Safeguard
AI Security

How to build an AI-specific incident response playbook

A step-by-step guide to building an AI incident response plan — covering scoping, escalation, detection, containment, and post-incident review for LLM and agent failures.

James
Principal Security Architect
8 min read

Most incident response plans were written for stolen credentials and ransomware, not for a model that starts leaking training data through clever prompts or an agent that silently escalates its own permissions. When a large language model misbehaves, the failure mode is different — it can be probabilistic, hard to reproduce, and buried in a prompt log rather than a stack trace. Without a dedicated AI incident response plan, teams waste the first critical hours arguing about who owns the problem instead of containing it. This guide walks through building a practical, testable playbook for AI and LLM incidents: how to define what counts as an incident, who gets paged, how to detect and contain a compromised model or pipeline, and how to close the loop with a post-incident review. By the end, you'll have a repeatable process your security and ML teams can actually run under pressure.

Step 1: Define the Scope of Your AI Incident Response Plan

Before you write a single escalation rule, agree on what actually counts as an AI-specific incident. Generic IR plans assume the asset is a server or a database; here the asset is a model, a prompt pipeline, a vector store, or an agent with tool access. Your AI incident response plan should explicitly cover:

  • Prompt injection / jailbreak that causes the model to leak system prompts, secrets, or bypass safety controls
  • Training or RAG data leakage — PII, credentials, or proprietary code surfacing in model outputs
  • Model supply chain compromise — a poisoned fine-tune, a tampered model weight file, or a malicious dependency in your inference stack
  • Agent over-permissioning — an autonomous agent taking an action (API call, file write, deployment) outside its intended scope
  • Model drift or degradation that produces unsafe or materially wrong outputs at scale

Write these into a scoping document with example scenarios for each category. This is what turns a generic "security incident" ticket into something your on-call ML engineer and your SOC analyst can both act on immediately.

Step 2: Build the Escalation Path and Assign Ownership

AI incidents fail fast if ownership is ambiguous — security teams don't always understand model internals, and ML teams don't always know breach notification law. Define a joint escalation matrix up front rather than negotiating it during an active incident.

A minimal severity table looks like this:

SeverityExampleTime to AcknowledgeOwner
SEV1Confirmed data exfiltration via model output15 minSecurity IC + ML lead
SEV2Suspected prompt injection in production agent30 minML on-call
SEV3Anomalous output rate / drift flagged by monitoring4 hrsML on-call
SEV4Internal red-team finding, no customer impact1 business dayAppSec

Codify the routing so it isn't tribal knowledge. A simple example using PagerDuty's API for model incident escalation:

curl -X POST "https://api.pagerduty.com/incidents" \
  -H "Authorization: Token token=$PD_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "incident": {
      "type": "incident",
      "title": "SEV1: Suspected LLM data exfiltration - prod-agent-01",
      "service": {"id": "PLLMSVC", "type": "service_reference"},
      "escalation_policy": {"id": "EPMLSEC", "type": "escalation_policy_reference"},
      "urgency": "high"
    }
  }'

Name a single incident commander for the duration of the response — usually security for external-facing breaches, ML/platform for internal model failures — and write that decision into the plan itself so it isn't debated live.

Step 3: Instrument Detection Before You Need It

You cannot respond to what you cannot see. Most LLM incident response failures trace back to missing observability: no prompt/response logging, no anomaly baseline, no alerting on tool-call patterns.

Minimum viable instrumentation:

  1. Log every prompt, completion, and tool call with request IDs, user/session context, and model version — retained at least 90 days for audit purposes.
  2. Baseline normal output length, refusal rate, and latency so drift and abuse both trigger alerts.
  3. Alert on known jailbreak signatures and anomalous tool-call sequences.

A simple Sigma-style detection rule for suspicious tool-call chaining in an agent framework:

title: Anomalous Agent Tool Escalation
id: llm-agent-tool-escalation-001
logsource:
  product: llm-agent
  category: tool_call
detection:
  selection:
    tool_name:
      - "exec_shell"
      - "write_file"
      - "send_email"
  timeframe: 5m
  condition: selection | count() by session_id > 3
level: high

Ship these logs to the same SIEM your broader security team already monitors — an AI incident response plan that lives in a separate tool nobody watches is a plan that fails silently.

