Production operations
AI Agent Observability: Events, Traces, and Release Metrics
An observable agent links one user task to every retrieval, model call, tool proposal, policy decision, approval, side effect, retry, and final acceptance result. Start with stable business events and outcome metrics, then map framework-native spans into that model. Do not make raw prompts, screenshots, or tool payloads the default debugging record.
How this guide was produced
Original telemetry and acceptance-metric model synthesized from OpenTelemetry, NIST, OpenAI Agents SDK, and LangSmith documentation. It is framework-neutral guidance, not a vendor benchmark.
AI assisted with research organization and editing. It is not treated as a source. Product capabilities and prices can change; verify the linked primary sources before making a purchase or production decision.
Observability starts with the accepted outcome
A trace viewer full of model calls can still fail to answer the incident question: what did the user ask, what changed outside the system, and was the result accepted? Agent observability must cover both the reasoning runtime and the surrounding application. The task is the top-level unit. Model generations, retrieval requests, tool calls, approvals, and validations are child operations.
This differs from ordinary request monitoring because an agent can take a variable number of steps, choose different tools, wait for a person, resume after deployment, and produce a plausible response while failing the real job. Record enough structured evidence to reconstruct these transitions without depending on a transcript that may be incomplete, expensive, or unsafe to retain.
A vendor-neutral event contract
Use low-cardinality event names and put unique values in attributes. Give each task a stable identifier, then propagate trace and task context through queues, approval systems, tool gateways, and validation jobs. Version the workflow, prompt, tool contract, policy, and acceptance criteria so a later replay can explain which behavior was active.
| Event | Minimum fields | Question answered |
|---|---|---|
| task.received | task_id, workflow_version, channel, risk_class | Start the business outcome, not just an LLM call |
| evidence.retrieved | source_ids, index_version, result_count, latency_ms | Explain what evidence was available |
| model.completed | provider, model, prompt_version, usage, latency, status | Measure model behavior without relying on raw text |
| tool.proposed | tool_name, target_class, action_class, argument_hash | Separate model proposal from execution |
| policy.decided | policy_version, decision, reason_code, approval_required | Show why an action was allowed or blocked |
| approval.resolved | approval_id, role, decision, wait_ms | Measure oversight load and delays |
| tool.completed | tool_name, idempotency_key, status, latency_ms | Reconstruct side effects and retries |
| task.validated | acceptance_version, result, failure_class, reviewer | Connect telemetry to accepted outcomes |
Do not put user IDs, document titles, full URLs with query strings, prompts, or raw tool arguments into metric labels. These values are high-cardinality and may be sensitive. Use internal identifiers, bounded categories, hashes where appropriate, and controlled drill-down storage with stricter access.
Design the trace hierarchy
- Task span: one attempt to satisfy a user goal, carrying workflow and risk versions.
- Stage span: planning, retrieval, execution, validation, or escalation. Stages remain stable even when frameworks change.
- Operation span: model request, search, database call, tool invocation, approval wait, or output validation.
- Event: a point-in-time decision such as policy blocked, budget reached, approval requested, or fallback selected.
Framework tracing can populate the operation layer. The OpenAI Agents SDK, for example, documents spans for agents, model generations, functions, guardrails, and handoffs. Other platforms use runs or nodes. Preserve those details, but translate them into stable task and stage names that match the application's operating model. This keeps dashboards and incident rules useful during framework or provider changes.
Separate proposal, authorization, and execution
A single “tool call succeeded” span hides the most important control boundary. Record when the model proposed an action, when policy evaluated it, whether human approval was required, and when the tool actually executed. This reveals whether a failure came from model choice, validation, authorization, user rejection, integration behavior, or result handling.
For a send-email tool, store bounded fields such as action class, recipient domain class, attachment count, data classification, policy outcome, and tool status. Do not store the message body by default. For destructive or financial operations, add target scope, idempotency key, approval identity or role, and an immutable external transaction reference.
Acceptance metrics that operators can use
| Dimension | Core metric | Interpretation rule |
|---|---|---|
| Quality | Accepted outcomes / attempted tasks | Segment by workflow, version, risk, and input class |
| Policy | Blocked unsafe proposals; executed policy violations | A block is often a successful control, not a task failure |
| Reliability | Tool errors, retry exhaustion, duplicate side effects | Distinguish upstream failure from orchestration failure |
| Intervention | Approvals and manual corrections per accepted outcome | High intervention may expose weak automation economics |
| Latency | p50/p95 task time and approval wait time | Break down model, retrieval, tools, queues, and people |
| Cost | Full cost per accepted outcome | Include models, tools, infrastructure, review, and failure handling |
Use a shared denominator: accepted outcomes. A cheaper model is not economical if it produces more retries and manual corrections. A faster workflow is not healthy if policy blocks rise. A lower intervention rate is not success if users reject the final result. Pair every optimization metric with a quality or control metric.
