OTEP: Agent threat detection semantic conventions

[eeee2345]

Per discussion in semantic-conventions-genai#132 with @AgentGymLeader and @luckyPipewrench, this PR opens an OTEP for an agent.threat.detection.* attribute namespace.

Summary

The OTEP introduces five attributes for recording the outcome of runtime threat-detection evaluations on AI agent spans:

• agent.threat.detection.rule_id
• agent.threat.detection.ruleset
• agent.threat.detection.severity, enum low | medium | high | critical
• agent.threat.detection.action, enum allow | block | warn | ask
• agent.threat.detection.correlation_id, optional and opaque

Reviewer feedback on issue #132 pushed the namespace from gen_ai.threat.* to agent.threat.detection., on the grounds that some detection layers (for example, MCP firewalls) are agent-aware but not strictly GenAI-API-aware. The OTEP keeps that placement. The attributes are composable with the existing gen_ai. conventions without overlap, and they also apply to non-GenAI agent operations.

The OTEP file is at oteps/NNNN-agent-threat-detection.md and will be renumbered once a PR number is assigned. Word count is approximately 1440.

Scope

This OTEP standardizes the attribute shape only. It does not standardize any specific ruleset. Any detection layer, proprietary or open source, can populate the attributes.

Evidence that detection layers with stable rule IDs are already operating in production

These are listed as concrete examples that the proposed schema fits real deployments. The OTEP itself does not depend on any of them.

• feat(examples): add ATR community security rules for PolicyEvaluator microsoft/agent-governance-toolkit#908, merged 2026-04-13
• feat: Add ATR community rule pack — 34 rules for MCP tool poisoning, multi-agent attacks, and advanced injection cisco-ai-defense/skill-scanner#79, merged 2026-04-03
• Add agent-threat-rules taxonomy MISP/misp-taxonomies#323, merged
• feat(scenarios): add Agent Threat Rules derived regression scenarios OWASP/Agent-Security-Regression-Harness#74, merged

Related issues

• semantic-conventions-genai#132 (origin of this OTEP)
• semantic-conventions-genai#94 (agent workflow grouping)
• semantic-conventions-genai#95 (MCP tool approval, motivates the action = ask enum value)
• semantic-conventions-genai#89 (agent failure repair, motivates correlation_id)

Open questions called out in the OTEP

• Severity alignment with CVSS qualitative bands or kept abstract
• Whether action = warn and action = ask should remain separate values
• Whether correlation_id is better modeled as a span link than a string attribute

Happy to iterate on namespace, enum values, and attribute requirements based on review feedback.

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: eeee2345 / name: Adam Lin (00d2fa8, 858273f)

[Copilot]

Pull request overview

This pull request adds a new OTEP proposing an agent.threat.detection.* semantic attribute namespace to record outcomes of runtime threat-detection evaluations on AI agent spans in a vendor-/ruleset-agnostic way.

Changes:

• Introduces a draft OTEP defining five agent.threat.detection.* attributes (rule ID, ruleset, severity, action, correlation ID).
• Describes intended usage patterns (on spans vs. span events / dedicated detection spans) and interaction with existing gen_ai.* and error.* conventions.
• Documents trade-offs, alternatives, open questions, and example prior art/prototypes.

Comments suppressed due to low confidence (2)

oteps/5098-agent-threat-detection.md:57

• In the “child span” case, saying that correlation_id links to the parent operation is potentially misleading/redundant because the parent/child relationship already provides that linkage within a trace. Consider clarifying that correlation_id is intended to correlate across traces/systems (or to external tickets), and/or that it’s primarily for asynchronous/out-of-band detections where trace relationships aren’t sufficient.

1. **On the existing operation span.** A guardrail wrapped around `execute_tool` sets the attributes directly on the `execute_tool` span. This is the common case when the detection layer is in-process and the operation does not duplicate.
2. **On a span event or a dedicated detection span.** When the detection is asynchronous (for example, an out-of-band scanner that re-reads a tool output) or when multiple rules fire on one operation, each detection is a span event under the operation span, or a child span with the same attributes plus `correlation_id` linking to the parent operation.

oteps/5098-agent-threat-detection.md:50

• The document describes correlation_id as “not intended for high-cardinality joins inside a tracing backend” but later calls it “the natural join key” to related repair spans. Consider reconciling this guidance (e.g., clarify that correlation is for external systems/offline analysis, or recommend span links for in-backend correlation while keeping the attribute optional/low-impact).

Cardinality is bounded by ruleset size, which is operationally small for production rulesets (today on the order of 10^2 to 10^3). The `correlation_id` is opaque and is not intended for high-cardinality joins inside a tracing backend.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[luckyPipewrench]

Please remove named implementation prototypes from this OTEP, or replace them with category-level examples such as open community rulesets, vendor proprietary rulesets, and local policy packs. The convention should not make one ruleset look privileged before the attribute shape is accepted.

This follows from the namespace-neutrality discussion on open-telemetry/semantic-conventions-genai#132. The same way ruleset is documented as namespace-neutral, the OTEP body and Prototypes section should read that way too.

[trask]

hi @eeee2345! we don't generally use OTEPs for semantic convention work, I'd suggest continuing the discussion in the semantic-conventions-genai repository, or if you think it should be broader, then in the semantic-conventions repository. There are also weekly SIG meetings for both of those repositories (see here and here) which are open to all if you are able to attend and raise the topic there it can often help to get more discussion going. thanks!

[eeee2345]

Thanks @trask, that makes sense. Closing this and consolidating into semantic-conventions-genai#132, which is the right repo for semantic-convention work and already open.

For continuity, the OTEP content here covered gen_ai.threat.detection.* span attributes for runtime threat detection on agent spans (detection.rule_id, detection.ruleset, detection.severity, detection.action, detection.matched_pattern). I'll port the substance over there as discussion comments plus a draft PR against semantic-conventions-genai when the attribute shape is settled.

To @luckyPipewrench's point about not privileging any one ruleset in the naming — the genai-repo migration will use category-level examples (open community rulesets, vendor proprietary rulesets, local policy packs) rather than naming specific implementations. Will keep the discussion neutral until the attribute shape lands.

No action needed on this PR. Closing.