Local-agent observability gap

AI teams can now trace cloud model calls in detail, but the software layer running on laptops and local connectors still often sits outside those logs. (technadu.com) That gap sits in the “local agent” layer: desktop agents, device-side preprocessors, and Model Context Protocol connectors that read files, reshape prompts, and pass data to remote models before most security tools ever see the request. (technadu.com) Observability is the practice of reconstructing what a system did after the fact, using traces, logs, and metrics. In an agent workflow, that means following one task from local input handling to tool calls, model responses, retries, and the final action. (f5.com; docs.datadoghq.com) Security teams have pushed for that visibility because agent systems do not behave like fixed software. F5 wrote in February 2026 that investigators increasingly need “clear, defensible evidence” of how artificial intelligence decisions were made and controlled. (f5.com) The problem is sharper for collaboration agents that touch email, documents, chat, and software-as-a-service tools in one run. TechNadu reported on April 24, 2026, that defenders may see the cloud model call but miss the local preprocessing and connector activity that shaped it. (technadu.com) Dottle, a startup selling monitoring for production agents, is pitching one answer: trace every session, tool call, and large language model interaction, then flag silent failures, loops, drift, and complaint spikes. Its site says teams can instrument the product with “2 lines” and start from a free tier while the company remains in open beta. (dottle.dev) The company’s product pitch goes beyond uptime. Dottle says it correlates user complaints with agent-run failures in real time and shows root causes instead of raw logs, while also surfacing token and cost data that standard app monitoring can miss. (dottle.dev; docs.datadoghq.com) That cost angle has become part of observability because agent failures are not always crashes. Datadog’s documentation and other 2026 observability guides now treat token usage, latency, and spend as first-class signals alongside errors and traces. (docs.datadoghq.com; openlayer.com) The same trace data also helps answer security questions after an incident: what data entered the run, which tool touched it, which model saw it, and what action the agent took next. That is the audit trail defenders have been asking for as agents move from chatbots to software that can act without a person clicking every step. (technadu.com; f5.com) For teams shipping agents today, the practical change is simple to describe and harder to implement: instrument the whole path, not just the model endpoint. If the local layer stays dark, the cleanest cloud trace can still leave out the step that actually broke the run. (technadu.com; dottle.dev)