Incident readiness for AI agents comes down to one question: if an agent starts behaving unexpectedly right now, can you contain it, understand what happened, and explain it to stakeholders within the hour? For most teams the honest answer is no — not because the agents are poorly built, but because the response infrastructure was never set up. This checklist covers what to put in place before the incident, not after.

Why Agent Incidents Differ from Classic Software Incidents

Traditional incident response assumes you can read logs, replay a request, and identify the offending code path. Agent incidents layer on three complications.

First, agents act autonomously and at speed. A misconfigured agent or an injected instruction can trigger dozens of downstream actions before any alert fires. The blast radius grows with every second the agent remains active.

Second, attribution is harder. In a multi-agent system where Agent A delegates to Agent B which calls an MCP tool, a simple "who did this?" requires tracing identity and delegation chain — not just inspecting an HTTP access log.

Third, the output of an LLM call is probabilistic. You cannot replay the exact same call and get the same output. This makes post-incident reconstruction dependent entirely on what was captured at the time of execution.

These differences demand purpose-built controls, not a repurposed runbook from your classic web API stack.

Section 1: Agent Inventory

You cannot respond to an incident involving an agent you did not know existed.

Before an incident, maintain:

  • A registered inventory of every agent in production, with its name, purpose, owning team, and the scopes and connections it holds.
  • A record of which applications each agent is connected to and what data or actions it can access.
  • Version history for agent configurations, so you know what changed and when.
  • A clear owner (person or team) for every agent entry in the inventory.

A common gap is shadow agents — agents spun up by individual developers or business units that bypass the central registry. Enforcing registration as a prerequisite for access to any governed connection closes this gap at the infrastructure level rather than relying on policy alone. See Building an AI Agent Inventory for a practical approach to establishing and maintaining that registry.

Section 2: Credential Revocation

Containing a misbehaving agent means being able to cut its access to everything it can reach, immediately and completely.

Before an incident, verify that you can:

Revocation action Target Expected latency
Disable an agent credential Single agent Seconds
Revoke a connection's access All agents using a connection Seconds
Suspend all agents in a team Team-level scope Under 1 minute
Kill a running workflow Active workflow instance Seconds

Test each of these. If any path requires a deploy, a database migration, or a manual key rotation, that is the gap to close before an incident. Revocation latency directly bounds the blast radius — every minute an agent retains access after containment is decided is a minute it can continue acting.

Short-lived, scoped credentials reduce the worst-case exposure window even before revocation is triggered. The combination of credential scoping (least privilege) plus instant revocation is the containment foundation. The post on how to implement least privilege for AI agents covers the scoping decisions that make revocation effective.

Section 3: Audit Trail Coverage

After containment, you need to reconstruct what happened. This is only possible if you captured the right data before the incident.

Before an incident, confirm that your audit trail covers:

  • Every agent action: what the agent did, which credential it used, and which resource it accessed.
  • LLM inputs and outputs (or at minimum a content hash) for every inference call.
  • Tool invocations: which MCP tools were called, with what arguments, and what was returned.
  • Delegation chains: when Agent A called Agent B, both ends of the handoff are recorded with the originating identity.
  • Timestamps with skew detection, so events can be sequenced reliably across distributed components.
  • Immutability guarantees: records that can be verified as unmodified after the fact — cryptographic signing per entry and chain-linking are the standard approach. Audit Trails That Hold Up covers the cryptographic techniques in detail.

A trail that records "agent ran" but not "agent called tool X with argument Y at timestamp Z" is not sufficient for forensic reconstruction. The granularity must be enough to answer: what exactly did the agent do, in what order, and under whose delegated authority?

Equally important is trail retention. An incident discovered two weeks after it occurred requires records that are still accessible and still verifiable. Set retention periods deliberately; defaulting to automatic deletion at short horizons will make post-incident review impossible.

Section 4: Alerting and Anomaly Detection

Waiting for a human to notice anomalous agent behavior is too slow. Automated alerting on defined predicates closes the detection gap.

Before an incident, set up alerts for:

  • Spend spikes: an agent consuming significantly more tokens or budget than its baseline in a short window.
  • Unusual action patterns: an agent calling a tool it has never called before, or calling a known tool at an abnormal rate.
  • Policy violations: guardrail triggers (blocked content, PII detection, injection signals) from a single agent above a threshold.
  • Authentication anomalies: credential use from unexpected contexts or at unexpected times.
  • Delegation depth violations: an agent chain exceeding the maximum depth you have defined as acceptable.

