Home

Donate
Perspective

We Can’t Monitor AI Agents at Scale. Here’s What It Will Take.

Madhulika Srikumar, Vinh X. Nguyen / Jul 16, 2026
Republish

Major regulators and AI developers now agree that to safely roll out AI agents we need to be able to monitor these systems real-time. Once agents are deployed, we should be able to observe them, detect failures, and intervene before things go wrong. But the infrastructure to actually monitor agents at scale isn't being built fast enough. It doesn't exist yet in any mature form for the volume and complexity at which agents are being deployed.

As more enterprises, from banking to healthcare, deploy agents in critical functions, they don’t have the monitoring infrastructure that regulators and safety experts are assuming exists. Take the EU AI Act, which requires that high-risk AI systems be “effectively overseen” by humans. Or the 2026 edition of International AI Safety Report, which calls for monitoring not just the inputs and outputs of agents but also its “chain-of-thought” for signs of unsafe plans well before any actions are undertaken. Google DeepMind published a roadmap last month to monitor its own internal agents that write code and act on internal systems. Even with vast resources, Google noted that “it will take increasingly costly measures to contain and oversee them.” The risks are real—in March, an internal Meta agent exposed sensitive user and company data for two hours before it was caught.

We have seen a version of this problem before. In cybersecurity, as enterprises moved more of their operations online, they had to monitor a growing volume of activity and detect intrusions in real time. Only they had decades to build shared tools, standards and expertise around what to log and threats to monitor for. With agents, we don’t have that long to get it right.

We’re working on a short timeline. The share of “action” tools that agents use to directly edit files, run code, or execute financial transactions rose from 27% to 65% between November 2024 to February 2026. And agents are already failing in ways both predictable and unpredictable. Last year, a “prompt injection” hidden in a webpage directed Perplexity's Comet agent to navigate to a user's banking site to extract their credentials. Less predictably, a zero-click vulnerability in Microsoft 365 Copilot allowed an attacker to instruct the AI agent via email to exfiltrate a user’s sensitive files. Even at major companies shipping these systems that went through safety testing, the failures slipped past.

The monitoring that could catch these failures isn't there. Building it at scale comes with real challenges.

There is the cost of “logging” what the agents are doing. Consider a bank deploying agents to handle client onboarding—verifying identities, pulling credit histories, flagging compliance risks. Log every LLM call, every reasoning step, every tool invocation, every interaction with other agents, and the costs of retaining and processing what’s happening becomes impractical. Even if the bank is willing to pay, all of this data doesn't currently reside in one server and it is distributed across actors who don’t share it.

Once you have captured what the agents are doing, companies will still need to detect failures in real time. Using AI itself to flag problems and intervene in real time will be more effective at scale, but it adds significant compute and engineering overhead. For instance, Anthropic found that real-time “constitutional classifiers” used to detect policy violations in model outputs, can increase inference costs by over 20%. For the bank using agents to handle thousands of clients onboarding each day, that overhead quickly compounds.

When automated systems flag potential failures, someone still has to review them. In cybersecurity, analysts are overwhelmed by thousands of alerts each day, with 71% of Security Operations Center (SOC) professionals experiencing burnout. Many of the alerts are false positives, and critical signals are routinely missed. When the system flags a potential compliance violation during client onboarding, a human reviewer still has to determine whether the agent made a defensible judgment call or a discriminatory one. Making that call requires domain expertise, not just the ability to triage alerts.

These problems won't get solved at once. But there's a near-term move enterprises can make on their own. They can start by tiering monitoring based on the risk each agent deployment carries.

Right now, decisions on what to monitor are driven by engineering budgets rather than risk profile. That's the equivalent of a hospital deciding which patients to monitor based on the price of sensors rather than the severity of their condition. Enterprises deploying agents in critical functions need to make two choices. The first is to capture meaningful logs at the right level of detail, not every reasoning step and tool call. The second is where to monitor heavily, applying more monitoring to high-stakes deployments and not the same level everywhere. An agent summarizing meeting notes is not the same as one running compliance checks on a loan application.

Cybersecurity learned both these moves. The industry had to pivot to sampling (e.g., log every 1 in 1000 packets) through protocols like NetFlow and tiering monitoring by where the risk lives. Anthropic recently brought the compute overhead of its constitutional classifiers down from 23% to about 1%. It did this by running a lightweight check on all traffic and reserving the expensive analysis for the small share that gets flagged as risky. Building this kind of infrastructure requires engineering investment that most enterprises haven't made yet.

But tiering at the enterprise level isn't the whole answer. A shared format for what agent traces should contain, including what model was called, what tools were invoked, and what data was accessed, would let monitoring work consistently across the industry. Privacy protections must be designed into the schema from the start, not added later. That includes what gets logged, who can access it, and how long it's retained. Still, industry-wide coordination takes time, and companies don't have to wait for it to start tiering on their own.

A reasonable objection is that monitoring is the wrong frame entirely. The argument goes that we should constrain agents architecturally, through approaches like "sandboxing" and capability limits, rather than monitor them while they act. Those approaches matter. But constraints alone assume you can predict failures. Monitoring exists for the ones you can't.

The cybersecurity industry learned that monitoring built after the breach is always more expensive than monitoring built in advance. AI agents are compressing that timeline. They're already executing transactions, accessing sensitive data, and making decisions that affect real people. The infrastructure to monitor them will get built. The only question is whether enterprises start now or wait for the high-profile public failure that forces them to.

Support Tech Policy Press
If you've found our work helpful, consider supporting us.

Authors

Madhulika Srikumar
Madhulika Srikumar leads the AI Safety Program at the Partnership on AI and serves on the Advisory Board of the Centre for the Study of Existential Risk at the University of Cambridge. Her work focuses on the governance of emerging AI systems, combining policy research, strategic foresight, and cros...
Vinh X. Nguyen
Vinh X. Nguyen is senior fellow for artificial intelligence (AI) at the Council on Foreign Relations. His mission is to partner with leaders to develop trustworthy, scalable AI infrastructure that strengthens US security and prosperity. He brings decades of experience from the highest levels of US i...

Topics

Related

Analysis
Senator Warner Makes a First Foray into Agentic AI RegulationJuly 13, 2026
Perspective
With AI Agents, 'Memory' Raises Policy and Privacy QuestionsSeptember 29, 2025