HomeAI AgentsAI Agent Observability: Traces, Evals and Costs

AI Agent Observability: Traces, Evals and Costs

Last updated: July 14, 2026 · By Ignacy Kwiecien, founder & editor-in-chief, DecodeTheFuture.org

Quick answer: AI agent observability is the practice of collecting enough evidence to explain what an agent did, whether the result was good, how much it cost, how long it took and whether it crossed a safety boundary. Start with one end-to-end trace per task, then add nested spans for model calls, retrieval, tool calls, handoffs, approvals and errors. Combine traces with deterministic checks, sampled human review and repeatable evals. Do not treat a dashboard or a raw token count as proof of reliability.

Scope note: This is an implementation guide, not a ranking of observability vendors. The companion Best LLM Observability Tools 2026 compares platforms. Here the central question is what evidence your own agent system must emit before a tool call, model change or prompt edit can be trusted.

What is AI agent observability?

AI agent observability is the instrumentation and operating practice used to understand an agentic application from the outside. It covers telemetry, trace structure, quality signals, privacy controls, alerting and the workflow for turning a failed run into a verified fix.

A conventional request often has a short path: HTTP request, application code, database query and response. An agent can add model selection, context assembly, retrieval, planning, tool calls, retries, handoffs, approvals and a final answer. A single “request succeeded” metric hides too much. The HTTP request may have returned 200 while the agent called the wrong tool, leaked sensitive context, exceeded its budget or produced an answer that failed the business task.

Observability therefore has to preserve the shape of the run. A useful record answers five questions:

  1. What happened? Which workflow, agent, model, prompt version, tools and data sources were involved?
  2. Where did time and money go? Which model call, retrieval step or tool dominated latency and cost?
  3. Was the result useful? Did it satisfy a deterministic contract, a rubric or a human reviewer?
  4. Was the run safe? Did it expose private data, attempt a disallowed action or bypass an approval boundary?
  5. Can we reproduce the diagnosis? Can an engineer find the same trace, prompt version, tool result and evaluation after deployment?

Why agent telemetry needs a trace tree

A trace is the end-to-end record for one logical task. Spans are the timed child operations inside it. The exact names vary by framework, but the hierarchy should make the execution legible. For the broader production stack, see AI Architecture for Production; for trust boundaries around tools and approvals, see AI Agent Security 2026.

AI agent observability trace treeOne workflow trace contains model, retrieval, tool, handoff, approval and evaluation spans. AI agent observability trace treeDecodeTheFuture.orgAI agent observability, tracing, evaluations, OpenTelemetryTrace and span hierarchy for a production agent run.Diagramimage/svg+xmlen© DecodeTheFuture.org workflow trace model retrieval tool handoff approval guardrail tokens + latency quality score privacy + errors

The most valuable trace is not necessarily the most verbose trace. Capturing every prompt, retrieved document and tool payload can create privacy, retention and cost problems. The design goal is diagnostic sufficiency: enough structured evidence to explain a decision, with redaction and sampling rules that make the telemetry safe to store.

The minimum event model

Before choosing a platform, define a small internal vocabulary. Vendor dashboards can map their fields to it, while OpenTelemetry can carry the common infrastructure context. The OpenTelemetry GenAI conventions are still evolving, so record the convention version and keep application-owned fields namespaced rather than pretending every field is stable.

LayerMinimum fieldsWhy it matters
Task tracetrace ID, workflow name, tenant or request class, start/end time, outcomeGroups the complete user task and supports incident lookup.
Model spanprovider, model, operation, prompt version, input/output tokens, finish reasonExplains quality, latency and spend changes after a model or prompt update.
Retrieval spanindex, query ID, filters, result count, top-k, document version, retrieval latencySeparates retrieval failure from generation failure without logging an entire corpus.
Tool spantool name, schema version, arguments hash, result status, duration, approval stateShows whether the agent selected the right capability and whether execution succeeded.
Control spanhandoff target, retry number, guardrail result, human decision, cancellation reasonMakes agent loops, escalation and safety boundaries measurable.
Quality eventmetric name, score, evaluator version, label source, evidence pointerConnects “what happened” to “was it good?” without mixing evaluation with raw traces.

