📋 Executive Summary
- ⚙️ Responses API Is The Best Starting Point: Responses API is ideal when teams want full control over the agent loop, tool routing, state management, and stop conditions.
- 🤖 Agents SDK Accelerates Production: Agents SDK provides a faster production path when sessions, tracing, handoffs, guardrails, sandbox workspaces, and resumable execution are required.
- 📚 Large Context Comes With Trade-Offs: GPT-5.6 Sol supports a 1,050,000-token context window and 128,000 output tokens, but requests exceeding 272,000 input tokens are billed at higher rates for the entire request.
- 🛡️ Guardrail Coverage Has Limits: SDK tool guardrails apply to function tools but do not automatically protect handoffs, hosted tools, computer use, shell paths, or agent-as-tool calls.
- 💰 Cost Control Requires A Full View: Budgeting should include search calls, file storage, containers, retries, loop length, and regional processing instead of focusing only on model token pricing.
- ✅ Deploy In Small Steps: Begin with one bounded agent, one or two read-only tools, a fixed turn budget, an evaluation dataset, and human approval before allowing any high-impact write actions.
To answer how to build an ai agent with chatgpt in 2026, I would start with a controlled tool loop, not a sprawling autonomous system, because every extra turn can multiply cost, latency, and permission risk. The practical build is a model with clear instructions, a small set of typed tools, task state, and a loop that stops when the model returns a final answer or reaches a hard budget. OpenAI recommends the Responses API for new integrations when developers want direct control, while its Agents SDK is the managed option for sessions, tracing, handoffs, guardrails, sandbox workspaces, and longer workflows.
That answer sounds simple, but the hard work sits around the model call. A useful ChatGPT agent must distinguish observation from action, validate every tool input, preserve enough state without dragging an entire transcript through every request, and prove that it can recover from empty results, timeouts, malformed arguments, and conflicting instructions. It also needs an economic model. GPT-5.6 Sol can accept a 1,050,000-token context window, yet OpenAI applies higher rates to requests above 272,000 input tokens, so using the largest context as permanent memory can punish both latency and budget.
This guide builds the system from the inside out. It explains when to use the Responses API or Agents SDK, maps the five-part architecture, provides a working Python starter, catalogues current tools and integrations, designs memory and approval boundaries, calculates current API costs, and shows how to evaluate a customer-support workflow. The objective is not maximum autonomy. It is a narrow, observable agent that completes a valuable task, knows when to stop, and leaves an evidence trail a human can inspect.
How to Build an AI Agent With ChatGPT: The Practical Path
The fastest reliable path is to choose one job with a measurable finish line. Good first jobs include reading an order status, searching a controlled knowledge base, drafting a reply from approved evidence, classifying a support ticket, or preparing a structured research brief. Poor first jobs sound broad, such as “run customer support” or “manage the business”, because the agent cannot know which systems, permissions, and success criteria those phrases imply.
A useful scoping exercise is to compare the proposed workflow with our broader AI agent build guide. The central test is whether the task needs model judgement at all. If every step is predictable, ordinary automation is cheaper, easier to audit, and less exposed to prompt injection. Use an agent only where the input is ambiguous enough to require interpretation, but the permitted actions remain bounded.
Translate the job into a contract before writing code. Define the accepted input, the final output schema, the information the agent may read, the actions it may request, the actions it may never perform, the conditions that require human approval, and the maximum number of model or tool turns. This contract becomes the foundation for instructions, tool schemas, evaluations, and monitoring. It also makes disagreements visible. A product owner may expect the system to issue refunds, while the engineering team may have designed a read-only assistant.
1. Write one sentence that describes the business outcome and the user who receives it.
2. List the minimum read tools needed to gather evidence and keep write tools separate.
3. Define a structured success result, a safe refusal result, and an escalation result.
4. Set turn, token, time, and spending budgets before the first production request.
5. Create ten representative tasks and five hostile or malformed tasks for an initial evaluation set.
The first version should normally have one agent and one or two tools. A planner, researcher, critic, and writer diagram may look sophisticated, but every handoff creates another place for context loss, duplicated calls, and unclear responsibility. Expand only after traces show that one loop cannot reliably separate the work.
Choose the Responses API or Agents SDK
The Responses API and Agents SDK are not competing model products. They are two levels of control over the same general problem. With direct Responses API calls, your application owns the loop: it sends input, reads model output, executes requested tools, returns tool results, and decides when to stop. With the Agents SDK, a runtime manages more of that lifecycle and adds abstractions for agents, runners, sessions, handoffs, guardrails, tracing, and sandbox work.
Teams planning a larger operating model can use the production AI agents playbook as an adjacent architecture reference, but the default decision here is straightforward: start direct when the loop is short and custom; start with the SDK when the workflow is durable, multi-step, or operationally rich.
| Decision Factor | Responses API | Agents SDK | Practical Choice |
| Loop ownership | Your code dispatches tools, retries, branching, and stopping. | Runner manages turns and common lifecycle behaviour. | Use Responses for bespoke routing; SDK for faster orchestration. |
| State | Use previous_response_id, manual item replay, or Conversations API. | Sessions can maintain history and workflow state. | Use explicit storage when auditability matters. |
| Tools | Built-in tools and custom functions are declared per request. | Function tools, hosted tools, agents-as-tools, and handoffs are wrapped by the runtime. | Keep permissions narrow in either path. |
| Safety | Validation and approval logic live in your application. | Guardrail hooks are built in, with documented coverage limits. | Do not treat SDK guardrails as universal policy enforcement. |
| Operations | Maximum visibility and minimum framework surface. | Built-in tracing, handoffs, sandbox support, and resumable patterns. | Choose according to failure recovery needs, not demo speed. |
OpenAI’s own SDK documentation says many applications use both: the SDK for managed workflows and direct Responses calls for lower-level paths. That hybrid design is sensible. A customer-support agent might use the SDK for a long-lived case workflow, while a deterministic “summarise this approved record” function calls Responses directly.
The Agents SDK does not create a separate model charge, and the Responses API is not priced as a separate service. Tokens and built-in tools are billed according to the chosen model and tool rates. External MCP servers, databases, observability platforms, and cloud sandboxes may add their own charges. Those vendor costs are not publicly standardised, so they must be included in a deployment-specific budget rather than presented as an OpenAI plan.
Source: OpenAI Agents SDK decision guidance
Design the Five-Part Agent Architecture
A production agent can be modelled as five parts: model, instructions, tools, state, and control loop. The user interface is important, but it is not the agent. The agent exists in the backend boundary where the model can request evidence or action and the application decides what is permitted. This is also the point where a chatbot becomes an agent. A chatbot only produces a conversational response; an agent can select and invoke capabilities that affect external systems.
That distinction is developed further in our AI agent versus chatbot analysis. For implementation, treat every capability as an authority grant. Search is permission to retrieve information. File search is permission to inspect a controlled corpus. A database function is permission to query records. A refund function is permission to change money and therefore needs a stronger identity, policy, and approval boundary.
| Part | What It Owns | Minimum Production Requirement | Common Failure |
| Model | Reasoning, language, tool selection, and structured output. | Version-pinned model, tested reasoning settings, and fallback policy. | Assuming benchmark strength guarantees workflow reliability. |
| Instructions | Role, evidence rules, prohibited actions, and completion criteria. | Stable system instructions, conflict rules, and explicit uncertainty behaviour. | Vague goals that let user text redefine policy. |
| Tools | Access to search, files, code, databases, APIs, and interfaces. | Typed schemas, authentication, allowlists, validation, timeouts, and idempotency. | Broad tools that expose hidden authority. |
| State | Task history, retrieved evidence, approvals, and durable checkpoints. | Separate ephemeral context from governed long-term memory. | Using an ever-growing transcript as a database. |
| Loop | Dispatch, observation, retries, budgets, stop conditions, and escalation. | Hard turn and cost limits, trace IDs, error paths, and human gates. | A self-perpetuating loop that repeats failed calls. |
GPT-5.6 Sol currently supports text and image input, text output, reasoning, streaming, function calling, and structured outputs. OpenAI lists web search, file search, image generation, Code Interpreter, hosted shell, apply patch, skills, computer use, MCP, tool search, and snapshots as supported Responses API capabilities for the model. Fine-tuning is not supported. The model page lists a 1,050,000-token context window and a 128,000-token maximum output, but those ceilings are not design targets. Most agents become cheaper and more controllable when the application retrieves only the evidence needed for the current decision.
