What is the safest interpretation of network use under AGPL in SaaS?

[Charles61]

I'm a developer at a startup that's building a commercial SaaS product which incorporates several open-source libraries, and I'm trying to ensure our compliance is airtight but the nuances of copyleft licenses like the AGPL are giving me serious anxiety. Our product is cloud-based, and I'm unclear on whether linking to an AGPL-licensed library constitutes creating a derivative work that would force us to open-source our entire codebase. For developers or legal experts who have navigated this, what's the safest interpretation of network use under strong copyleft licenses in a SaaS context? Are there established best practices for auditing dependencies and isolating licensed code, and how do you handle the risk when a critical library you depend on changes its license to a more restrictive one mid-development?