DEV Community

willamhou
willamhou

Posted on

Claude Managed Agents Has Built-in Tracing. Here's What It Can't Do.

#ai #security #agents #claude

Claude Managed Agents Has Built-in Tracing. Here's What It Can't Do.

Anthropic shipped Claude Managed Agents last week. The pitch: production-grade agents with sandboxing, scoped permissions, and session tracing — built in, no setup required.

The tracing feature specifically: "Session tracing, integration analytics, and troubleshooting guidance are built directly into the Claude Console, so you can inspect every tool call, decision, and failure mode."

This is genuinely useful. If you're debugging a multi-step agent workflow, having every tool call logged in a console is miles better than parsing stderr.

But there's a distinction worth making — one that matters in exactly the situations where it matters most.

"Anthropic Recorded It" vs. "You Can Prove It"

Claude Managed Agents is cloud-hosted. The tracing data lives in Claude Console, on Anthropic's infrastructure.

That means the audit trail is: Anthropic says this happened.

For most debugging use cases, that's fine. You trust Anthropic. They trust you. The logs are accurate. Nobody is lying.

But consider the situations where audit trails actually get pulled:

Your agent made an unauthorized transfer. The question isn't "what does the console say" — it's "can you prove, to a third party, that the agent executed this action with these parameters at this time, and that this record hasn't been modified?"

A compliance audit. SOC 2, HIPAA, GDPR. The auditor asks for evidence of agent actions on sensitive data. "Here are logs from Anthropic's console" is not the same as "here is a cryptographically signed chain of records that I hold and you can independently verify."

An incident investigation. After a breach, forensic investigators need evidence that is tamper-evident and independently verifiable. If the evidence lives on the infrastructure that may have been compromised — or that a vendor controls — its integrity cannot be assumed.

The distinction isn't about trust in Anthropic. It's about the difference between a record and evidence.

What Cryptographic Signing Adds

A signed audit trail works differently.

Each tool call generates a receipt: the action, the parameters, the timestamp, the agent identity — all hashed and signed with the agent's private Ed25519 key. Receipts chain together: each receipt includes the hash of the previous one. Modifying any record breaks the chain. Deleting a record is detectable.

The key difference: you hold the proof, not a vendor.

from signet_auth import SigningAgent

agent = SigningAgent.create("procurement-bot", owner="ops-team")
receipt = agent.sign("marketplace_purchase",
    params={"item": "GPU-A100", "quantity": 2, "price": 15000})

# This receipt is a cryptographic artifact.
# You hold it. Anthropic doesn't.
# Any third party can verify it without contacting anyone.
assert agent.verify(receipt)
Enter fullscreen mode Exit fullscreen mode

When an auditor asks "prove this agent executed this action with these parameters," you hand them the receipt and the public key. They verify it offline. No Anthropic console access required. No vendor dependency in the evidence chain.

The Three Gaps

1. Vendor-held vs. self-held evidence

Managed Agents tracing: logs live in Claude Console. Anthropic controls the data.

Signed receipts: cryptographic artifacts you hold locally. No third party in the verification chain.

2. Log integrity vs. cryptographic integrity

Managed Agents: session logs. Accurate under normal conditions. But a log file — even a well-managed one — can be modified. There's no mechanism in a standard log that makes tampering detectable after the fact.

Signed receipts: hash-chained. Tamper with any entry and the chain breaks. Detect deletions. Detect reordering. The integrity guarantee is mathematical, not administrative.

3. Single-party vs. bilateral proof

Managed Agents: Anthropic logs what happened on their infrastructure.

Bilateral signing (Signet v0.4+): the agent signs the request, the server independently signs the response. One tamper-evident record, two signatures, two trust domains. Rewriting the chain requires compromising both keys on separate machines.

What Managed Agents Does Well

To be clear about what this is not: this is not a criticism of Managed Agents as a product.

For developers building Claude-based agents who need to go to production quickly, Managed Agents is a compelling offer. Sandboxing, authentication, session persistence, scoped permissions, multi-agent coordination — real infrastructure problems, solved. The tracing in Console is useful for development and operational debugging.

The gaps above only matter in specific contexts:

  • Regulated industries (finance, healthcare, legal) where audit evidence must be third-party verifiable
  • Incident response and forensics where evidence integrity must be demonstrable
  • Enterprise compliance where "trust the vendor" isn't an accepted audit answer
  • Cross-vendor or multi-agent workflows where a single vendor doesn't control the full chain

For consumer applications, hobby projects, or internal tools where you trust Anthropic and compliance requirements are light: Managed Agents tracing is probably sufficient.

The Complementary Stack

Managed Agents and signed audit trails aren't competitors. They operate at different layers.

Managed Agents handles: infrastructure, sandboxing, session management, permission scoping, operational tracing.

Signed receipts handle: cryptographic proof of what happened, independently verifiable by any third party, held by you, not a vendor.

Signet works with Managed Agents. Claude Managed Agents uses MCP to connect to external tools — Signet's @signet-auth/mcp intercepts at the MCP transport layer and signs every tool call before it executes. The two layers stack.

Claude Managed Agents
  └── MCP tool calls
        └── Signet SigningTransport  ← signs here
              └── your tool server
Enter fullscreen mode Exit fullscreen mode

The Console shows you what happened. The signed receipts prove it.

The Bottom Line

Claude Managed Agents ships a real, useful tracing feature. If you're using it, your debugging workflow just got better.

But "Anthropic recorded it" and "you can prove it" are different claims. In the situations where audit trails matter most — compliance, incident response, regulated industries — the difference is significant.

Signing is the layer that converts logs into evidence.

Signet adds Ed25519 signing and tamper-evident audit chains to AI agent tool calls. Works with Claude Managed Agents, LangChain, CrewAI, AutoGen, and 7 other frameworks. Apache-2.0 + MIT.

Now on the official Claude Code plugin marketplace: /plugin install signet@claude-plugins-official

Top comments (0)