Engineering16 min read

Real-Time Monitoring for Agentic Workflows

Logs are not enough. This deep dive explains why the next generation of observability has to model intent, not just events, and shows the architecture, instrumentation, and detection patterns that work in production agent stacks.

WTA
Watch Tower Agents
Glowing emerald telemetry streams arcing over a dark observability dashboard

Traditional observability assumes a request-response model: something happens, you log it, you graph it. Agents break that assumption from the first hop. A single user prompt can fan out into dozens of tool calls, retrievals, sub-agent invocations, and recursive plans — most of which only make sense in the context of the original intent. A trace that captures the spans but loses the intent is a pile of events; a trace that preserves intent is a story you can read.

This article is for the platform engineer or security engineer who is instrumenting an agent stack for the first time, or who has logs but no insight. It covers the data model, the collection pipeline, the detection layer, and the operational practices that turn telemetry into action. The examples draw on production deployments at scale, but the patterns are vendor-neutral and apply whether you are building on WatchTower, a commercial APM with agent extensions, or open-source primitives like OpenTelemetry plus a stream processor.

Intent-first traces: the data model that works

We model every agent run as a trace rooted in the user's stated goal, captured verbatim and attached to the root span as a structured attribute. Each subsequent span — a model call, a retrieval, a tool invocation, a sub-agent message — carries three additional attributes: the policy decisions that allowed or denied it, the trust labels on its inputs, and a link back to the reasoning step that produced it. That is what lets a security analyst answer 'why did this agent email a vendor at 2am' in under a minute instead of stitching log lines together for an hour.

Intent is not always a single string. Multi-turn conversations evolve goals, and sub-agents inherit goals from their parents. We recommend a stack-based representation: every span knows its current intent and its parent intent, and policy can be written against either. This is what makes it possible to write a rule like 'no agent operating under a customer-support intent may call the wire-transfer tool, even if a sub-agent rewrites its own goal mid-run.'

Collection pipeline: from agent to detection in sub-second

The pipeline has three stages: emit, transport, and evaluate. Emit happens inside the agent runtime, ideally through an OpenTelemetry-compatible SDK so you do not bind yourself to a single vendor. Transport runs over a streaming bus — Kafka, NATS, or a managed equivalent — with at-least-once semantics and millisecond-grade latency. Evaluate runs as a stream processor that holds a window of recent spans per trace, applies detection rules, and emits actions: allow, deny, quarantine, alert.

The trap teams fall into is treating the pipeline as a log shipper feeding a warehouse. By the time the trace lands in your data lake, the tool call has already executed and the damage is done. Detection that protects has to live in the path. Detection that explains can live downstream. Build both; do not confuse them.

Streaming detections that catch real attacks

Three classes of detection consistently catch real incidents in production. First, intent-violation detections: a span requests a tool that is incompatible with the root intent. Second, provenance-violation detections: a high-impact action's justification cites untrusted context. Third, behavioral anomaly detections: a trace shape (depth, fanout, tool mix) deviates significantly from the agent's historical envelope. The first two are deterministic and cheap; the third requires a baseline but catches the novel attacks the deterministic rules miss.

Latency budgets matter. Detections that wait for log shipping happen after the malicious tool call has already executed. Sub-second streaming evaluation against the live trace is the only way to quarantine in time. Architect for the budget from day one — retrofitting latency is harder than retrofitting features.

What good telemetry looks like

A good agent trace is searchable by intent, replayable end-to-end against a frozen model snapshot, joinable with your existing SIEM through a shared correlation identifier, and exportable as compliance evidence without engineering involvement. If your platform forces analysts to stitch agent activity together from raw logs, the detection job has already lost; if it forces engineers to build custom exports for every audit, the compliance job has already lost. The same telemetry should serve both audiences.

Replayability and post-incident forensics

Incidents you cannot replay are incidents you cannot learn from. The minimum bar: every trace can be re-executed against the original model version and tool snapshot to reproduce the decision sequence. The higher bar, which we recommend for regulated industries: traces are stored with cryptographic hashes that prove the trace was not modified after capture, and replay is a first-class operation in the platform UI. WatchTower implements both; if you are building your own, plan for hashes from the start because retrofitting integrity is expensive.

Operational practices that turn telemetry into action

Telemetry without an on-call rotation is decoration. Treat agent traces the same way you treat production application traces: define SLOs for detection latency and false-positive rate, route alerts through the same paging system, run weekly anomaly reviews, and tie every confirmed incident to a policy or code change. The teams that get value from agent observability are the ones that operationalized it; the teams that have dashboards nobody watches are still in the demonstration phase.

Frequently asked questions

How is agent observability different from microservice tracing?

Microservice traces are deterministic, shallow, and bounded by a known service graph. Agent traces fan out unpredictably based on model reasoning, mix tool calls with reasoning steps, and need to be searchable by intent rather than just by service name. The data model and the detection layer both have to accommodate that non-determinism.

What latency do agent detections need to run at?

Sub-second from span emission to action. Detections that wait for log shipping happen after the malicious tool call has already executed. Streaming evaluation against the live trace is the only way to quarantine in time, which is why the collection pipeline cannot be a log-shipper retrofit.

Can I use OpenTelemetry for agent observability?

Yes, and you should. OpenTelemetry's data model accommodates intent and trust labels as span attributes, and using it keeps you portable across vendors. WatchTower's SDK is OTel-compatible, and most modern agent frameworks ship OTel emitters out of the box.

How long should I retain agent traces?

Hot retention for at least 30 days to support incident response and replay. Warm retention for one year to support audit cycles and trend analysis. Cold retention for the period required by your regulatory regime — for financial services this is often seven years for traces involving customer transactions.

Do I need a separate SIEM for agent activity?

No. Forward agent events to your existing SIEM through the same correlation identifier you use for application logs. The detection layer that gates tool calls lives in your agent platform; the long-term storage, correlation, and analyst workflow lives in your SIEM.

How do I baseline behavioral anomaly detection without false positives?

Run in observe-only mode for at least two weeks per agent to learn the trace-shape envelope. Tune thresholds against the false-positive rate, not the true-positive rate, because analyst trust is the scarce resource. Re-baseline whenever the agent's capability or model changes materially.

Govern your agents before they ship

See WatchTower running on your stack in a 30-minute walkthrough.