Incident Response Runbook for Agent Mishaps
Prepare for the day your agent does damage: detection, containment, rollback, investigation, and prevention - written before you need it.
The route
4 steps to Done
- 01
Define detection and the kill switch
You cannot respond to what you cannot detect or stop.
Preview prompt + verify gate ▾ Hide ▴
Build detection and the emergency stop. DETECTION: enumerate mishap signals - blast-radius limits tripping, security events (blocked/escalated actions spiking), anomaly flags from observability (runaway cost, error bursts), audit-trail alerts on sensitive-resource changes, and human reports; define where each surfaces and who is notified. KILL SWITCH: implement a single, fast action that immediately halts the agent loop (no more turns), cancels in-flight tool executions at safe boundaries, and revokes the agent's tool authority (all tools drop to blocked/ask) - reachable by an operator without a code change and, ideally, auto-triggerable by severe signals (e.g. blast-radius hard stop). Test the kill switch: trigger it mid-task and confirm the agent stops acting within seconds and cannot execute further tools.
- ✓ Mishap signals enumerated with notification paths
- ✓ Kill switch halts loop and revokes authority
- ✓ Verified to stop action within seconds
- 02
Write containment and rollback procedures
Stop the bleeding, then undo the damage - in that order.
Preview prompt + verify gate ▾ Hide ▴
Author the containment and rollback runbook sections. CONTAINMENT (immediately after kill switch): isolate affected systems if needed (revoke the agent's credentials/tokens, pause dependent automation), preserve evidence (do NOT delete logs, traces, or the workspace state - snapshot them first), and assess scope from the audit trail (what actions fired, what they touched). ROLLBACK: use the checkpoint/undo system to restore pre-incident state - identify the last good checkpoint before the mishap (audit trail timestamps locate it), verify the checkpoint's integrity, restore, and confirm the restored state by diffing against expectations; for effects outside the workspace (external sends, data changes), list compensating actions since rollback cannot undo them. Write these as numbered, do-this-now steps, not prose.
- ✓ Evidence-preservation before any cleanup
- ✓ Rollback locates the last good checkpoint via audit timestamps
- ✓ External/irreversible effects get compensating actions
- 03
Write the investigation procedure
Reconstruct exactly what happened, using the records you built.
Preview prompt + verify gate ▾ Hide ▴
Author the investigation section leveraging your observability and audit systems. Procedure: locate the incident session(s); pull the audit trail for the affected resources (what actions, what authority, what triggering requests); open the trace tree and use session replay to see the exact model context and decisions at the point things went wrong; identify the ROOT cause and classify it - prompt injection, permission gap, blast-radius miss, hallucinated action, harness bug, or genuine ambiguity in the user request. Capture the causal chain: what content or instruction led the agent to the harmful action, and what control failed to stop it. This section assumes the audit-trail and observability flows exist; if a needed record is missing during the drill, that gap is itself a finding.
- ✓ Audit trail and replay used to reconstruct events
- ✓ Root cause classified into defined categories
- ✓ Missing records flagged as findings
- 04
Establish the postmortem loop and drill it
Every incident must leave the system safer - proven by a live drill.
Preview prompt + verify gate ▾ Hide ▴
Close with the prevention loop and a full drill. POSTMORTEM: adopt a blameless template - timeline (from audit/traces), root cause, what contained it and how fast, what went well/poorly, and REQUIRED prevention items each mapped to a concrete control (a new rule-file rule, a permission tier change, a blast-radius limit, an injection-suite case, an observability improvement) with an owner; the incident is not closed until prevention items land, each with a regression test where possible. DRILL: run the entire runbook end to end on a simulated incident (in a disposable environment, script the agent into a contained-but-real mishap): detect -> kill switch -> contain -> rollback -> investigate -> postmortem -> prevention. Time each phase, fix rough spots, and produce at least one real prevention item from the drill. Schedule periodic re-drills.
- ✓ Postmortem produces control-mapped prevention items
- ✓ Incident not closed until fixes land
- ✓ Full runbook drilled end to end with timings
Research-backed
Sources behind this flow
Tier 6 · agent-research
AgentOps
The observability and DevTool platform for AI agents: session replays, cost and token tracking, and failure analysis via a lightweight SDK spanning the major agent frameworks.
Tier 6 · agent-research
TapeAgents
ServiceNow's framework built around the Tape: a structured, replayable log of the agent session that drives reasoning, debugging, evaluation, and even fine-tuning data extraction across the agent lifecycle.