How you attach determines what you observe
Every agent does two separate things: what it says (its reasoning, its stated intent) and what it does (the actions with real effects). Kaizen only ever decides on the doing. It never trusts the model's narration, because generated text can be wrong or deliberately misleading.
The harder question is how much of the doing you can actually see, and how hard it is for an agent to do something you cannot see. That is set entirely by where you attach Kaizen.
Saying vs doing
- Saying is tokens: "I'll look up the order." It is not evidence.
- Doing is the side effect: the tool that actually ran, the connection that actually opened, the data that was actually touched.
The further down the stack you observe, the closer you get to the doing, and the less room an agent has to say one thing and do another.
The attach ladder
| How you attach | What it can observe | Can the agent act around it? | Effort |
|---|---|---|---|
| SDK inspect() in-process | only what you route through it | yes, it is cooperative | trivial |
| Framework adapter (OpenAI Agents, LangChain, CrewAI, Semantic Kernel, LlamaIndex, Pydantic AI, Vercel) | every tool call and its real arguments | partly, non-tool paths are invisible | one line |
| MCP shim (proxy in front of the server) | every MCP call on the wire, language-agnostic | hard, if MCP is the only tool path | a proxy in front |
| Egress gateway (network proxy) | the real outbound connections and payloads | hard, all egress is routed through it | network config |
| In-tenant collector (eBPF / sandbox) | actual syscalls, connections, files | no, it sits below the agent, out of band | a collector in your runtime |
The top of the ladder watches what the agent reports through the path you handed it. The bottom watches what the machine actually did, and the agent cannot opt out, because the collector is underneath it.
Where your agent runs
Which rung you can actually reach depends on how much of the agent's environment you control. You cannot put a kernel probe inside a managed SaaS agent.
| Where the agent runs | What you can observe | How |
|---|---|---|
| You build and host it (your containers, VMs, Kubernetes) | real syscalls, files, connections | an in-tenant collector (eBPF / sandbox) |
| You control its network, not the host (a proxy in the path) | the real outbound connections and payloads | an egress proxy, no kernel access needed |
| Fully managed SaaS (Copilot, Agent 365, a third-party agent) | what the platform exposes | the platform's audit or event API |
For most teams the practical deep layer is the egress proxy: it captures the actual connections an agent makes and works anywhere you can route its traffic, without kernel privileges. The in-tenant eBPF collector is the strongest rung, reserved for runtimes you fully control. For a fully managed SaaS agent you observe the platform's own record of what it did, which is the ceiling there.
Kaizen observes at the deepest layer your agent's environment permits, and tells you which layer that is. To deploy the egress rung, see the Egress proxy.
Same Observer, any rung
The behavioral Observer and the verdict contract do not change between rungs. You only change how actions reach them. So you can start light, a framework adapter in minutes, and deepen to an in-tenant collector later without re-platforming. The on-ramp and the strong form are the same product.
Pick the rung for the stakes
Be honest about what each rung gives you:
- A cooperative attach (SDK, framework adapter) gives you visibility and behavioral baselines. It is excellent for understanding and alerting, but an agent that wants to evade can act outside the path you instrumented.
- A chokepoint attach (MCP shim, egress gateway) sees everything that flows through one funnel.
- A ground-truth attach (eBPF, sandbox) observes the real effects out of band and cannot be evaded.
Your assurance is exactly as strong as your attach depth. Match the rung to the consequence.
Detecting saying vs doing
The deepest signal comes from having both views at once. When Kaizen knows the agent's declared action and the actual effect, the gap between them is the alarm. The agent says it is querying the orders database; the collector observes a connection to an unfamiliar address. You do not need to infer intent, you measure the distance between what was claimed and what happened. A model can narrate anything; it cannot make a packet arrive somewhere other than where it actually goes.
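The declared-versus-observed comparison described above, as an added example (not Kaizen's code or API). It assumes each declared action can be mapped to the destinations it is expected to reach, and that declarations and egress records share an agent id and a clock; the record shapes, the 5-second window and all sample values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Declared:          # the "saying": what the agent reported it would do
    agent: str
    ts: float
    action: str
    hosts: frozenset     # assumed mapping: destinations this action may reach

@dataclass(frozen=True)
class Observed:          # the "doing": a connection seen at the egress layer
    agent: str
    ts: float
    host: str
    port: int

def find_gaps(declared, observed, window=5.0):
    """Return (connection, claimed_action) for every connection that no
    declaration explains; claimed_action is None if nothing was declared."""
    gaps = []
    for conn in observed:
        claimed, explained = None, False
        for d in declared:
            # A declaration covers connections by the same agent that start
            # within `window` seconds after it.
            if d.agent != conn.agent or not 0 <= conn.ts - d.ts <= window:
                continue
            claimed = d.action
            if conn.host in d.hosts:
                explained = True
                break
        if not explained:
            gaps.append((conn, claimed))
    return gaps

# Constructed sample records (not real telemetry).
DECLARED = [
    Declared("support-bot", 100.0, "query_orders_db", frozenset({"orders-db.internal"})),
]
OBSERVED = [
    Observed("support-bot", 100.4, "orders-db.internal", 5432),  # matches the claim
    Observed("support-bot", 101.2, "203.0.113.7", 443),          # claim says orders DB
    Observed("support-bot", 300.0, "203.0.113.7", 443),          # nothing declared
]

if __name__ == "__main__":
    for conn, claimed in find_gaps(DECLARED, OBSERVED):
        print(f"{conn.agent} -> {conn.host}:{conn.port} at {conn.ts}; declared: {claimed}")
```

A gap with a claimed action is a mismatch between narration and effect; a gap with `None` is an effect the agent never narrated at all, which a cooperative attach would not have seen.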