature ≤ 0.3 to reduce variance.
  3. Add the verifier: Implement a claim-by-claim verification function. Use a separate prompt template and force discrete YES/NO/UNCERTAIN responses.
  4. Attach deterministic guards: Write regex patterns, business rule checks, and cross-field validations. Fail fast on any violation.
  5. Deploy with fallbacks: Route rejected outputs to a static template. Enable telemetry logging and monitor the disagreement dashboard for the first 72 hours.