Observe-only at the OS level is the right design! You can't trust the agent to report what it actually did. This is part of why I think monolithic agent platforms won't last. Auditing has to be independent of the thing being audited.

I wrote about the layer split happening in agent tooling: https://philippdubach.com/posts/dont-go-monolithic-the-agent...