Instrument the workflow before the model

A common mistake is to add a model callback and call the system observable. That captures token counts but not the business operation around the model. Start at the workflow boundary, then instrument each meaningful transition.

  1. Define the trace boundary. One customer request, scheduled job or batch item should have one stable trace. Use a group or conversation identifier only when several traces belong to one user journey.
  2. Propagate context. Pass the trace context through queues, async tasks, tool workers and HTTP calls. A tool executed in another service should remain a child or linked span, not an unrelated log line.
  3. Separate planned from executed actions. Record the agent’s proposed tool call and the actual tool result as different events. This helps identify schema errors, policy blocks and external failures.
  4. Version prompts and policies. A prompt hash is not enough when the prompt is assembled from retrieved instructions. Store a stable prompt or policy version and the identifiers of the components that were selected.
  5. Capture errors structurally. Record timeout, rate limit, validation failure, refusal, policy block and business rejection as distinct outcomes. “Exception” is too broad for an agent runbook.

OpenAI’s Agents SDK is an example of a framework that creates traces and spans for agent runs, generations, function tools, guardrails and handoffs. It also exposes a setting that disables sensitive data capture. The framework-specific surface is useful, but the operating principle is portable: the trace should mirror the execution graph.

Python — sensitive-data-aware tracing
from agents import Agent, Runner, RunConfig

agent = Agent(
    name="support_triage",
    instructions="Classify the request and use approved tools only.",
)

result = await Runner.run(
    agent,
    input="Classify this support request",
    run_config=RunConfig(
        workflow_name="support-triage",
        group_id="conversation-123",
        trace_include_sensitive_data=False,
        trace_metadata={"prompt_version": "triage-2026-07-14"},
    ),
)
print(result.final_output)

Do not copy this example into production without checking the SDK version and your own data policy. A flag that prevents sensitive payload capture is helpful, but it does not decide which identifiers, tool outputs or application logs are safe. That remains an architectural responsibility.

OpenTelemetry, native SDKs and the portability decision

There are three practical instrumentation strategies:

StrategyStrengthTrade-offGood fit
Native framework tracingFastest path to rich spans for one agent framework.Field names, retention and export behavior are framework-specific.A team standardizing on one SDK and one backend.
OpenTelemetry-firstCommon propagation, collectors and correlation with normal services.GenAI conventions and instrumentation quality are still uneven across libraries.Platform teams that need vendor choice and distributed tracing.
Dual exportDeveloper-friendly agent UI plus central infrastructure telemetry.Duplicate storage, cost and governance paths must be controlled.Teams that need both agent debugging and existing APM operations.

OpenTelemetry’s GenAI work gives teams a shared direction for provider, model, token, operation and evaluation signals, but the specification includes development-status areas. Treat it as a contract to monitor, not a reason to delete your own compatibility layer. Keep an internal event schema and map it to the exporters you use.

LangSmith documents tracing, monitoring, alerts, automations and online evaluations. Phoenix is built on OpenTelemetry and OpenInference and combines tracing with evaluations, datasets and experiments. Langfuse, covered in the companion roundup, is another option for teams that want open-source or self-hosted control. These tools can be useful destinations; none removes the need to define what a successful task means.

What to measure: reliability, quality, cost and safety

Agent observability becomes operationally useful when every metric is tied to a decision. A dashboard with dozens of time series can still fail to answer whether the product is improving.

Signal familyExamplesDecision it supports
Reliabilitytask success, tool success, schema-valid calls, retry rate, timeout rate, fallback rateShould the workflow or integration be redesigned?
Qualitygroundedness, answer correctness, policy adherence, human acceptance, task completionDid a model, prompt or retrieval change improve the product?
Latencytime to first token, end-to-end p50/p95, tool duration, queue wait, model durationWhere should latency budgets be spent?
Costinput/output tokens, cached tokens, provider cost, tool cost, cost per successful taskIs the system becoming cheaper per useful outcome?
Safetyblocked actions, approval rate, sensitive-data detections, prompt-injection indicators, abnormal tool sequencesDid the system cross a boundary or require a policy change?
Operationsdeployment version, model availability, rate limits, queue depth, exporter healthIs the application or its dependencies degraded?

Agent-specific metrics that ordinary APM misses

  • Steps per successful task: an increasing step count can signal prompt drift, weak routing or a loop.
  • Tool selection accuracy: compare the selected tool with a labelled or deterministic expected capability.
  • Replan and retry rate: distinguish a useful recovery from repeated attempts that only increase spend.
  • Handoff rate: measure how often a task moves between agents and whether the handoff improves completion.
  • Approval friction: count approvals requested, approved, rejected and timed out; a low approval rate can be a product or policy problem.
  • Cost per successful task: total tokens divided by successful outcomes is more informative than average tokens per request.

Traces show behaviour; evals show quality

A trace can prove that the agent retrieved three documents and called a CRM tool. It cannot prove that the answer was correct or that the right customer record was updated. Evaluation adds a repeatable quality signal to the trace.

Use several evaluator types:

  • Deterministic checks: JSON schema validation, required citations, permission checks, exact fields, status transitions and numerical invariants.
  • Model-based graders: rubric-scored correctness, relevance, groundedness, style or tool-use quality. Treat judge output as a signal, not an objective truth.
  • Human review: a sampled queue for ambiguous, high-impact or safety-sensitive tasks.
  • Outcome labels: the business result, such as accepted resolution, successful deployment, resolved ticket or corrected transaction.

Arize Phoenix documents both code-based and LLM-based evaluators and supports evaluation on traces, datasets and experiments. This is the right mental model: evaluations should be able to inspect the same evidence that an engineer uses during debugging.

Practical rule: every production quality metric should have a trace or evidence pointer behind it. If an alert says groundedness fell, an engineer should be able to open representative runs, see the retrieved context and identify whether the failure came from retrieval, synthesis or the evaluator.

Build an eval loop from real traces

  1. Sample runs deliberately. Include successes, failures, long-tail latency, tool errors, guardrail blocks and high-value customer segments. Random samples alone underrepresent rare failures.
  2. Redact before dataset creation. Remove secrets and personal data, or replace them with stable placeholders that preserve the test structure.
  3. Freeze a baseline. Keep a versioned dataset, evaluator version, model identifier and prompt version. A score without these dimensions is not comparable.
  4. Run offline regression tests. Test the candidate prompt, model or tool schema against the same cases before rollout.
  5. Use shadow or canary traffic. Compare production-like traces without giving the candidate system authority to perform irreversible actions.
  6. Close the loop. Turn confirmed failures into a regression case. Do not rely on a one-off prompt tweak that cannot be tested again.

Cost and latency budgets for agent loops

Agents turn small inefficiencies into compound spend. If a task takes several model calls, retries and tool invocations, the average cost per request can conceal a costly tail. Track both total cost and cost per successful task.

A simple internal budget can be expressed as:

Task cost = model input + model output + retrieval/embedding + tool execution + platform overhead
Then report cost per successful task separately from cost per attempted task.

Set limits in code, not only in the prompt: maximum model turns, maximum tool calls, maximum wall-clock duration, maximum estimated spend and a clear fallback. When a limit is reached, emit a structured outcome such as budget_exceeded rather than a generic timeout.

Latency needs the same treatment. A p95 end-to-end target can be decomposed into model, retrieval, tool and queue budgets. The decomposition helps you decide whether to cache, parallelize retrieval, choose a smaller model or remove an unnecessary agent step.

