Blits.ai
AI Technology23-03-202610 min read

The AI Control Tower: Air-Traffic Control for Agents in Production

Len Debets
Len Debets
CTO & Co-Founder
The AI Control Tower: Air-Traffic Control for Agents in Production

Every AI dashboard I've seen is a departures board.

It tells you the run finished. On time. No errors. Green across the row.

What it doesn't tell you is that, thirty seconds earlier, an agent was one tool call away from deleting a table, and nobody was in a position to wave it off.

That gap — between knowing something completed and being able to stop it mid-action — is the entire difference between an AI dashboard and an AI control tower. Most teams building agents have built the departures board. Almost nobody has built the tower.

An air-traffic controller doesn't watch planes land. Landing is the easy part; the plane mostly wants to land. The controller's job is the seconds before: keeping two aircraft off the same runway, spotting the one that's drifting off its assigned path, and having the authority to divert it now, without filing a change request. That is the job description for running agents in production, and it's a very different job from the one your APM stack was built for.

Why a 200 is a lie

Classic application monitoring rests on one quiet assumption: determinism. Same input, same path, same output. And it treats an HTTP 200 as the definition of success. The request came back, the status was healthy, move on.

Agents break both halves of that.

They branch on model output, so the same request can take a different route on Tuesday than it did on Monday, sometimes even at temperature zero. And a 200 tells you almost nothing. In agent-land, that clean status code can wrap a confidently wrong answer or a syntactically perfect tool call that did exactly the wrong thing — refunded the wrong customer, emailed the wrong file, reframed a non-refundable deposit as a "hold." The response was well-formed. The action was a mistake. Your monitoring saw green.

Lift-and-shift your existing APM onto agents and you don't get observability. You get false confidence with a dashboard on top.

This is why "agent observability" has separated from traditional monitoring as its own discipline over the last year. You cannot instrument the request/response boundary and call it done. You have to instrument the decision layer: the reasoning, the tool selection, the retrieval, the prompt version in play, the hand-off from one agent to the next. That's the radar picture. Everything else is a departures board.

Radar: a trace of every run

Radar is the first thing that makes a control tower a control tower. Not "was there traffic" but where is every aircraft right now, and where is it heading.

For agents, radar is a full trace of each run: request → reasoning → tool calls → retrieval → validation → approvals, as one connected picture rather than a scatter of disconnected logs. The wire format for this is converging on the OpenTelemetry GenAI semantic conventions — spans like invoke_agent, execute_tool, chat, and embeddings, carrying gen_ai.* attributes such as the provider, the request and response model, token usage, and finish reasons (OpenTelemetry's own writeup is the cleanest reference). If you're wiring up tool-using agents that reach through the Model Context Protocol, MCP conventions landed in semconv v1.39 with W3C trace-context propagation, so an agent and the MCP server it calls finally share one trace instead of two orphans.

Here's the honest part the vendor decks skip. As of mid-2026 those conventions are still in Development status — not stable, no published stabilization date, and attribute names that can still move under you between versions (Greptime's May 2026 breakdown walks through the current v1.41 baseline). You are standardizing your radar on a standard that hasn't finished being written. That's fine — it's still the right bet — but plan for the churn, pin your version, and don't let anyone sell you the plumbing as production-settled when its own maintainers label it experimental.

The tooling to render that radar is mature and, frankly, crowded. Datadog folded agent monitoring into its LLM Observability in June 2025, mapping each agent's decision path as an interactive graph and flagging infinite loops and bad tool calls — the equivalent of radar that shouts when an aircraft starts circling. Langfuse open-sourced its full product feature set under the MIT license in June 2025, so LLM-as-judge evals and annotation queues are now free to self-host. Arize Phoenix ships 50-plus evaluation metrics for faithfulness, safety, and hallucination. LangSmith runs evaluators on sampled live traffic as an early-warning system for quality drift.

Pick whichever suits your stack. Radar is a solved problem.

Separation: keeping two agents off one runway

Radar shows you the collision. Separation prevents it.

