// Insight
AgentSight: watching agents from the kernel
Every agent framework ships its own logging, and every one of those logs shares a defect: the agent is reporting on itself. Instrumentation lives inside the application, sees what the framework chooses to expose, and breaks on the next API change. AgentSight moves the observer somewhere the agent cannot reach. It watches from the kernel via eBPF, intercepting TLS-encrypted LLM traffic to recover what the agent intended and tracking system events to record what it actually did.
The authors call the approach boundary tracing. Two streams get captured outside the application: the semantic stream (prompts and responses pulled from encrypted traffic at the TLS layer) and the effect stream (kernel-level events like file access, process spawns, and network connections). A correlation engine joins the two across process boundaries, then a secondary LLM reads the joined trace to flag problems. Reported overhead is under 3%. The whole thing is open source and framework-agnostic: no agent code is modified, which lets it survive framework upgrades that would shred in-process instrumentation.
The three failure classes it demonstrably catches are the right ones. Prompt injection shows up as a divergence between stated intent and observed effect: the conversation says “summarize this document” while the kernel sees a curl to an unfamiliar host. Reasoning loops show up as token spend with no forward progress, the agent burning budget re-deliberating the same step. Multi-agent coordination stalls show up as idle hand-off patterns no single agent’s log would reveal, because each agent is locally fine and the system is collectively stuck.
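The intent-versus-effect join described above can be sketched in a few lines. This is an added illustration, not AgentSight's code: the event fields, the time window, and the host allowlist are assumptions, the sample events are constructed, and a simple rule stands in for the secondary-LLM analysis.

```python
from dataclasses import dataclass

@dataclass
class Semantic:            # one LLM exchange recovered at the TLS boundary
    ts: float
    pid: int
    prompt: str

@dataclass
class Effect:              # one kernel-level event
    ts: float
    pid: int
    ppid: int
    kind: str              # "open", "exec" or "connect"
    detail: str            # path, command, or remote host

def lineage(pid, parents):
    """Return pid plus its known ancestors, so child-process effects map back to the agent."""
    chain = {pid}
    while pid in parents and parents[pid] not in chain:
        pid = parents[pid]
        chain.add(pid)
    return chain

def correlate(semantic, effects, window=30.0):
    """Pair each effect with the latest exchange from its process lineage within window seconds."""
    parents = {e.pid: e.ppid for e in effects}
    joined = []
    for e in effects:
        chain = lineage(e.pid, parents)
        prior = [s for s in semantic if s.pid in chain and 0 <= e.ts - s.ts <= window]
        if prior:
            joined.append((max(prior, key=lambda s: s.ts), e))
    return joined

def divergences(joined, known_hosts):
    """Connections to hosts that are neither allowlisted nor named in the prompt."""
    return [(s, e) for s, e in joined if e.kind == "connect"
            and e.detail not in known_hosts and e.detail not in s.prompt]

# Constructed sample: agent pid 4100 is asked to summarize; child pid 4210 runs curl.
SEMANTIC = [Semantic(100.0, 4100, "summarize this document: report.txt")]
EFFECTS = [
    Effect(100.5, 4100, 1, "open", "report.txt"),
    Effect(101.0, 4210, 4100, "exec", "curl"),
    Effect(101.2, 4210, 4100, "connect", "files.example.net"),
    Effect(101.4, 4100, 1, "connect", "api.llm.example"),
    Effect(300.0, 5000, 1, "connect", "other.example"),   # unrelated process
]
KNOWN_HOSTS = {"api.llm.example"}
```

Calling `divergences(correlate(SEMANTIC, EFFECTS), KNOWN_HOSTS)` returns the single pairing of the summarize prompt with the child process's outbound connection, which the agent's own log would have had no reason to record.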
The desk relevance is direct. It is the reason this note exists. The moment an agent touches order management, research databases, or client data, “what did it actually do” becomes a compliance question rather than a debugging one. An audit trail produced by the audited system is worth little; supervision has to come from a layer the supervised process cannot rewrite. Finance has organized around that principle for decades: separate risk systems, independent reconciliation, surveillance that reads the wire rather than the trader’s notes. Kernel-level tracing is the same control philosophy applied to agents, arriving just as protocol-standardized tool access multiplies what an agent can reach.
There is also a quieter operational payoff. Reliability work needs ground truth, and benchmarks like tau-bench showed how much agent failure hides in variance across reruns of the same task. A boundary trace gives you the forensic record to diagnose those failures in production: which tool call diverged, which retry loop ate the latency budget, which sub-agent went quiet. The same trace that satisfies an auditor shortens the debugging loop.
The caveats are real but unglamorous. Intercepting TLS at the boundary is itself a privileged capability that needs governing: the observability layer sees every prompt, inheriting the data-sensitivity problem it helps police. The secondary-LLM analysis step reintroduces a model’s judgment into the control chain, fine for flagging, wrong for blocking, until its false-positive behavior is characterized. And eBPF means Linux; a shop running agents across managed cloud services will cover only part of its surface this way.
None of that changes the direction. Agents are processes that spend money and touch systems, and processes that spend money get watched by something they do not control. Treat agent observability as a control-plane decision, made independently of whichever agent framework the research team happens to like this quarter. AgentSight is the first credible open implementation of that posture, with overhead low enough to leave on.
AgentSight watches agents from the kernel, joining what the model said to what the process did at under 3% overhead: independent supervision for systems that should never grade their own homework.