|
1 | 1 | # Audit Logs & Standardization |
2 | 2 |
|
3 | | -Defining standards for audit logging to capture critical data points such as intent, tasks, delegation chains, and related metadata. This would improve transparency, accountability, and support compliance or forensic analysis. |
4 | | -Include privacy implications on what can be captured and should not be captured. (Potential alignment with MELT-style observability and telemetry frameworks. |
| 3 | +This is the charter for the AGNTCY Identity Working Group Audit Logs & Standardization track. |
| 4 | + |
| 5 | +Our goal is to define and propose enhancements for standards for audit logging to capture valuable data points in agentic workflows such as intent, tasks, delegation chains, and related metadata. This would improve transparency, accountability, and support compliance or forensic analysis. |
| 6 | + |
| 7 | +## Personas |
| 8 | + |
| 9 | +Our primary persona is the **security professional**. In the context of agentic workflows, they care about: |
| 10 | +* where did credentials come from, |
| 11 | +* what type of credentials are they (service account, impersonation, on behalf of), |
| 12 | +* which agent used it, |
| 13 | +* what access does it represent (resource, internal vs external), |
| 14 | +* what policies were enforced, and what was the verdict (both approved and rejected access) |
| 15 | +* who is responsible for the system(s) in question (agent, resource, credential, etc.) |
| 16 | +* and that audit logs are machine-readable, and can be fed into agentic support systems |
| 17 | + |
| 18 | +A secondary persona is the **compliance professional**. In the context of agentic workflows, they care about: |
| 19 | +* are the systems involved compliant with various frameworks |
| 20 | +* what are the boundaries between internal and external systems |
| 21 | +* how is data transferred and across what geographies / jurisdictions |
| 22 | +* how are privacy and security handled in the involved systems |
| 23 | +* data retention and destruction (log storage) |
| 24 | + |
| 25 | +For the scope of this working group, we are not focused on agentic workflow developers as a persona. |
| 26 | + |
| 27 | +## Requirements |
| 28 | + |
| 29 | +In order to best serve these target personas, standards which capture audit logs for agentic interactions should be capable of the following: |
| 30 | + |
| 31 | +* Capture core attributes for agentic interactions |
| 32 | + * Capture agentic context |
| 33 | + * Agent classification (instance of agent -> type of agent) |
| 34 | + * Agentic frameworks and technologies used (LLMs, connective frameworks, etc.) |
| 35 | + * Agentic user input (prompts, documents, files) |
| 36 | + * Agentic application context (version, host, device, etc.) |
| 37 | + * Capture resource context |
| 38 | + * MCP servers and tools used |
| 39 | + * A2A agent/skills used |
| 40 | + * Shell commands used |
| 41 | + * Computer use commands |
| 42 | + * Etc. |
| 43 | + * Capture identity & authorization context |
| 44 | + * Credentials used to access resources (and type: SAML, * OAuth, API keys) |
| 45 | + * Mechanism: |
| 46 | + * Identities acting on behalf of |
| 47 | + * Delegation chains |
| 48 | + * "token exchange" of various forms |
| 49 | + * Impersonation |
| 50 | + * Policy decisions |
| 51 | + * Agentic identifiers (verifiable credentials, e.g.) |
| 52 | + * Capture non-functional characteristics of interactions |
| 53 | + * Duration |
| 54 | + * Errors |
| 55 | + * Flexibility to capture additional key/value attributes |
| 56 | +* Traceability ... can connect multiple events within: |
| 57 | + * a user session using an agent |
| 58 | + * the lifecycle of an agent |
| 59 | + * the same authorization session to one or more resources |
| 60 | + * a single request transversing a web of interconnected systems (e.g. distributed tracing) |
| 61 | +* Privacy & Security |
| 62 | + * Privacy preserving (when needed) |
| 63 | + * Does not log sensitive information (no credential leakage, e.g.) |
| 64 | + * Compliance status (e.g. list the compliance status of X system in a multi-agent system) |
0 commit comments