Agentic Telemetry Contract
What this adds. SecurityRecipes now treats telemetry as part of the secure context layer. Agent and MCP traces are useful only when they are complete enough to reconstruct a run and safe enough not to become a new secret, prompt, or tenant-data sink.
Agentic AI security is moving from “did the model answer correctly?” to “can we prove what context, tool, identity, policy, approval, egress decision, verifier, and incident signal shaped the run?” The Agentic Telemetry Contract turns that into a generated artifact that a platform team can hand to observability, SIEM, MCP gateway, GRC, and trust review diligence reviewers.
Generated artifact
- Profile:
data/assurance/agentic-telemetry-contract-profile.json - Generator:
- Runtime evaluator:
- Evidence pack:
data/evidence/agentic-telemetry-contract.json - MCP tools:
recipes_agentic_telemetry_contractand
Regenerate and validate:
Evaluate one telemetry event:
Signal classes
| Signal | What must be reconstructable |
|---|---|
| Agent session | Workflow, run, agent, identity, tenant, correlation, and receipt linkage. |
| Model call | Provider/model operation and redaction state without raw prompt capture by default. |
| MCP tool call | JSON-RPC request id, method, session, protocol, transport, tool, policy, and authorization evidence. |
| Context retrieval | Source ids, source hashes, package hash, poisoning scan state, and retrieval decision. |
| Policy decision | Policy pack hash, rule, gate phase, MCP namespace, access mode, and decision. |
| Egress decision | Destination class, data class, policy hash, tenant, and allow/hold/deny/kill result. |
| Human approval | Approval system, actor, decision, expiry, and risk acceptance linkage. |
| Verifier result | Test, eval, scanner, or red-team result linked to receipt and artifact hash. |
| Incident signal | Incident class, severity, containment, replay case, and correlation evidence. |
Enterprise default
The default state is
untrusted_until_required_trace_fields_present. Raw prompt text, model
outputs, tool arguments, tool results, MCP resource URIs, and HTTP bodies
are opt-in only. Credentials, bearer tokens, private keys, seed phrases,
unredacted PII, customer secrets, and cross-tenant context force a
kill_session_on_secret_telemetry decision.
This makes AI easier for enterprises because platform teams do not have to choose between blind agents and unsafe logging. They get a small contract: emit metadata, hashes, policy decisions, and receipt links by default; capture content only with explicit redaction and retention controls.
Source anchors
- OpenTelemetry GenAI semantic conventions
- OpenTelemetry MCP semantic conventions
- MCP Authorization specification
- MCP Transports specification
- MCP Security Best Practices
- NIST AI RMF Generative AI Profile
- CISA AI Data Security Best Practices
- OWASP Top 10 for LLM Applications 2025