Distributed Tracing Shows You What Happened. It Cannot Prove It to a Regulator.
Engineers instrumenting AI agents with OpenTelemetry make a reasonable assumption: if I can trace every tool call, model invocation, and decision branch, I have an audit trail. Regulators under the EU AI Act will disagree. The distinction matters, and it is structural.
What Distributed Tracing Actually Captures
A typical OpenTelemetry span for an AI agent call looks like this:
{
"traceId": "4bf92f3577b34da6",
"parentId": "a44120f958f34b3a",
"id": "a44120f958f34b3a",
"name": "Tool: Calculator",
"kind": "SPAN_KIND_INTERNAL",
"startTimeUnixNano": "1693454168083388000",
"endTimeUnixNano": "1693454168105611000",
"attributes": {
"tool.name": "Calculator",
"tool.input": "2+2",
"tool.output": "4",
"ai.agent.name": "Math Tutor"
}
}
This span details a specific event: the AI agent named "Math Tutor" invoked a tool called "Calculator" with the input "2+2" and received the output "4". This is invaluable for debugging and understanding runtime behavior. It shows what happened during a specific operation. For an engineer, this is a window into the agent's execution flow, revealing which tools were called, with what parameters, and what results they returned. It’s like having a detailed logbook for every decision the AI made, down to the tool level.
However, the EU AI Act, particularly Articles 9 and 13, demands more than just a record of execution. These articles focus on transparency, human oversight, and the ability to demonstrate compliance with safety and ethical guidelines. They require a level of assurance that distributed tracing alone does not provide.
The EU AI Act's Requirements: Beyond Visibility
Article 9 of the EU AI Act mandates that AI systems intended to interact with natural persons must be designed to allow for human oversight. This means there must be mechanisms to detect and respond to potential risks or errors. Article 13 requires providers of general-purpose AI models to provide comprehensive documentation, including information on the model's capabilities, limitations, and the training data used. Crucially, it also requires them to document the model's performance and how it was tested.
While OpenTelemetry provides a detailed execution log, it doesn't inherently prove:
- The intent or reasoning behind a decision: The trace shows a tool was called, but not necessarily why that specific tool was chosen over others, or if the choice was appropriate given broader context not captured in the span.
- The effectiveness of human oversight: A trace might show a human reviewed an AI's output, but it cannot prove the review was meaningful, thorough, or that the human understood the AI's internal state.
- Compliance with specific regulatory thresholds: For example, if the AI Act requires a certain accuracy rate for a specific task, a trace might show the task was performed, but not definitively prove the accuracy met the legal standard without additional validation.
- The integrity of the data: While traces record inputs and outputs, they don't verify the source or integrity of the data itself.
Think of distributed tracing like a detailed security camera feed in a bank. You can see every transaction, every person entering and leaving, and every movement. This is invaluable for understanding what happened during a robbery. But if a regulator asks to prove that the bank's internal compliance policies were followed at all times, the camera feed alone isn't enough. You'd need signed checklists, audit reports, and perhaps testimony from staff to demonstrate compliance with procedural rules.

Closing the Gap: Beyond Spans
To meet regulatory demands, particularly under the EU AI Act, developers need to augment their distributed tracing with additional layers of evidence. This means moving from simply recording what happened to actively proving how and why it complies.
Structured Logging for Compliance
While OpenTelemetry excels at tracing, structured logging can capture more nuanced information. Logs can be designed to specifically record:
- Decision Rationale: Beyond just the tool output, log the AI's reasoning for selecting a particular tool or response, especially if it deviates from expected behavior.
- Confidence Scores: Record the AI's confidence level in its output or decision. This can be crucial for demonstrating appropriate levels of oversight.
- Human Oversight Actions: Log when human review occurs, who performed it, what actions they took (e.g., approved, rejected, modified), and their assessment of the AI's output.
- Data Provenance: Log the source and integrity checks performed on data inputs used by the AI.
These logs should be immutable, timestamped, and stored securely to serve as a verifiable record.
Formal Verification and Testing Artifacts
The EU AI Act emphasizes rigorous testing and validation. This requires artifacts beyond runtime traces:
- Formal Verification Reports: For critical components, mathematical proofs demonstrating that certain properties hold true under specified conditions.
- Comprehensive Test Suites: Detailed results from adversarial testing, bias detection tests, and performance benchmarks against specific regulatory requirements.
- Training Data Documentation: Detailed descriptions of datasets used, including their origin, preprocessing steps, and any known biases, as mandated by Article 13.
- Risk Assessments: Documented evaluations of potential risks associated with the AI system and the mitigation strategies employed.
These artifacts provide the evidence that the system was designed and tested with regulatory compliance in mind, not just operational efficiency.
The Structural Difference: Trace vs. Proof
The fundamental difference lies in purpose and audience. Distributed tracing is engineered for developers and operators to understand and optimize system performance. It's an internal-facing tool. Regulatory compliance, on the other hand, is external-facing. It requires evidence that is:
- Verifiable: The data must be trustworthy and resistant to tampering.
- Auditable: It must be possible for a third party (a regulator) to examine the evidence and confirm compliance.
- Contextual: It must demonstrate not just what happened, but why it aligns with legal requirements.
OpenTelemetry spans are excellent breadcrumbs on the execution path. They show the journey. But to satisfy regulators, you need a notarized map with signed attestations at every critical junction, proving that the journey adhered to the established rules of the road.
If you are building AI systems subject to the EU AI Act, simply relying on existing observability tools is insufficient. You must proactively design your systems to generate and store compliance-specific evidence, augmenting your tracing data with structured logs, formal test results, and comprehensive documentation. The time to build this bridge between technical visibility and regulatory proof is now.
