What should an AI agent incident response runbook include?

An AI agent incident response runbook should include procedures for detection, escalation, containment, communication, and learning, specifically tailored for AI agents. It must also incorporate mechanisms for continuous discovery, behavioral monitoring, and forensic audit trails to effectively manage incidents involving autonomous agents.

• Continuous Discovery and Inventory: The runbook should emphasize continuous discovery across all SaaS applications, AI agents, integrations, and non-human identities, including shadow AI, as you cannot protect what you cannot see. This aligns with the asset inventory requirement at Layer 2 (Data Operations and Storage) of the MAESTRO model.
• Behavioral Monitoring and Anomaly Detection: Implement behavioral monitoring for human and non-human identities with data-layer context to distinguish compromised agents from normal operations. This requires establishing a baseline for agent behavior, its own anomaly detection model, and an alert taxonomy distinct from human user behavioral analytics.
• AI Agent Flight Recorder: Include a requirement for an AI Agent Flight Recorder to provide a forensically complete, cross-SaaS audit trail of every agent action, mapped to sensitive data and blast radius. This is crucial for reconstructing agent actions across all systems it touched to determine the blast radius of a compromise and provide accountability. This also supports auditability and forensic readiness, ensuring immutable, queryable records that preserve decision context.
• Blast Radius Calculation: The runbook should detail procedures for rapidly calculating the blast radius to identify which data, systems, and identities are at risk. This capability is essential for a fundamentally different post-incident posture.
• Cross-App Coordinated Response: Outline a cross-application coordinated response with native SecOps integration across exposure management, threat hunting, and incident response. This ensures that when the blast radius is understood and affected systems are identified, the response can be orchestrated across the entire ecosystem simultaneously.
• Deactivation and Rollback Procedures: Include procedures to deactivate, roll back, or safely retire AI systems that exceed risk tolerances, acting as a kill-switch for agents (NIST-MANAGE-2.3).
• Incident Reporting: The runbook should specify the generation of structured incident reports upon agent completion, covering the initial alert, investigation steps, tools used, findings, remediation actions, and confidence scores. This supports the NIST-MANAGE-4.1 function for incident response and post-deployment monitoring.
• Skill-Based Response: Incorporate the use of agent skills for structured containment and investigation procedures, such as ransomware response, which can include steps for host isolation, memory acquisition, and SIEM notification. This allows for codifying approaches to novel attacks.
• Data Classification and Access Control: The runbook should consider data classification, memory retention rules, role-based and capability-based access controls, and compliance review of rubrics to mitigate threats like access-control drift and unapproved memory of regulated data (Layer 6: Security and compliance). It should also address data residency violations by requiring residency labels on data and routing logic that respects residency at the inference layer.
• Authenticated Agent Rosters and Traceable Messages: For multi-agent orchestration, the runbook should include mitigations such as authenticated agent rosters, version-pinned agents, signed tool definitions, and traceable inter-agent messages to address threats like agent impersonation and malicious specialist agents (Layer 7: Agent ecosystem).