The first AI incident usually exposes an observability problem before it exposes a model problem. Teams discover that they retained a chat transcript but cannot prove which identity acted, which retrieved content influenced the answer, which policy allowed a tool, or what changed in the target system.
1. Start with investigation questions
Telemetry should answer concrete questions under pressure: Who initiated the run? Which agent and configuration executed? What instructions were effective? What data was retrieved? Which tools were offered, requested, approved, and executed? What did the target system record?
If an event cannot help establish authorization, sequence, scope, or impact, reconsider whether collecting it justifies its privacy and storage cost.
2. Use one correlation chain
Assign an immutable run identifier at the workflow boundary and propagate it through the model gateway, retrieval layer, policy engine, tool broker, approval service, and downstream audit logs. Add a parent identifier when agents delegate work or retry a step.
| FIELD | PURPOSE | EXAMPLE |
|---|---|---|
| run_id | Connect the full workflow | Unique, non-semantic identifier |
| parent_run_id | Trace delegation and retries | Calling agent run |
| actor | Establish effective identity | User, workload, tenant |
| component_version | Reproduce behavior | Agent, prompt, policy, model |
| event_time | Build an authoritative timeline | UTC with millisecond precision |
3. Capture six event classes
Identity and session
Record the authenticated user, tenant, workload identity, delegated credential reference, session identifier, authorization result, and relevant risk signals. Never log raw secrets or bearer tokens.
Instructions and configuration
Record immutable references or hashes for system and developer instructions, agent definition, model, parameters, enabled tools, policy bundle, and deployment version. Preserve the effective ordering of instructions.
Retrieval
Capture the query, authorized corpus, document identifiers, chunk identifiers, ranking scores, filtering decisions, and access-control result. Store sensitive retrieved content only when necessary and permitted; identifiers often provide a safer investigative pivot.
Model interaction
Record model and gateway identifiers, timestamps, token counts, safety and policy outcomes, tool-call proposals, stop reason, and response reference. Treat full prompt and response capture as sensitive evidence with explicit retention rules.
Tools and downstream systems
Capture the offered tool schema version, requested action, normalized arguments or a protected reference, policy decision, execution identity, target, result, latency, and downstream audit-event identifier. Distinguish a proposed call from a completed side effect.
Human approval
Record who approved or rejected, what exact action they reviewed, the risk context shown, the decision time, and whether arguments changed after approval. An approval without an immutable action digest is weak evidence.
4. Protect the telemetry
- Separate operational logs from sensitive prompt or content stores.
- Encrypt evidence, restrict investigator access, and audit every read.
- Hash or tokenize stable identifiers where plaintext is unnecessary.
- Define retention by event class rather than keeping everything indefinitely.
- Use append-only or tamper-evident storage for high-value control-plane events.
- Redact secrets before ingestion and test redaction failure paths.
5. Validate before launch
Run a tabletop with a known prompt-injection attempt and one authorized tool action. Ask an investigator who did not build the system to reconstruct the initiating identity, retrieved evidence, effective instructions, policy path, approval, tool execution, and downstream impact.