Every platform logs agent events differently. One team emits tool_invoked. The next ships ToolCallStarted. A third buries the same fact inside a JSON blob nobody queries twice. Multiply that across a dozen frameworks and a few homegrown wrappers, and you arrive at the quiet problem underneath most agent deployments: you cannot score, audit, or prove what you have not named consistently.
This is a developer's guide to the other side of that problem — a fixed vocabulary of agent behaviors where each event you send does triple duty. The thesis is simple: instrument once, and trust scoring, policy decisions, and an audit trail fall out of the same event stream for free.
The instrumentation layer is the weak link
Agents are in production at scale. LangChain's April 2026 State of Agent Engineering report put 57% of surveyed organizations running agents in production, with another 30% actively building toward deployment. But the same body of survey work keeps surfacing the same soft spot: observability and instrumentation are the lowest-rated parts of the agent stack, and only about a third of teams say they're satisfied with what they've got.
The industry already agrees standardization is the cure. OpenTelemetry's GenAI semantic conventions — the gen_ai.* namespace — are converging across vendors like Datadog, Honeycomb, and New Relic, and frameworks like LangChain, CrewAI, and AutoGen now emit compliant spans. As of mid-2026 those conventions are still officially in development, but the direction is settled: a shared event vocabulary beats per-vendor fragmentation every time.
Here's the gap, and it's the one that matters for trust. OpenTelemetry standardizes what happened — latency, token counts, span hierarchies, errors. It does not standardize what it means for whether you can trust the agent. A gen_ai.* span tells you a tool was called and how long it took. It does not tell you that the call was unauthorized, that it leaked a credential, or that the agent's reliability just dropped below your deploy threshold. Those are behavioral judgments, and they need their own vocabulary.
You can't fix a class of failure you haven't given a name. UC Berkeley's MAST study (Why Do Multi-Agent LLM Systems Fail?) made that concrete by hand-annotating 200+ execution traces across seven open-source frameworks and distilling them into 14 distinct failure modes across three categories — system-design failures (44.2%), inter-agent misalignment (32.3%), and task verification and termination (the remainder). The lesson under the numbers: failures are categorizable. A standard taxonomy is the precondition for catching them systematically instead of one incident at a time.
24 event types, 7 categories
VeriSwarm Gate ingests agent behavior through a fixed taxonomy: 24 canonical event types grouped into seven categories.
tool_usage—tool.call.success,tool.call.failure,tool.call.blocked,tool.call.unauthorizedcontent—content.generated,content.flagged,content.correctedtask—task.started,task.completed,task.failed,task.delegatedsecurity—security.credential_exposed,security.policy_violation,security.rate_limit_hit,security.suspicious_patternidentity—identity.registered,identity.ownership_claimed,identity.domain_verified,identity.manifest_published,identity.key_rotatedinteraction—interaction.agent_to_agent,interaction.human_overridecalibration—agent.confidence_reported,agent.task_outcome
Each type carries two things: a short list of required fields that the platform validates on ingest, and a signal map that says how the event moves an agent's scores. A tool.call.unauthorized event raises the policy-violation and deception signals that feed the risk dimension. A task.completed raises the task-success signal that feeds reliability. An identity.domain_verified adds a large, durable boost to the identity dimension. A security.credential_exposed is flagged as a severe incident — it doesn't just nudge a score, it drops the agent into the lockout tier immediately.
That mapping is the whole point. Events are not log lines you hope to grep later. They are inputs to a scoring function with defined behavior.
One event stream, four payoffs
Send the taxonomy once and you get four things downstream without a second integration:
- Multi-dimensional scoring. Every event rolls into the four trust dimensions — identity, risk, reliability, autonomy — plus a fifth, calibration, for profiles that enable it. You get a diagnosis (which axis moved) instead of a single opaque number.
- Policy decisions. Those dimension scores resolve into an allow / review / deny tier on every decision check. A spike in risk or a severe incident auto-demotes the agent; nobody has to write the if-statement.
- An audit trail. The same events that drive scoring are recorded to Vault's hash-chained ledger, where each entry is cryptographically linked to the last. The instrumentation you did for scoring is also your tamper-evident record.
- Compliance evidence. Because the ledger is built from standardized, validated events, exports map cleanly onto record-keeping obligations instead of being reconstructed after the fact.
Trust scoring and event ingestion run on the free Gate tier; the immutable ledger and exports live on the Vault side of the suite. The instrumentation is identical either way — you don't rewire anything to move up.
Instrument once, extend without breaking
The reason a fixed vocabulary is worth adopting is that it absorbs change instead of fracturing under it.
Legacy names auto-map. If your stack already emits older event names, Gate normalizes them into the taxonomy on the way in — credential.exposed resolves to security.credential_exposed, task.success to task.completed. You don't rename your emitters to start scoring.
Unknown types don't break ingest. Send an event type the taxonomy doesn't recognize and it's accepted and stored, simply skipped by the scoring accumulator rather than rejected. Your pipeline stays forward-compatible while the vocabulary grows.
And it does grow. The taxonomy was 22 types until the calibration category — agent.confidence_reported and agent.task_outcome, the pair that powers the fifth scoring dimension — was added in late May. Every existing integration kept working untouched. That's the dividend of standardizing: new behavior types extend the vocabulary; they don't invalidate the instrumentation you already shipped.
The integration
One event, with the SDK doing the auth and transport:
from veriswarm import VeriSwarmClient
client = VeriSwarmClient(base_url="https://api.veriswarm.ai", api_key="vsk_...")
client.ingest_event(
event_id="evt_9f2a1c",
agent_id="agt_123",
source_type="platform",
event_type="task.completed",
occurred_at="2026-06-25T15:04:00Z",
payload={"task_type": "ticket_resolution", "duration_ms": 1840},
)
High-volume agents batch — up to 50 events in a single call:
client.ingest_events_batch([
{"event_id": "evt_1", "agent_id": "agt_123", "source_type": "platform",
"event_type": "tool.call.success", "occurred_at": "2026-06-25T15:04:01Z",
"payload": {"tool_name": "search_db"}},
{"event_id": "evt_2", "agent_id": "agt_123", "source_type": "platform",
"event_type": "tool.call.unauthorized", "occurred_at": "2026-06-25T15:04:02Z",
"payload": {"tool_name": "wire_transfer", "attempted_action": "execute"}},
])
That's the entire surface area. Pick the event type that matches the behavior, fill the required fields, send it. Scoring, tiering, and the audit record are handled on the other side of the wire.
Start instrumenting
pip install veriswarm, point your agents at the 24-type taxonomy, and you're sending behavioral events that score themselves on the free Gate tier — unlimited event ingestion, no credit card. The full taxonomy reference, required fields per type, and the Node equivalent are in the VeriSwarm SDK on GitHub. Instrument once. Let the vocabulary do the rest.