Walk into any team that has shipped an agent into a workflow with real consequences and ask them to draw the deployment. They will draw six boxes. A prompt-rewriting layer in front. An output classifier behind. An RBAC patch on the side. A custom audit pipeline catching tool calls into a separate datastore. A manual approval queue for anything that smells expensive. And a Slack channel where the on-call sees the alerts, in theory.
Each of those boxes was added because the previous one was not enough on its own. Each of them has a separate vendor, a separate dashboard, and a separate set of incidents. None of them were designed to talk to each other. The team that runs the agent is now also the team that runs the integration of six things that do not really integrate.
Then the auditor asks a simple question. "Show me, for this specific action that happened on this specific day, what authority the agent had, what it attempted, what it was permitted to do, and the signed record of the result." The answer requires correlating logs across all six boxes, plus the IAM state at the time, plus the prompt revision that was live. Sometimes the answer is reconstructible. Often it is not. Always it is expensive.
This is what we mean when we say the audit trail should be a property of the runtime. Not because audit pipelines are uninteresting — they are — but because building one outside the runtime means the people running the runtime are also running an integration project they did not budget for, against systems that were not designed for it, with a deadline set by whoever is auditing them next.
The shape of "production-ready agent" today is the shape of a security team's exhaustion. We think the shape is worth rethinking before more teams ship more agents into more workflows under more regulation. That is the work.