The first AI incident usually exposes an observability problem before it exposes a model problem. Teams discover that they retained a chat transcript but cannot prove which identity acted, which retrieved content influenced the answer, which policy allowed a tool, or what changed in the target system.

Operating principle: Log the decision path, not just the conversation.

1. Start with investigation questions

Telemetry should answer concrete questions under pressure: Who initiated the run? Which agent and configuration executed? What instructions were effective? What data was retrieved? Which tools were offered, requested, approved, and executed? What did the target system record?

If an event cannot help establish authorization, sequence, scope, or impact, reconsider whether collecting it justifies its privacy and storage cost.

2. Use one correlation chain

Assign an immutable run identifier at the workflow boundary and propagate it through the model gateway, retrieval layer, policy engine, tool broker, approval service, and downstream audit logs. Add a parent identifier when agents delegate work or retry a step.

FIELDPURPOSEEXAMPLE
run_idConnect the full workflowUnique, non-semantic identifier
parent_run_idTrace delegation and retriesCalling agent run
actorEstablish effective identityUser, workload, tenant
component_versionReproduce behaviorAgent, prompt, policy, model
event_timeBuild an authoritative timelineUTC with millisecond precision

3. Capture six event classes

Identity and session

Record the authenticated user, tenant, workload identity, delegated credential reference, session identifier, authorization result, and relevant risk signals. Never log raw secrets or bearer tokens.

Instructions and configuration

Record immutable references or hashes for system and developer instructions, agent definition, model, parameters, enabled tools, policy bundle, and deployment version. Preserve the effective ordering of instructions.

Retrieval

Capture the query, authorized corpus, document identifiers, chunk identifiers, ranking scores, filtering decisions, and access-control result. Store sensitive retrieved content only when necessary and permitted; identifiers often provide a safer investigative pivot.

Model interaction

Record model and gateway identifiers, timestamps, token counts, safety and policy outcomes, tool-call proposals, stop reason, and response reference. Treat full prompt and response capture as sensitive evidence with explicit retention rules.

Tools and downstream systems

Capture the offered tool schema version, requested action, normalized arguments or a protected reference, policy decision, execution identity, target, result, latency, and downstream audit-event identifier. Distinguish a proposed call from a completed side effect.

Human approval

Record who approved or rejected, what exact action they reviewed, the risk context shown, the decision time, and whether arguments changed after approval. An approval without an immutable action digest is weak evidence.

4. Protect the telemetry

  • Separate operational logs from sensitive prompt or content stores.
  • Encrypt evidence, restrict investigator access, and audit every read.
  • Hash or tokenize stable identifiers where plaintext is unnecessary.
  • Define retention by event class rather than keeping everything indefinitely.
  • Use append-only or tamper-evident storage for high-value control-plane events.
  • Redact secrets before ingestion and test redaction failure paths.

5. Validate before launch

Run a tabletop with a known prompt-injection attempt and one authorized tool action. Ask an investigator who did not build the system to reconstruct the initiating identity, retrieved evidence, effective instructions, policy path, approval, tool execution, and downstream impact.

Exit criterion: A responder can reconstruct a cross-system timeline without relying on the user-visible transcript or the memory of the engineering team.