Privacy and security are part of observability

Agent traces can contain the most sensitive data in a system: user prompts, retrieved documents, account identifiers, tool arguments and model outputs. More telemetry is not automatically better telemetry.

  • Classify trace fields before enabling capture. Treat prompts, completions and tool payloads as potentially sensitive by default.
  • Prefer hashes, IDs and references when the raw payload is not necessary for diagnosis.
  • Redact secrets at the instrumentation boundary, not only in a dashboard view.
  • Separate debug retention from long-term aggregate metrics.
  • Restrict access to traces and log every export or sharing action.
  • Test that a blocked tool call and a prompt-injection attempt do not leave sensitive content in an unintended sink.
Do not confuse trace filtering with authorization. Hiding a tool span or selecting a subset of Skills does not prevent the underlying application from accessing data. Authorization, sandboxing and approval gates must be enforced by the runtime and tool layer.

Failure budgets and an agent runbook

Traditional SLOs often start with availability. For agents, an operational contract should include quality and safety. A service that is available but produces wrong tool actions is not healthy.

BudgetExample objectiveWhen it burnsFirst response
Task successAt least 96% of labelled low-risk tasks completeOutcome evaluator or human review marks a failureOpen representative traces and compare prompt/model versions.
Tool correctnessAt least 99% of calls pass schema and permission checksWrong tool, invalid arguments or blocked actionInspect tool selection, schema version and context assembly.
Latencyp95 under the product targetEnd-to-end or component percentile exceeds budgetBreak the trace into queue, model, retrieval and tool spans.
CostCost per successful task below the unit-economics ceilingRetries, long contexts or model routing increase spendInspect token distribution and steps per successful task.
SafetyZero unauthorized irreversible actionsApproval, policy or authorization invariant failsFreeze the capability, preserve evidence and investigate access control.

A useful incident sequence is alert → trace → span → evidence → regression test → guarded rollout. The alert identifies a changed signal. The trace identifies the affected execution. The span narrows the component. Evidence identifies the failure mechanism. The regression test prevents recurrence. The guarded rollout verifies the fix without giving a new agent unrestricted authority.

Reference architecture for production

A sensible first version has five layers: application instrumentation, an OpenTelemetry collector or native exporter, a trace and metrics backend, an evaluation pipeline, and an operational control plane. The quality and safety layer should read from traces but should not be allowed to rewrite them silently.

LayerResponsibilityAnti-pattern to avoid
Agent runtimeCreates trace/span context and emits model, retrieval, tool and control events.Logging only the final answer.
CollectionRedacts, batches, samples and routes telemetry.Sending every raw payload to every backend.
AnalysisShows traces, service health, costs, evaluations and cohorts.One dashboard with no stable event definitions.
Quality loopBuilds datasets, runs evaluators and stores versioned scores.Changing judge prompts without versioning them.
Control planeManages budgets, approvals, rollback, policy and access.Assuming observability itself is an authorization layer.

Implementation checklist

Before calling an agent observable, check each item:

  1. Every logical task has a stable trace ID and workflow name.
  2. Model, retrieval, tool, handoff, guardrail and approval operations appear as separate spans or events.
  3. Prompt, policy, tool-schema and model versions are queryable.
  4. Tokens, latency, retries, errors and estimated cost are recorded per task.
  5. At least one deterministic evaluator and one human or model-based quality signal exist.
  6. Representative failed runs can be promoted into a versioned regression set.
  7. Trace retention, redaction and access controls are documented.
  8. Budgets stop or degrade the agent before it can loop indefinitely.
  9. Alerts link to an evidence-bearing trace, not only an aggregate number.
  10. A model or prompt rollout has a canary, rollback and post-deployment comparison plan.

What to build first

If the system is currently invisible, do not start with an elaborate platform migration. Instrument one critical workflow end to end. Capture the trace, model spans, tool calls, cost, latency, outcome and a small redacted sample of inputs. Add one deterministic check and one human review queue. After that baseline exists, decide whether native tracing, OpenTelemetry, a self-hosted platform or an enterprise APM destination is the best operational fit.

The most important design decision is not which vendor has the most features. It is whether the team can connect a user-visible failure to an execution step, a quality signal and a code or policy change. That is the difference between an agent dashboard and an observability system.

FAQ

What is AI agent observability?

It is the collection and operation of traces, metrics, logs and evaluation signals that explain an agent run, including model calls, retrieval, tools, handoffs, cost, latency, quality and safety outcomes.

What should an AI agent trace contain?

At minimum, capture the workflow trace, model calls, prompt and model versions, retrieval steps, tool calls, approvals, errors, retries, latency, token usage and a pointer to the quality or business outcome.

Is OpenTelemetry enough for AI agents?

OpenTelemetry is useful for propagation, collection and correlation with normal services, but teams still need application-specific event definitions, quality evaluators, privacy controls and agent-loop metrics.

What is the difference between LLM tracing and agent observability?

LLM tracing records model interactions. Agent observability includes those interactions plus retrieval, tools, control flow, handoffs, approvals, budgets, business outcomes and safety signals.

How do you evaluate an AI agent in production?

Sample representative traces, redact sensitive data, apply deterministic checks, add rubric-based or human evaluation, version the dataset and evaluator, and turn confirmed failures into regression tests.

Should traces include prompts and tool results?

Only when the diagnostic value justifies the privacy and retention risk. Prefer redaction, hashes and evidence pointers where possible, and enforce access controls at the telemetry pipeline.

What metrics matter most for agent reliability?

Track task success, tool correctness, schema-valid calls, retry and loop rates, p95 latency, cost per successful task, handoff outcomes, guardrail blocks and unauthorized-action attempts.

Bibliography

Sources prioritise official framework documentation and OpenTelemetry project material. Vendor feature claims are treated as vendor-published unless independently audited. Links accessed July 14, 2026.

  1. OpenTelemetry. GenAI semantic conventions. Common attributes and metrics for generative AI telemetry, including provider, model, tokens and operation signals. github.com/open-telemetry/semantic-conventions-genai
  2. OpenTelemetry. Semantic conventions for generative AI metrics. Development-status metrics for token usage, operation duration and time-to-first-token. github.com/open-telemetry/semantic-conventions
  3. OpenAI Agents SDK. Tracing. Built-in traces and spans for agents, generations, tools, guardrails and handoffs, plus sensitive-data controls. openai.github.io/openai-agents-python/tracing
  4. OpenAI Agents SDK. Running agents: tracing and observability. Workflow names, trace IDs, group IDs, metadata and per-run tracing controls. openai.github.io/openai-agents-python/running_agents
  5. LangChain. LangSmith Observability. Tracing, trace views, monitoring, alerts, automations, feedback and online evaluations. docs.langchain.com/langsmith/observability
  6. Arize AI. What is Phoenix? OpenTelemetry and OpenInference-based tracing, evaluations, datasets and experiments for AI applications. arize.com/docs/phoenix
  7. Arize AI. Evaluation. Deterministic and LLM-based evaluators on traces, datasets and experiments. arize.com/docs/phoenix/evaluation/evals
  8. OpenInference. How Tracing Works in Phoenix. Instrumentation, exporters, OTLP and trace collection architecture. arize.com/docs/phoenix/tracing
  9. Anthropic. Building effective agents. Guidance on simple, observable workflows and agentic systems. anthropic.com/research/building-effective-agents
  10. OWASP. LLM Top 10. Security risks including prompt injection, excessive agency and insecure output handling. owasp.org/www-project-top-10-for-large-language-model-applications
  11. NIST. AI Risk Management Framework. Risk-management vocabulary and governance context for AI systems. nist.gov/itl/ai-risk-management-framework
RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisment -

Most Popular

Recent Comments