A failure-mode guide to deciding when an AI system should degrade, stop, escalate, recover, and return safely to normal operation.
At 10:12, an internal assistant begins citing a policy that expired two months ago. The service is available. Latency is normal. The model provider reports no outage. Yet the system is failing at the job the business depends on it to do.
What should happen next?
One team may leave the feature running while it investigates. Another may disable retrieval but keep a general chat mode available. A third may send every answer to human review. All three responses can sound reasonable. Without thresholds agreed in advance, however, the decision is made under pressure by whoever happens to be online.
That is the operating gap in many AI products. Teams discuss accuracy, security, and uptime before launch, but they do not define the conditions that turn an anomaly into an incident. They have monitoring without triggers, backups without tested recovery, and approval steps without decision authority.
AI incident response is the discipline of closing that gap. It is not a document that predicts every possible failure. It is a system for recognizing harmful behavior, limiting the damage, preserving evidence, choosing a safe operating mode, and returning to normal only when the evidence supports that decision.
Traditional availability measures still matter. An AI application can fail because an endpoint is unavailable, a queue is full, an identity service is down, or a database cannot be reached. But an HTTP 200 response does not prove that the result is useful or safe.
A retrieval assistant can answer from the wrong document. A classification model can drift for one customer segment. An agent can choose a valid tool for the wrong purpose. A model can produce syntactically valid JSON with an invented account number. These are semantic failures: the components run, but the workflow violates an important expectation.
An incident plan therefore needs signals at several layers:
This is one place where ordinary software operations and AI evaluation have to meet. The hidden work behind reliable AI projects explains why evaluation, data, integration, and observability belong in the build. Incident response gives that evidence an operational consequence.
If a metric can become dangerous without crossing an action threshold, it is only a chart.
The most useful incident rule is not “monitor output quality.” It is closer to: “If more than 2% of sampled answers cite a superseded policy in a rolling hour, disable automated answers for that policy group and route requests to the service desk.”
The precise threshold will differ by system. A writing assistant can tolerate failures that a medication-information workflow cannot. The important design choice is to connect observable evidence to a required response.
Here is a compact severity matrix teams can adapt before launch:
| Level | Example evidence | Immediate operating mode | Decision owner | Exit evidence |
|---|---|---|---|---|
| S0: normal variance | Isolated low-impact error within expected range | Continue; log and sample | Product or service owner | Routine evaluation remains within target |
| S1: degraded | Quality threshold missed for one bounded use case | Warn users, narrow scope, increase review | On-call lead | Targeted tests pass and trend stabilizes |
| S2: material | Repeated harmful output, unauthorized retrieval, or incorrect action | Stop affected workflow; preserve traces; notify stakeholders | Incident commander plus risk owner | Cause contained, fix verified, backlog reviewed |
| S3: critical | Safety impact, sensitive-data exposure, large financial action, or uncontrolled agency | Disable system or revoke tool access immediately | Named executive and incident commander | Formal approval after security, legal, and technical review |
This is not a universal risk model. It is a conversation starter that forces six decisions into the open: what evidence matters, how much is too much, which mode is safer, who has authority, who must be told, and what proves recovery.
Good thresholds mix rates with absolute events. Ten weak summaries might be an evaluation issue. One unauthorized payment or exposure of protected data can be an incident by itself. Waiting for a statistically meaningful sample would be irresponsible.
The team also needs authority to act on the trigger. If the on-call engineer sees an S2 condition but needs three managers to approve a shutdown, the trigger is ceremonial. Leadership must decide in advance which actions can be taken immediately and which require additional approval.
“Use another model” is not a recovery strategy.
A second model may depend on the same region, gateway, retrieval index, prompt, identity layer, or broken tool. It may also behave differently enough to create a new quality problem. Redundancy helps only when the alternative path removes or contains the failed dependency.
Microsoft’s current application design guidance for AI workloads recommends provider abstraction and fallback mechanisms, but it also warns teams not to rely only on SDK retries and timeouts. That distinction matters. Repeating a request against a dependency that is overloaded can amplify the incident. A circuit breaker, bounded retries, or deliberate degradation may be safer.
Useful fallbacks are often less capable:
Graceful degradation needs product design, not only infrastructure. The user should understand what remains available and what has changed. A silent fallback that produces lower-quality answers can preserve uptime while damaging trust.
