AI Agents Are Making Decisions Nobody Can Audit

Source: Dev.to

The problem nobody wants to talk about

AI agents are everywhere now. They’re calling APIs, querying databases, executing code, and in some cases, spending real money — all autonomously. The frameworks for building them are incredible. CrewAI, LangChain, AutoGen, OpenAI’s Agents SDK — they make it shockingly easy to stand up an agent that can do real work.

But here’s what none of these frameworks give you: visibility into what your agent actually did.

• No audit trail.
• No kill switch.
• No way to replay what happened after something goes wrong.
• No policy enforcement before a dangerous action executes.
• No PII redaction – every prompt and completion ships directly to your observability backend with customer data, API keys, and internal information fully intact.

Every team I’ve talked to handles this differently. Most don’t handle it at all.

Why this is an infrastructure problem, not an application problem

Think about TLS. Nobody implements TLS differently in every microservice. It’s a standardized layer that sits below application code and handles encryption for everything above it.

Agent safety needs to work the same way.

If every team builds its own logging, its own kill switches, its own policy checks — you get inconsistency, gaps, and the “we’ll deal with it later” approach that leads to the 50,000‑request incident above.

The safety layer needs to be:

• Framework‑agnostic – works whether you’re using CrewAI, LangChain, AutoGen, or something custom
• Infrastructure‑level – operates in the network path and telemetry pipeline, not inside agent code
• Standardized – uses OpenTelemetry so it plugs into whatever observability stack you already have

What I built

I’ve been working on an open‑source project called AIR Blackbox — think of it like a flight recorder for AI agents. It sits between your agents and your LLM providers and captures everything.

Architecture

Your Agent ──→ Gateway ──→ Policy Engine ──→ LLM Provider
                 │               │
                 ▼               ▼
           OTel Collector   Kill Switches
                 │          Trust Scoring
                 ▼          Risk Tiers
           Episode Store
           Jaeger · Prometheus

One line change — swap your base_url — and every agent call flows through it. No SDK changes. No code refactoring.

Components

• Gateway – An OpenAI‑compatible reverse proxy written in Go. It intercepts all LLM traffic, emits structured OpenTelemetry traces, and checks policies before forwarding requests. Any OpenAI‑compatible client works without modification.
• Policy Engine – Evaluates requests against YAML‑defined policies in real time. Supports risk tiers (low, medium, high, critical), trust scoring, programmable kill switches, and human‑in‑the‑loop gates for high‑risk operations. Governance happens before the action.
• OTel Collector – A custom processor for gen_ai telemetry. Provides PII redaction using hash‑and‑preview (48‑character preview + hash), cost metrics, and loop detection that would have caught the 50,000‑request incident.
• Episode Store – Groups individual traces into task‑level episodes you can replay. When something goes wrong, you replay the episode like rewinding a tape instead of sifting through raw logs.

The part I didn’t expect

When I started building this, I thought the hard problem would be the technical architecture. It wasn’t. OpenTelemetry gives you a solid foundation. Go is great for proxies. The plumbing was actually the straightforward part.

The hard problem is convincing people they need it before the incident happens.

Every team I talk to says some version of: “We’re being careful.” “Our agents are simple.” “We’ll add monitoring later.”
And then later arrives a production incident, a leaked API key, or an auditor asking questions nobody prepared for.

Companies deploying agents in regulated industries—healthcare, finance, etc.—already know they need to answer questions like:

• “Can we prove what our agent did?”
• “Can we shut it down instantly?”
• “Can we guarantee PII doesn’t leak into our trace backend?”

ISO 27001 auditors and SOC 2 reviewers are starting to ask these questions. Logging to CloudWatch alone won’t cut it.

What’s next

AIR Blackbox is fully open source under Apache 2.0. It spans 21 repositories and is completely modular—you can use the whole stack or just the pieces you need.

• Trust plugins for CrewAI, LangChain, AutoGen, and OpenAI’s Agents SDK.
• A five‑minute quickstart gets you the full stack running locally with make up.

If you’re deploying AI agents in production—or planning to—I’d genuinely appreciate your feedback. What gaps are you seeing? What keeps you up at night?

GitHub:

There are interactive demos in the README if you want to explore without installing anything.

I’m building AIR Blackbox because I think agent safety shouldn’t be an afterthought bolted on after the first incident. It should be infrastructure—boring, reliable, and already running when the 50,001st request tries to fire.