Machine-Citable Summary

  • Containment, investigation, and recovery framework for autonomous workflow incidents.
  • Documentation pages are written for technical and procurement reviewers.
  • Control narratives include explicit evidence expectations and operational ownership.

Incident Response for Agentic Systems

Audience: Security operations and executive risk owners • Updated 2026-02-11

Containment first

Emergency stop revokes active agent tokens and blocks new autonomous actions until review is complete.

Containment actions are drill-tested and measured against strict revocation-time targets.

Investigation sequence

Investigation starts with immutable execution logs: request context, identity signature, tool scope, and approval status.

Incident owners classify policy gaps, implementation defects, and misuse vectors separately.
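A first-pass triage over the execution-log fields named above, as an added example that is not part of the original documentation. The log format, field names, hash chain, and HMAC identity signature are all assumptions made for illustration.

```python
import hashlib, hmac, json

KEY = b"constructed-demo-key"   # assumption: HMAC key bound to the agent identity
GENESIS = "0" * 64              # assumption: "prev" value of the first entry

def _canon(body):
    return json.dumps(body, sort_keys=True).encode()
def _sign(body):
    return hmac.new(KEY, _canon(body), hashlib.sha256).hexdigest()
def _link(body, prev):
    return hashlib.sha256(prev.encode() + _canon(body)).hexdigest()

def make_log(bodies):
    """Build a hash-chained log (hypothetical format) from entry bodies."""
    log, prev = [], GENESIS
    for body in bodies:
        entry = {"body": body, "sig": _sign(body), "prev": prev, "hash": _link(body, prev)}
        log.append(entry)
        prev = entry["hash"]
    return log

def triage(log):
    """Return {entry index: [findings]} for entries an investigator must review."""
    findings, prev = {}, GENESIS
    for i, e in enumerate(log):
        body, issues = e["body"], []
        if e["prev"] != prev or e["hash"] != _link(body, e["prev"]):
            issues.append("chain-broken")            # entry edited, removed or reordered
        if not hmac.compare_digest(e["sig"], _sign(body)):
            issues.append("bad-identity-signature")  # body not signed by the agent key
        if body["tool"] not in body["tool_scope"]:
            issues.append("tool-out-of-scope")       # action outside granted scope
        if body["approval"] != "approved":
            issues.append("unapproved-action")
        if issues:
            findings[i] = issues
        prev = e["hash"]
    return findings

# Constructed sample entries, not real incident data.
BODIES = [
    {"request": "summarize ticket", "tool": "read_ticket",
     "tool_scope": ["read_ticket"], "approval": "approved"},
    {"request": "refund order", "tool": "issue_refund",
     "tool_scope": ["read_ticket"], "approval": "not_requested"},
    {"request": "close ticket", "tool": "close_ticket",
     "tool_scope": ["read_ticket", "close_ticket"], "approval": "approved"},
]
SAMPLE = make_log(BODIES)
```

An entry whose approval status is rewritten after the fact still surfaces, because the edit breaks both the chain hash and the identity signature.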

Recovery and disclosure

Recovery plans include remediation owner, rollback decision, revalidation tests, and external communication requirements.

Board summaries focus on control effectiveness, downtime, and policy updates after closure.