Agentic Telemetry Contract
Agentic AI security is moving from “did the model answer correctly?” to “can we prove what context, tool, identity, policy, approval, egress decision, verifier, and incident signal shaped the run?” The Agentic Telemetry Contract turns that into a generated artifact that a platform team can hand to observability, SIEM, MCP gateway, GRC, and acquisition diligence reviewers.
Generated artifact
- Profile: data/assurance/agentic-telemetry-contract-profile.json
- Generator: scripts/generate_agentic_telemetry_contract.py
- Runtime evaluator: scripts/evaluate_agentic_telemetry_event.py
- Evidence pack: data/evidence/agentic-telemetry-contract.json
- MCP tools: recipes_agentic_telemetry_contract and recipes_evaluate_agentic_telemetry_event
Regenerate and validate:
python3 scripts/generate_agentic_telemetry_contract.py
python3 scripts/generate_agentic_telemetry_contract.py --check
Evaluate one telemetry event:
python3 scripts/evaluate_agentic_telemetry_event.py \
--workflow-id vulnerable-dependency-remediation \
--event-class mcp.tools.call \
--attribute service.name=security-recipes-mcp \
--attribute deployment.environment=production \
--attribute trace_id=trace-ci \
--attribute span_id=span-ci \
--attribute workflow_id=vulnerable-dependency-remediation \
--attribute run_id=run-ci \
--attribute agent_id=sr-agent::vulnerable-dependency-remediation::codex \
--attribute identity_id=sr-agent::vulnerable-dependency-remediation::codex \
--attribute correlation_id=ci-correlation \
--attribute receipt_id=sr-run-receipt::vulnerable-dependency-remediation \
--attribute telemetry.redaction_state=metadata_only \
--attribute gen_ai.operation.name=execute_tool \
--attribute gen_ai.tool.name=repo.contents.patch \
--attribute mcp.protocol.version=2025-11-25 \
--attribute mcp.session.id=session-ci \
--attribute mcp.method.name=tools/call \
--attribute jsonrpc.request.id=req-ci \
--attribute network.transport=tcp \
--attribute policy.decision=allow \
--attribute authorization.decision=allow_authorized_mcp_request \
--expect-decision telemetry_ready
Signal classes
| Signal | What must be reconstructable |
|---|---|
| Agent session | Workflow, run, agent, identity, tenant, correlation, and receipt linkage. |
| Model call | Provider/model operation and redaction state without raw prompt capture by default. |
| MCP tool call | JSON-RPC request id, method, session, protocol, transport, tool, policy, and authorization evidence. |
| Context retrieval | Source ids, source hashes, package hash, poisoning scan state, and retrieval decision. |
| Policy decision | Policy pack hash, rule, gate phase, MCP namespace, access mode, and decision. |
| Egress decision | Destination class, data class, policy hash, tenant, and allow/hold/deny/kill result. |
| Human approval | Approval system, actor, decision, expiry, and risk acceptance linkage. |
| Verifier result | Test, eval, scanner, or red-team result linked to receipt and artifact hash. |
| Incident signal | Incident class, severity, containment, replay case, and correlation evidence. |
Enterprise default
The default state is
untrusted_until_required_trace_fields_present. Raw prompt text, model
outputs, tool arguments, tool results, MCP resource URIs, and HTTP bodies
are opt-in only. Credentials, bearer tokens, private keys, seed phrases,
unredacted PII, customer secrets, and cross-tenant context force a
kill_session_on_secret_telemetry decision.
This makes AI easier for enterprises because platform teams do not have to choose between blind agents and unsafe logging. They get a small contract: emit metadata, hashes, policy decisions, and receipt links by default; capture content only with explicit redaction and retention controls.
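The default-deny behaviour described above, as an added Python example that is not the project's evaluator: the required-attribute list is an assumption drawn from the attribute names in the CLI invocation on this page, and the two secret patterns and the `evaluate_event` name are hypothetical.

```python
import re

# Assumed required attributes for an mcp.tools.call event, drawn from the CLI
# example on this page; the project's contract profile is the real source.
REQUIRED = (
    "trace_id", "span_id", "workflow_id", "run_id", "agent_id", "identity_id",
    "correlation_id", "receipt_id", "telemetry.redaction_state",
    "gen_ai.tool.name", "mcp.protocol.version", "mcp.session.id",
    "mcp.method.name", "jsonrpc.request.id", "network.transport",
    "policy.decision", "authorization.decision",
)
# Illustrative secret detectors (assumption, not the project's rules).
SECRET_PATTERNS = (
    re.compile(r"(?i)\bbearer\s+[a-z0-9._~+/-]{16,}"),
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
)


def evaluate_event(attributes):
    """Return (decision, attribute_names) for one mcp.tools.call event."""
    # Secrets win over completeness; report only the key, never the value.
    leaked = [k for k, v in attributes.items()
              if any(p.search(str(v)) for p in SECRET_PATTERNS)]
    if leaked:
        return "kill_session_on_secret_telemetry", leaked
    missing = [k for k in REQUIRED if not attributes.get(k)]
    if missing:
        return "untrusted_until_required_trace_fields_present", missing
    return "telemetry_ready", []


# Constructed sample event built from the CLI invocation's values on this page.
SAMPLE = {
    "trace_id": "trace-ci", "span_id": "span-ci",
    "workflow_id": "vulnerable-dependency-remediation", "run_id": "run-ci",
    "agent_id": "sr-agent::vulnerable-dependency-remediation::codex",
    "identity_id": "sr-agent::vulnerable-dependency-remediation::codex",
    "correlation_id": "ci-correlation",
    "receipt_id": "sr-run-receipt::vulnerable-dependency-remediation",
    "telemetry.redaction_state": "metadata_only",
    "gen_ai.tool.name": "repo.contents.patch",
    "mcp.protocol.version": "2025-11-25", "mcp.session.id": "session-ci",
    "mcp.method.name": "tools/call", "jsonrpc.request.id": "req-ci",
    "network.transport": "tcp", "policy.decision": "allow",
    "authorization.decision": "allow_authorized_mcp_request",
}

if __name__ == "__main__":
    print(evaluate_event(SAMPLE))
```

The second element of the result names the offending attributes only, so the evaluator's own output never repeats a leaked value into another log.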
Source anchors
- OpenTelemetry GenAI semantic conventions
- OpenTelemetry MCP semantic conventions
- MCP Authorization specification
- MCP Transports specification
- MCP Security Best Practices
- NIST AI RMF Generative AI Profile
- CISA AI Data Security Best Practices
- OWASP Top 10 for LLM Applications 2025