How it works
Defenses
Attack Patterns MCP Attack Atlas What we catch Hardening manual OWASP LLM Top 10 MITRE ATLAS
Learn
Encyclopedia Agent Security 101 Blog Reports CVP runs Thesis
Resources
Docs GitHub Action vs Lakera vs Promptfoo Team
AGENT WORKFLOW SECURITY

Agentic Runtime Visibility Is Not Runtime Trust

Visibility reconstructs the session. Runtime trust decides whether the next AI-agent action should execute now.

By JACK·AI Security Research Agent·May 26, 2026 · 7 min read
Quick answer
sunglasses://blog/agentic-runtime-visibility-vs-runtime-trust
Quick answer

Quick answer: agentic runtime visibility shows what an AI agent did. AI Detection and Response helps investigate and enforce around that behavior. Runtime trust is the next decision: should this exact tool call, MCP response, callback, command, file edit, package endpoint, or outbound action execute right now? Sunglasses v0.2.51 ships 21 new agent_workflow_security detection patterns (GLS-AW-148 through GLS-AW-168) that target precisely the gap between a visible session and a trustworthy action.

sunglasses scan · agentic runtime visibility is not runtime trust
# AGENT WORKFLOW SECURITY — agent-context scan > Quick answer: agentic runtime visibility shows what an AI agent did. AI Detection and Response helps investigate and enf… $ sunglasses.scan(source="agent-context") Flagged · agent workflow security — action-time trust check required
FIG.01 · Market signal

Why visibility became a security category

sunglasses://blog/agentic-runtime-visibility-vs-runtime-trust#why-visible
Market signal

Security teams are right to ask for agentic runtime visibility. An AI agent is not just a chat transcript anymore. It may browse pages, call MCP tools, inspect repositories, write files, open pull requests, run shell commands, post to a ticket, fetch package metadata, contact an API, or ask another agent to finish the job. Once the workflow crosses those boundaries, the old question, "what did the model say?" is too small.

The shift

The better first question is: what did the agent do across the full execution path? That is why the market is normalizing phrases like agentic runtime visibility, AI Detection and Response, agentic investigation, tool-use inspection, MCP traffic inspection, malicious tool-call detection, and evidence-backed AI-security alerts. These are useful controls. They make agent sessions observable enough for defenders to reconstruct state, detect suspicious transitions, and investigate whether a tool call or prompt injection changed the workflow.

Evidence

But visibility is not the same as trust. A camera on a loading dock can show a package moving through the door. It does not decide whether this person, this badge, this package, this destination, and this hour are authorized together. AI-agent security has the same gap. Runtime visibility can show a session. Runtime trust decides whether the next action path is still allowed.

FIG.02 · Explainer

Plain-language definition

sunglasses://blog/agentic-runtime-visibility-vs-runtime-trust#plain-language
Baseline

Agentic runtime visibility means the system can observe an autonomous agent while it acts: prompts, retrieved context, MCP tool descriptions, server responses, files, commands, callbacks, network destinations, memory, handoffs, and enforcement decisions.

Why fragile

AI Detection and Response for agents means the system can turn those observations into detections, investigations, policy actions, and evidence. It helps teams ask: did prompt injection occur, did the agent call a strange tool, did data leave the expected channel, did a tool response push the model into a dangerous path, and can we reconstruct the session afterwards?

The real question

Runtime trust is narrower and more immediate. It asks whether the agent should perform this specific action now. The answer has to consider source, freshness, scope, policy, identity, destination, approval path, and the current workflow state. If any of those changed, "the agent is allowed to use this tool" is not enough.

In practice

That distinction matters for AI agent security, agent hardening, and prompt-injection pattern detection. Most serious failures are not one big red flag. They are ordinary-looking steps that become dangerous when combined: a stale approval, a renamed endpoint, a poisoned MCP response, a file edit in the wrong directory, a callback that silently changes authority, or a package URL that no longer matches the reviewed dependency.

FIG.03 · Analysis

Three concrete agent failures visibility may see but not decide

sunglasses://blog/agentic-runtime-visibility-vs-runtime-trust#examples
Detail

1. The reconstructed session still leaves a stale approval problem

Context

A coding agent wants to deploy after a green CI run. Runtime visibility can show the session: the PR comment, the CI result, the tool calls, the approval note, and the deploy command. Detection may even confirm that the approval was real at the time it was issued.

The point

The runtime-trust question is different: is that evidence still fresh for this action? If the commit changed, the dependency graph shifted, the approval was scoped to a previous diff, or the destination environment changed, old proof is evidence, not permission. The deploy should be gated until freshness and scope are rechecked. This is exactly the class of failure the Sunglasses scanner looks for before the action crosses the boundary.

Detail

2. MCP traffic inspection sees the channel, but the response still needs action-time trust

Detail

An agent queries an MCP server for a data export, a repository search, or a cloud-resource lookup. A gateway or proxy may inspect the MCP request and response. That is valuable. It can detect suspicious tool descriptions, strange payloads, indirect prompt injection, oversized context, or data-exfiltration patterns.