Alerts should route to an on-call channel, not just a log. The time between detection and acknowledgment is where an incident grows. Define escalation paths, not just alert destinations.

Section 5: Runbooks and Communication Templates

Technical containment is easier when nobody has to invent the procedure under pressure. Runbooks should be written, reviewed, and stored somewhere accessible without production access (in case the incident affects the primary tooling).

A minimum runbook set for agent incidents:

  • Suspected prompt injection: how to identify affected sessions, what evidence to preserve, which guardrail signals to check, when to suspend the agent versus kill only the affected run.
  • Runaway spend: how to identify the agent and workflow, how to apply an emergency budget suspension, who to notify, and how to assess what the spend paid for.
  • Credential abuse or theft: how to revoke the credential, how to scope the blast radius using audit records, how to determine whether a rotation of shared secrets is required.
  • Data exfiltration concern: how to isolate the agent's connection permissions, how to pull the relevant audit records, and what the notification obligations are under your applicable framework.

Each runbook should list the specific commands or UI steps for your environment, not abstract instructions. It should also include the escalation contact for situations where automated containment is insufficient.

Incidents involving AI agents frequently require communicating with non-technical stakeholders, and sometimes with regulators or affected customers. Pre-drafted communication templates reduce the risk of improvised statements that create legal or reputational problems. Prepare an internal incident declaration template, a stakeholder update for your security and executive chain, a customer-facing template if your agents act on behalf of customers, and a regulatory notification checklist for frameworks with mandatory disclosure timelines. The goal is not scripts that replace judgment, but starting points that prevent communication overhead from delaying technical response.

Section 6: Recovery and Post-Incident Review

Containment and communication are not the end of the incident. Recovery means restoring safe operation, and the post-incident review is how you prevent recurrence.

Before an incident, agree on:

  • The criteria for declaring containment (e.g., affected credentials revoked, affected workflow instances terminated, no new anomalous actions for X minutes).
  • The criteria for safe re-enablement (e.g., root cause identified, contributing configuration corrected, at least one additional control added).
  • A required post-incident review within a defined window (72 hours is common), with a written record of timeline, root cause, impact assessment, and follow-up actions with owners and due dates.
  • How follow-up actions are tracked — not in the incident channel, but in a durable system with clear accountability.

Post-incident review findings should feed directly back into your governance configuration: tighter scope, additional guardrails, adjusted alert thresholds, or updated runbooks. An incident that does not change your controls is an incident you are likely to repeat.

Common questions

How often should we test this readiness checklist?

A tabletop exercise every quarter is a reasonable baseline — walk a realistic scenario through each section and identify gaps without waiting for a real incident. The revocation and alerting steps should also be tested in a staging environment at least once before relying on them in production. Runbooks decay as systems change, so tie a review cadence to your change management process: any significant change to agent configuration or connected systems should trigger a runbook review.

We only have a few agents. Is this overhead justified?

The effort is roughly proportional to agent count and access scope, but the foundational elements — inventory, revocation path, audit trail, and at least one runbook — are low-overhead for small deployments and disproportionately valuable if something goes wrong. A single agent with write access to customer data is enough to justify a containment and reconstruction capability. The cost of not having it is absorbed during the incident, under pressure, when it is hardest to build.

How does a governance platform help with incident readiness?

Platforms designed for AI agent governance provide the underlying infrastructure that makes each checklist section actionable: a central agent registry, credential management with instant revocation, tamper-evident audit logging with cryptographic integrity, configurable alert rules over the audit corpus, and forensic search across agent actions. Having these as operational capabilities — rather than something to build during or after an incident — is the practical difference between a measured response and a chaotic one.

What should a post-incident review cover for an AI agent incident?

At minimum: a precise timeline of agent actions from the audit trail, identification of the root cause (misconfiguration, injected instruction, credential abuse), an impact assessment covering every resource the agent accessed, and a set of follow-up controls with owners and due dates. The review should also verify that existing guardrails and alert thresholds would have caught the incident sooner, and update them where they would not. For background on the guardrail layer, see Designing Guardrails: Block, Redact, or Warn?.