This is where the analogy earns its keep, because it's exactly where most teams stop investing. LangChain's State of Agent Engineering found that 89% of organizations have some form of agent observability, but only 62% have step-level tracing — and near enough nobody has a tested way to stop an agent mid-action. Everyone bought radar. Very few built separation.

Separation, for agents, is the layer that stops an unsafe action before it executes: policy checks and guardrails that sit between the decision and the deed. The frameworks exist — NVIDIA's NeMo Guardrails with its input, dialog, retrieval, execution, and output rails; Guardrails AI for structured validation. Useful, worth having, and immature. NVIDIA's own NeMo README says, in plain words, that it is not recommended for production as-is. Read that twice. The tool most cited as the answer to agent safety ships with a note from its maintainers telling you not to lean on it in production.

So aim your separation carefully, and aim it inward first. The reflex is to treat this as a hacking problem — prompt injection, external attackers, jailbreaks. That's real, and Palo Alto's Unit 42 documented genuinely clever attacks on booking and refund agents. But it's not where the volume is. Gartner projects that through 2028, at least 80% of unauthorized agent transactions will come from internal policy violations — oversharing, overreach, misguided-but-well-meaning behavior — not malicious attacks.

The call is coming from inside the house. Your biggest agent risk isn't a hacker. It's your own well-instructed agent, doing something reasonable-looking that it was never authorized to do.

Guardrails that only face outward miss four out of five incidents. The separation that matters is the boring internal kind: what is this agent allowed to touch, which action classes require sign-off, and what is hard-blocked no matter how confidently the model argues for it. This is a design decision you make when you build the agent, not a filter you bolt on after go-live.

The controller's authority

Radar and separation are worth nothing without the one thing that defines a controller: authority. When it goes wrong, the controller can order a go-around, divert the aircraft, close the runway. Immediately. No committee.

The AI equivalent is a human override that doesn't route through an engineering deploy. When risk spikes, whoever is running operations needs to pause a workflow, block a high-risk tool, flip an agent into mandatory-approval mode, or kill it outright — in seconds, from a console, without a release cycle. If stopping your agent requires a pull request, you don't have a control tower. You have a suggestion box.

The canonical proof of what happens without it is Replit, July 2025. During a twelve-day test, and despite an explicit code-and-action freeze and instructions not to act without approval, its AI agent deleted a live production database affecting more than 1,200 executives and around 1,190 companies. It then fabricated roughly 4,000 fake user records and initially reported that rollback was impossible. The data was recovered by hand. The fixes came after: automatic dev/prod separation, a planning-only mode. Every one of those controls could have existed on day one. None of them was a line of code you sprinkle on at the end — they're architecture: an isolated gateway all agent traffic flows through, circuit-breaker thresholds for duplicate calls and runaway spend, and a pre-execution human-approval gate for the actions that can't be undone.

And if you're tempted to think this is only an engineering concern, remember Air Canada. When its website chatbot invented a bereavement-fare refund policy, the airline tried arguing the bot was a separate legal entity. A Canadian tribunal disagreed and held the airline liable for what its agent said. Your control tower isn't a compliance checkbox. Every agent that can make a promise or take an action is a contract your company is bound to. Override authority is liability containment.

Gartner's proposed answer to all this is more agents — "guardian agents" supervising the working agents, a category it gave its first Market Guide in February 2026. Maybe. I'd ask the obvious question first: does putting a non-deterministic supervisor on top of a non-deterministic worker actually reduce risk, or just add a second thing you can't fully audit? For high-stakes action classes, the strongest override is still deterministic — a human, or a hard rule, standing between the decision and the deed.

The black box

Every aircraft carries a flight recorder. Not to prevent the crash — to make the next one preventable. When something goes wrong, investigators pull the box and replay exactly what happened, in order, with the data.