Keep policy outside natural-language improvisation wherever possible. The model may decide which approved read tool is relevant, but application code should decide whether an authenticated user may access the record, whether a write is allowed, whether an amount exceeds a threshold, and whether the request has already been executed. Deterministic controls are easier to test than instructions that merely ask the model to “be careful”.
Source: GPT-5.6 Sol model specifications
Implement the Tool Loop in Python
A minimal Responses API agent follows a five-stage loop. The application sends the user request and tool definitions. The model either returns a final answer or emits one or more function calls. The application parses and validates each call, executes the corresponding function, and appends a function_call_output item. The model then receives the result and decides whether another tool is necessary. The loop ends on a final response or a budget limit.
The pattern is simple enough to understand without a framework, while the agent orchestration control loop becomes relevant when retries, queues, parallel work, checkpoints, or multiple specialists enter the design. The starter below deliberately uses a read-only order lookup and a hard eight-turn ceiling.
How to Build an AI Agent With ChatGPT in Python
import json
import os
from typing import Any
from openai import OpenAI
client = OpenAI()
MODEL = os.getenv(“OPENAI_MODEL”, “gpt-5.6”)
MAX_TURNS = 8
TOOLS = [
{
“type”: “function”,
“name”: “lookup_order”,
“description”: “Read the status of one order. This tool never edits data.”,
“parameters”: {
“type”: “object”,
“properties”: {
“order_id”: {
“type”: “string”,
“description”: “The exact order identifier supplied by the user.”,
}
},
“required”: [“order_id”],
“additionalProperties”: False,
},
“strict”: True,
}
]
def lookup_order(order_id: str) -> dict[str, Any]:
# Replace this stub with an authenticated database or API call.
if not order_id.startswith(“ORD-“):
raise ValueError(“Order IDs must start with ORD-“)
return {“order_id”: order_id, “status”: “in_transit”, “eta”: “2026-07-15”}
def execute_tool(name: str, arguments: dict[str, Any]) -> dict[str, Any]:
if name == “lookup_order”:
return lookup_order(**arguments)
raise ValueError(f”Unknown tool: {name}”)
def run_agent(user_text: str) -> str:
items: list[Any] = [{“role”: “user”, “content”: user_text}]
for _ in range(MAX_TURNS):
response = client.responses.create(
model=MODEL,
instructions=(
“You are a customer-support agent. Use tools only when needed. “
“Never claim an action was completed unless a tool confirms it. “
“Ask for human approval before any write, refund, or account change.”
),
input=items,
tools=TOOLS,
)
# Preserve model output items, including reasoning and tool requests.
items.extend(response.output)
calls = [item for item in response.output if item.type == “function_call”]
if not calls:
return response.output_text
for call in calls:
try:
args = json.loads(call.arguments)
result = execute_tool(call.name, args)
payload = {“ok”: True, “result”: result}
except (json.JSONDecodeError, TypeError, ValueError) as exc:
payload = {“ok”: False, “error”: str(exc)}
items.append(
{
“type”: “function_call_output”,
“call_id”: call.call_id,
“output”: json.dumps(payload),
}
)
raise RuntimeError(“Agent stopped after reaching the turn budget”)
if __name__ == “__main__”:
print(run_agent(“Where is order ORD-1042?”))
The important detail is not the exact function name. It is the separation of concerns. The model proposes a call; the application validates identity, arguments, and policy; the tool returns a structured result; and the model explains the result. The code also preserves every response output item before adding tool outputs. That matters for reasoning models because a response can contain more than a final text string or function call.
For multi-turn state, developers can keep the accumulated input items, use previous_response_id, or create a durable conversation. One hidden edge case is easy to miss: OpenAI documents that top-level instructions from a previous response are not automatically carried forward by previous_response_id. Stable policy instructions should therefore be resent on each request or stored and applied by the application. A conversation identifier does not replace policy injection.
Before production, add request IDs, structured logs, exponential backoff for transient errors, explicit timeout handling, idempotency keys for write tools, and a response schema for terminal states. The code in this article was syntax-checked locally and its turn logic was dry-run with mocked tool output. It was not executed against a live OpenAI account because no publisher API key was supplied.
