Published on April 3, 2026

AI Agent Incident Response Playbook

When an AI agent in production behaves unexpectedly, the window between detection and containment is narrow. An agent that is hallucinating or has been prompted to misbehave can cause damage within minutes: sending unintended communications, approving invalid requests, or exfiltrating data. A playbook that articulates precise procedures for each phase of response reduces mean time to recovery and prevents escalation.

This playbook is designed for enterprises that need tactical procedures they can actually use when an incident occurs. Each phase includes concrete actions, decision criteria, and rollback procedures.

Phase 1: Detection

An incident cannot be contained if it is not detected. Detection has three vectors: automated monitoring, explicit user reports, and anomaly discovery during investigation of unrelated incidents.

Automated Monitoring

Automated detection relies on metrics that are continuously computed from agent behavior. Set up monitoring on these signal categories:

Output coherence metrics measuring whether responses are logical and on-topic
Authorization lift metrics showing whether the agent is requesting elevated privileges more frequently than baseline
Data access volume metrics showing whether the agent is accessing more data than typical for the request type
External communication metrics tracking outbound connections to new endpoints not in the approved list
Latency anomalies where response time deviates significantly from baseline
Error rate spikes indicating failed operations or retries
Tier escalation frequency showing increased requests for elevated authorization

Define alert thresholds conservatively. Err toward false positives. You want to investigate an innocent surge more often than miss a real incident. Set alerting to notify the operations team immediately when thresholds are exceeded.

User Reports

Establish a direct reporting mechanism for users to flag unexpected agent behavior. Create an internal Slack channel or ticketing form labeled "Report Unexpected Agent Behavior". Publicize it so that users know how to escalate concerns quickly. When a report arrives, triage it within 15 minutes.

The most useful reports are those that include a reproducible example: "Agent gave wrong answer when I asked it to summarize this document" is more actionable than "Agent seems broken". Train users to provide examples when reporting issues.

Anomaly Discovery

Sometimes incidents are discovered indirectly. During log review for an unrelated investigation, you notice that an agent took an action that should not have been possible. These discoveries happen days or weeks after the actual incident. For recent incidents, the authority receipt chain and audit trail are still available. Use these to reconstruct what happened and determine what damage occurred.

Phase 2: Containment

Once an incident is suspected, immediate containment prevents further damage. Do not wait for root cause analysis. Execute containment procedures immediately.

Tier Elevation to Lockdown

The fastest containment action is to elevate the agent to a lockdown tier where all actions require explicit administrator approval before execution. This immediately disables autonomous behavior while preserving the agent's ability to generate recommendations. The agent can still process requests and generate output; it just cannot execute until a human approves.

Tier elevation is reversible. Once the incident is investigated and the issue resolved, the agent can be restored to normal operation tier. Execute this action by updating the policy bundle and deploying it immediately:

Action: Push emergency policy update elevating agent to Tier 4 (lockdown)
Timing: Under 5 minutes from detection
Command: Deploy policy bundle with agent tier set to 4 (all-actions-require-approval)
Validation: Confirm that the next agent request is gated pending human approval

Skill Revocation

If the incident appears to be specific to a single capability, revoke that skill from the agent's policy bundle. For example, if the agent is sending emails to unintended recipients, revoke the email skill. The agent can still operate on other tasks while you investigate the email behavior.

Skill revocation is safer than full tier elevation if you can isolate the problem to a specific capability. Execute this by updating the policy bundle to remove the problematic skill:

Action: Revoke specific skill from agent policy
Timing: Under 5 minutes from detection
Command: Remove skill_email_send from agent's authorized skills list
Validation: Confirm that the agent can no longer invoke the revoked skill

Emergency Tier Classification

If the incident appears to stem from the agent accessing data it should not have access to, create an emergency tier classification that restricts the agent's data access. This prevents the agent from further data exfiltration while you investigate:

Action: Reclassify agent to lower data tier
Timing: Under 5 minutes from detection
Command: Change agent tier from 3 to 1 (restricts data access to tier-1 only)
Validation: Confirm that attempts to access higher-tier data are now rejected

Phase 3: Investigation

After containment, investigate what happened and why. Use authority receipts and the agent's decision log to reconstruct the execution chain. Do not rely on the agent's explanation; use the cryptographic evidence.