Build a failure taxonomy before alerts
Alerts are more actionable when failures have stable reason codes. Start with input invalid, evidence missing, retrieval irrelevant, model invalid output, wrong tool proposed, policy blocked, approval expired, tool unavailable, tool rejected input, duplicate prevented, validation failed, budget exceeded, and user rejected. Add categories only when they change ownership or remediation.
Attach the first meaningful failure to the task while retaining downstream consequences. For example, a malformed retrieval result may cause a model refusal and a timeout; the root failure is retrieval, while refusal and timeout remain observable. This avoids on-call dashboards that count one incident three times.
Privacy, security, and retention controls
Agent traces can be more sensitive than ordinary application logs because they may include user messages, retrieved documents, tool arguments, model outputs, browser screenshots, or credentials accidentally exposed by an integration. The OpenAI Agents SDK documentation explicitly notes sensitive data in generation and function spans. Treat any framework default as a configuration to review, not a policy decision already made for you.
- Classify every telemetry field as required, optional, restricted, or prohibited.
- Collect structured metadata by default and raw content only for sampled, authorized investigations.
- Redact secrets before export; do not rely only on viewer-side masking.
- Separate production trace access from general analytics access and record access to restricted traces.
- Set retention by purpose. Debug samples, audit events, and aggregate metrics do not need the same lifetime.
- Test deletion across the primary store, exports, datasets, backups, and third-party observability products.
Release gate for telemetry coverage
- Run a successful task and locate every model, retrieval, tool, approval, and validation operation under one task ID.
- Force each major failure class and verify it produces a stable owner and reason code.
- Retry after a tool side effect and confirm the trace distinguishes replay from a new user request.
- Resume an approval after a deployment and confirm the workflow and policy versions remain visible.
- Inspect exported telemetry for secrets, personal data, raw document content, and unsafe URLs.
- Calculate accepted-outcome rate, policy violations, p95 latency, intervention, and full cost from the same task population.
- Change one prompt or model version and confirm dashboards and regression comparisons still align.
If operators cannot answer “what happened, why, what changed, who approved it, what external side effect occurred, and whether the user accepted the result,” observability is not complete enough for production autonomy.
Retention and replay are different decisions
A replayable system needs inputs, versions, state transitions, and deterministic fixtures; it does not necessarily need every raw production prompt forever. Preserve evaluation cases separately from production traces. When a production incident becomes a regression test, remove or synthesize sensitive data, document the expected constraint, and place the case in a governed dataset.
Also distinguish workflow replay from side-effect replay. Re-running a model or retrieval step may be safe. Re-sending a message, placing an order, or modifying a record may not be. The trace should expose idempotency and the external result so the runtime can recover without repeating irreversible work.
Limitations
This guide defines an application-level contract, not a complete OpenTelemetry specification or product configuration. GenAI semantic conventions and vendor tracing models continue to evolve, so teams should pin versions and maintain a translation layer. Regulated, safety-critical, employment, health, or financial systems require additional domain controls and may restrict content capture more aggressively.
Observability also cannot prove correctness by itself. A detailed trace can faithfully show an unsafe design. Pair telemetry with authorization, adversarial evaluation, incident response, and human accountability.
Related implementation guides
Define release cases with the framework selection checklist and architecture boundaries with RAG vs agents. Apply the security checklist, calculate outcome economics with the automation cost model, and use the readiness checklist before granting production access.
Primary sources
Sources were checked on . Follow the links for current product details.
- OpenTelemetry semantic conventions
Common naming concepts for traces, metrics, logs, events, and resources.
- OpenTelemetry GenAI attribute registry
Current GenAI attributes, tool concepts, token usage fields, and stability context.
- OpenAI Agents SDK tracing
Trace and span coverage plus sensitive-data and processor configuration.
- OpenAI Agents SDK usage
Per-run and per-request usage fields for cost monitoring.
- LangSmith observability concepts
Projects, traces, runs, threads, feedback, metadata, and retention concepts.
- NIST AI RMF 1.0
Risk measurement and management throughout the AI system lifecycle.