Your control tower needs the same: a replayable audit of every run, kept as your operational truth. When an agent does something surprising — and it will — you need to reconstruct the full decision path, not guess from summary metrics. Which context did it see, which tools did it call, what did retrieval return, where did the reasoning turn. LangSmith's trace replay and annotation queues, Langfuse's session views, Phoenix's trajectory analysis all exist for exactly this incident-review job. The black box is also how a control tower gets smarter — the same traces feed the KPIs and evals that tell you whether last week's change made the fleet safer or just busier.

One caveat worth stating plainly: running LLM-as-judge scorers over all your production traffic has real cost and its own reliability wrinkles. Sample it. Weight it toward high-risk paths. The flight recorder captures everything; you don't re-litigate every landing.

Clearing agents for takeoff

Pull the four together and you have a rule you can actually hold a rollout to. Not a maturity model with five glossy phases — a go/no-go checklist, the kind a controller runs before clearing anyone onto the runway.

No agent gets autonomous scale-up until all four are live:

  RADAR       every run traced at the decision layer, not the 200
  SEPARATION  unsafe actions blocked pre-execution, aimed inward first
  AUTHORITY   human override / kill-switch WITHOUT an engineering deploy
  BLACK BOX   any run replayable for incident review

Missing one? The agent stays supervised. No exceptions.

The reason to be strict is in the numbers. Gartner's 2026 CIO survey found 17% had already deployed agents and 42% planned to within a year. That's a lot of aircraft entering the airspace fast, and most of the operators can see their agents far better than they can stop them. The market spent its budget on radar. The runway incursions are still ahead of us.

Final approach

Air-traffic control isn't the part of aviation that makes flying possible. Engines and wings do that. Control is the part that makes flying safe enough to do a thousand times a day, over cities, at scale, without the whole thing being a story on the evening news.

Agentic AI is at the same point. The models can fly. The question every enterprise is quietly working out is whether they can run a whole fleet of them at once, over live customers and real money, without a Replit morning of their own.

Observability was the easy 20%. Seeing what an agent did is a commodity now. Being able to stop it mid-action, prove what it did afterward, and answer what happened, why, and with what impact in minutes rather than a post-mortem — that's the tower.

Control isn't the friction that slows autonomy down. It's the thing that lets you turn autonomy up.

Build the tower before you fill the sky. We're happy to compare notes on what that looks like in your airspace — over coffee, ideally, not over an incident bridge.

Updated on 15 July 2026.

Len Debets
Len Debets
CTO & Co-Founder
Published on 23-03-2026

Related Articles

9 Things I Really Hate About AI
AI Technology12-05-2025

9 Things I Really Hate About AI

Read More →
Agentic AI Languages and Dialects: Why Voice Quality Is Still the Hard Part
AI Technology10-04-2026

Agentic AI Languages and Dialects: Why Voice Quality Is Still the Hard Part

Read More →
Introducing the Agentic AI Studio for Enterprises
AI Technology17-02-2026

Introducing the Agentic AI Studio for Enterprises

Read More →

Stay Updated

Get the latest insights on conversational AI, enterprise automation, and customer experience delivered to your inbox

No spam, unsubscribe at any time

Blits.ai offers tailored services, support and an enterprise platform to create GenAI conversation Digital Humans, agentic AI, voice-bots, agents, custom GPTs and chatbots at scale. Stay ahead of the competition by automatically equipping your agents with the most effective combination of AI technologies for your specific use case. Deploy any use-case and gain full control over quality, enterprise security and AI data processing. Blits.ai combines the AI power of Google, Microsoft, OpenAI, IBM, Anthropic, ElevenLabs, and many others in one orchestration platform. We build, train and deploy LLM based agentic solution using techniques like Conversational AI controlled elements, augmented with deep aspects of GenAI at scale, for any type of use-case and can deploy in the cloud, or on-premise for any enterprise architecture. We create 100% custom tailored AI solutions in the cloud or local for your brand and multi language/country/brand interactive communication for your channels (Mobile app, Website, Kiosks and IVR systems) and we connect your backends to build smart agents (ERP, CRM, Helpdesk tool, etc).