The fallback must also have its own limits. If manual review is the backup, how many cases can reviewers handle per hour? If a static knowledge page is the backup, who confirms it is current? If a second provider is the backup, has the team tested data residency, output schemas, latency, and capacity? Every alternative introduces a new set of assumptions.
When an AI workflow causes harm, raw application logs may not explain it. Investigators may need the model and prompt version, retrieved document identifiers, tool calls, permission context, structured output, human override, feature flags, and correlation ID. Without these records, the team can see the result but not reconstruct the path.
Observability should be designed around questions an incident commander will ask:
This does not justify logging everything. Prompts, retrieved context, and tool results may contain personal, confidential, or regulated information. Teams need access controls, retention limits, redaction, and an explicit purpose for the telemetry they keep.
The broader lesson in making AI work visible before trust breaks applies directly here: visibility is useful when it helps people make decisions. During an incident, that means establishing scope, containing impact, and testing a hypothesis—not collecting traces without ownership.
A runbook can list technically correct steps and still fail operationally. The person with permission to revoke an agent’s credentials may be asleep. The service owner may not know who owns the source data. Support may learn about the incident from customers. Legal may be contacted after a disclosure instead of during the first assessment.
Define roles by responsibility, with named backups:
For a small team, one person may fill several roles. The distinction still matters because it prevents diagnosis, business tradeoffs, and communication from collapsing into an unstructured chat.
I see a related pattern in technical teaching: learners naturally spend more attention on the happy path because it gives immediate feedback. The deeper learning begins when they have to explain what should happen after invalid output, a failed API call, or missing data. Production teams face the same test at higher stakes. Recovery depends on decisions made before the failure is emotionally and commercially expensive.
This is also why hero culture is a reliability risk. If one engineer holds the system map, credentials, and recovery knowledge, the organization has confused expertise with resilience. AI teams need repeatable operating systems, not emergency heroes.
Tabletop exercises are valuable because they reveal organizational dependencies that unit tests cannot. But an exercise is not successful because people attended it. It is successful when it changes the system.
Choose a scenario with a credible chain of effects. For example: a document permission bug exposes restricted text to retrieval; the assistant cites it in several answers; a user posts a screenshot publicly; disabling the index also breaks a customer-support workflow. Then walk through detection, severity, containment, communication, evidence preservation, recovery, and customer remediation.
During the exercise, inject complications:
NIST’s Generative AI Profile explicitly recommends defining roles for generative AI incident response, rehearsing plans regularly, communicating them to relevant actors, and using retrospective learning. The sequence is important. Ownership without rehearsal leaves hidden gaps; rehearsal without corrective work only documents them.
Every exercise should end with assigned changes and deadlines. Update permissions, alerts, contact lists, dashboards, feature flags, recovery scripts, user messages, and evaluation cases. Retest the failed step. A lesson that never changes code, configuration, documentation, or authority is easy to lose.
Restoring availability is only one part of recovery. The team may need to identify affected decisions, correct records, notify users, rebuild an index, rotate credentials, or reprocess a queue. It may also need to prove that the fix addresses the cause rather than hiding the symptom.
Define recovery objectives for the business workflow, not only the service:
A safe return often moves through modes: stopped, read-only, internal users only, sampled human review, limited traffic, then full operation. Each step should have entry and exit evidence. This reduces the chance that pressure to restore service recreates the incident.
Afterward, review the system without reducing the story to one person’s mistake. Ask why the action was possible, why the signal was missed, why the response was delayed, and why the fallback did not contain the problem. AI reliability requires protocols, not blind trust; the post-incident review is where those protocols should become more precise.
No team can predict every model behavior, dependency outage, malicious input, or business consequence. Trying to write a runbook for every scenario creates a library nobody can use under pressure.
Prepare the decisions that recur across scenarios instead. Define severity. Connect triggers to action. Limit authority before an agent receives it. Design a genuinely different fallback. Preserve enough evidence to investigate safely. Name decision owners and backups. Rehearse a realistic failure. Require evidence before returning to normal.
That operating discipline does not eliminate AI incidents. It makes them easier to recognize, harder to amplify, and less dependent on improvised courage.
The strongest incident plan is not the longest document. It is the one a team can execute when the dashboard looks healthy, the output looks fluent, and something important is still going wrong.