There is a growing class of AI infrastructure that participates directly in execution pipelines without generating anything. It does not call models. It does not inspect prompts. It does not emit completions. And yet it is structurally involved in how AI systems behave. This essay is about that category, and about why the observability vocabulary we currently have does not see it.
I came to this topic by accident. While instrumenting a small deterministic workflow enforcement layer, I tried to use the emerging OpenTelemetry GenAI semantic conventions and ran into six concrete frictions, which I wrote up separately as a friction log. Each friction was small on its own. Together they pointed at something larger: the conventions assume a particular shape of AI system, and a whole adjacent class of systems falls outside that shape.
This essay tries to name that class, give examples, and argue that it deserves its own observability vocabulary rather than being accommodated awkwardly through custom attributes.
The dominant model of AI observability is generation-centric
If you read the current GenAI semantic conventions and try to reconstruct the implied mental model of an AI system, you get something like this:
- A request enters the system as a prompt or message.
- A model or agent receives it.
- The model generates a completion, possibly invoking tools or retrieving context.
- The completion exits the system as a response.
Observability, under this model, means watching what flows through the
model. Prompts in, completions out, tool calls along the way,
retrieval steps when relevant. The attributes available reflect that:
gen_ai.operation.name values describe runtime inference
activities. gen_ai.provider.name presumes a model
endpoint. Tool-call and retrieval semantics dominate.
This is a coherent model, and for a large part of the ecosystem it is the right one. Most projects shipping LLM-powered features really do look like this: a prompt goes to a model, a completion comes back, and the interesting observability questions are about what happened inside that round trip.
But it is one model among several. And the conventions have grown up almost entirely around it.
What gets missed
A different class of system has been quietly accumulating in the AI infrastructure space over the last few years. It includes:
- Graph-execution and workflow orchestration engines (LangGraph, ControlFlow, some of LangChain's execution layer) that decide which node runs next and how state flows between steps.
- General-purpose workflow runtimes wrapping LLM steps (Temporal, Prefect, Airflow with AI tasks) that provide durability, retries, and orchestration without being AI-specific themselves.
- Safety and policy gates (NVIDIA NeMo Guardrails, various input/output filters, content classifiers, jailbreak detectors) that sit in front of or behind model calls and decide whether execution may proceed.
- Validation and topology-enforcement layers, such as the small Router I instrumented, that check whether a given workflow transition is structurally permitted before any model is invoked.
- Execution governors and deterministic orchestration runtimes that enforce invocation limits, re-entry constraints, dependency ordering, or audit requirements.
These systems are not the same as each other. They have different purposes, different state models, and different surfaces. But they share a small set of properties that make them collectively distinct from the systems the current conventions imagine:
- They participate in AI execution pipelines.
- They make decisions that affect what happens next.
- They do not themselves generate anything.
- They are often deliberately content-blind, observing structure rather than semantics.
I am going to call this category content-blind AI infrastructure, with the caveat that the name is provisional. Other reasonable names might be structural AI infrastructure, orchestration-layer systems, or non-generative AI infrastructure. The naming is less important than the recognition that the category exists.
Why content-blindness is a feature, not an absence
One easy mistake when reading the list above is to interpret content-blindness as a limitation. As though these systems would observe content if they could, and the absence of prompt and completion data is a gap to be filled.
That is backwards.
For many of these systems, content-blindness is a deliberate design property with real downstream consequences:
- Privacy. A governance layer that never sees prompts cannot leak them. A workflow runtime that operates on metadata only cannot accidentally log sensitive user content.
- Determinism. A structural validator that decides based on workflow topology gives the same answer for the same configuration every time, regardless of how the underlying model behaves on any particular day.
- Auditability. A refusal that depends only on structural facts is a refusal that can be explained, reviewed, and challenged without needing to reproduce a model's output.
- Composability. A guardrail or governor that operates on metadata can be placed in front of any model without needing model-specific integration.
In other words, content-blindness is often load-bearing. It is the property that makes these systems useful for safety, governance, and structural correctness in the first place.
An observability vocabulary that treats content as the primary signal is therefore not just incomplete for this category. It is misaligned with what makes the category valuable.
