Following the existing pattern of the gen_ai.* namespace in opentelemetry-semantic-conventions-ai, I would like to propose a small set of standardized span event and attribute names for AI-agent threat detection signals. The goal is to make detection events emitted by external scanners interoperable across observability backends, consistent with how the package already normalizes vendor differences for chat, embeddings, and vector DB operations.
Today, when an agent threat is detected upstream of the model call (prompt injection, tool exfiltration, jailbreak frame, etc.), there is no agreed namespace for the resulting span event. Each scanner emits its own attribute names, which makes downstream querying and alerting brittle. A small additive schema on the Events and EventAttributes enums would solve this without changing any instrumentation behavior or shipping detection logic.
Proposed additions, mirroring the existing style:
Events enum
- gen_ai.security.threat.detected
EventAttributes enum
- gen_ai.security.threat.rule_id (string, e.g. "instruction-override")
- gen_ai.security.threat.category (string, e.g. "prompt-injection")
- gen_ai.security.threat.severity (string, low / medium / high / critical)
- gen_ai.security.threat.scanner_name (string, e.g. "atr", vendor name)
- gen_ai.security.threat.scanner_version (string)
- gen_ai.security.threat.action (string, "blocked" / "warned" / "logged")
The rule_id and scanner_name fields explicitly support multiple sources. Open standards such as Agent Threat Rules at https://github.com/Agent-Threat-Rule/agent-threat-rules (Apache-2.0, 330 rules) can populate these attributes, as can closed-source scanners.
This proposal intentionally limits scope to event and attribute names. It does not propose dashboards, evaluator helpers, or detection logic. It is an additive schema PR analogous to past additions like the LANGGRAPH_COMMAND_GOTO_NODES and DB_QUERY_RESULT_* attributes.
Happy to open a PR with the additions if the maintainers are open to this direction. Please advise on whether you would prefer the rule_id namespace under gen_ai.security.threat.* as proposed, or under a different prefix.
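How a shared namespace removes the per-scanner querying problem described in the issue, as an added example that is not part of the original post or the project's code: two scanners with different native field names are normalized to the proposed `gen_ai.security.threat.*` attributes, and one alert rule then covers both. The scanner names, their native field names and the sample findings are constructed, and treating every attribute as required is an assumption.

```python
# Added example. Scanner names and their native field names are constructed.
PREFIX = "gen_ai.security.threat."
EVENT_NAME = PREFIX + "detected"
SEVERITIES = ("low", "medium", "high", "critical")  # ordered, from the proposal
ACTIONS = ("blocked", "warned", "logged")
FIELDS = ("rule_id", "category", "severity", "scanner_version", "action")

# Hypothetical native field name -> proposed attribute suffix, per scanner.
FIELD_MAPS = {
    "scanner-a": {"rule": "rule_id", "type": "category", "sev": "severity",
                  "ver": "scanner_version", "act": "action"},
    "scanner-b": {"ruleName": "rule_id", "threatType": "category",
                  "risk": "severity", "engine": "scanner_version",
                  "verdict": "action"},
}

# Constructed findings, as two different scanners might report them.
SAMPLE_A = {"rule": "instruction-override", "type": "prompt-injection",
            "sev": "HIGH", "ver": "1.2.0", "act": "blocked"}
SAMPLE_B = {"ruleName": "R-17", "threatType": "tool-exfiltration",
            "risk": "low", "engine": "4.0", "verdict": "Logged"}


def to_threat_event(scanner_name, finding):
    """Map one native finding to (event name, attributes) in the proposed names."""
    attrs = {PREFIX + "scanner_name": scanner_name}
    for native, suffix in FIELD_MAPS[scanner_name].items():
        value = str(finding.get(native, "")).strip()
        if suffix in ("severity", "action"):
            value = value.lower()  # enumerated values are lower-case in the proposal
        attrs[PREFIX + suffix] = value
    # Assumption: every attribute is required; the proposal does not say.
    missing = [s for s in FIELDS if not attrs[PREFIX + s]]
    if missing:
        raise ValueError(f"missing attributes: {missing}")
    if attrs[PREFIX + "severity"] not in SEVERITIES:
        raise ValueError("severity outside low/medium/high/critical")
    if attrs[PREFIX + "action"] not in ACTIONS:
        raise ValueError("action outside blocked/warned/logged")
    return EVENT_NAME, attrs


def should_alert(event, min_severity="high"):
    """One backend rule that works for every scanner once names are shared."""
    name, attrs = event
    rank = SEVERITIES.index
    return name == EVENT_NAME and rank(attrs[PREFIX + "severity"]) >= rank(min_severity)
```

The returned pair can be attached to an active OpenTelemetry span with `span.add_event(name, attributes=attrs)`.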