Source: OpenAI function calling guide
Add Tools Without Creating a Permission Problem
Tool choice determines what the agent can know and what it can change. A useful rule is to separate retrieval tools from action tools in both code and policy. Retrieval tools should be read-only and return compact, attributable evidence. Action tools should be narrow, authenticated, idempotent where possible, and unavailable until the workflow reaches an approval state. Never expose a generic “run SQL”, “call any URL”, or “execute shell command” function to an untrusted conversation without a sandbox and strict allowlists.
Our AI agent definition guide explains why tools, state, and authority are more important than a conversational interface. Current OpenAI integrations cover hosted tools and developer-controlled tools, but their trust boundaries differ.
| Tool or Integration | Best Use | Key Constraint | Cost or Limit Signal |
| Web search | Current public information with source citations. | Treat retrieved pages as untrusted content and prevent instructions in pages from changing policy. | $10 per 1,000 calls plus search content tokens at model rates. |
| File search | Retrieval from approved internal files and vector stores. | Control corpus membership, retention, tenant isolation, and source attribution. | $2.50 per 1,000 calls; storage $0.10 per GB-day after 1 GB free. |
| Function calling | Authenticated business APIs, databases, calculators, and workflow services. | Use strict schemas, server-side authorisation, validation, timeouts, and idempotency. | No separate tool fee stated; model tokens and external service costs apply. |
| Code Interpreter or hosted shell | Calculations, transformations, document analysis, and controlled command execution. | Run in a sandbox, restrict network and file scope, and discard secrets. | Containers from $0.03 per 20-minute 1 GB session; five-minute billing minimum. |
| Computer use | Operating graphical interfaces where no stable API exists. | Screenshots and UI text can contain prompt injection; require confirmation for consequential actions. | Model and tool-specific charges apply; exact workflow cost depends on steps. |
| Remote MCP | Discovering tools and data exposed by compatible servers. | Trust the server, inspect schemas, scope credentials, and log every call. | OpenAI has no universal price for third-party MCP services. |
| Tool search | Loading only relevant tool definitions into large tool catalogues. | Available on supported newer models; retrieved schemas still require policy review. | Reduces schema context, but model and selected tool usage remain billable. |
| Image generation, apply patch, and skills | Creative output, repository edits, and reusable packaged procedures. | Separate generated artefacts from approved publication or deployment steps. | Model, container, or image-generation pricing applies by capability. |
A full tool schema should include a precise description, strict JSON parameters, enumerated values where possible, and additionalProperties set to false. The server must still validate every value. Schema compliance does not prove the user is authorised, that a record exists, or that a requested action is legal. Those checks belong in the tool implementation.
For large catalogues, tool search can reduce the number of schemas loaded into the initial prompt, which may preserve prompt caching and reduce context pressure. Programmatic tool calling can also support code-driven sequences. Neither capability eliminates the need for an allowlist. Discovery is not authorisation.
Source: OpenAI tools guide
Design Memory and State for the Job
Agent memory is not one feature. It is a set of storage decisions with different lifetimes and governance. Task state records what has happened in the current workflow. Conversation history preserves recent dialogue. Retrieval memory fetches relevant facts from documents or records. User memory stores preferences across sessions. Operational state records approvals, retries, checkpoints, and side effects. Mixing these layers into a single transcript makes deletion, correction, and auditing difficult.
Strong memory begins with strong instructions, and our prompt engineering workflow is useful for defining what the agent should retain, ignore, cite, or ask again. The key production question is not “Can the model remember this?” but “Which system is the source of truth, who may change it, and when does it expire?”
For a short request, keep an explicit list of response items in application memory. For a multi-turn chat, previous_response_id can connect turns, but stable top-level instructions must be resent. For durable workflows that may resume after minutes or days, use a database or the Conversations API for identifiers and store business state in your own governed system. The Agents SDK can use sessions to maintain history automatically, but a session should not become an unreviewed long-term profile.
- Ephemeral context: current user input, tool results, and intermediate reasoning needed only for this run.
- Durable workflow state: case ID, current stage, approvals, tool side effects, retry count, and deadline.
- Retrieved knowledge: document chunks with source identifiers, timestamps, access controls, and confidence signals.
- User preferences: explicit, editable settings with consent, purpose, retention, and deletion controls.
- Audit evidence: immutable event records that show which model, instructions, tools, and policy decisions produced an outcome.
