Agent Monitoring

Traditional application monitoring tracks requests, errors, latency, and infrastructure health. Agent monitoring needs those basics plus reasoning-specific and tool-specific signals. A single user request may trigger multiple model calls, searches, file reads, API calls, browser actions, validation steps, and approvals. If you only log the final answer, you lose the evidence needed to debug reliability and security failures.

At minimum, log a trace for each agent run. The trace should include the user goal, agent version, prompt version, model, token usage, tool calls, tool inputs summarized safely, tool outputs summarized safely, approval decisions, memory reads, memory writes, and final status. The trace should also include enough identifiers to connect the run to product analytics without exposing secrets or unnecessary personal data.

A trace is a timeline of what happened inside an agent run. It answers questions like: which model call decided to use a tool, which tool returned bad data, which approval was skipped, and which memory record influenced the final response? Without traces, teams argue about whether a failure was caused by the prompt, the model, the retrieval source, the tool, the user request, or the product UI.

Trace quality matters more than trace volume. Store structured events instead of only raw text. Redact secrets. Capture references to prompts and datasets so you can reproduce behavior after a release. Keep enough context for debugging but avoid turning monitoring into a privacy risk. A good trace should let an engineer reconstruct the decision path without exposing every private token in the system.

Agent reliability is not a single accuracy score. It includes task completion, correct tool selection, successful tool execution, acceptable latency, stable cost, safe refusal, recovery from partial failure, and user satisfaction. A code-review agent, a research agent, and a customer-support agent need different metrics, but they all need a distinction between 'the agent answered' and 'the workflow succeeded'.

Measure both automated and human-reviewed outcomes. Automated metrics can detect tool errors, timeouts, schema violations, missing citations, or failed validations. Human review can score usefulness, tone, completeness, and whether the agent should have asked for clarification. The evaluation framework at /guides/agent-evaluation-framework/ explains how to turn these metrics into repeatable test sets.

Prompt injection monitoring looks for suspicious instruction patterns, unusual tool requests, attempts to reveal hidden prompts, requests for credentials, and conflicts between user intent and retrieved content. The goal is not to perfectly classify every attack. The goal is to surface risky runs before they become external actions or durable memory writes.

Useful signals include tool calls triggered immediately after reading untrusted content, requests to access unrelated data, attempts to change the agent's role, instructions that mention policy bypass, and sudden increases in write actions. When possible, tag the content source that preceded a risky decision. If an agent reads a web page and then tries to email secrets, the trace should make that chain obvious.

Cost monitoring belongs in the same dashboard as reliability. An agent that completes tasks but burns too many tokens may be operationally unusable. Track input tokens, output tokens, model choice, retries, tool loops, daily requests, and cost per successful task. The AI Cost Calculator at /tools/ai-cost-calculator/ can help estimate scenarios before launch, while production monitoring confirms the real distribution.

Cost anomalies often reveal product or reliability problems. A spike may mean a tool loop, an overly broad retrieval query, a prompt that includes too much context, or a user segment using the agent differently than expected. The agent cost management guide at /guides/agent-cost-management/ covers routing, caching, prompt trimming, and budget limits in more detail.

Memory operations should be observable because memory changes future behavior. Log when the agent reads memory, when it proposes a new memory, when it updates or deletes memory, and whether the source was trusted. If memory writes are invisible, prompt injection can become persistent: malicious content causes a memory write today, and the agent behaves incorrectly tomorrow.

The memory systems guide at /guides/agent-memory-systems/ recommends separating preferences, project facts, task state, and sensitive records. Monitoring should reflect that separation. A preference update has different risk from a billing permission update. Tagging memory type, source, confidence, and expiration makes audits possible.

A useful dashboard separates executive health, engineering debug, and security review. Executive health shows volume, completion rate, cost, and satisfaction. Engineering debug shows traces, errors, latency, model versions, and tool failures. Security review shows blocked actions, suspicious prompts, high-risk tool use, memory writes, and approval bypass attempts.

Alert fatigue is a real risk. Do not page humans for every odd prompt. Start with alerts tied to high-impact outcomes: destructive tool attempts, external sends, production writes, credential exposure, severe cost spikes, repeated tool loops, and failed safety checks. Then review weekly trend reports for lower-risk anomalies and use them to improve prompts, tools, and evaluations.