Skip to main content

Overview

Many AI agent platforms already emit structured telemetry via OpenTelemetry (OTEL). Rather than requiring agents to integrate an AARM-specific SDK, implementations can ingest existing OTLP data and transform it into AARM event types. This pattern complements AARM’s Telemetry Exporter (which handles output to SIEMs) by defining how to receive agent telemetry as input.

When to Use

ScenarioFit
Agent platform emits OTLP logs/tracesStrong — direct ingestion
Agent has no telemetry but supports MCPUse MCP Gateway instead
You need inline enforcementCombine with SDK or Gateway pattern
You only need observational monitoringThis pattern alone is sufficient
This is an observational pattern. It enables detection and alerting but not inline enforcement. For blocking capabilities, combine with the MCP Gateway or SDK architecture.

Architecture

┌──────────────┐     OTLP gRPC/HTTP         ┌─────────────────┐
│  AI Agent    │ ────────────────────────►  │  AARM Receiver  │
│ (Claude Code,│   Logs, Metrics, Traces    │  (OTLP Endpoint)│
│  Copilot,    │                            └────────┬────────┘
│  custom)     │                                     │
└──────────────┘                            ┌────────▼────────┐
                                            │  Action Parser  │
                                            │  • Tool events  │
                                            │  • Meta-tool    │
                                            │    unwrapping   │
                                            │  • HITL signals │
                                            └────────┬────────┘

                                            ┌────────▼────────┐
                                            │ Policy Engine   │
                                            │ (OPA / custom)  │
                                            └────────┬────────┘

                                       ┌─────────────┼─────────────┐
                                       ▼             ▼             ▼
                               ┌───────────┐  ┌──────────┐  ┌──────────┐
                               │ Storage   │  │ Alerting │  │ Telemetry│
                               │(ClickHouse│  │(Slack,   │  │ Exporter │
                               │ Elastic)  │  │ PagerDuty│  │ (SIEM)   │
                               └───────────┘  └──────────┘  └──────────┘

OTLP-to-AARM Event Mapping

Tool Invocation → Action Event

OTLP log records from agent platforms typically contain tool invocation data. Map these to aarm.action events:
OTLP AttributeAARM FieldNotes
tool_name or tool.nameaction.toolMay require meta-tool resolution (see below)
tool_parametersaction.parameters_hashHash for security; raw for analysis
event.nameUsed for filteringtool_result, tool_use indicate tool events
session.idsession_idCorrelation key for context accumulation
sourcedecision.resultMaps HITL approval status (see below)
service.nameidentity.serviceAgent platform identifier

HITL Approval → Decision Context

Some agent platforms include human-in-the-loop approval status directly in telemetry. For example, Claude Code includes a source attribute:
source ValueAARM Interpretation
user_permanentUser approved and added to allowlist
user_temporaryUser approved for this invocation only
user_rejectUser denied the tool call
user_abortUser cancelled the operation
(empty/absent)Tool ran without human approval prompt
This data can populate both aarm.action events (with decision.result derived from the source) and aarm.approval events (with response timing derived from event timestamps).
HITL approval data in telemetry means an AARM implementation doesn’t always need a separate Approval Service — the approval decisions may already be captured in the agent’s own telemetry stream.

Meta-Tool Resolution

The Problem

Agent platforms frequently use meta-tools — wrapper invocations where the actual tool identity is embedded in the parameters rather than the tool name. Without resolution, policies cannot distinguish between different tools.

Examples

Skill meta-tool (Claude Code): 
{
  "tool_name": "Skill",
  "tool_parameters": "{\"skill\": \"superpowers:brainstorming\"}"
}
The declared tool is Skill, but the actual tool is superpowers:brainstorming. MCP meta-tool (Claude Code): 
{
  "tool_name": "mcp_tool",
  "tool_parameters": "{\"mcp_server_name\": \"linear-server\", \"mcp_tool_name\": \"list_issues\"}"
}
The declared tool is mcp_tool, but the actual tool is linear-server.list_issues.

Resolution Requirement

AARM implementations receiving OTLP data MUST:
  1. Detect meta-tools by matching tool_name against known wrapper patterns
  2. Extract the actual tool identity from tool_parameters JSON
  3. Rewrite the action to reference the resolved tool, not the wrapper
  4. Preserve the original tool name for audit purposes
The Action Mediation Layer’s normalization step should include meta-tool resolution before policy evaluation.

Domain-Specific Drift Profiles

The Context Accumulator uses semantic distance to detect intent drift. However, the appropriate threshold varies significantly by agent domain:
Agent TypeExpected Semantic RangeRecommended Threshold
Customer serviceNarrow (stays on topic)0.6 - 0.7
Coding assistantVery wide (reads, writes, tests, deploys)0.85 - 0.95
Data analystModerate (query → visualize → report)0.7 - 0.8
Research agentWide (search → read → synthesize)0.8 - 0.9
A coding agent asked to “refactor the auth module” will legitimately read files, run tests, modify imports, edit configs, and execute shell commands — all semantically distant from “refactor auth” but entirely appropriate. The 0.7 default threshold would generate constant false positives. Implementations SHOULD support configurable drift profiles per agent type or deployment context.

Standards Convergence

This pattern sits at the intersection of three emerging standards:
StandardFocusOverlap with AARM
OpenTelemetry GenAI SIGAgent observability (performance, debugging)Telemetry format and semantic conventions
OCSFCybersecurity event schemaOutput format for SIEM integration
OWASP AOSAgent observability + security bridgeMaps OTEL traces to OCSF security events
An AARM implementation can ingest via OTLP (this pattern), evaluate with its Policy Engine, and export in OCSF format (via the Telemetry Exporter) — bridging the observability and security domains.

Next Steps

Telemetry Exporter

Export AARM events to SIEM platforms

MCP Gateway

Add inline enforcement for MCP tools

Action Mediation

Normalize and classify agent actions

Context Accumulator

Track session context and detect drift