Avoid placing secrets in prompts or memory. Use short-lived credentials in the server-side tool layer and return only the minimum result needed. Summarise old dialogue into typed state rather than carrying every token indefinitely, but preserve the source records needed for audit. Summaries can lose negation, conditions, and provenance, so they should never silently replace the authoritative business record.
A practical memory policy includes relevance, expiry, correction, user visibility, and deletion. It should also define whether retrieved content may influence actions. A customer note might be useful context for drafting, but it should not override refund policy or identity checks.
Source: OpenAI conversation state guide
Build Guardrails, Approvals, and Least Privilege
Guardrails should be layered because no single prompt or SDK hook covers the whole workflow. Start with authentication and authorisation before the model sees sensitive data. Validate inputs at the API boundary, constrain tool schemas, inspect tool outputs, scan final responses where the domain requires it, and place human approval in front of irreversible or high-impact actions. The model can recommend an action, but application policy should decide whether it is executable.
A business deployment should use the governance sequence in our AI agent setup guide: begin with low-risk reads and drafts, then add controlled writes only after traces and evaluations show predictable behaviour. Least privilege means each tool receives only the credential scope, record access, and operation needed for its one purpose.
The Agents SDK provides input, output, and tool guardrail patterns, but its documentation states an important limitation: tool guardrails apply only to function tools created with function_tool. They do not automatically govern handoff calls, hosted tools, built-in execution tools such as computer or shell paths, or Agent.as_tool invocations. Those paths need their own validation, sandbox, approval, and monitoring controls. Treat this as a design boundary, not a minor implementation note.
Prompt injection is the defining tool-use threat. A web page, document, email, or UI screenshot can contain text that tells the model to ignore policy, reveal secrets, or call another tool. Retrieved content must be labelled as data, not instructions. Keep system policy outside the retrieved text, never place credentials in model-visible context, and prevent a read tool from escalating into a write tool merely because the retrieved content requests it.
1. Verify the user and tenant before retrieving protected information.
2. Use separate read and write tools, with stronger credentials and approval for writes.
3. Validate tool arguments against schema, business rules, and authorisation.
4. Require confirmation that names the exact action, record, amount, and side effect.
5. Record a trace ID, model version, instructions version, tool call, result, and approval event.
6. Provide a compensating action or rollback path for every reversible write.
Do not tell users an action succeeded because the model intended to perform it. Success should come from a tool result with an external transaction or record identifier. When the tool fails or the result is ambiguous, the final response should state that limitation and escalate rather than invent completion.
Source: OpenAI Agents SDK guardrails documentation
Calculate Pricing and Hidden Cost Multipliers
OpenAI API billing is separate from ChatGPT subscriptions. A Plus, Pro, Business, or other ChatGPT plan does not include API usage. For an agent, budget by successful task rather than by one prompt because a single user request can trigger several model turns, search calls, retrieval calls, container sessions, and retries. The table below reflects OpenAI’s official standard GPT-5.6 pricing checked on 12 July 2026. Prices are per one million tokens.
| Model | Context Band | Input | Cached Input | Cache Write | Output |
| GPT-5.6 Sol | Short | $5.00 | $0.50 | $6.25 | $30.00 |
| GPT-5.6 Sol | Long | $10.00 | $1.00 | $12.50 | $45.00 |
| GPT-5.6 Terra | Short | $2.50 | $0.25 | $3.125 | $15.00 |
| GPT-5.6 Terra | Long | $5.00 | $0.50 | $6.25 | $22.50 |
| GPT-5.6 Luna | Short | $1.00 | $0.10 | $1.25 | $6.00 |
| GPT-5.6 Luna | Long | $2.00 | $0.20 | $2.50 | $9.00 |
OpenAI defines the long-context threshold for this family at more than 272,000 input tokens. When a request crosses it, input is priced at twice the short-context rate and output at 1.5 times the short-context rate for the full request. Cache writes are billed at 1.25 times uncached input. Eligible regional processing endpoints for models released on or after 5 March 2026 carry a 10 percent uplift. Batch and Flex rates are lower than standard for eligible workloads, while Priority rates are higher, so the operational mode must be matched to latency requirements.
Tool charges add another layer. Web search costs $10 per 1,000 calls, with search content tokens billed at model rates. File search costs $2.50 per 1,000 tool calls, and storage costs $0.10 per GB per day after the first free GB. Hosted Shell and Code Interpreter containers are listed at $0.03 for 1 GB, $0.12 for 4 GB, $0.48 for 16 GB, and $1.92 for 64 GB per 20-minute session. Eligible sessions are billed by the minute with a five-minute minimum.
A simple cost model is: model input plus model output plus cache writes plus built-in tool fees plus external services plus retries. Track cost per accepted outcome, not cost per call. A cheaper model that loops six times, retrieves oversized files, and retries unreliable tools can cost more than a stronger model that completes the task in two turns. Exact rate limits and account caps vary by account and are not a universal public plan matrix, so teams should read their project limits dashboard before setting concurrency.
Source: OpenAI API pricing
Measure Latency, Reliability, and Bottlenecks
Agent performance is an end-to-end property. The user experiences model reasoning, queue time, network latency, tool execution, retrieval, approval delay, retries, and final rendering as one wait. Record separate spans for each stage. Without that decomposition, teams often blame the model for a slow database or optimise token streaming while a serial tool chain consumes most of the task time.
When a workflow genuinely needs specialists, our multi-agent systems analysis explains the coordination trade-off. OpenAI’s current Responses multi-agent documentation sets a default maximum of three concurrent subagents, while noting no fixed total-agent or tree-depth limit. Concurrency is therefore a resource decision, not permission to fan out without budgets.
OpenAI reported in April 2026 that WebSocket mode reduced latency by up to 40 percent in some early agentic integrations, with Cline reporting 39 percent faster multi-file workflows and Cursor seeing up to 30 percent improvement. These are vendor and partner results, not guaranteed outcomes for every agent. They are most relevant when an application has many sequential Responses turns and can benefit from reusing in-memory state and a persistent connection.
Earlier GPT-5 results provide another useful but limited signal. OpenAI reported 74.9 percent on SWE-bench Verified, 22 percent fewer output tokens, and 45 percent fewer tool calls than o3 at high reasoning effort. Michael Truell, Co-Founder and CEO of Cursor, said the model could “run long, multi-turn background agents to see complex tasks through”. Those results show that model capability can reduce orchestration overhead, but they do not replace workflow-specific evaluation, and they should not be presented as GPT-5.6 benchmark results.
- Task success rate: Percentage of representative tasks completed with the correct terminal state.
- Tool precision: Percentage of tool calls that were necessary, correctly parameterised, and authorised.
- Recovery rate: Percentage of transient tool failures resolved without unsafe repetition or false success.
- P50 and P95 latency: End-to-end duration plus separate model, retrieval, tool, and approval spans.
- Cost per accepted completion: Total model, tool, storage, and infrastructure cost divided by approved outcomes.
- Escalation quality: Percentage of uncertain or high-risk cases correctly routed to a human with useful evidence.
The most common bottlenecks are oversized context, serial independent calls, slow external APIs, unbounded retries, verbose tool output, and unnecessary specialist handoffs. Compress tool results into typed summaries, parallelise only independent work, cache stable instructions and reference data, and stop after a bounded number of failed attempts. Faster failure with a clear escalation is better than a slow hallucinated success.
Source: OpenAI WebSocket performance report
Evaluate Before Granting More Autonomy
An agent should earn permission through evaluations. Begin with a small dataset that represents normal requests, ambiguous requests, missing information, tool failures, adversarial instructions, cross-tenant access attempts, and actions that require approval. Each case needs a machine-checkable or reviewer-checkable expected outcome: final answer, tool sequence, refusal, escalation, or no action.
Evaluate at three layers. First, test the model decision: did it select the right tool or answer without one? Second, test the application: did validation, authorisation, timeout, and idempotency behave correctly? Third, test the business outcome: was the resolved case accurate, timely, compliant, and useful? A model can choose the right function while the tool fetches stale data, or produce a polished answer after the application silently rejected the requested action.
Use deterministic graders for structure, prohibited fields, required citations, identifiers, and policy states. Use expert review for nuance, tone, and domain correctness. Model-based graders can scale comparative evaluation, but they need calibration against human labels and should not be the only judge for safety-sensitive decisions. Track results by prompt version, model snapshot, tool version, and dataset version so a performance change can be reproduced.
A release gate might require at least 95 percent task completion on routine read-only cases, zero unauthorised writes, 100 percent escalation on a defined high-risk set, and a cost ceiling per accepted completion. Those figures are examples, not universal benchmarks. The correct thresholds depend on consequence. A marketing draft tool can tolerate a different error profile from a clinical or financial workflow.