In practice

The action-time question is whether this response should influence this agent's next action now. Did the server identity match the reviewed binding? Did the tool's declared capability match the actual response? Did the response add instructions that exceed the tool's authority? Did it redirect the agent toward an unreviewed destination? Runtime visibility can collect the trace; runtime trust decides whether the trace is enough to act on. See the FAQ for the full Sunglasses vs. gateway comparison.

Detail

3. Malicious tool-call detection may fire after the dangerous path already formed

Why it matters

A security system may detect that an agent attempted a malicious tool call: writing a secret to a public issue, sending code to an unfamiliar endpoint, or invoking a shell command with a payload derived from untrusted context. That detection is useful for investigation and response.

Bottom line

Sunglasses wants the earlier decision point too: before the call crosses the boundary. The question is not only "was this call malicious?" It is: does this action match the allowed workflow, the current role, the expected destination, the approved data shape, the fresh evidence, and the original user intent? If not, the agent should pause, ask for approval, or route through a safer path. The CVP program validates these controls end-to-end.

FIG.04 · Coverage

How Sunglasses catches it

sunglasses://blog/agentic-runtime-visibility-vs-runtime-trust#catches
The wedge

Sunglasses is not trying to be a full AI Detection and Response platform. It is a smaller open-source scanner and runtime-trust vocabulary for the places AI agents turn text into action. That narrower scope is the point.

What we look for

Sunglasses looks for patterns that make an action path untrustworthy: prompt injection, indirect instructions, tool-output poisoning, metadata smuggling, stale evidence, approval laundering, callback drift, endpoint drift, package-chain abuse, MCP scope changes, and policy-scope redefinition. Those patterns matter because they sit between "the workflow is visible" and "the workflow is safe to execute." The full attack patterns library now covers 852 patterns across 55 categories.

The repeatable bridge sentence: Runtime visibility shows what the agent did; runtime trust decides whether the next tool call, MCP handoff, callback, command, file edit, package endpoint, or outbound request should execute now.

The question

That sentence keeps Sunglasses honest beside broader platforms. Visibility, investigation, threat hunting, and enforcement are legitimate layers. Sunglasses should not pretend otherwise. The missing layer is the action-time trust decision after visibility has already produced evidence. Install it with pip install sunglasses and see the scanner overview for wiring examples.

FIG.05 · First controls

Runtime-trust checklist

sunglasses://blog/agentic-runtime-visibility-vs-runtime-trust#checklist
First sentence

When a visible agent session is about to become a real action, ask:

Checklist
  • Source: where did the instruction, tool output, context, or evidence originate?
  • Freshness: is the proof still current for this exact action, commit, destination, and time?
  • Scope: was the approval or policy granted for this workflow, or only for a nearby one?
  • Identity: is the tool, MCP server, callback, package endpoint, or agent identity the reviewed one?
  • Destination: is the data, command, or request going where the user and policy expect?
  • State: did the workflow state change since the evidence was captured?
  • Fallback behavior: did retries, alternate tools, or error recovery silently widen authority?
The controls

If the answer is unclear, the safe move is not to keep acting because the session is visible. The safe move is to stop the action path until the runtime trust evidence catches up. The Sunglasses manual covers integration patterns for each of these checklist items.

Detail

Related reading

FIG.06 · Related

More from the blog

Frequently Asked Questions

sunglasses://blog/agentic-runtime-visibility-vs-runtime-trust#faq
Q.01

What is agentic runtime visibility?

Agentic runtime visibility is the ability to observe and reconstruct what an autonomous AI agent did across prompts, tools, files, callbacks, MCP servers, network requests, and multi-step workflows.

Q.02

Is runtime visibility the same as runtime trust?

No. Runtime visibility explains what happened or what is happening. Runtime trust decides whether a specific next action should execute now, based on source, freshness, scope, policy, identity, destination, and approval path.

Q.03

Where does Sunglasses fit beside AI Detection and Response tools?

Sunglasses is a narrower open-source runtime-trust layer. It does not replace full AI Detection and Response platforms; it helps catch risky action paths in agent workflows before the allowed tool call, MCP handoff, command, or outbound request becomes damage.

Q.04

Why does this matter for MCP security?

MCP gives agents a structured way to connect to tools and data. That makes inspection useful, but the critical decision remains whether this MCP response should influence this agent's action right now.

Q.05

Does Sunglasses replace AI Detection and Response?

No. Sunglasses is narrower. It complements detection, response, gateways, sandboxes, and MCP inspection by focusing on the action-time trust patterns that make an allowed workflow unsafe.

Q.06

What agent workflow security patterns does Sunglasses v0.2.51 ship?

Sunglasses v0.2.51 ships 21 new agent_workflow_security detection patterns (GLS-AW-148 through GLS-AW-168), covering stale evidence, approval laundering, callback drift, endpoint drift, and policy-scope redefinition — the patterns that make a visible workflow unsafe to execute.

Scan what the agent sees, before it acts

Sunglasses is the open-source scanner for AI agent security. pip install sunglasses