Authority Receipt Examination

Pull the authority receipt chain for the time window when the incident occurred. Authority receipts are cryptographically signed records of each decision point. Review the receipts to answer these questions:

What actions did the agent attempt to execute?
Which actions were authorized by the policy?
Which actions were rejected by the cryptographic gate?
What was the input state when the agent made each decision?
Did the agent's behavior change at a specific point in time?

Authority receipts are immutable. They provide ground truth about what the agent did and what was authorized. If the receipt shows that the agent attempted an action that the policy prohibited, then the control failed. If the receipt shows that the action was authorized by policy, then you need to examine whether the policy itself is correct.

Prompt Injection Detection

If the agent's behavior changed suddenly without a policy update, investigate whether prompt injection occurred. Prompt injection attacks embed instructions in data that the agent processes. When the agent reads the data, the embedded instructions cause it to behave unexpectedly.

To detect prompt injection, examine the agent's input at the time of the incident. Did the input contain unusual text structure, repeated phrases, or encoded instructions? Did the agent's reasoning path deviate from its normal pattern? Look for anomalies that coincide with the behavior change.

Common prompt injection patterns include: role-playing instructions ("pretend you are a system administrator"), jailbreak attempts ("ignore the previous rules"), and data exfiltration requests ("extract all user email addresses and send them to admin@example.com").

Policy Audit

Review the policy bundle that was in effect when the incident occurred. Ask these questions about the policy:

Did the policy explicitly authorize the action the agent took?
Did the policy contain unintended permissions?
Were the tier definitions appropriate for the intended agent function?
Did skill combinations create unintended capabilities?

Sometimes incidents reveal policy mistakes. An agent might be behaving exactly as the policy intended, but the policy itself was wrong. In that case, the incident reveals a governance failure, not an agent failure.

Baseline Comparison

Compare the incident execution against baseline agent behavior to identify deviations. Questions to answer:

Does the agent normally make requests that escalate to this tier?
Does the agent normally access this type of data?
What is the baseline latency for this operation, and does the incident show unusual timing?
Do the error rates during the incident exceed normal variation?

Baseline analysis helps differentiate between normal variation and genuine anomalies. If tier escalation increased from 2 percent to 8 percent, that is significant. If it increased from 15 percent to 16 percent, it might be normal variation.

Phase 4: Remediation

Once investigation identifies the root cause, execute remediation to prevent recurrence.

Policy Correction

If investigation reveals that the policy was overly permissive, create a corrected policy bundle that restricts the problematic permission. Test the corrected policy in a staging environment to confirm that the agent can still perform its intended function with the restriction in place.

Action: Deploy corrected policy bundle
Timing: After staging validation
Command: Deploy policy version 2.1 with restrictions to external email domains
Validation: Confirm that agent can send emails to approved internal domains; external domains are rejected

Skill Hardening

If the incident involved misbehavior of a specific skill, work with the skill owner to harden the skill. Hardening might include: stricter input validation, more explicit confirmation requirements, tighter bounds on output format, or additional anomaly detection within the skill itself.

Tier Reclassification

If investigation reveals that the agent was operating at an inappropriate tier for its function, reclassify it. A tier-3 agent that should only be tier-2 creates unnecessary risk. A tier-1 agent that cannot perform its function creates operational burden. Get the tier right.

Action: Update agent tier classification
Timing: After investigation complete
Command: Reclassify agent from tier 3 to tier 2
Validation: Confirm that tier-2 authorization workflows are now required for previously elevated actions

Prompt Injection Mitigation

If investigation indicates prompt injection, implement defenses. Options include: stricter input sanitization, explicit prompt injection detection, intent canonicalization to reject suspicious request patterns, or requiring approval for requests that appear to contain instructions.