Step 4: Contain the Model, Pipeline, or Agent

Containment for AI systems is different from pulling a network cable. Depending on the incident type, containment actions include:

  • Revoke or rotate API keys tied to the affected model endpoint immediately
  • Disable the specific agent or tool permission, not necessarily the whole system — a scoped kill switch preserves availability elsewhere
  • Roll back to the last known-good model version rather than patching a live model in place
  • Quarantine the RAG index or fine-tune dataset suspected of poisoning

Example: disabling a single tool for an agent via a feature flag rather than taking the whole service down:

curl -X PATCH "https://flags.internal/api/v1/flags/agent-shell-exec" \
  -H "Authorization: Bearer $FLAGS_TOKEN" \
  -d '{"enabled": false, "reason": "SEV1-2026-0417 containment"}'

Document containment actions in real time in the incident channel — timestamps matter later for both the post-mortem and any regulatory notification.

Step 5: Eradicate and Remediate

Once contained, eradicate the root cause before restoring the model to full traffic. This is where an AI breach playbook diverges most from traditional IR: the fix is often a data or weights problem, not a code patch.

  • If the incident originated in a prompt template, patch and version the prompt, then re-run your red-team suite against it before redeployment.
  • If it originated in a poisoned fine-tune or compromised model artifact, verify the model's provenance and hash against your signed model registry before trusting any version, including the "last known good" one.
  • If it involved leaked secrets, rotate every credential the model or agent had access to, not just the one confirmed exposed.
  • If it involved a vulnerable dependency in your inference stack (a common vector for model supply chain attacks), patch and rebuild the serving image, then re-scan.

Step 6: Communicate, Notify, and Document

Legal, customer, and regulatory notification timelines don't pause for root-cause analysis. Draft your notification templates before an incident, not during one — for both internal stakeholders and, where applicable, customers or regulators under frameworks like the EU AI Act or state breach notification laws. Assign a single communications owner in the plan so technical responders aren't also fielding press or customer inquiries mid-incident.

Step 7: Run the Post-Incident Review

Close every incident with a blameless review that specifically asks AI-shaped questions: Was the detection signature effective? Did the model version rollback work cleanly? Was the escalation path fast enough? Feed every finding back into Step 1's scoping document and Step 3's detection rules — an AI incident response plan that doesn't evolve after each incident will miss the next variant of the same attack.

Troubleshooting and Verification

Before trusting your playbook, stress-test it:

  • Run a tabletop exercise quarterly using a realistic scenario (e.g., a jailbroken customer support agent exfiltrating account data) and time each step against your severity table's SLAs.
  • Verify your logging actually captures what you think it does — a shockingly common failure is discovering during a real incident that prompt logging was silently disabled by a config change months earlier. Check retention and completeness monthly.
  • Confirm your rollback path works, not just that it exists — practice reverting to a prior model version in a staging environment and measure how long it actually takes.
  • Test escalation contacts quarterly. On-call rotations change; a playbook that pages someone who left the company three months ago is worse than no playbook.
  • If alerts are too noisy, tighten your detection thresholds incrementally rather than disabling rules outright — a muted alert during a real LLM incident response scenario is the single most common root cause of slow containment in post-mortems.

How Safeguard Helps

Safeguard extends software supply chain security into the AI layer, giving teams the visibility an AI incident response plan depends on. Safeguard tracks model and dependency provenance across your ML pipeline — so when an incident hits, your team can immediately verify which model version, weights, and third-party packages were in production, rather than reconstructing that picture under pressure. Continuous SBOM and artifact signing checks catch tampered model files and vulnerable inference-stack dependencies before they ship, shrinking the pool of incidents you need a playbook for in the first place. And because Safeguard integrates with existing SIEM and alerting workflows, the detection and escalation steps in this guide plug directly into infrastructure your security team already trusts — turning a documented plan into one your organization can actually execute at 2 a.m.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.