
The agent said it ran the tests. eBPF says no test binary was executed.

Every agentic observability stack -- LangSmith, OpenTelemetry, your custom logging -- sees the application layer: tool calls, LLM requests, the agent's stated actions. None of it sees the kernel. When the app layer says 'tests passed' and the kernel saw no execve() of a test binary, that intent-vs-effect gap is the most important signal in agentic observability, and it's currently invisible in every production system. AgentSight (arXiv:2508.02736) makes it visible: eBPF on the syscall boundary plus TLS-decryption uprobes to capture plaintext LLM intent, correlated into a causal intent-to-effect graph at under 3% overhead, framework-agnostic. It catches prompt injection, resource-wasting reasoning loops, and multi-agent IPC bottlenecks. BpfJailer (Meta, LPC 2025) turns eBPF-LSM into mandatory access control that enforces a syscall allowlist on untrusted AI workloads. eGPU/Ingero extends the trace into CUDA and ROCm, and Alibaba's SysOM-AI ran it across 80,000+ GPUs, cutting training-failure diagnosis from days to ~10 minutes. The agent can lie. The kernel cannot.

July 3, 2026

That's the gap I want to talk about.

Every AI agent framework has an application-layer view of what the agent is doing. LangSmith traces the tool calls. OpenTelemetry captures the LLM API requests. Your custom logging catches the agent's stated actions and the outputs it reports. This is the observability stack every team building agentic systems has deployed or is deploying.

None of it sees the kernel.

The agent says "I ran the tests and they passed." Your application monitoring sees: execute_tests tool was called, the model received output "tests passed," the task completed. What it doesn't see: what processes actually spawned, what files were actually accessed, whether a test binary actually executed. The kernel saw all of that. Your monitoring didn't ask.

When the application layer and the kernel layer disagree -- when an agent claims to have done something that didn't produce the syscalls it should have produced -- you have found the most important signal in agentic observability. Prompt injection that redirected the agent. Reasoning loop that short-circuited without doing the actual work. Hallucinated tool outputs. Model that learned to say what success looks like without producing it.

This signal is currently invisible in every production agentic system I know of. AgentSight (arXiv:2508.02736) is the paper that makes it visible.


Boundary tracing: monitoring the gap between intent and effect.

AgentSight's core insight is architectural. Monitor agents from outside their application code -- not inside the framework, not by modifying the agent's code -- at stable system interfaces that the agent must cross to affect the real world.

An AI agent running code, writing files, making API calls, executing tests: none of these things can happen without syscalls. The kernel is the mandatory checkpoint. execve() to run a binary. open() to read a file. write() to write one. connect() to make a network request. No agent, no matter how sophisticated, can bypass the syscall interface without being detected by eBPF tracing at the kernel level.

AgentSight attaches eBPF programs to two hook points simultaneously and feeds both event streams into a correlation engine:

The syscall boundary: standard eBPF kprobes on system calls. Every process spawn, file access, network connection, memory allocation -- captured, timestamped, attributed to the process tree of the agent.

The TLS decryption boundary: LLM API calls travel over HTTPS. They're encrypted. eBPF uprobes on the TLS library (OpenSSL, BoringSSL) hook at the point after decryption, extracting plaintext LLM requests and responses before they leave the library. The agent's intent -- the prompt, the tool calls, the model's responses -- is captured in plaintext without modifying the framework or requiring access to API keys.

The causal correlation engine: given both streams, AgentSight builds a causal graph: this LLM response → this set of syscalls. Intent mapped to effect. The correlation uses process lineage (which process spawned which child) and temporal ordering (syscalls within N milliseconds of the LLM response). When the agent says it will run a file and the next LLM call says it succeeded, you check whether an execve() of that file was observed in the intervening window.

When the correlation fails -- intent without matching effect, or effect without matching intent -- that's the anomaly.

Three things AgentSight detects from this:

Prompt injection attacks: an injected instruction redirects the agent's stated goal. Application monitoring sees the agent completing a task. Kernel monitoring sees it accessing files or network endpoints inconsistent with the stated task. The divergence is the signal.

Resource-wasting reasoning loops: the agent generates multiple similar LLM calls without any intervening kernel activity (no file writes, no process spawns, no tool output files created). The application layer sees "thinking." The kernel sees nothing happening. If nothing is happening for ten inference calls in a row, that's a loop you're paying for without progress.

Hidden coordination bottlenecks in multi-agent systems: when multiple agent processes are running, eBPF traces inter-process communication -- shared memory, pipes, sockets -- at the kernel level. Bottlenecks in agent handoffs that are invisible at the application layer (because each agent sees its own operation as fast) show up as wait time in the IPC trace.
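The correlation logic described above (process lineage plus a time window after each LLM response), and the first two detections built on it (intent without effect, effect without intent, and reasoning loops with no intervening kernel activity), as an added example that is not AgentSight's own code. Both event streams are constructed sample data: the `LlmEvent` records stand in for what the TLS uprobe would yield after decryption, the `SyscallEvent` records for the kprobe stream, and `api.example.com:443` is a hypothetical LLM API endpoint.

```python
"""Intent-to-effect correlation over two constructed event streams.

Hypothetical model of the AgentSight correlation step, not the project's code.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

Claim = Tuple[str, str]  # (syscall name, substring expected in its argument)


@dataclass
class LlmEvent:
    ts_ms: int
    pid: int                  # process that made the HTTPS call to the model
    claim: Optional[Claim]    # action the model says it is taking; None = pure reasoning


@dataclass
class SyscallEvent:
    ts_ms: int
    pid: int
    ppid: int
    name: str                 # execve / openat / connect / clone
    arg: str                  # binary, path or endpoint


AGENT_ROOT_PID = 1000
WINDOW_MS = 500                                  # effect must follow intent within this window
WORK_SYSCALLS = {"execve", "openat", "clone"}    # "something happened"; the API connect itself is not work
LLM_API_ENDPOINTS = {"api.example.com:443"}      # hypothetical, assumed endpoint of the model API

# Constructed sample streams. Note the execve of pytest by pid 2000: it is a
# different process tree, so it must NOT satisfy the agent's claim.
LLM_EVENTS = [
    LlmEvent(0, 1000, ("execve", "pytest")),     # "I'm running the tests now"
    LlmEvent(1000, 1000, None),                  # "tests passed"
    LlmEvent(2000, 1000, None), LlmEvent(2300, 1000, None),
    LlmEvent(2600, 1000, None), LlmEvent(2900, 1000, None),
    LlmEvent(4000, 1000, ("execve", "git")),     # "committing the change"
]
SYS_EVENTS = [
    SyscallEvent(5, 1000, 999, "connect", "api.example.com:443"),
    SyscallEvent(20, 1001, 1000, "openat", "/repo/tests/test_x.py"),
    SyscallEvent(30, 2000, 1, "execve", "/usr/bin/pytest"),   # unrelated process
    SyscallEvent(3100, 1001, 1000, "connect", "203.0.113.7:443"),
    SyscallEvent(3500, 1000, 999, "openat", "/repo/notes.md"),
    SyscallEvent(4050, 1002, 1000, "execve", "/usr/bin/git"),
]


def agent_process_tree(sys_events: List[SyscallEvent], root_pid: int) -> set:
    """Root pid plus every descendant, derived from the ppid field of observed events."""
    children = defaultdict(set)
    for ev in sys_events:
        children[ev.ppid].add(ev.pid)
    tree, frontier = {root_pid}, [root_pid]
    while frontier:
        for child in children[frontier.pop()]:
            if child not in tree:
                tree.add(child)
                frontier.append(child)
    return tree


def _matches(claim: Claim, ev: SyscallEvent) -> bool:
    return ev.name == claim[0] and claim[1] in ev.arg


def intent_without_effect(llm_events, sys_events, root_pid=AGENT_ROOT_PID, window_ms=WINDOW_MS):
    """Claims for which no matching syscall from the agent's tree followed in time."""
    tree = agent_process_tree(sys_events, root_pid)
    return [(le.ts_ms, le.claim) for le in llm_events if le.claim and not any(
        ev.pid in tree and le.ts_ms <= ev.ts_ms <= le.ts_ms + window_ms and _matches(le.claim, ev)
        for ev in sys_events)]


def effect_without_intent(llm_events, sys_events, root_pid=AGENT_ROOT_PID, window_ms=WINDOW_MS):
    """Process spawns and connections by the agent's tree that no recent claim explains."""
    tree = agent_process_tree(sys_events, root_pid)
    out = []
    for ev in sys_events:
        if ev.pid not in tree or ev.name not in {"execve", "connect"}:
            continue
        if ev.name == "connect" and ev.arg in LLM_API_ENDPOINTS:
            continue  # the model call itself is expected traffic
        if not any(le.claim and _matches(le.claim, ev) and le.ts_ms <= ev.ts_ms <= le.ts_ms + window_ms
                   for le in llm_events):
            out.append((ev.ts_ms, ev.name, ev.arg))
    return out


def reasoning_loops(llm_events, sys_events, root_pid=AGENT_ROOT_PID, min_calls=3):
    """Runs of >= min_calls consecutive LLM calls with no work syscall between them."""
    tree = agent_process_tree(sys_events, root_pid)
    work_ts = sorted(ev.ts_ms for ev in sys_events if ev.pid in tree and ev.name in WORK_SYSCALLS)
    loops, run = [], []
    for le in sorted(llm_events, key=lambda e: e.ts_ms):
        if run and any(run[-1] < t < le.ts_ms for t in work_ts):
            if len(run) >= min_calls:
                loops.append((run[0], run[-1], len(run)))
            run = []
        run.append(le.ts_ms)
    if len(run) >= min_calls:
        loops.append((run[0], run[-1], len(run)))
    return loops


if __name__ == "__main__":
    print("intent without effect:", intent_without_effect(LLM_EVENTS, SYS_EVENTS))
    print("effect without intent:", effect_without_intent(LLM_EVENTS, SYS_EVENTS))
    print("reasoning loops:", reasoning_loops(LLM_EVENTS, SYS_EVENTS))
```

On the sample data the "running the tests" claim is flagged because the only `execve` of pytest came from a process outside the agent's tree, the `connect` to `203.0.113.7:443` is flagged because nothing in the intent stream accounts for it, and the five model calls between 1000 ms and 2900 ms are reported as a loop because no work syscall separated them. Tune `WINDOW_MS` and `WORK_SYSCALLS` to the agent's real cadence before trusting the output.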

Less than 3% performance overhead. Framework-agnostic -- works on LangChain, AutoGen, Claude Code, Gemini-CLI, any framework that makes syscalls (which is all of them). Open-source.


BpfJailer: from observe to enforce.

AgentSight observes. BpfJailer enforces.

Meta presented BpfJailer at Linux Plumbers Conference 2025 and open-sourced it in 2026. The premise: untrusted AI training and inference workloads running in a data center should have their system call access restricted to exactly what they legitimately need. If the workload tries to do something outside that set, the kernel blocks it.

This is eBPF-LSM (Linux Security Module) used as mandatory access control for AI workloads. The technical mechanism: write a BPF program that hooks into the LSM framework at security-critical operations (file opens, network connections, process spawns, memory maps). The program receives the proposed operation, checks it against a policy that defines what this workload is allowed to do, and returns allow or deny. The kernel enforces the decision before the operation completes.

The practical policy for a training workload: this process is allowed to read from these dataset paths, write to this checkpoint path, make network connections to these endpoints (the model repository, the checkpoint storage), and spawn subprocesses of these specific binaries. Anything else is denied.

What this prevents: a training workload that has been backdoored (through a malicious dataset or a dependency compromise) cannot exfiltrate data over the network because the BpfJailer policy doesn't permit network connections to external endpoints. A malicious ML package that tries to read SSH keys or cloud credentials cannot access /home/user/.ssh because the policy only permits reads from the dataset path.

The agent-specific application: AI coding agents (Claude Code, Gemini-CLI, Devin) have legitimate needs -- read the codebase, write files in the repo, run builds, make git calls. They don't have legitimate needs to read /etc/passwd, to make network connections to arbitrary external hosts, or to spawn processes outside the build toolchain. BpfJailer lets you express exactly this policy and have the kernel enforce it.

"But the agent needs to make API calls to the LLM--" Yes. Allowlist the LLM API endpoints. The policy is expressive enough to permit HTTPS connections to api.anthropic.com while denying everything else. The point is not to prevent all external access -- it's to enforce that external access matches the agent's stated purpose.
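The deny-by-default policy shape described in this section (read roots, write roots, allowed endpoints, allowed binaries, checked at the file-open, socket-connect and exec hooks), as an added model of the decision logic. This is a Python sketch written for this page, not BpfJailer's BPF program: the real LSM hooks see resolved inodes and socket addresses rather than the strings used here, and `/repo`, `/usr/bin/git` and the `203.0.113.7` host are constructed sample values. It also shows why an allowlist on paths must normalise and match on whole path components, so that `/repo/..` and `/repository-secrets` do not slip past a naive prefix check.

```python
"""Deny-by-default policy evaluation modelled on the BpfJailer LSM hook points.

Hypothetical Python model written for illustration, not the project's own code.
"""
import posixpath
from dataclasses import dataclass
from typing import Set, Tuple


@dataclass(frozen=True)
class Policy:
    read_roots: Set[str]                  # directories the workload may read under
    write_roots: Set[str]                 # directories it may write under (and read)
    endpoints: Set[Tuple[str, int]]       # (host, port) pairs it may connect to
    exec_binaries: Set[str]               # absolute binaries it may execve


def _under(path: str, root: str) -> bool:
    """True if path is root or inside root after lexical normalisation.

    normpath collapses '..' so '/repo/../home/u/.ssh/id_rsa' is judged as
    '/home/u/.ssh/id_rsa'; the trailing '/' keeps '/repository-secrets' from
    matching root '/repo'. The kernel hook works on the resolved dentry, so
    this stands in for that resolution rather than replacing it.
    """
    norm = posixpath.normpath(path)
    root = posixpath.normpath(root)
    return norm == root or norm.startswith(root.rstrip("/") + "/")


# One function per hook point; each returns True (allow) or False (deny).
def file_open(policy: Policy, path: str, write: bool) -> bool:
    roots = policy.write_roots if write else policy.read_roots | policy.write_roots
    return any(_under(path, r) for r in roots)


def socket_connect(policy: Policy, host: str, port: int) -> bool:
    return (host, port) in policy.endpoints


def bprm_check(policy: Policy, binary: str) -> bool:
    return posixpath.normpath(binary) in policy.exec_binaries


def evaluate(policy: Policy, ops):
    """ops: list of ('file_open', path, write) / ('socket_connect', host, port) /
    ('bprm_check', binary). Returns [(op, 'allow' | 'deny'), ...]."""
    hooks = {"file_open": file_open, "socket_connect": socket_connect, "bprm_check": bprm_check}
    return [(op, "allow" if hooks[op[0]](policy, *op[1:]) else "deny") for op in ops]


# Constructed policy for a coding agent working in /repo (sample values).
CODING_AGENT = Policy(
    read_roots={"/repo", "/usr/lib/python3"},
    write_roots={"/repo"},
    endpoints={("api.anthropic.com", 443)},
    exec_binaries={"/usr/bin/git", "/usr/bin/python3"},
)

# Constructed attempted operations, including the two kinds the post names
# (credential reads and connections to arbitrary hosts) and two path tricks.
ATTEMPTS = [
    ("file_open", "/repo/src/main.py", False),
    ("file_open", "/repo/build/out.o", True),
    ("file_open", "/etc/passwd", False),
    ("file_open", "/home/user/.ssh/id_rsa", False),
    ("file_open", "/repo/../home/user/.ssh/id_rsa", False),
    ("file_open", "/repository-secrets/key", False),
    ("socket_connect", "api.anthropic.com", 443),
    ("socket_connect", "203.0.113.7", 443),
    ("bprm_check", "/usr/bin/git"),
    ("bprm_check", "/usr/bin/curl"),
]


def decisions(policy: Policy = CODING_AGENT, ops=ATTEMPTS):
    return [d for _, d in evaluate(policy, ops)]


if __name__ == "__main__":
    for op, verdict in evaluate(CODING_AGENT, ATTEMPTS):
        print(f"{verdict:5s} {op}")
```

Everything not explicitly listed is denied, which is the property that matters: the policy does not enumerate bad behaviour, it enumerates the workload's stated purpose and lets the kernel reject the rest.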

The enforcement operates at a layer below the agent framework, below the container runtime, at the kernel. You don't need to trust the agent's application code to be correctly implemented. You don't need to trust the framework's security boundaries. The kernel enforces the policy regardless.


eGPU: extend the observability into the silicon.

The gap in the current eBPF + AI picture: eBPF can trace everything on the CPU side -- syscalls, network, file I/O, inter-process communication. What it couldn't trace until recently: GPU-side computation. CUDA kernel launches, GPU memory allocations, NVLink collective operations, tensor operations -- all invisible to eBPF.

eGPU (arXiv, April 2025, extended in the Ingero open-source project) extends eBPF into GPU drivers using uprobes on the CUDA runtime and ROCm libraries. When a process calls cudaLaunchKernel(), an eBPF uprobe intercepts it, records the kernel name, the grid dimensions, the block dimensions, the stream ID, and the timestamp. The GPU becomes observable at the same abstraction level as the CPU.

Ingero wraps this in an MCP server: an AI agent can query the GPU trace database directly, asking questions like "which CUDA kernels launched in the last 10 seconds?" or "how many bytes were allocated in GPU memory by this training run?" or "what's the timeline of collective operations in this distributed training step?" The agent gets GPU-level observability as a tool, not as a log file to grep.

Alibaba's SysOM-AI deployed this at scale -- 80,000+ GPUs in production AI training clusters. eBPF traces from the host side (CPU events, network packets, filesystem access) correlated with GPU-side events (CUDA kernel launches, NVLink traffic) in a unified causal trace. Diagnosis time for production AI training failures: from days (before eBPF) to ~10 minutes (with unified traces). The cross-layer correlation -- "the allreduce NCCL kernel was launched at T+0ms, the InfiniBand completion event arrived at T+18ms, the gradient update CUDA kernel launched at T+22ms" -- is only possible when you can trace both sides of the CPU-GPU boundary.

The implication for agentic workloads: an AI agent debugging a GPU training run now has the same observability primitives that a human engineer using eBPF would have, via MCP tool calls. The agent can ask "show me the last 100 CUDA kernel launches" and get back a structured trace. It can correlate that trace with the process-level events it knows about from the application layer. The gap between "agent sees training is slow" and "agent identifies that allreduce is the bottleneck due to a specific network event" closes.
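The cross-layer correlation this section describes (CUDA launch events from the uprobe side merged with host-side events from the kernel side, then read per training step to find where the time went), as an added example that is not eGPU's, Ingero's or SysOM-AI's code. The events are constructed: step 0 reuses the T+0 / T+18 / T+22 ms figures quoted above, step 2 is given a deliberately slow network completion, and step 3 is left incomplete to show that a step missing an event is skipped rather than mis-scored. Both streams are assumed to share one monotonic clock, which the real tooling has to arrange.

```python
"""Merge GPU-side and host-side trace events into one per-step timeline.

Hypothetical illustration written for this page; event data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

REQUIRED = ("allreduce_launch", "ib_completion", "grad_launch")


@dataclass(frozen=True)
class TraceEvent:
    ts_ms: float
    layer: str     # "gpu" (CUDA runtime uprobe) or "host" (kernel-side eBPF)
    step: int      # training step the event belongs to
    kind: str      # one of REQUIRED


# Constructed sample streams. Step 2 has a slow InfiniBand completion;
# step 3 never reports its gradient kernel launch.
GPU_EVENTS = [
    TraceEvent(0.0, "gpu", 0, "allreduce_launch"),   TraceEvent(22.0, "gpu", 0, "grad_launch"),
    TraceEvent(100.0, "gpu", 1, "allreduce_launch"), TraceEvent(121.0, "gpu", 1, "grad_launch"),
    TraceEvent(200.0, "gpu", 2, "allreduce_launch"), TraceEvent(294.0, "gpu", 2, "grad_launch"),
    TraceEvent(400.0, "gpu", 3, "allreduce_launch"),
]
HOST_EVENTS = [
    TraceEvent(18.0, "host", 0, "ib_completion"),
    TraceEvent(117.0, "host", 1, "ib_completion"),
    TraceEvent(290.0, "host", 2, "ib_completion"),
    TraceEvent(418.0, "host", 3, "ib_completion"),
]


def unified_timeline(gpu_events: List[TraceEvent], host_events: List[TraceEvent]) -> List[TraceEvent]:
    """Single time-ordered stream across the CPU-GPU boundary."""
    return sorted(gpu_events + host_events, key=lambda e: (e.ts_ms, e.step, e.kind))


def step_phases(timeline: List[TraceEvent]) -> Dict[int, Dict[str, float]]:
    """Per step: time spent waiting on the network and time from completion to
    the next kernel launch. Steps missing any required event are skipped."""
    per_step: Dict[int, Dict[str, float]] = {}
    for ev in timeline:
        per_step.setdefault(ev.step, {})[ev.kind] = ev.ts_ms
    phases = {}
    for step, ts in sorted(per_step.items()):
        if any(k not in ts for k in REQUIRED):
            continue
        phases[step] = {
            "network_wait_ms": ts["ib_completion"] - ts["allreduce_launch"],
            "launch_gap_ms": ts["grad_launch"] - ts["ib_completion"],
        }
    return phases


def bottleneck(phases: Dict[int, Dict[str, float]]) -> Tuple[int, str]:
    """The slowest step and the phase that dominates it."""
    step = max(phases, key=lambda s: sum(phases[s].values()))
    phase = max(phases[step], key=phases[step].get)
    return step, phase


if __name__ == "__main__":
    phases = step_phases(unified_timeline(GPU_EVENTS, HOST_EVENTS))
    for step, p in phases.items():
        print(step, p)
    print("bottleneck:", bottleneck(phases))
```

Exposed as a tool, `step_phases` and `bottleneck` are the kind of structured answer an agent would want back from "why is training slow": not a log to grep but a step number and a phase name it can act on.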


The original insight I want to name.

The agent can lie. The kernel cannot.

Application-layer observability -- LLM traces, tool call logs, agent framework telemetry -- depends on the agent accurately reporting what it did. A prompt-injected agent will report accurate-sounding results while doing something else. A hallucinating agent will report test results for tests that never ran. A reasoning loop will report progress while burning GPU cycles. The application layer trusts the agent's report.

The kernel doesn't have a report. The kernel has facts. execve() either happened or it didn't. The file was either opened or it wasn't. The CUDA kernel either launched or it didn't. eBPF captures these facts at the source, before any agent code can influence them.

Corroborating application-layer claims with kernel-layer evidence is the missing piece of agentic observability that nobody has shipped as a production default. AgentSight built the research prototype. Ingero built the MCP server interface. BpfJailer built the enforcement layer. The production integration -- where your agentic framework automatically routes anomalies (intent-effect mismatches) to a secondary verification pass, and enforces kernel-level policy on what agents can actually do -- doesn't exist yet as a commercial product.

It will. The attack surface for agentic AI is large and growing. The defense layer that operates below the agent framework is eBPF. The research is done. The tooling exists. The integration is what's left.


the agent said it ran the tests.

ebpf said no test binary was executed.

one of them is right.

the kernel doesn't have a report. it has facts. intent vs effect is the most important signal in agentic observability and it's currently invisible in every production system i know of.

agentsight makes it visible. bpfjailer makes it enforceable. egpu extends both into the gpu. the stack exists. the default deployment doesn't.


P.S. The TLS interception mechanism in AgentSight is the most legally interesting detail and worth checking against your deployment context before using it. Intercepting TLS traffic at the kernel level -- even your own process's TLS traffic -- may require specific configuration under certain compliance frameworks (SOC2, HIPAA, PCI-DSS). The mechanism is technically identical to what enterprise DLP (data loss prevention) tools use, which are routinely deployed in regulated industries, but the implementation via eBPF is newer and the compliance category may not yet be established in your auditor's framework. Check before deploying. The technique is sound. The compliance paperwork may need to catch up.