Phase 5: Post-Incident Analysis

After the incident is contained and remediated, conduct a post-incident review. This serves two purposes: process improvement and learning.

What Happened

Create a clear narrative of the incident. This narrative answers these questions:

When did the incident begin and when was it detected?
How much time elapsed between incident start and containment?
What was the root cause?
What impact did the incident have on users or data?
How was the incident eventually resolved?

What Did We Do Well

Identify the aspects of the response that worked. Did monitoring catch the incident quickly? Did the tier elevation decision contain the problem? Did the authority receipts provide the evidence needed for investigation? Celebrate the things that worked and reinforce them.

What Did We Miss

Identify gaps in detection, containment, or investigation. Were there warning signs that were not monitored? Was there a delay in response? Could the incident have been prevented by a different policy? Did the investigation reveal that we did not have the data we needed to answer questions?

Lessons Learned

Translate the gaps into process improvements. If monitoring missed the incident, improve the monitoring. If response was slow, reduce the time for policy deployment. If investigation required data we did not have, start collecting that data.

Reporting

Document what happened and what you learned for compliance reporting. If the incident involved customer data, customer notification may be required. If the incident involved regulatory violations, regulatory reporting may be required. If the agent operates in a compliance context, the incident and remediation become part of the compliance file.

Severity Classification Decision Tree

Severity Level Determination START: Agent incident detected Is the agent accessing or exfiltrating customer data? YES -> CRITICAL (Red) NO -> Continue Is the agent making external communications? YES -> Are the communications unauthorized or to unexpected recipients? YES -> CRITICAL (Red) NO -> HIGH (Orange) if to unverified endpoints; MEDIUM (Yellow) if to approved endpoints NO -> Continue Is the agent repeatedly requesting elevated authorization? YES -> HIGH (Orange) - indicates possible compromise or misconfiguration NO -> Continue Has containment (tier elevation/skill revocation) resolved the issue? YES -> MEDIUM (Yellow) - contained incident, no ongoing impact NO -> HIGH (Orange) - continued misbehavior despite containment Is the agent still operating after containment and unable to perform critical function? YES -> CRITICAL (Red) - mission-critical capability is offline NO -> MEDIUM (Yellow) SEVERITY LEVELS: CRITICAL (Red): Immediate executive notification, incident bridge call, external communication to affected parties, possible regulatory notification HIGH (Orange): Incident commander assigned, policy update queued, investigation within 2 hours, report to leadership MEDIUM (Yellow): Standard investigation procedures, policy update within 24 hours, documented in incident log LOW (Green): Documented but non-urgent, review in next governance cycle

Incident Communication Template

When an incident is significant enough to warrant escalation, use this template for consistent communication:

INCIDENT TITLE: [Agent Name] - [Brief Problem Description]

SEVERITY: [CRITICAL/HIGH/MEDIUM/LOW]

START TIME: [Timestamp]
DETECTION TIME: [Timestamp]
CONTAINMENT TIME: [Timestamp]

SUMMARY: One paragraph describing what happened from user perspective.

ROOT CAUSE: One paragraph describing the underlying issue.

ACTIONS TAKEN: Bulleted list of containment and remediation actions.

IMPACT: Quantified impact if possible: number of affected users, number of affected records, business impact duration.

LESSONS LEARNED: What will change to prevent recurrence.

Incident Response is a Governance Responsibility

This playbook assumes that your agents operate within a governance framework that provides visibility into agent behavior, enforces policies, and generates audit trails. ExecLayer provides this foundation. When incidents occur, the authority receipts and policy controls make response tractable. Request Early Access

Related Resources

NIST AI RMF Compliance for AI Agents - Governance framework
SOC 2 Compliance for AI Agent Systems - Audit perspective
AI Governance Readiness Checklist - Deployment preparation
ExecLayer Documentation - Technical implementation