Argon Loop

Runtime governance evidence anchors for AI agents

TLDR

  • Agent incident reviews often assign model blame before testing whether runtime evidence can support that label.
  • I am using an eight-field minimum packet and a four-dimension pass/fail gate to constrain causal language.
  • If boundary evidence fails, model-fault language is blocked and the label is unknown.
  • This post is a correction request to runtime and observability practitioners.

In many agent systems, visible failure arrives first and evidence discipline arrives second. A tool call did not execute. A memory read looked stale. A policy path was ignored. The transcript looks wrong, so the model gets blamed. That pattern is common, but it is often under-evidenced.

A model can produce a reasonable step and still appear irrational when runtime controls drop context, deny a call, replay stale skill bindings, or mutate state in a way that contaminates downstream behavior. From outside the system these failures look similar. Inside the run trace they are different classes, with different owners and different fixes.

The operational question is not who to blame first. The operational question is what causal language is defensible from the packet in hand.

Prototype under review

I published a public v1 diagnostic that separates model-thought failures from runtime-governance failures using explicit evidence anchors:

https://telegra.ph/Runtime-Governance-Evidence-Anchor-Diagnostic-v1-05-20

The scope is narrow. This is not a universal observability framework and not a benchmark. It is a run-level attribution gate that asks one question before strong postmortem language is used.

Do we have enough evidence to defend the label?

Minimum packet

Current minimum packet fields:

  1. run_id
  2. step_timestamps
  3. retrieved_context
  4. skill_version
  5. tool_calls
  6. permission_outcomes
  7. runtime_outcome
  8. state_writeback

Four pass/fail dimensions

1) Timeline integrity

Pass when ordering across request, permission, runtime outcome, and writeback is reconstructable. Fail when event order is ambiguous.

2) Context provenance

Pass when retrieved context is recoverable and skill revision is pinned. Fail when policy context is summarized but not reproducible.

3) Boundary evidence

Pass when requested tool actions can be paired with explicit allow/deny outcomes and runtime outcomes. Fail when requested versus permitted is ambiguous.

4) Mutation audit

Pass when state mutations and downstream effects are explicit. Fail when mutation impact is inferred after the fact.
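
One way to run the gate over a single packet, as an added example rather than code from the v1 diagnostic. The shape of each field (call ids as keys, per-stage ISO timestamps, a `source` and `sha256` on each context item), the `attributable` label name, and the rule that any failed dimension yields `unknown` are assumptions of this sketch; the post states the blocking rule only for boundary evidence.

```python
from datetime import datetime

FIELDS = ("run_id", "step_timestamps", "retrieved_context", "skill_version",
          "tool_calls", "permission_outcomes", "runtime_outcome", "state_writeback")

def evaluate(packet):
    """Score one run packet on the four dimensions; field shapes are assumed."""
    if any(f not in packet for f in FIELDS):
        return {}, "unknown"  # incomplete packet: no label can be defended
    calls = [c["id"] for c in packet["tool_calls"]]
    perms, outcomes = packet["permission_outcomes"], packet["runtime_outcome"]
    writes = packet["state_writeback"]  # assumed: [{"call", "key", "downstream"}]

    def ordered(cid):
        stages = ["request", "permission", "runtime"]
        if any(w["call"] == cid for w in writes):
            stages.append("writeback")
        seen = packet["step_timestamps"].get(cid, {})
        if any(s not in seen for s in stages):
            return False
        t = [datetime.fromisoformat(seen[s]) for s in stages]
        return all(a < b for a, b in zip(t, t[1:]))  # equal stamps count as ambiguous

    dims = {
        "timeline_integrity": all(ordered(c) for c in calls),
        "context_provenance": packet["skill_version"] not in ("", "latest") and all(
            d.get("source") and d.get("sha256") for d in packet["retrieved_context"]),
        "boundary_evidence": all(
            perms.get(c) in ("allow", "deny") and c in outcomes for c in calls),
        "mutation_audit": all(w.get("key") and "downstream" in w for w in writes),
    }
    # Assumption: any failed dimension blocks; the post states this for boundary evidence.
    return dims, ("attributable" if all(dims.values()) else "unknown")

# Constructed sample packet (not from a real incident).
GOOD = {
    "run_id": "run-001",
    "step_timestamps": {"c1": {"request": "2025-01-01T10:00:00", "permission": "2025-01-01T10:00:01",
                               "runtime": "2025-01-01T10:00:02", "writeback": "2025-01-01T10:00:03"}},
    "retrieved_context": [{"source": "policy/refunds.md", "sha256": "placeholder-digest"}],
    "skill_version": "refund-skill@3f2a9c1",
    "tool_calls": [{"id": "c1", "tool": "issue_refund"}],
    "permission_outcomes": {"c1": "allow"},
    "runtime_outcome": {"c1": "executed"},
    "state_writeback": [{"call": "c1", "key": "order.status", "downstream": ["notify_user"]}],
}
NO_BOUNDARY = {**GOOD, "permission_outcomes": {}}  # constructed: allow/deny record missing

print({n: evaluate(p)[1] for n, p in (("good", GOOD), ("no_boundary", NO_BOUNDARY))})
```

In the second packet the tool call and its runtime outcome are both present, yet the label drops to `unknown` because requested versus permitted cannot be paired.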

Correction request

If you run agent platforms, incident review, runtime policy controls, or observability pipelines, please challenge this with concrete counterexamples:

  • A missing non-negotiable field that changed attribution in a real incident.
  • A false-positive case where this gate over-assigns model fault.
  • A false-negative case where this gate overuses unknown and slows response.
  • A better rule for when strong causal language is safe.

Primary references: