All posts
June 16, 20263 min read

Nested agents: what they mean for your audit trail

An orchestrator agent spawns a researcher sub-agent, which spawns a tool-running sub-agent, which queries your database. Three layers later, something touches production, and your audit trail records whatever the chain chose to tell you about itself. That is the new problem with nested agents. The familiar problem is just attribution. The genuinely new one is that the actor writing the story is the actor you are trying to audit. It is worth separating the two, because the familiar risk has fami

Free White Paper

Audit Trail Requirements + Mean Time to Detect (MTTD): The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

An orchestrator agent spawns a researcher sub-agent, which spawns a tool-running sub-agent, which queries your database. Three layers later, something touches production, and your audit trail records whatever the chain chose to tell you about itself. That is the new problem with nested agents. The familiar problem is just attribution. The genuinely new one is that the actor writing the story is the actor you are trying to audit.

It is worth separating the two, because the familiar risk has familiar answers and the new risk does not.

The familiar risk versus the new one

The familiar risk: a non-human identity acts and you struggle to tie the action to a responsible principal. You already know to attribute and record per identity. Nested agents make this harder, but it is the same kind of problem.

The new risk is structural. When agents spawn agents, the call chain cannot be trusted to report on itself. A sub-agent's log of what it did is only as honest as the sub-agent. If a layer is buggy, manipulated, or simply summarizes loosely, your audit trail inherits that distortion. You are trusting the suspect to write the police report.

Why in-chain logging cannot fix it

You might try to make each agent log its own actions and its children's actions. It does not hold:

  • A compromised or confused layer can omit or rewrite what it reports.
  • Each layer sees only its own view, so the trail is stitched from inconsistent fragments.
  • Depth is dynamic. New sub-agents appear at runtime, and your logging assumptions do not.

An audit trail assembled by the chain is a self-report, and self-reports are not evidence.

Continue reading? Get the full guide.

Audit Trail Requirements + Mean Time to Detect (MTTD): Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

Record outside the agent chain, on the connection

The architectural requirement falls out directly: the audit trail has to be captured outside the agent chain, at the point where the chain touches real infrastructure. No matter how deep the nesting, every layer eventually has to make an actual connection to a database, cluster, or service to do anything that matters. That connection is where you record.

hoop.dev is an open-source access gateway between identities and infrastructure. Every connection a nested agent makes, at any depth, passes through it and is recorded at the command level against a named principal. The record does not depend on what the orchestrator or any sub-agent reports, because the gateway sees the actual command on the wire. The audit trail becomes independent of the chain's self-narration. See how identity attribution works in the getting-started guide.

What an independent audit trail looks like

For a three-layer chain that ends in a database write, the gateway record shows the connection, the exact statement, the principal it resolved to, any approval that gated it, and the result. You no longer ask the orchestrator what its grandchild did. You read what actually hit the database. That is an audit trail an incident responder can stand on. The identity-aware model is described on the hoop.dev site.

The difference shows up most during an incident. When something goes wrong in a nested system, the chain's own logs send you on a hunt: the orchestrator points at a sub-agent, which points at another, and each account is partial. A connection-level record skips that entirely. You filter to the connection and the time window and read the exact commands that ran, in order, with the principal attached. The investigation starts from facts instead of from each layer's account of itself.

FAQ

Can we just log at the orchestrator?

The orchestrator only knows what its children report up. If a deeper layer misbehaves, the orchestrator's log is wrong. Record at the connection, where the action is real.

Does this require changing the agents?

No. The record is captured on the access path the agents use, not by instrumenting each agent. Adding or removing sub-agents does not change where the trail comes from.

What about actions that never touch infrastructure?

Pure reasoning that touches nothing leaves no infrastructure footprint and changes nothing. The audit trail concerns actions against real systems, which is where harm happens.

To keep an audit trail that does not depend on nested agents narrating themselves, read the open-source gateway on GitHub.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot