Skip to content
AI Prompt Gear

AI agent incident response runbook

What matters first

Section titled “What matters first”

An AI agent incident response runbook should answer one question fast:

What can we safely stop, narrow, or roll back before more damage happens?

The runbook should not begin with prompt debate. It should begin with containment.

Production incidents often involve more than model output:

  • tool calls,
  • approvals,
  • retrieval,
  • external systems,
  • workflow branches,
  • release versions,
  • and human handoffs.

The response has to cover the whole operating unit.

The first ten minutes

Section titled “The first ten minutes”

In the first ten minutes, the incident owner should establish:

  1. affected workflow,
  2. severity class,
  3. active user or customer impact,
  4. recent release or configuration changes,
  5. whether tool side effects are still possible,
  6. whether approval boundaries are intact,
  7. and whether a safer fallback lane exists.

The goal is not perfect diagnosis. The goal is safe containment.

Step 1: classify severity

Section titled “Step 1: classify severity”

Use a simple severity split:

  • S1: harmful, unsafe, unauthorized, destructive, regulated, or high-value customer impact.
  • S2: repeated wrong outcomes, major workflow blockage, costly manual rescue, or trust damage.
  • S3: localized quality regression, non-critical citation issue, formatting issue, or low-risk workflow failure.

Severity should drive speed and authority.

Step 2: contain the agent

Section titled “Step 2: contain the agent”

Containment options should be ready before launch.

Common moves:

  • disable one risky tool,
  • force human approval for a workflow class,
  • switch to draft-only mode,
  • pause a canary,
  • route affected traffic to fallback,
  • roll back the agent release,
  • or temporarily stop the workflow.

Containment should be as narrow as possible but as fast as necessary.

Step 3: preserve evidence

Section titled “Step 3: preserve evidence”

Capture the evidence while it still exists.

Minimum useful evidence:

  • incident ID,
  • run IDs,
  • affected workflow,
  • agent version,
  • model lane,
  • tool configuration,
  • approval policy,
  • user-visible output,
  • tool calls and side effects,
  • reviewer labels,
  • cost and latency,
  • and current containment action.

Do not rely on screenshots and memory if structured run evidence exists.

Step 4: decide rollback versus restriction

Section titled “Step 4: decide rollback versus restriction”

Rollback is not always the right first move.

Use rollback when:

  • a release clearly introduced the failure,
  • a prompt, model, workflow, or tool config changed recently,
  • failures are broad across the workflow,
  • or the previous version is known to be safer.

Use restriction when:

  • one tool is failing,
  • one action class is risky,
  • approval needs tightening,
  • or the agent can still safely draft without executing.

Many incidents need restriction first and rollback second.

Step 5: communicate operationally

Section titled “Step 5: communicate operationally”

The incident update should be short and factual:

  • what workflow is affected,
  • what user impact is known,
  • what has been contained,
  • what is still being investigated,
  • who owns the next decision,
  • and when the next update will happen.

Avoid vague claims that the model is “acting strangely.” State the observable failure class.

Step 6: review after containment

Section titled “Step 6: review after containment”

After containment, the team should determine:

  • root trigger,
  • failed control,
  • missed alert,
  • missing log field,
  • missing eval case,
  • owner of corrective action,
  • and whether the release process needs a new gate.

The best post-incident output is not a long narrative. It is a stronger operating loop.

The post-incident eval update

Section titled “The post-incident eval update”

Every serious AI agent incident should ask whether one or more examples should enter:

  • regression dataset,
  • approval boundary test,
  • tool selection eval,
  • citation audit,
  • support QA scorecard,
  • or canary release gate.

If the incident does not improve eval coverage, the system can repeat the same failure with better wording.

Runbook template

Section titled “Runbook template”
  1. Identify affected workflow, severity, and owner.
  2. Freeze or narrow risky capabilities.
  3. Preserve run evidence and release metadata.
  4. Choose rollback, restriction, fallback, or continued monitoring.
  5. Communicate facts, impact, containment, owner, and next update time.
  6. Convert the incident into eval, alert, logging, or release-gate changes.

Implementation checklist

Section titled “Implementation checklist”

Your incident runbook is probably healthy when:

  • containment authority is clear before incidents start;
  • rollback and restriction options are documented;
  • run evidence can be captured by ID;
  • approval failures have urgent handling;
  • communication names observable failure classes;
  • and post-incident work updates evals, alerts, or release gates.

Compare next

Section titled “Compare next”
What alerts should AI agent monitoring trigger? Use this page when the team needs to decide which production signals should actually open an incident.
Production AI agent observability stack Use this page when incidents are hard to resolve because traces, logs, metrics, and eval labels are disconnected.
How do you roll back an AI agent in production? Use this page when the incident runbook needs a concrete rollback model across prompts, models, tools, and workflow logic.
Frontier AI cyber defense readiness Use this page when advanced AI cyber workflows need stricter access, scope, review gates, evidence, and containment.
What should an AI agent audit trail include? Use this page when incident response needs governance-grade records rather than ordinary debugging notes.

Reader value check

Section titled “Reader value check”

This page should help a reader decide which operational tool, alert, runbook, or control should exist before the AI system scales. For AI agent incident response runbook, the page is not finished if it only explains vocabulary. It should change what the team approves, measures, routes, buys, logs, or refuses to automate.

Before applying the guidance, bring incident history, traces, logs, alerts, release records, ownership rules, and recovery procedures. Those inputs keep the decision anchored in real operating conditions instead of a generic best-practice list.

CheckWhat the reader should be able to answer
Control purposeDoes the tool reduce a concrete operational risk or just add another dashboard?
Signal qualityAre alerts tied to user impact, safety, cost, or release risk?
Response pathDoes someone know what to do when the signal fires?
MaintenanceIs there a process for tuning, retiring, or escalating noisy controls?

Use the page as a working review artifact: compare the current workflow against the table, mark the missing evidence, and assign an owner for the next change. If the page exposes a gap but no one owns that gap, the correct next step is not broader rollout; it is a smaller pilot, a clearer gate, or a better measurement loop.

For tooling pages, the value is actionability. A monitor, runbook, or release control is only useful when it changes what the team does during rollout or failure.