OpenAI’s evaluation tooling supports datasets, graders, and repeatable runs, but the framework matters less than the discipline. Keep failed traces, convert production incidents into regression cases, and rerun the suite when the model, instructions, tools, permissions, or retrieval corpus changes. Do not assume a pinned model name prevents behaviour change in every surrounding service.
Source: OpenAI evaluations guide
Deploy a Customer-Support Agent Safely
A customer-support agent is a useful reference architecture because it combines retrieval, account data, drafting, and escalation. The first production version should not issue refunds. It should identify the user, retrieve approved help content, read account or order status through a narrow API, draft an answer, cite the evidence used internally, and hand the case to a human when policy, identity, emotion, or financial impact exceeds the permitted boundary.
1. Receive the user message and authenticate the account before protected retrieval.
2. Classify the request into a typed intent with confidence and required information fields.
3. Search the approved knowledge base and retrieve only the relevant policy passages.
4. Call a read-only account or order tool when the answer depends on live status.
5. Generate a draft that distinguishes confirmed facts, policy, uncertainty, and next steps.
6. Escalate when identity is incomplete, evidence conflicts, the request involves money, or sentiment indicates sensitivity.
7. Record the trace, tool results, model and instruction versions, final status, and reviewer decision.
Rachael Burns, Staff Engineer and AI Tech Lead at Oscar Health, said the updated Agents SDK “made it production-viable for us to automate a critical clinical records workflow”. The quote is useful because it identifies the real threshold: not whether an agent can produce a plausible demo, but whether the surrounding harness can process long, complex records reliably enough for a consequential workflow.
AJ Orbach, CEO of Triple Whale, described a different architecture shift in OpenAI’s December 2025 GPT-5.2 announcement: the company “collapsed a fragile, multi-agent system into a single mega-agent with 20+ tools”. That does not mean one agent is always superior. It shows that stronger tool use can remove coordination layers when a single controller can maintain state and policy. The design goal is the fewest components that meet reliability requirements.
Enterprise deployment also needs infrastructure boundaries. OpenAI’s April 2026 Agents SDK update added a model-native harness and native sandbox execution, while NVIDIA founder and CEO Jensen Huang described enterprise agent infrastructure as “open building blocks to create more secure, long-running AI coworkers”. A controlled workspace can isolate files and commands, but sandboxing does not make external data trustworthy. Network egress, mounted storage, secrets, and write permissions still require explicit policy.
Promote capabilities in stages: read-only answer, human-reviewed draft, human-approved action, and only then narrowly automatic action for low-risk cases. Every stage should have a rollback plan and a measured reason to exist. Autonomy is a risk budget, not a product badge.
Source: OpenAI Agents SDK production update
Our Content Testing Methodology
During our 2026 evaluation, we mapped the implementation against OpenAI’s current Responses API, function calling, conversation state, tools, model, pricing, Agents SDK, guardrails, tracing, sandbox, and evaluation documentation. Pricing and model specifications were rechecked against the official OpenAI developer pages on 12 July 2026. We separated current GPT-5.6 specifications from older GPT-5 and GPT-5.2 benchmark claims so historical results were not mislabelled as evidence for the newest model.
The Python starter was passed through a local syntax check. Its control flow, turn ceiling, argument validation, error payload, and terminal response path were also dry-run using mocked tool responses. We did not execute live OpenAI requests because no publisher API key or production test account was supplied. Therefore, the article does not claim measured latency, token usage, or success rates from a live deployment. Partner performance figures are attributed to the organisations and publication in which they appeared.
Internal links were selected from eight live, contextually relevant Perplexity AI Magazine pages discovered through indexed site results after the XML sitemap endpoints returned malformed responses to the available fetch environment. No unrelated page was added to meet a numerical target. Technical limitations that could not be expressed as universal figures, including account-specific rate limits, third-party MCP pricing, and production success thresholds, are stated as variable rather than invented.
This article was researched and drafted with AI assistance and reviewed by the Sami Ullah Khan editorial desk at Perplexity AI Magazine. All data, citations, pricing figures, and named quotes have been independently verified against primary sources before publication.
