SAIL 2.0

/

Monitor: AI Activity Tracing & Telemetry

/

Absence of AI- and Agent-Specific Incident Response Plan

7.5

.

Absence of AI- and Agent-Specific Incident Response Plan

sail
7.5
Risk

Absence of AI- and Agent-Specific Incident Response Plan

Description

The organization lacks a documented, role-based, and regularly tested IR playbook for AI and agentic incidents, delaying containment and recovery efforts. In the GTG-1002 era, agents themselves can be the attacker โ€” IR must address agent-driven compromise.

Example

A prompt-leak alert fires in production; without an agentic IR playbook the SOC can't identify owners, evidence chain stalls, and legal review is delayed.

Assets Affected

AI Policy

AI Platform

App Usage Log

Agent Usage Log

Model Files

Model Response

Mitigation
  • Establish and maintain an AI- and agent-specific IR plan aligned with enterprise IR
  • define agentic incident severity levels, owners, and escalation paths
  • integrate agentic attack scenarios (GTG-1002 class) into tabletop exercises
  • automate evidence capture at alert time
  • tamper-evident storage
  • review and update the plan after each incident or major change.
Standards Mapping
  • ISO: A.8.4, A.6.1.3
  • OWASP agentic: ASI10, ASI08
  • EU AI Act: Art. 73
  • DASF: Platform 12.3
  • AIUC-1: E001, E002