Prompt Lineage: The Process Tree for the AI Era
Every SOC analyst knows the process tree. It is the first thing you pull when something fires: parent spawns child, child calls binary, binary touches the network. You trace the chain, find the root, and close the case. Process trees have been the backbone of endpoint forensics for two decades. They work because operating systems are transparent about execution: every fork, every exec, every PID is logged.
AI agents broke that model. When an agentic session runs, your EDR sees a node process making API calls. That's it. The process tree terminates at a single opaque leaf. Everything that matters, the prompts, the model invocations, the security evaluations, the policy decisions, happens inside that call, invisible to every endpoint sensor you own.
The visibility gap is structural, not incremental
This is not a tuning problem. You cannot configure CrowdStrike or SentinelOne to trace what happens inside a model session, because the data doesn't exist at the OS level. Your EDR instruments system calls, file access, and network connections. AI agents operate through inference chains: prompt in, reasoning, tool use, sub-agent delegation, response out. None of those steps generate a syscall your kernel can see.
Consider a concrete example. A developer runs an agentic coding session. The agent reads a config file, decides to commit code, calls an external API, and spawns a sub-agent to review the output. Your EDR sees Terminal.app → node → /bin/bash → git commit and curl api.example.com. That process tree tells you what binaries ran. It tells you nothing about why the agent decided to call that API, whether a security policy was violated inside the session, or whether the agent was following instructions it should not have received.
Your EDR sees the process. It cannot see the reasoning. That gap is where AI-specific threats live.
Prompt lineage: the forensic primitive AI has been missing
Process trees gave endpoint security a universal forensic primitive: a structured, traceable record of execution. Prompt lineage does the same thing for AI workloads. It captures every request, model invocation, security evaluation, and policy decision in a single trace, from first prompt to final token.
Where a process tree shows you PID 8401 → PID 8455 → PID 8460, prompt lineage shows you gateway_request → chat claude-sonnet-4-6 → security.evaluate_input → security.evaluate_chunk [DENY] → detector.finding. You see the model that was called, the security checks that ran, the policy decision that was enforced, and the reason for that decision. That is the depth your SOC needs to investigate an AI incident instead of guessing at one.
Starseer's AI-EDR (AI Endpoint Detection & Response) builds prompt lineage natively. Three properties make it a real forensic tool, not just a logging layer.
What prompt lineage makes investigable
The analogy to process trees is not cosmetic. It is structural. Process trees made a specific class of investigations possible: tracing lateral movement, identifying persistence mechanisms, reconstructing attack timelines. Prompt lineage does the same for AI-native threats.
Prompt injection: An attacker embeds malicious instructions in a document the agent ingests. Without prompt lineage, you see the agent make a suspicious API call. With it, you see the exact input that triggered the behavior, which model processed it, and whether the security evaluation caught or missed it.
Agent hijacking: A compromised tool call redirects an agent's execution flow. Prompt lineage shows the full delegation chain: which agent called which tool, what the tool returned, and how the agent acted on that response. You can identify the hijack point the same way you identify a process injection in a traditional tree.
Policy violations: An agent attempts to delete production data. The prompt lineage trace shows the security evaluation that fired, the policy that applied, the decision (deny), and the reason (no deletion policy). That is audit evidence, not a log line.
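The trace shape described above (gateway_request → chat → security.evaluate_input → security.evaluate_chunk [DENY] → detector.finding) and the policy-violation investigation it supports can be modelled with a small span tree. The code below is an added example written for this post, not Starseer's AI-EDR code or its actual schema: the Span record, the attribute names (session, model, decision, policy, reason, detector) and the sample trace are all constructed. It walks parent pointers to rebuild the chain for any span, renders it in the same notation as the post, pulls out the audit evidence for every DENY, and flags orphaned spans, since a chain that cannot be traced back to a gateway request is itself a finding an analyst should not ignore.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Span:
    """One node of a prompt-lineage trace (hypothetical schema for this example)."""
    span_id: str
    parent_id: Optional[str]
    name: str                                   # e.g. "gateway_request", "security.evaluate_chunk"
    attrs: dict = field(default_factory=dict)   # free-form attributes recorded on the span


def index_by_id(spans):
    by_id = {}
    for s in spans:
        if s.span_id in by_id:
            raise ValueError(f"duplicate span_id {s.span_id}")
        by_id[s.span_id] = s
    return by_id


def orphans(spans):
    """Span ids whose parent is missing from the trace: a broken chain the analyst must flag."""
    by_id = index_by_id(spans)
    return [s.span_id for s in spans if s.parent_id is not None and s.parent_id not in by_id]


def label(span):
    """Render a span the way the post writes the chain: model on chat spans, decision in brackets."""
    if span.name == "chat" and "model" in span.attrs:
        return f"chat {span.attrs['model']}"
    if "decision" in span.attrs:
        return f"{span.name} [{span.attrs['decision']}]"
    return span.name


def lineage(spans, span_id):
    """Walk parent pointers from span_id up to the root; returns spans root-first."""
    by_id = index_by_id(spans)
    chain, seen = [], set()
    cur = by_id[span_id]
    while cur is not None:
        if cur.span_id in seen:
            raise ValueError("cycle in parent pointers")
        seen.add(cur.span_id)
        chain.append(cur)
        cur = by_id.get(cur.parent_id) if cur.parent_id is not None else None
    return list(reversed(chain))


def render_chain(spans, span_id):
    return " → ".join(label(s) for s in lineage(spans, span_id))


def deny_findings(spans):
    """Audit evidence for every DENY: originating session, model, policy, reason, detector findings."""
    children = {}
    for s in spans:
        children.setdefault(s.parent_id, []).append(s)
    out = []
    for s in spans:
        if s.attrs.get("decision") != "DENY":
            continue
        chain = lineage(spans, s.span_id)
        model = next((c.attrs["model"] for c in chain if "model" in c.attrs), None)
        findings = [c.attrs for c in children.get(s.span_id, []) if c.name == "detector.finding"]
        out.append({
            "session": chain[0].attrs.get("session"),
            "model": model,
            "policy": s.attrs.get("policy"),
            "reason": s.attrs.get("reason"),
            "findings": findings,
            "chain": render_chain(spans, s.span_id),
        })
    return out


# Constructed sample trace: one agent turn where the second input chunk was denied.
SAMPLE_TRACE = [
    Span("s1", None, "gateway_request", {"session": "sess-0001", "principal": "dev@example.test"}),
    Span("s2", "s1", "chat", {"model": "claude-sonnet-4-6"}),
    Span("s3", "s2", "security.evaluate_input", {"chunks": 2}),
    Span("s4", "s3", "security.evaluate_chunk", {"chunk": 0, "decision": "ALLOW"}),
    Span("s5", "s3", "security.evaluate_chunk", {"chunk": 1, "decision": "DENY",
                                                 "policy": "no_deletion",
                                                 "reason": "tool call would delete production records"}),
    Span("s6", "s5", "detector.finding", {"detector": "destructive_tool_call",
                                          "tool_call": "delete_records(table='customers')"}),
]

if __name__ == "__main__":
    print(render_chain(SAMPLE_TRACE, "s6"))
    for evidence in deny_findings(SAMPLE_TRACE):
        print(evidence)
    print("orphans:", orphans(SAMPLE_TRACE))
```

Run as a script, it prints the same chain the post shows for the denied chunk, followed by one evidence record that ties the deny decision to its session, model, policy and the detector finding underneath it. The orphan check matters in practice: a trace exported from a gateway that dropped its root span looks complete at a glance but cannot answer "which session, which principal", which is exactly the question the investigation opens with.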
AI agents are endpoints. Treat them accordingly.
The security industry spent fifteen years building the instrumentation layer for traditional endpoints. EDR exists because the industry recognized that you cannot secure what you cannot see. The same logic applies to AI. Every deployed model and agent is an endpoint. It receives inputs, makes decisions, takes actions, and produces outputs. It can be compromised, manipulated, and misused. And right now, most of them are running without any forensic instrumentation at all.
Process trees gave security teams the ability to answer "what happened on this machine." Prompt lineage gives them the ability to answer "what happened inside this model session." That is not a nice-to-have. It is the foundational visibility layer for AI security operations.
Without prompt lineage, your SOC investigates process trees that end at node and hopes for the best.
Your AI agents are making decisions right now. Your EDR can tell you they are running. It cannot tell you what they are doing, why they are doing it, or whether they should be. That gap does not shrink as you deploy more agents. It compounds.