← Essays
AI · FintechAI & Product Operations

GitHub Copilot OpenTelemetry Makes Agent Work Auditable

Telemetry is becoming the control plane for coding agents. The question is not whether agents ran, but whether teams can explain what they did.

July 9, 2026·7 min read·By Rizwan Zafar
Briefing note

GitHub Copilot's managed OpenTelemetry export shows why AI coding agents need approved collectors, policy, traces, and evidence review.

Operator-written7 min read8 sectionsRecruiter-readable

AI coding agents are moving from novelty to managed infrastructure.

That changes the evidence requirement.

GitHub's 8 July 2026 changelog says organizations can now mandate where GitHub Copilot sends OpenTelemetry data for VS Code and Copilot CLI. The configuration applies through enterprise-managed settings and sends telemetry to an approved collector instead of relying on each developer to set local environment variables.

That is a small feature with a large operating implication: agent work is becoming observable by policy.

The Short Answer

GitHub Copilot OpenTelemetry export is useful because it turns agent activity into governed evidence. Enterprises need to know which prompts, tool calls, model interactions, token usage, errors, approvals, and outcomes happened, where the data went, and whether sensitive content was captured. The control is not "watch every developer." The control is "make agent work explainable enough to operate safely."

This is a continuation of the same pattern as Copilot agent-session streaming, but it is more operational: telemetry now plugs into the enterprise observability stack.

Telemetry Is The Agent Evidence Plane

Traditional engineering observability asks whether a system is healthy.

Agent observability has to ask more:

  • What instruction was the agent given?
  • Which files, tools, repositories, and commands did it touch?
  • Which model calls happened?
  • How much token and tool cost was consumed?
  • Which guardrails fired?
  • Where did the agent fail or ask for help?
  • Which outputs reached a pull request, commit, or deployment path?

The VS Code documentation for monitoring Copilot agent usage says Copilot Chat can export traces, metrics, and events through OpenTelemetry, including visibility into agent interactions, LLM calls, tool executions, and token usage. It also notes that signal names and attributes follow OpenTelemetry GenAI semantic conventions.

That matters because it moves the data into systems platform teams already know how to operate.

The best outcome is not another vendor dashboard. The best outcome is agent telemetry that can sit beside CI, incident, cost, security, and developer-experience data.

This is also where agent skills need exit criteria: repeatable agent work should produce repeatable evidence.

Managed Settings Are A Governance Upgrade

GitHub separately announced managed Copilot settings via MDM and file-based configuration. That is important because local configuration is a weak control at enterprise scale.

If every developer decides their own telemetry endpoint, capture setting, and exporter protocol, the organization does not have a policy. It has hope.

Managed settings let the platform team define:

  • the approved collector endpoint;
  • exporter protocol;
  • service name and resource attributes;
  • headers and routing metadata;
  • whether prompt or tool content can be captured;
  • which settings are locked rather than suggested.

That is the difference between "we use agents" and "we operate agents."

Content Capture Is The Hard Boundary

The most sensitive setting is content capture.

The VS Code documentation lists a setting for capturing full prompt and response content, and another for maximum attribute size. That can be useful for debugging, evaluation, and incident review. It can also leak proprietary code, customer data, secrets, credentials, or regulated information if handled carelessly.

Fintech and banking teams should treat agent telemetry as sensitive operational data.

My default policy would be:

  1. collect metadata by default;
  2. avoid full prompt and response capture unless there is a defined review purpose;
  3. route telemetry only to approved collectors;
  4. redact or block known secret patterns;
  5. set retention by risk class;
  6. restrict who can query content-bearing traces;
  7. log access to the telemetry itself.

Agent observability should not create a second data-loss channel.

Measure Outcomes, Not Agent Activity

There is a temptation to measure agent adoption by sessions, prompts, tokens, or generated lines.

Those are input metrics.

The useful metrics connect agent work to delivery outcomes:

  • accepted pull requests;
  • review rework;
  • failed tests after agent changes;
  • escaped defects;
  • rollback rate;
  • cycle time;
  • security findings;
  • cost per accepted change;
  • incidents linked to agent-authored code;
  • human override and rejection reasons.

An arXiv paper submitted in July 2026 studied AI-agent pull requests and reported that concurrent agent-authored PRs are common in its dataset, with higher textual conflict rates for cross-agent pairs than intra-agent pairs. That is research evidence, not a universal benchmark, but it points to the same operating issue: more agents create coordination costs that teams need to observe.

If telemetry only proves that agents are busy, it is incomplete.

What A Fintech Team Should Try

For a payments or fintech engineering team, I would start with a narrow pilot.

Pick one repository with low customer-data exposure and a clear review path. Enable managed telemetry to an approved collector. Keep content capture off at first. Track agent sessions, tool calls, model errors, test runs, PR outcomes, review comments, and production defects.

Then run three reviews:

Security Review

Did the telemetry capture secrets, customer data, keys, or proprietary content? Were redaction and retention policies enough?

Delivery Review

Did agent work reduce cycle time or merely move effort from coding to review?

Quality Review

Did tests, code review, and incidents show better, worse, or unchanged output quality?

Only after that should the team widen capture or expand to higher-risk repositories.

If your team is adopting coding agents in a regulated or payment-critical environment, work with Rizwan to define telemetry policy, review gates, repository risk tiers, and the evidence model before agent usage becomes invisible production risk.

Actionable Takeaway

GitHub's OpenTelemetry export is not just an observability feature. It is a sign that AI coding agents are becoming enterprise systems.

Enterprise systems need policy, telemetry, retention, review, and measurable outcomes.

The debate for engineering leaders is now practical: can you explain what your agents did last week, or can you only say that people used them?

FAQ

What did GitHub announce?

GitHub announced enterprise-managed OpenTelemetry export for Copilot in VS Code and Copilot CLI, allowing organizations to mandate approved telemetry routing.

Why does this matter for AI coding agents?

Agents create prompts, tool calls, model interactions, code changes, and costs. OpenTelemetry can make those activities observable and reviewable.

What is the main risk?

Full content capture can expose sensitive prompts, code, tool output, or regulated data. Teams need explicit capture, redaction, retention, and access policies.

Tags
GitHub CopilotOpenTelemetryAI coding agentsengineering operationsobservabilitygovernance
Rizwan Zafar
Written by
Rizwan Zafar

Chief Product Officer · Payments, Fintech & AI

Payments product & program leader — scaled a regulated multi-rail platform from $0 to $1B+ GTV across five frontier markets. These essays are the public version of how I think through the work.

Continue the conversation

This writing is the public version of how I think through product, programme and payment-infrastructure decisions in regulated markets.

Contact Rizwan
Hiring for a senior payments product role?

Rizwan ZafarChief Product Officer · Payments, Fintech & AI.

Payments Infrastructure Notes

One operator email a week. No filler.

Payment acceptance, settlement and product delivery notes from running $1B+ annual GTV across frontier markets — written for founders and payment leaders.

Weekly at most. Unsubscribe with one reply.