LangChain and LangGraph in Production: A PSF Domain Assessment

Assessment Summary

LangGraph ratings reflect what becomes achievable when using LangGraph atop LangChain — some domains improve meaningfully with the graph-based execution model.

LangChain: Prompt templates provide structural input governance but no semantic validation or sanitisation.

LangChain's prompt templates enforce a consistent structure for inputs, and LCEL chains allow developers to insert pre-processing steps before the LLM call. However, LangChain does not provide native prompt injection detection, PII identification in incoming requests, or semantic classification of user inputs against a permitted-use policy. A user can send adversarial instructions through the standard input pathway without any built-in interception. For PSF Domain 1 compliance, practitioners must explicitly add an input governance step — either a classification LLM call, a guardrails library, or a rule-based filter — before the primary inference step. Many production incidents with LangChain deployments trace back to the absence of this step: the chain processes inputs it was never designed to handle.

LangChain: Output parsers (Pydantic, JSON, XML) provide structural validation for structured outputs. Free-text outputs have no native semantic validation.

LangChain's output parser ecosystem is genuinely useful for structured tasks. If you need a chain to return a specific JSON schema, a Pydantic model parser enforces that structure and retries on format failure. This is real output validation for deterministic-format workflows. The gap is significant for free-text outputs and for any workflow where the semantic correctness of the output matters — not just its structure. A chain that summarises a legal document, answers a customer support question, or classifies a transaction can return a structurally valid response that is factually wrong, inappropriately confident, or harmful. LangChain provides no mechanism to detect this. PSF Domain 2 requires output contracts that specify not just format but permitted content, confidence expression, and handling of uncertain cases. The practitioner must build this.

LangChain: No native PII detection, data classification, or output scrubbing. LangSmith tracing will log PII unless explicitly configured not to.

LangChain does not perform any classification or handling of sensitive data. If a user submits a request containing a social security number, a medical diagnosis, or payment card information, LangChain passes it through — to the LLM, to any tool calls, and (by default) to LangSmith traces. For teams subject to GDPR, HIPAA, CCPA, or PCI DSS, this creates a significant compliance risk that is invisible until an audit or breach. The most common data protection failure mode in LangChain deployments is the LangSmith tracing configuration: developers enable tracing for debugging, forget to exclude PII, and end up with months of sensitive data in a third-party logging system. PSF Domain 3 requires data classification at ingestion, PII handling procedures, and output scrubbing before data leaves the system. All of this must be implemented explicitly.

LangChain: LangSmith provides excellent trace-level observability — one of LangChain's strongest production properties.

LangGraph: LangGraph's checkpointing adds state-level observability across multi-step agent runs.

Observability is LangChain's strongest PSF domain. LangSmith captures full execution traces — every prompt, every model response, every tool call, latency at each step, token usage, and cost. This is the kind of visibility that most AI teams building without LangChain have to construct from scratch. For production incidents, LangSmith traces provide the evidence needed for root-cause analysis: you can reconstruct exactly what the chain was processing when a failure occurred. LangGraph adds another layer: its checkpointing mechanism persists the agent's state at each node in the graph, which means multi-step agent runs can be replayed, inspected, and (where configured) resumed after interruption. For PSF Domain 4, a LangChain + LangSmith deployment satisfies the observability requirement more completely than almost any alternative stack. The main caveat is the PII risk noted in Domain 3 — tracing must be configured thoughtfully in sensitive data environments.

LangChain: LCEL provides structured chain composition. LangServe enables deployment. Neither provides native blast-radius controls or circuit breakers.

LangGraph: LangGraph's interrupt/resume and conditional edge patterns support deployment-safety architectures, but require explicit implementation.

LangChain Expression Language (LCEL) encourages developers to think in terms of explicit pipelines rather than ad-hoc prompt chains — this is a deployment safety benefit, because the execution path is defined and inspectable rather than emergent. LangServe makes deploying chains as REST APIs straightforward. These are useful but narrow deployment safety properties. PSF Domain 5 requires controls on autonomous action scope: blast-radius limits (the maximum consequence a single run can have), rate limits (preventing runaway loops from escalating costs or external API consumption), and circuit-breaker patterns (halting execution when anomalous behaviour is detected). None of these are provided out of the box. A misconfigured LangGraph agent in an infinite loop will continue executing — making LLM calls, invoking tools, incurring costs — until an external system stops it or the budget is exhausted.

LangChain: LangGraph provides first-class human-in-the-loop primitives — interrupt/resume, approval nodes, and state persistence across sessions.

LangGraph is one of the few agent frameworks that treats human oversight as a first-class architectural concern rather than an afterthought. Its interrupt mechanism allows a graph to pause execution at a defined node, serialise state, and wait for human input before resuming. This enables approval workflows that are stateful across sessions — a human can review a pending action hours after the agent proposed it, and the agent resumes with the decision context intact. Conditional edges allow routing based on human input (approve/reject/modify), creating genuinely branching workflows rather than binary halt-or-continue patterns. For PSF Domain 6, a LangGraph deployment can fully satisfy the oversight requirement if the practitioner designs the interrupt points appropriately. The key design discipline is identifying which decisions in the workflow require human judgment and building interrupt nodes at those points before deployment — not adding them reactively after an incident.

LangChain: No native security controls. Prompt injection protection, credential management, and access control require explicit implementation.

LangChain provides no built-in protection against prompt injection — the most common and consequential attack vector against agentic systems. A user who can influence the prompt context can, in an unprotected LangChain deployment, instruct the agent to ignore its instructions, exfiltrate information from its context window, or invoke tools with attacker-controlled parameters. Credential management is the responsibility of the deployment team — LangChain passes whatever environment variables or secrets the developer provides to LLM calls and tool invocations. There is no architectural separation between the agent's operational context and its credentials. For PSF Domain 7, LangChain requires the practitioner to implement a complete security model: input sanitisation to resist injection, secrets management that keeps credentials out of agent context, output filtering to prevent data exfiltration, and access controls on the deployment endpoint.

LangChain: LangChain's model-agnostic architecture is a genuine vendor resilience strength — switching LLM providers requires minimal code changes.

LangChain was designed from the start to be model-agnostic. Swapping from OpenAI GPT-4 to Anthropic Claude to Google Gemini to a locally hosted Llama model is an interface-level change, not an architectural one. This is a meaningful vendor resilience property: if an LLM provider experiences an outage, raises prices significantly, or degrades quality, the migration path is well-defined and low-risk. LangChain supports multi-provider fallback configurations natively — you can define a primary provider and one or more fallbacks, with automatic routing on failure. For PSF Domain 8, this makes LangChain-based deployments substantially more resilient than stacks that are tightly coupled to a single provider's API. The vendor resilience concern shifts from LLM dependency to LangChain itself — but given LangChain is open source and the core abstractions are stable, this is a much lower-risk dependency than a proprietary API.

PSF-Compliant LangChain Stack

LangChain and LangGraph do not provide a PSF-compliant deployment out of the box. The following companion tools close the primary gaps. This is not a prescriptive stack — alternatives exist for each component — but represents a reasonable starting point for practitioners building toward PSF compliance.

Related Assessments