From Black Box to Glass Box
Your agent spent $4,200 at 3am. The CISO has five questions. You have until the morning standup to answer them.
- Was the agent authorized to make this purchase?
- Was the authorization still valid at execution time?
- Did the agent stay within its approved scope?
- Is there cryptographic proof of the decision chain?
- Does anything look anomalous compared to baseline behavior?
In most organizations today, answering these questions takes four hours and three teams, and produces an incomplete picture held together by developer confidence. “I’m pretty sure the agent was authorized. Let me check the logs.”
That is a black box.
The Four-Hour Investigation
Here is what the investigation looks like without a forensic framework:
Hour 1 — Find the right logs. The agent runs on Cloud Run, logs go to Cloud Logging, but the purchasing events are in a different project. You find the service logs but they show HTTP requests, not business decisions. Where is the mandate? Where is the authorization chain?
Hour 2 — Correlate manually. You have a session ID from the logs. You search Firestore for the session document. You find events, but they are raw — no correlation between the trigger, the mandate check, the compliance verification, and the execution. You reconstruct the sequence by timestamp, hoping nothing is out of order.
Hour 3 — Check authorization. You find a mandate document in Firestore. It looks valid. But was it valid at execution time? The mandate has an expiry. The execution was at 3:14am. The mandate expires at… you need to do timezone math. And was the rate limit respected? You need to count previous executions.
Hour 4 — Write the report. “Based on our investigation, we believe the agent was authorized. The logs are consistent with a valid mandate. We did not find evidence of anomalous behavior.” The CISO reads it. “Believe? Consistent? Didn’t find evidence?” None of those are proof. The answer is still “trust us.”
The 12-Minute Investigation
Here is the same investigation with a forensic observatory — a structured query surface over the agent’s decision history.
Step 1 — Session Inventory (2 minutes). One query returns every session in the time window with metadata: user, agent, start time, event count, status. You find the session. It ran 47 events over 12 minutes.
Step 2 — Event Timeline (2 minutes). One query returns the full event sequence for that session: trigger evaluation, mandate validation, stock analysis, compliance verification, execution, attestation. Every event typed, timestamped, and correlated. The delegation chain is visible — which agent invoked which sub-agent, which tool was called, what the response was.
Step 3 — Mandate Verification (2 minutes). One query cross-correlates the execution with the mandate ledger. The mandate was issued 3 days ago, expires in 4 days. The spending ceiling is $5,000. This execution spent $4,200 — within scope. The rate limit allows one execution per 24 hours. The last execution was 36 hours ago — within cadence. All constraints verified against the signed mandate, not reconstructed from scattered state.
Step 4 — Attestation Integrity (3 minutes). One query checks the attestation chain. L1 cleartext claims present. L2 cryptographic signature verified — KMS key, ES256 algorithm, signature valid. Four dimension digests computed: identity (agent credential), supply chain (application provenance), behavioral (event fingerprint), association (tool binding). The attestation is tamper-evident — any modification would invalidate the signature.
Step 5 — Behavioral Baseline (2 minutes). One query compares this session against the behavioral baseline for this agent type. Execution time: typical (3am is within the configured autonomous window). Event count: 47 (baseline mean: 42, within 1 standard deviation). Spend amount: $4,200 (baseline mean: $3,800, within normal range). No anomalies detected.
Step 6 — Export Proof (1 minute). Export the attestation chain as a self-contained verification artifact. Anyone with the public key can verify independently — no platform access required, no shared state, no callbacks. The proof outlasts the investigation.
Twelve minutes. Six queries. Cryptographic certainty.
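The mandate check from Step 3, including the timezone math that consumed Hour 3, as an added example that is not code from the article or its implementation. The `Mandate` fields, function names, violation labels and all timestamps are assumptions constructed for illustration; the constraint values ($5,000 ceiling, 24-hour rate limit, 36-hour gap, $4,200 spend) are the ones quoted above.

```python
from datetime import datetime, timedelta
from decimal import Decimal
from typing import NamedTuple


class Mandate(NamedTuple):
    issued_at: datetime
    expires_at: datetime
    spend_ceiling: Decimal
    min_interval: timedelta  # rate limit: minimum gap between executions


def parse_ts(text):
    """Parse ISO 8601 and refuse naive timestamps, so offsets are never guessed."""
    ts = datetime.fromisoformat(text)
    if ts.tzinfo is None:
        raise ValueError(f"timestamp has no UTC offset: {text!r}")
    return ts


def verify_execution(mandate, executed_at, amount, previous_executions):
    """Return the violated constraints; an empty list means within mandate."""
    violations = []
    # Aware datetimes compare as instants, whatever offset each was logged in.
    if not (mandate.issued_at <= executed_at < mandate.expires_at):
        violations.append("outside_validity_window")
    if amount > mandate.spend_ceiling:
        violations.append("over_spend_ceiling")
    earlier = [t for t in previous_executions if t < executed_at]
    if earlier and executed_at - max(earlier) < mandate.min_interval:
        violations.append("rate_limit")
    return violations


# Constructed sample data mirroring Step 3: issued 3 days before the run,
# expires 4 days after it, $5,000 ceiling, one execution per 24 hours.
MANDATE = Mandate(
    issued_at=parse_ts("2025-03-07T08:14:00+00:00"),
    expires_at=parse_ts("2025-03-14T08:14:00+00:00"),
    spend_ceiling=Decimal("5000.00"),
    min_interval=timedelta(hours=24),
)
EXECUTED_AT = parse_ts("2025-03-10T03:14:00-05:00")  # 3:14am local = 08:14 UTC
LAST_RUN = parse_ts("2025-03-08T20:14:00+00:00")     # 36 hours earlier

if __name__ == "__main__":
    print(verify_execution(MANDATE, EXECUTED_AT, Decimal("4200.00"), [LAST_RUN]))
    # Same local clock time on expiry day: 03:14-05:00 is the expiry instant.
    late = parse_ts("2025-03-14T03:14:00-05:00")
    print(verify_execution(MANDATE, late, Decimal("4200.00"), [LAST_RUN]))
```

The second call is the case that manual correlation tends to get wrong: 03:14 local reads as earlier than an 08:14 expiry, but at a -05:00 offset it is the same instant and the mandate is no longer valid.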
The Difference
The difference between the black box and the glass box is not the data — both investigations have access to the same underlying events. The difference is the query surface.
The black box scatters evidence across logging services, databases, and developer memory. Reconstruction requires manual correlation, timezone arithmetic, and institutional knowledge about which service stores which fact.
The glass box pre-correlates evidence into a forensic schema designed for investigation. Session inventory, event timeline, mandate ledger, attestation coverage, behavioral baseline — each table answers a specific forensic question. The queries are saved, tested, and repeatable.
| | Black Box | Glass Box |
|---|---|---|
| Time to answer | 4+ hours | 12 minutes |
| Evidence type | Logs (mutable, scattered) | Attestation (signed, correlated) |
| Confidence level | “We believe…” | “Here is the signed proof” |
| Reproducibility | Depends on who investigates | Same queries, same answers |
| Independent verification | Not possible | Self-contained artifact |
Observability Is Not Logging
Logging answers “what happened.” Observability answers “what happened, why, and can you prove it.”
The distinction matters because autonomous agents create decisions that outlive the session. A purchase has financial consequences. An infrastructure change has operational consequences. A data access has compliance consequences. Each of these decisions may need to be reconstructed weeks, months, or years later — for audit, for dispute resolution, for regulatory inquiry.
Logs decay. They rotate, they get deleted, they lack correlation. Attestations persist. They are signed at creation time, independently verifiable, and structurally correlated to the decision chain that produced them.
The glass box is not a better log viewer. It is a forensic reconstruction engine backed by cryptographic proof.
This is Part 7 of the “Zero Trust for Agentic AI” series — extending beyond the core framework. Previously: From Trust Us to Verify It Yourself.
The full model is grounded in a larger document corpus backed by a live implementation.