Model-Agnostic Agents: How I Build an Agent Layer That Survives Model Swaps
Every time there’s a big model release or a partnership shake‑up, the same anxiety shows up in enterprise AI conversations:
“What if we build everything on model X… and then next year model Y is better, cheaper, or mandated by policy?”
It’s a valid concern. And it’s also a signal that many teams are building agents the wrong way around.
If your agent architecture makes it painful to swap models, you’ve probably put too much business logic in the model layer.
In this post I’ll describe how I design a model‑agnostic agent layer in 2026: an approach that lets you change models (or even run multiple) without rewriting your entire system. I’ll use a Microsoft‑centric stack because that’s where I spend most of my time: Copilot as a frontend, Foundry/MCP as an orchestration layer, and real backends that enforce security and governance.
Model-agnostic doesn’t mean model-indifferent
Let’s get one misconception out of the way.
Model‑agnostic does not mean you don’t care which model you run. It means you accept reality:
- models improve quickly,
- pricing changes,
- data residency and compliance requirements differ,
- some workloads need speed, others need depth,
- and vendors will keep changing the integration story.
So you build your architecture in a way that keeps that variability manageable.
The anti-pattern: “the prompt is the program”
The most common way teams accidentally lock themselves into one model is simple:
- They put business rules into prompts.
- They let the model decide which systems to call and how.
- They rely on a model-specific tool/function calling format.
- They don’t maintain stable schemas for actions.
This works for demos. It’s fragile in production. And it’s exactly what makes a model swap painful, because your “application” is basically a pile of prompt behaviour.
A model‑agnostic approach starts with a different mindset:
Prompts are for communication and planning. Code is for policy, security, validation, and execution.
The stable core: tools, schemas, and policy
To keep agents model‑agnostic, I anchor the system around three stable things:
- Tool contracts (schemas) – what can be done, with what inputs and outputs.
- Policy and guardrails – what is allowed, for whom, under which conditions.
- Observability – logs and metrics that tell you what the agent actually did.
The model is then “just” a planner and natural language interface sitting on top of those stable primitives.
Reference architecture: Copilot frontend + agent layer + tools
This is the mental model I keep coming back to:
flowchart LR
U[User] --> F[Frontends: Copilot / Teams / Web / CLI]
F --> A[Agent Orchestrator Layer]
A --> T[Tool APIs / MCP tools]
T --> S[Systems of Record: SAP, Entra, Ticketing, Data Platforms]
The “agent orchestrator layer” can be Foundry/MCP, your own service, or both. The key is that it owns:
- tool definitions (schemas),
- authentication and permissions,
- input validation and output shaping,
- logging and auditing.
Copilot (or any other frontend) is then a client. A very good client, but still just a client.
Design principle 1: small tools beat giant “do everything” endpoints
When you expose actions to agents, keep them small and well named.
Good tools look like:
sap_get_user(userId)entra_find_user(upn)report_identity_drift(scope)create_ticket(system, summary, severity)
Bad tools look like:
call_any_http(url, payload)run_sql(query)do_everything(action, params)
The bad tools feel “flexible”, but they destroy your security model and make audits impossible. They also tie your prompts to one model’s behaviour, because you need insane prompting to keep the model from doing unsafe things.
Design principle 2: put access control in code, not in prompts
If your agent can touch systems like SAP, HR, finance, ticketing, or identity, then access control must be enforced in code.
In practice, my baseline is:
- Every tool call includes a user context (UPN / objectId, roles, groups).
- Backends filter results by ACL before the model sees any data.
- Topic guards exist for sensitive categories (compensation, layoffs, investigations).
This is also what makes model swaps easier: a new model can be “dumber” about policy and you still won’t leak data, because the backend never hands it over.
Design principle 3: treat models as interchangeable runtime dependencies
Once you have stable tools and guardrails, swapping models becomes a runtime choice:
- fast model for triage and routing,
- strong reasoning model for complex planning,
- specialized model for code generation,
- maybe an on‑prem model for sensitive content.
The agent layer can route requests based on:
- cost budget,
- latency targets,
- data sensitivity,
- workload type (summarise vs plan vs generate code).
This is where “model agnosticism” stops being theoretical. It becomes a practical operating mode.
Where Foundry/MCP fits
I like MCP because it forces you to formalise tool contracts. I like Foundry because it gives you a place to host agents/tools with environment separation and observability.
But the deeper value is architectural: you’re moving from “prompt glue” to “tools with schemas”. That’s the step that makes agents maintainable and model‑agnostic.
In a Microsoft world, I often end up with this split:
- Copilot for inside‑M365 experiences (documents, mail, Teams).
- Foundry/MCP agents for cross‑system workflows (SAP + Entra + ticketing + data platforms).
- A clear boundary where your backend owns policy and secrets.
Practical checklist: how to know you’re model-agnostic
Here are a few “smell tests” I use:
- If you swapped models tomorrow, would your access control story still hold? (It should.)
- Are your actions expressed as stable tool schemas, or as paragraphs in prompts?
- Can you replay and audit tool calls without involving the model?
- Do you have a single place to see which agents exist, who owns them, and what tools they have?
If the answer is “no” to any of these, you’re not model‑agnostic yet. You’re model‑dependent with extra steps.
My take
Models will keep changing. That’s the only stable prediction in this space.
The way to build durable agents in 2026 is to stop treating the model like your application runtime. Treat it like a planning engine that sits on top of:
- clean tool contracts,
- hard guardrails enforced in code,
- and observability you can show to a security team without embarrassment.
If you do that, you get the best of both worlds:
- you can ride the model curve (better, cheaper, more local, more compliant),
- without rebuilding your agents every time the industry changes its mind.