Three kinds of semantics, currently blurred
If we step back, AI infrastructure as currently observed actually involves three distinct semantic registers, which the present conventions tend to blur into one:
Inference semantics
The semantics of what a model is doing while it generates: tokens, completions, tool calls, retrieval, the contents of messages. This is what the current conventions cover well. Prompt in, completion out, with whatever happened in between.
Structural orchestration semantics
The semantics of how execution is shaped: which node runs next, which transitions are valid, how state flows between steps, whether a given sequence of operations is structurally permitted. This is what workflow engines, orchestrators, and topology validators care about.
Governance and enforcement semantics
The semantics of what is permitted to happen and why: refusals, policy decisions, invocation limits, attribute-based access checks, structural denials. This is what guardrails, governors, policy gates, and authorization layers care about.
These three registers overlap in real systems — a single execution often involves all three — but they are not the same. A prompt is not a transition. A completion is not an enforcement outcome. A refusal is not an error. Conflating them produces telemetry that is either misleading or impossible to express cleanly.
The friction log demonstrated this concretely. Refusals had to be
represented as if they were errors, because error.type was
the closest available attribute. Structural validation had to invent a
non-standard gen_ai.operation.name, because no value in
the standard set described it. Topology had to be expressed through
custom workflow.* attributes, because no
gen_ai.* attribute represented structural execution
position.
Each of those workarounds was technically possible. None of them produced telemetry that downstream tooling could interpret without custom adapters.
What a better vocabulary might look like
I do not have a finished proposal to offer here. What follows is a sketch of the shape such a proposal might take, intended to give future contributors something concrete to react to.
A vocabulary for content-blind AI infrastructure might include:
- Operation names for structural activities: configuration validation, topology evaluation, transition checking, enforcement evaluation. These are first-class operations in orchestration and governance systems, and they deserve to be named.
-
Attributes for structural execution position:
current container, requested transition, valid next states. The
equivalent of
gen_ai.conversation.idfor systems that are not conversational. - A clear distinction between refusal and error: terminal enforcement outcomes are not failures. They deserve a semantic category of their own, with typed reasons that downstream tooling can interpret.
- Trace-parenting guidance for standalone evaluation: governance and orchestration systems often produce traces that have no upstream model span to parent under. The conventions should not implicitly assume one.
- Provider-optional spans: not every GenAI-adjacent span has a model provider. The current conventions imply otherwise.
None of these are radical additions. Each of them is an attribute or clarification that would let an existing category of system describe itself in standard terms rather than escaping to custom attributes.
Whether they live under gen_ai.*, under a sibling
namespace, or under a broader workflow.* namespace that
applies beyond AI is an open question, and probably one that should be
decided by people closer to the standards process than I am. The
important argument is the prior one: that the category exists, and
that the current vocabulary does not see it.
Why this matters beyond the conventions
It is tempting to read all of this as a narrow specification debate. Six friction points in one library, in one part of one standards body, in one corner of the AI ecosystem.
I think it is bigger than that, for two reasons.
The first is that observability vocabularies have downstream effects. What can be named gets monitored. What gets monitored gets debugged and improved. What cannot be named gets quietly worked around, and the systems that depend on those workarounds get harder to operate over time. If a category of AI infrastructure has no standard observability vocabulary, it will be slower to mature, harder to compare across vendors, and harder to argue for in production deployments.
The second is that the categories the conventions do see end up shaping how we think about AI systems in general. If the only first-class objects in our observability vocabulary are prompts, completions, tool calls, and retrieval, then AI systems will be imagined as systems of generation. The structural, governance, and orchestration layers that exist around generation will be treated as adjuncts. That framing has real consequences for safety work, for compliance, and for the architecture of production AI systems.
Making content-blind AI infrastructure legible at the observability layer is one small move toward a more accurate picture of what AI systems actually are: not just generators, but composites of generation, structure, and enforcement.
Closing
This essay is exploratory rather than proposal-shaped. It does not try to land specific attributes in a specific namespace. It tries to name a category of system whose existence I think is currently underweighted in observability discussions, and to argue that giving that category a vocabulary would be a real contribution.
I will keep exploring the technical side of this in my own time, through further instrumentation experiments and writing. If anyone working on similar systems finds this useful, or disagrees with it, or sees a category I have missed, I would be glad to hear from them. 🌙