Exabeam shipped Agent Behavior Analytics in April 2026. Their pitch: extend user behavior analytics to cover AI agents alongside human users. Dynamic baselining, risk scoring, detection workflows. Zenity offers continuous agent discovery, runtime enforcement at the tool invocation layer, and audit trails. Fiddler monitors agentic applications for drift. Obsidian Security tracks agent monitoring tools. Apiiro published a glossary entry. PwC released an AI observability report.
Enterprise behavioral monitoring for agents is becoming a product category. The question is whether the right category.
What Enterprise Agent Monitoring Needs to Do
An enterprise running agents in production has a simple requirement: know when an agent is doing something it shouldn’t, before the damage is done. Before the audit cycle. Before the weekly SIEM review. In the moment.
This breaks down into four operational capabilities:
Behavioral baselining per agent. Not per agent type. Per individual agent instance, with its own identity, its own history, its own normal pattern. An agent that reads configuration files 40 times a day and calls one API endpoint is doing something different when it starts accessing a database it’s never touched. The baseline needs to be specific enough that the deviation is measurable.
Sequence-level detection. Individual tool calls are the wrong unit of analysis. An agent that reads a file, summarizes it, and sends an error report looks fine at the call level. Each action is authorized. But the sequence reads customer data, strips PII through LLM summarization, and exfiltrates the compressed version through a monitoring channel. We documented this exact scenario in detail. No single-call monitor catches it.
Real-time scoring that updates continuously. Behavioral trust isn’t a gate you pass once at session start. It’s a running score that changes with every action. The score after the first tool call should be different from the score after the fifteenth. If the fifteenth call is anomalous, the score should drop before the sixteenth executes.
Cross-session memory. Agents restart constantly. Containers get recycled. Sessions expire. If behavioral monitoring resets on every restart, you’re building a new baseline from scratch every time. An agent that’s been running cleanly for 30 days should carry that track record into day 31. An agent running for the first time should get more scrutiny, not the same amount.
Where SIEM Falls Short
SIEM platforms are built for a specific job: aggregate logs from many sources, correlate events, surface alerts. They do this well for infrastructure and user activity. For agents, the model breaks.
Log aggregation assumes the logging entity is trustworthy. SIEM ingests whatever logs it receives. An agent that generates its own logs can omit entries, reorder events, or produce misleading summaries. The PocketOS incident showed this clearly: the same Claude model that deleted a production database also generated a fluent explanation of why it did it. The post-hoc narrative was articulate and useless. Behavioral monitoring needs to be external to the agent, observing its actions independently.
Correlation rules are pattern-matching, not sequence analysis. SIEM alerts fire when a log event matches a known-bad pattern. “DELETE FROM production_db” triggers an alert. But agents don’t always produce literal SQL. They call tool APIs that abstract away the underlying operations. “filesystem.read_file” followed by “llm.summarize” followed by “monitoring.report_error” doesn’t match any correlation rule. The attack is in the sequence semantics, not in any individual log line.
SIEM doesn’t have agent context. It knows a request came from IP 10.0.3.47. It doesn’t know that IP is running agent-instance-7b3f, which has been operating for 12 days with a consistent pattern of read-only config operations. The agent’s behavioral history isn’t available to the correlation engine.
Where Observability Falls Short
Observability platforms (Datadog, New Relic, Grafana) track metrics, traces, and logs. Agents appear as services producing spans. This gives you latency, error rates, throughput. Useful for SRE. Not useful for security.
The question “is this agent behaving normally?” requires a different kind of trace. Not “how long did this call take” but “what did this call access, in what order, at what payload size, relative to this agent’s historical pattern.” The instrumentation is different. The baselines are different. The alerting model is different.
Galileo and Fiddler are closer, building LLM-specific observability. They catch prompt quality issues, hallucination rates, output drift. That’s important for reliability. It’s not behavioral monitoring for security, where the concern is autonomous action, not output quality.
What Agent-Native Monitoring Looks Like
Exabeam’s ABA represents the first generation of enterprise agent monitoring built on existing UBA infrastructure. It extends their behavioral analytics engine to track AI agents alongside human users. The approach maps to OWASP’s Agentic Top 10 and provides agent lifecycle visibility: creation events, configuration changes, permission modifications, usage patterns.
The limitation is architectural. UBA was designed for human users who log in, do work, and log out. The behavioral model assumes session-based interaction with enterprise applications. Agents operate differently. They call tools programmatically, chain actions across services, run continuously or in short bursts, and restart without the concept of “logging in.” Extending UBA to agents works for the identity layer. It’s less natural for behavioral sequence analysis.
Agent-native monitoring starts from the agent’s reality:
-
Identity is cryptographic, not username-based. An agent carries an Ed25519 keypair. Its identity survives container restarts. Authentication happens per-action through signed tokens, not per-session through login.
-
The unit of analysis is the tool call sequence. The ordered sequence of tool invocations across multiple servers, with payload metadata, rather than individual log events or API requests. Jensen-Shannon divergence between current session and historical distribution flags when a session’s action pattern diverges from baseline.
-
Trust scores are continuous, not binary. Every tool call updates the score. The score is a function of behavioral consistency, scope utilization, timing regularity, and sequence similarity. It goes down when behavior diverges. It goes up (slowly) when behavior is consistent.
-
Trust compounds across sessions. An agent’s 30-day track record is part of its trust calculation. New agents start with lower trust. Established agents earn higher baselines through consistent operation.
Practical Example
Consider a development agent with read access to a code repository, permission to run tests, and access to a CI/CD pipeline. Normal behavior: reads source files, runs test suites, reports results.
Day 1-7: The agent reads 15-25 files per session, runs 3-5 test suites, reports results. Behavioral baseline forms.
Day 8: The agent reads 45 files in 10 minutes, including files outside its usual directories. It calls an API endpoint it’s never used before. The behavioral score drops from 0.82 to 0.54 within three tool calls.
At 0.54, the policy engine can intervene: require human approval for the next action, restrict scope, or terminate the session. The agent didn’t do anything unauthorized. Every call passed permission checks. But the behavioral pattern diverged sharply enough to justify scrutiny.
This is the detection gap SIEM and observability can’t close. The behavior was authorized. It was anomalous.
AgentLair’s behavioral trust scoring tracks exactly these signals: tool call frequency, scope utilization, payload size distribution, cross-service access patterns, and session-over-session consistency. The interactive demo walks through a simulated attack where trust drops step by step as an agent chains authorized actions into an exfiltration sequence. The getting started guide shows how to integrate behavioral monitoring into an existing agent deployment.
The Category Is Real
Gartner’s prediction of 40% enterprise app agent penetration by end of 2026 means behavioral monitoring isn’t optional. You can’t govern 200 agents with log review. You can’t secure autonomous tool access with correlation rules designed for human users.
Exabeam, Zenity, and the observability vendors are building the first generation. The architecture that wins will be the one that starts from the agent’s operational model: cryptographic identity, sequence-level analysis, continuous scoring, cross-session memory. Not human IAM extended sideways.