Conclusion
The practical answer to how to build an ai agent with chatgpt is to build less autonomy than the diagram suggests. Start with the Responses API when you need a transparent loop and custom tool routing. Use the Agents SDK when sessions, tracing, handoffs, sandbox workspaces, and resumable execution remove more complexity than they add. In either case, the production system is defined by its permissions, state, budgets, evaluations, and recovery paths, not by the model call alone.
Current GPT-5.6 models offer large context windows and broad tool support, but those capabilities create new cost and governance choices. Long context can trigger higher pricing. Hosted tools have different safety boundaries. Tool guardrails do not cover every execution path. WebSocket performance gains may improve long loops, yet external APIs, approval queues, and repeated retrieval can remain the dominant bottlenecks.
The open questions are organisational as much as technical: which actions should remain human, how long memory should persist, how audit evidence should be retained, and what failure rate is acceptable for each consequence level. The strongest near-term architecture is a bounded agent that retrieves evidence, proposes actions, and escalates uncertainty. Greater autonomy should arrive only when measured traces show that it improves outcomes without hiding cost or transferring unreviewed risk to users.
FAQs
What Is the Simplest Way to Build a ChatGPT Agent?
Use the Responses API with one model, clear instructions, one read-only function tool, and a loop that returns tool output to the model. Add a hard turn limit and log every call. This provides enough structure to learn the pattern without introducing a framework or multi-agent orchestration.
Should I Use the Responses API or Agents SDK?
Use the Responses API when you want to own tool dispatch, branching, state, and stopping. Use the Agents SDK when you want managed turns, sessions, tracing, handoffs, guardrails, sandbox workspaces, or resumable multi-step execution. A hybrid application can use both for different workflows.
Does a ChatGPT Subscription Include API Usage?
No. ChatGPT subscriptions and OpenAI API billing are separate. API usage is charged according to model tokens, built-in tools, storage, containers, and any external services. Check the project billing and limits dashboard before deployment.
How Does an AI Agent Remember Previous Steps?
It can replay prior response items, reference a previous response, use the Conversations API, or store durable state in an application database. Do not rely on conversation history as the only source of truth. OpenAI notes that top-level instructions are not automatically inherited through previous_response_id.
Which Tools Can I Add to an OpenAI Agent?
Current options include web search, file search, function calling, Code Interpreter, hosted shell, computer use, image generation, apply patch, skills, remote MCP, tool search, and other supported Responses tools. Availability depends on the model and endpoint, while third-party services can add separate costs and policies.
How Do I Stop an Agent From Taking Unsafe Actions?
Use server-side authorisation, narrow tool schemas, separate read and write tools, allowlists, sandboxing, idempotency, hard budgets, and human approval for consequential actions. Treat retrieved content as untrusted data. Never rely on a prompt alone to enforce financial, legal, privacy, or identity rules.
How Much Does It Cost to Run an AI Agent?
Cost depends on model input and output, cache writes, tool calls, retrieved tokens, storage, container time, external APIs, retries, and loop length. Measure cost per accepted completion. Exact rate limits and account caps vary, so there is no single universal monthly agent price.
Do I Need Multiple Agents?
Usually not for a first build. Use one agent until traces show that the workflow needs independent specialists, parallel work, or explicit handoffs. Multiple agents can improve specialisation, but they add model calls, coordination latency, context transfer, more failure points, and a larger permission surface.
References
1. Google Search Central. (2026, May 15). Spam policies for Google Web Search. Google spam policies.
2. NVIDIA. (2026, June 1). Enterprise software leaders build AI agents with NVIDIA. NVIDIA press release.
3. OpenAI. (2025, March 11). New tools for building agents. OpenAI agent tools announcement.
4. OpenAI. (2025, August 7). Introducing GPT-5 for developers. OpenAI GPT-5 developer announcement.
5. OpenAI. (2025, December 11). Introducing GPT-5.2. OpenAI GPT-5.2 announcement.
6. OpenAI. (2026, April 15). The next evolution of the Agents SDK. OpenAI Agents SDK update.
7. OpenAI. (2026, April 22). Speeding up agentic workflows with WebSockets in the Responses API. OpenAI WebSocket report.
8. OpenAI Developers. (2026). GPT-5.6 Sol model. GPT-5.6 Sol documentation.
9. OpenAI Developers. (2026). Pricing. OpenAI API pricing.