
AI Incident / Postmortem / Reliability Playbook

Audience: AI PM, AI Architect, Platform PM, Model Risk, AI Governance, SRE / Production Engineering, Security, Compliance, Internal Audit.

Core question: when an AI system in production produces wrong answers, wrong retrieval, tool misuse, PII leakage, runaway cost, latency degradation, model drift or prompt injection, how does the team stop the bleeding quickly, run an auditable postmortem, close the loop against recurrence, and turn the incident experience into architecture decisions, product gates and governance evidence?

Learning objectives: this is not BA basics, and it does not stop at "writing an incident report". The goal is to train senior roles to define an AI incident taxonomy, severity model, incident command, rollback / containment, postmortem, corrective action register, AI reliability review board, game days, regulator / board communication and a presentable portfolio.

Important note: this document is learning and portfolio material and does not constitute legal, regulatory, audit or formal security advice. A formal retail financial services project must have business owner, technology, security, privacy, legal, compliance, model risk, operational risk and internal audit jointly confirm the applicable requirements, notification obligations, evidence retention and customer remediation.


1. One-Sentence Positioning

Traditional incident management asks:

Is the service down, how long until recovery, what is the root cause, and how do we prevent recurrence?

AI incident management has to ask five more layers:

What did the AI get wrong
-> which component caused or amplified the error
-> which customers, employees, cases, tool actions and regulatory obligations were affected
-> how to return the system to a controlled state
-> how to turn the incident samples into evals, guardrails, architecture gates and governance evidence

The core position of this playbook:

AI reliability is not model accuracy, not APM, and not after-the-fact filing. It is an operating loop that runs from detect, triage, command, contain, recover, postmortem, regression and governance through to architecture decision.

Final deliverables suitable for a portfolio:

| Portfolio artifact | Capability demonstrated |
|---|---|
| AI Incident Taxonomy | Recognizes AI-native failures instead of only 5xx and timeouts. |
| Risk-Tiered Severity Model | Combines customer harm, regulatory risk, data leakage, tool actions, cost and availability into one grading. |
| Incident Command Runbook | Organizes a cross-functional war room and controls decision cadence and evidence preservation. |
| Containment / Rollback Matrix | Returns model, prompt, index, tool, policy, route, UI and vendor changes to a controlled state. |
| Postmortem Template | Produces a blameless postmortem that still closes the loop on accountability. |
| Corrective Action Register | Turns root causes into owner, due date, control, regression evidence and residual risk. |
| Reliability Review Board Charter | Designs a governance mechanism instead of relying on ad-hoc judgement by a single project team. |
| Game Day / Tabletop Pack | Proactively rehearses bad retrieval, PII leak, tool misuse, policy bypass and cost spike. |

2. Source Anchors

The sources below serve as the external anchors for this playbook. A formal project should record access date, version, internal policy mapping and legal / risk sign-off.

| Source | Official / primary link | How this playbook uses it |
|---|---|---|
| NIST AI RMF | https://www.nist.gov/itl/ai-risk-management-framework | Uses Govern / Map / Measure / Manage to organize AI risk identification, measurement, treatment and the governance loop; connects the incident loop to the AI inventory, risk tier, monitoring and management reporting. |
| NIST GenAI Profile | https://www.nist.gov/publications/artificial-intelligence-risk-management-framework-generative-artificial-intelligence | Used to identify GenAI-specific risks: generated-content errors, data leakage, misuse, vendor dependency, evaluation limits, lifecycle actors and governance evidence. |
| NIST CSF 2.0 | https://www.nist.gov/cyberframework | Uses the Govern, Identify, Protect, Detect, Respond, Recover vocabulary of cybersecurity operations to organize AI incident response, recovery, evidence and improvement. |
| Google SRE Postmortem Culture | https://sre.google/sre-book/postmortem-culture/ | Uses blameless postmortems, explicit postmortem triggers, root cause vs contributing factors and tracked preventive actions to design the AI postmortem culture. |
| MITRE ATLAS | https://atlas.mitre.org/ | Uses AI attack tactics / techniques to organize attack paths and event analysis for prompt injection, data poisoning, model evasion, exfiltration and tool misuse. |
| OECD AI Incidents Monitor | https://oecd.ai/en/incidents | Uses its fields (AI incident / hazard, harm type, affected stakeholder, autonomy level, business function) to train the external incident radar and classification vocabulary. |
| AI Observability / Cost / SLO Playbook | docs/AI_OBSERVABILITY_COST_SLO_PLAYBOOK.md | Connects trace, span, quality dashboard, SLO, cost ledger and incident timeline to the response flow in this playbook. |
| AI Threat Modeling / Red Team / Agent Security Playbook | docs/AI_THREAT_MODELING_RED_TEAM_PLAYBOOK.md | Connects threat model, red-team scenario, tool gateway, DLP, kill switch and tabletop to recurrence prevention. |
| AI Model Risk Management Playbook | docs/AI_MODEL_RISK_MANAGEMENT_PLAYBOOK.md | Turns incident, model drift, eval regression, model change and validation issues into MRM evidence. |
| AI Audit Evidence Binder Playbook | docs/AI_AUDIT_EVIDENCE_BINDER_PLAYBOOK.md | Brings incident logs, RCA, corrective actions, approvals, customer remediation and regression results into the audit evidence pack. |

3. Senior Framework: AI Reliability Operating Loop

AI reliability is not a single capability; it is an operating loop.

1. Detect
   -> telemetry, eval regression, customer complaint, analyst override, cost alert, security alert

2. Triage
   -> classify failure type, severity, affected population, customer/regulatory impact, active blast radius

3. Command
   -> assign incident commander, scribe, domain owners, decision cadence, evidence preservation

4. Contain
   -> disable risky path, rollback prompt/model/index/tool/policy, route to safe fallback, pause automation

5. Recover
   -> validated fix, regression tests, staged restart, enhanced monitoring, customer remediation

6. Postmortem
   -> timeline, impact, root cause, contributing factors, detection gaps, response gaps, decision quality

7. Prevent recurrence
   -> eval cases, guardrails, architecture decision, release gate, SLO changes, ownership changes

8. Govern
   -> reliability review board, risk acceptance, audit evidence, board/regulator/customer communication

3.1 How an AI Incident Differs from an Ordinary Incident

| Dimension | Ordinary production incident | AI production incident |
|---|---|---|
| Illusion of success | HTTP 200 usually means technical success | HTTP 200 can return wrong answers, hallucinations, expired policy, over-privileged tool suggestions or leaked content |
| Root cause objects | code, infra, dependency, capacity | model, prompt, RAG, index, policy, tool, judge, human handoff, vendor route, feedback loop |
| Impact scope | failed requests, service unavailable, data loss | misled customers, wrong business actions, wrong regulatory statements, PII leakage, bias, cost explosion, model risk |
| Evidence requirements | logs, metrics, deployment history | trace, prompt version, model version, retrieved docs, tool calls, policy decisions, human review, eval result |
| Recovery strategy | rollback, reroute, scale, fix code | pin model, freeze prompt, roll back index, disable tool, force template, switch to human queue, re-run eval |
| Recurrence prevention | tests, alerts, runbook | regression eval, golden set, adversarial cases, control mapping, architecture gate, review board |

3.2 The Four Control Planes of AI Reliability

| Control plane | Question it owns | Key owner | Typical evidence |
|---|---|---|---|
| Product control plane | What the AI is allowed to answer, recommend and execute, and when it escalates to a human | AI PM / Business Owner | use case boundary, risk tier, customer impact map, fallback policy |
| Architecture control plane | How model, RAG, tools, policy, logging, rollback and vendors are isolated and controlled | AI Architect / Platform Owner | C4 diagram, component version map, kill switch design, route policy |
| Risk control plane | Whether risk tier, validation, continuous monitoring, residual risk and audit evidence hold up | Model Risk / Compliance / Audit | validation issue log, control evidence, risk acceptance, management attestation |
| Operations control plane | Who is on call, who commands, how to contain, how to communicate, how to run the postmortem | SRE / Incident Commander | incident state doc, timeline, postmortem, corrective action register |

4. AI Incident Taxonomy

The purpose of classifying an incident is not to attach a label; it is to decide who joins the war room, which path is cut first, which evidence is preserved, and which notifications and regression tests are started.

| Category | Typical symptoms | Key evidence | Immediate containment | Recurrence prevention |
|---|---|---|---|---|
| Bad retrieval | RAG returns expired, wrong, under-privileged, cross-tenant or irrelevant documents | query, index version, retrieved doc IDs, ACL filter, citation IDs, freshness | roll back index; disable offending documents; switch to authoritative search; enforce citation validation; route high-risk questions to humans | source trust, ACL test, freshness SLO, retrieval eval, index release gate |
| Hallucination | Model generates facts, policies, amounts, dates or reasons not supported by evidence | prompt, model output, citation support score, judge result, human edits | restrict answer types; enable answerability gate; switch high-risk replies to templates; increase refusals | groundedness eval, citation checker, template locking, risk-tiered response policy |
| Policy bypass | Model circumvents business, compliance, security, sales, investment-advice or complaint rules | policy decision log, guardrail result, prompt version, conversation | enable blocklist / classifier; close the free-generation path; force escalation for high-risk intents | policy engine externalization, rule test suite, prompt conflict review |
| Tool misuse | Agent calls the wrong tool, queries beyond its permissions, executes repeatedly, submits or updates a case incorrectly | tool span, tool args hash, approval ID, side effect, idempotency key | disable write tools; switch to dry-run; freeze high-risk actions; reverse wrong actions; human review queue | tool permission matrix, step budget, dual control, idempotency, approval UX |
| PII / PCI / secrets leak | Sensitive data leaks through output, logs, outbound tools or vendor calls | output sample, DLP result, egress log, trace redaction, affected records | stop egress; enable redaction; disable plaintext logging; notify privacy / legal; isolate vendor route | data minimization, DLP regression, log masking, field-level policy, tenant isolation |
| Cost spike | Tokens, retrieval, rerank, judge, tools or loops drive abnormal cost | cost ledger, route policy, token counts, cache status, loop trace | enable budget cap; downgrade model; limit context; stop retry loop; rate limit | unit economics SLO, loop detector, quota, prompt size budget, cache policy |
| Latency degradation | TTFT, total latency, tool latency, queue wait or judge latency exceed thresholds | latency spans, queue metrics, vendor status, retrieval timing | downgrade model; bypass non-essential judges; reduce top_k; serve cached answers; switch to fallback | latency SLO, capacity test, route policy, timeout budget, dependency isolation |
| Model drift / eval regression | Offline or online quality scores drop; behaviour changes after an upgrade | eval run ID, model alias, prompt / index version, golden set delta | pin previous model; stop rollout; expand human review; roll back route | canary eval, shadow test, model pinning, approval workflow, drift dashboard |
| Prompt injection | Users, documents, web pages, e-mails or tool output induce the model to ignore rules or leak | malicious payload, context labels, tool proposal, blocked / allowed decision | disable affected entry points; enforce untrusted-context labeling; shut off egress and write tools | adversarial eval, instruction hierarchy, tool gateway, content isolation |
| Data / index poisoning | Knowledge base, memory, feedback or fine-tuning data contaminated by malicious or wrong content | source change log, document owner, index manifest, memory write log | pause ingest; roll back index; purge memory; freeze feedback training | source approval, data lineage, memory governance, poisoning red-team |
| Judge failure | LLM judge or rule-based eval misjudges, letting bad output pass or blocking good output | judge prompt, rubric version, expert disagreement, score drift | pause auto-approval; switch to human sampling; roll back judge prompt; raise threshold | judge calibration, expert benchmark, rubric versioning, meta-eval |
| Human handoff failure | Should have escalated to a human but did not, or the human cannot understand the AI context | escalation log, queue SLA, handoff payload, review notes | force human queue; stop auto-completion; re-send case context | warm handoff spec, queue SLO, review training, override analytics |
| Vendor / dependency incident | LLM, embedding, vector DB, tool API, MCP server or cloud misbehaves or changes | vendor status, model version, contract notice, route log | switch vendor; downgrade to local model; disable third-party connector; freeze new requests | vendor exit plan, multi-provider route, contract controls, dependency game day |

4.1 Where an Event Stops and an Incident Begins

| Signal | When it is only an event | When it escalates to an incident |
|---|---|---|
| Single bad rating | User is subjectively unhappy; no policy or evidence violation | Hits a high-risk intent, a customer is harmed, the same pattern repeats, or human review judges the error severe |
| Eval drop | Minor fluctuation in a low-risk metric, not in production | High-risk golden set fails, a live version regresses, or the release gate was bypassed |
| Cost increase | Seasonal traffic within budget | A single use case is over budget, loop / abuse, unit economics broken, or service capacity affected |
| Prompt injection blocked | Controls working as intended | Block rate rises abnormally, unblocked samples appear, or the attacker triggers tool proposals or data exfiltration |
| Customer complaint | Ordinary service complaint | Complaint points to AI misleading, refusal of human contact, wrong promises, wrong fees, discrimination or privacy problems |

5. Severity Model: Grading AI Incidents

Severity must be graded by impact and control failure, not by how anxious the team is. The recommendation is to grade retail financial services AI incidents from SEV0 to SEV4.

| Severity | Definition | Trigger conditions | Decision authority | Default actions |
|---|---|---|---|---|
| SEV0 - Critical AI Harm | Has caused, or is very likely to cause, major customer harm, regulatory violation, major data breach, financial loss, systematic wrong business actions or board-level reputational risk | Large-scale PII / PCI leak; customer funds or account state wrongly changed; major error in regulatory reporting / AML / SAR; high-risk agent auto-execution out of control; cross-tenant data exposure | Executive incident lead + Legal / Risk / CISO / Business head | Immediately disable the AI path; preserve evidence; start customer remediation, legal assessment, regulator communication preparation and board notification |
| SEV1 - High Impact | Affects regulated processes, customer-visible output or high-risk employee decisions, but scope can be limited by fast containment | Wrong KYC / AML recommendations appear in volume; customer-service AI gives wrong fee / rights statements; a high-risk tool bypasses approval but without large-scale execution | Incident Commander + Business Owner + Model Risk / Compliance | Freeze changes; roll back components; expand human review; first-draft postmortem within 24-48 hours |
| SEV2 - Material Degradation | Significant degradation of quality, safety, latency, cost or availability affecting business efficiency or medium-risk processes | groundedness below threshold; retrieval freshness failure; p95 latency over SLO; unit cost over budget; abnormal human rejection rate | IC + Product / Platform Owner | Downgrade or divert traffic; open corrective actions; complete postmortem and regression evidence within one week |
| SEV3 - Controlled Issue | Local issue already caught by guardrails, human review or monitoring, with no material customer impact | bad retrieval stopped by answerability gate; prompt injection blocked; error in a low-risk internal copilot | Product / Ops Owner | Log the issue; convert it into a regression case; summarize at the next review board |
| SEV4 - Learning Signal | Early hazard, near miss, tabletop finding, offline eval failure | tabletop reveals a runbook gap; red-team sample fails; external incident radar triggers an internal review | Reliability owner | Update tests, runbook, training and backlog |

5.1 Severity Assessment Dimensions

| Dimension | Low | Medium | High | Critical |
|---|---|---|---|---|
| Customer harm | No customer impact | Customer confusion or minor inconvenience | Customer rights, fees, complaints or account operations affected | Large-scale customer harm; funds or legal rights affected |
| Regulatory exposure | No regulated process | Indirect process | AML / KYC / credit / complaints / adverse action affected | Serious risk to regulatory reporting, statutory obligations or consumer protection |
| Data sensitivity | No sensitive data | Internal data | PII, transaction, identity, credit or AML data | Large-scale PII / PCI, cross-tenant or external leakage |
| Automation level | read / summarize | recommend / draft | act with approval | act without effective approval, or irreversible action |
| Blast radius | Single request | Single team or small sample | Multiple business lines, customer segments or high-value customers | Systemic, cross-tenant, cross-region |
| Detectability | Blocked automatically | Found by monitoring | Found by customers / employees | Found by external media, regulator, audit or a major complaint |
| Reversibility | Immediately correctable | Remediable | Remediation is costly | Hard to reverse, or requires customer / regulator notification |

5.2 AI-Specific SEV Escalation Rules

| Trigger | Minimum SEV |
|---|---|
| Customer-visible AI output fabricates fees, eligibility, denial reasons, complaint rights, or investment / credit advice | SEV1 |
| AI tool call changes a customer account, transaction, refund or case state, and approval or idempotency failed | SEV1; SEV0 if irreversible or executed in batch |
| PII / PCI / secrets appear in customer-visible output, external tools, vendor tickets or log exports | SEV1; SEV0 if large-scale or cross-tenant |
| Systematic AI recommendation errors in high-risk AML / KYC / fraud / credit processes | SEV1; SEV0 if regulatory submissions or customer rights are affected |
| Prompt injection leads to tool proposals, data exfiltration, policy bypass or persistent contamination | SEV1 |
| Eval regression has reached production and affects a high-risk use case | SEV1 |
| Cost anomaly trips the budget breaker, degrades service or affects other customer processes | SEV2; may be raised to SEV1 if a critical service is affected |
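As an added example that is not code from the playbook, the 5.2 escalation rules as a function returning the minimum SEV together with the rule that fired, so the result can be written straight into the 6.3 decision log; the `IncidentFacts` field names are assumptions chosen to mirror the trigger column.

```python
"""Minimum-SEV rules from section 5.2 as executable logic.
Added example, not part of the playbook; the IncidentFacts field names
are assumptions that mirror the trigger column of the 5.2 table."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Lower number means more severe, matching SEV0 > SEV1 > ... in the playbook.
SEV0, SEV1, SEV2, SEV3, SEV4 = 0, 1, 2, 3, 4

HIGH_RISK_PROCESSES = {"AML", "KYC", "fraud", "credit"}
FABRICATION_FIELDS = {"fees", "eligibility", "denial_reason", "complaint_rights",
                      "investment_advice", "credit_advice"}
INJECTION_OUTCOMES = {"tool_proposal", "exfiltration", "policy_bypass",
                      "persistent_contamination"}


@dataclass
class IncidentFacts:
    """Constructed description of one incident (assumed schema)."""
    customer_visible: bool = False
    fabricated_fields: Set[str] = field(default_factory=set)
    account_changing_tool_call: bool = False
    approval_or_idempotency_failed: bool = False
    irreversible: bool = False
    batch_executed: bool = False
    sensitive_data_exposed: bool = False      # PII / PCI / secrets
    large_scale: bool = False
    cross_tenant: bool = False
    regulated_process: str = ""               # "AML", "KYC", "fraud", "credit" or ""
    systematic_wrong_advice: bool = False
    affects_submission_or_rights: bool = False
    injection_outcomes: Set[str] = field(default_factory=set)
    eval_regression_in_prod_high_risk: bool = False
    cost_breaker_or_degradation: bool = False
    critical_service_affected: bool = False
    caught_by_control: bool = False           # guardrail / human review / monitoring caught it
    offline_only: bool = False                # tabletop, red-team sample, offline eval


def minimum_severity(f: IncidentFacts) -> Tuple[int, List[str]]:
    """Return (sev, fired_rules). The SEV is the most severe one any 5.2 rule
    assigns; if no rule fires, fall back to SEV4 (offline learning signal),
    SEV3 (caught by a control) or SEV2 (uncaught material degradation)."""
    fired: List[Tuple[int, str]] = []

    if f.customer_visible and f.fabricated_fields & FABRICATION_FIELDS:
        fired.append((SEV1, "customer-visible fabricated fees/eligibility/reasons/advice"))

    if f.account_changing_tool_call and f.approval_or_idempotency_failed:
        sev = SEV0 if (f.irreversible or f.batch_executed) else SEV1
        fired.append((sev, "account-changing tool call with failed approval/idempotency"))

    if f.sensitive_data_exposed:
        sev = SEV0 if (f.large_scale or f.cross_tenant) else SEV1
        fired.append((sev, "PII/PCI/secrets exposed"))

    if f.regulated_process in HIGH_RISK_PROCESSES and f.systematic_wrong_advice:
        sev = SEV0 if f.affects_submission_or_rights else SEV1
        fired.append((sev, f"systematic wrong advice in {f.regulated_process}"))

    if f.injection_outcomes & INJECTION_OUTCOMES:
        fired.append((SEV1, "prompt injection with tool proposal/exfiltration/bypass/contamination"))

    if f.eval_regression_in_prod_high_risk:
        fired.append((SEV1, "eval regression in a production high-risk use case"))

    if f.cost_breaker_or_degradation:
        sev = SEV1 if f.critical_service_affected else SEV2
        fired.append((sev, "cost anomaly tripped breaker or degraded service"))

    if fired:
        sev = min(s for s, _ in fired)
        return sev, [r for s, r in fired if s == sev]
    if f.offline_only:
        return SEV4, ["learning signal: not in production"]
    if f.caught_by_control:
        return SEV3, ["controlled issue: caught before impact"]
    return SEV2, ["material degradation: no 5.2 rule fired, not caught by a control"]


def sev_label(sev: int) -> str:
    return f"SEV{sev}"
```

The AML copilot case from the 9.1 template (systematic wrong AML advice, no submission affected) lands on SEV1, matching the severity recorded there.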

6. Incident Command: Designing the AI War Room

AI incidents cannot be handled by engineering on-call alone, because the root cause may be business policy, model version, knowledge base, tool permissions, a human process or a vendor change. The war room needs explicit roles rather than everyone talking at once.

6.1 Roles and Responsibilities

| Role | Main responsibilities | Key decisions |
|---|---|---|
| Incident Commander | Controls cadence, assigns tasks, sets update frequency, makes the final operational decision | Whether to raise SEV; whether to disable the AI path; whether to declare containment complete |
| Scribe / Evidence Lead | Records timeline, decision log, evidence links, versions and action items | Which evidence goes into the postmortem and the audit binder |
| AI Product Lead | Defines customer / business impact, fallback experience, remediation path and user communication | Whether to close a class of intent; whether to switch to humans; how to handle affected users |
| AI Architect / Platform Lead | Judges component boundaries, rollback paths, route policy, log preservation and technical recovery | Order of rollback across model / prompt / index / tool / policy / vendor |
| Model Risk / Validation | Judges model risk, eval regression, validation gaps and risk acceptance | Whether re-validation is needed; whether to block restart |
| Security Lead | Judges prompt injection, exfiltration, tool abuse, credential / connector risk | Whether to open a security incident; whether to isolate connectors / secrets / MCP servers |
| Privacy / Data Protection | Judges PII / PCI / sensitive data exposure, notification obligations and data minimization gaps | Whether the privacy incident workflow is needed |
| Legal / Compliance | Judges regulatory, contractual, customer-notification, complaint and retention obligations | Whether to prepare a regulator response, legal hold or board escalation |
| Business Owner | Judges business impact, customer remediation, human capacity and residual risk | Whether to accept degraded service; whether to pause the process |
| Customer / Operations Lead | Runs customer support, human queue, branch / agent guidance and scripts | How to identify and contact affected customers |
| Vendor Owner | Coordinates model / cloud / tool vendors, SLA, change notes and evidence | Whether to switch vendor; whether to trigger a contractual incident notice |

6.2 War Room Cadence

| Phase | Time-boxed goal | Output |
|---|---|---|
| First 15 minutes | Confirm SEV, IC, scribe, affected systems, initial containment owner | Incident state doc, bridge channel, decision cadence |
| First 30 minutes | Lock down blast radius, preserve evidence, decide whether to close high-risk paths | Impact hypothesis, freeze decision, initial customer / regulatory exposure |
| First 60 minutes | Execute containment, confirm fallback, start identifying affected objects | Containment decision, rollback record, affected population query |
| First 4 hours | Verify containment holds, prepare internal update, define remediation strategy | Stable state declaration, executive update, remediation backlog |
| First 24 hours | First-draft postmortem, customer / regulator / board communication draft, regression plan | Draft RCA, corrective action register, communication pack |
| First 5 business days | Full postmortem, review board, risk acceptance or restart approval | Final postmortem, evidence pack, board / regulator-ready summary |

6.3 Minimum Decision Log Fields

| Field | Example |
|---|---|
| Decision ID | DEC-2026-AML-001 |
| Time | 2026-06-29 14:35 America/Chicago |
| Decision | Disable free-form SAR narrative generation in the AML copilot; keep only the evidence summary |
| Decision owner | Incident Commander + AML Business Owner |
| Rationale | Narratives for 4 high-risk cases cited a retired typology; RAG index rollback not yet complete |
| Alternatives considered | Only raise the judge threshold; disable the copilot entirely; switch to the old index |
| Risk accepted | Analyst efficiency drops, but wrong narratives are kept out of the submission flow |
| Evidence link | trace IDs, index manifest, affected case query, approval record |
| Revisit condition | New index passes 50 regression cases and Model Risk approves restart |

7. Containment / Rollback Decision Matrix

Principles of AI containment:

Stop the harm first, then restore capability;
cut high-risk actions first, then repair answer quality;
preserve evidence first, then clean up state;
validate the rollback first, then ramp traffic back up.

7.1 Component-Level Rollback Matrix

| Suspected component | Typical signal | Fastest containment | Reliable recovery condition |
|---|---|---|---|
| Model | Output style, refusals or accuracy change suddenly under the same prompt / index | pin previous model; switch to backup provider; raise human review | Canary eval passes; vendor change notes reviewed; high-risk samples expert-reviewed |
| Prompt | Policy bypass, format errors or fewer refusals after a new version | roll back prompt template; lock approved response templates | Prompt diff review; regression eval; policy owner sign-off |
| RAG index | Wrong citations, expired policy, permission mismatch, freshness failure | roll back index; disable contaminated source; fall back to the authoritative portal | Index manifest verification; ACL test; source owner approval; retrieval eval |
| Retriever / reranker | Recall relevance drops; low-trust documents ranked high | downgrade to hybrid search; adjust top_k / filters; disable reranker | Retrieval benchmark regression; low-trust source penalty verified |
| Tool gateway | Over-privileged tool proposals, approval bypass, repeated execution | disable write tools; read-only mode; force manual approval | Permission matrix review; idempotency test; approval trace sample |
| Policy engine / guardrail | Block rate drops suddenly or false blocks rise | roll back rule set; enable conservative mode; force escalation | Policy test suite; false positive / false negative review |
| Memory / feedback loop | Contaminated memory, wrong preferences, repeated error learning | pause memory read / write; purge contaminated records; disable online learning | Memory lineage review; write policy test; sampling approval |
| Judge / eval | Bad output passes, good output rejected, score drift | pause auto-approval; switch to human sampling; roll back judge prompt | Expert calibration; judge benchmark; threshold review |
| UI / disclosure | Customers misunderstand AI capability, cannot reach a human, wrong prompts shown | switch to static copy; force human entry point; close high-risk flow | UX content approval; complaint trigger test; accessibility check |
| Vendor dependency | Latency, abnormal output, version drift, SLA alerts | route away; downgrade to local or backup model; pause connector | Vendor RCA; contract notice; internal canary; exit plan review |

7.2 Failure Type to Containment

| Failure | First containment | Second containment | Recovery gate |
|---|---|---|---|
| Bad retrieval | Roll back index or disable source | Force high-risk questions to humans | retrieval golden set, ACL test and freshness check pass |
| Hallucination | Restrict free generation; enable templates | Downgrade to citation summary or refusal | groundedness >= threshold; expert sample pass |
| Policy bypass | Enable conservative policy | Pause affected intents | policy regression suite pass; compliance sign-off |
| Tool misuse | Disable write tools | Reverse / compensate side effects; replay idempotency check | tool permission test; approval audit sample |
| PII leak | Stop egress and plaintext logging | Identify affected records; privacy workflow | DLP regression pass; redaction evidence; legal decision |
| Cost spike | Budget breaker and rate limit | Downgrade model, shorten context, stop retry loop | unit cost back within SLO; loop detector verified |
| Latency degradation | Route to fast path | Disable non-essential judge / rerank / long context | p95 latency stable; capacity margin confirmed |
| Model drift | Pin previous model | Increase human review | canary eval + shadow traffic pass |
| Prompt injection | Isolate entry point and untrusted content | Disable tools / egress / memory writes | adversarial regression pass; security approval |

7.3 Kill Switch Layers

| Switch level | Scope | Applicable scenario | Risk |
|---|---|---|---|
| L1 Response mode switch | Switch from generated answers to template, refusal or citation summary | hallucination, policy bypass, customer-facing risk | User experience degrades, but the business continues |
| L2 Intent switch | Close one class of intent, e.g. complaints, refunds, KYC exceptions | A single business flow out of control | Human queue pressure rises |
| L3 Tool switch | Disable write tools, egress tools, high-risk query tools | tool misuse, prompt injection, PII leak | Automation benefit drops |
| L4 Component switch | Roll back model, prompt, index, policy, judge | A component change causes regression | May reintroduce old defects; needs regression validation |
| L5 System switch | Disable the entire AI capability | SEV0, or blast radius cannot be confirmed | Largest business impact, but the most certain containment |

8. Detection and Evidence: No Evidence, No Postmortem

Evidence for an AI incident must be able to answer:

Who asked what
What the system saw
How the model / retrieval / tools / policy decided
Whom the output affected
When we knew, when we contained, and when we confirmed recovery

8.1 Detection Signals

| Signal | Detection source | Incident types it can trigger |
|---|---|---|
| Human reject spike | QA / reviewer decision | hallucination, bad retrieval, policy bypass, model drift |
| Citation support failure | groundedness judge, citation checker | hallucination, bad retrieval, index poisoning |
| Tool policy denied spike | tool gateway | prompt injection, excessive agency, permission issue |
| DLP hit | output filter, egress gateway, log scanner | PII leak, secrets leak, cross-tenant data issue |
| Cost per case spike | cost ledger | loop, long-context expansion, abuse, vendor price / route change |
| p95 / p99 latency breach | tracing / APM | vendor degradation, retrieval slowdown, judge bottleneck |
| Eval regression | CI / release gate / scheduled eval | model drift, prompt regression, index regression |
| Customer complaint | contact center, complaints system, social channel | customer-facing hallucination, handoff failure, wrong advice |
| Security alert | SIEM, WAF, MCP gateway, red-team monitor | prompt injection, tool abuse, exfiltration |
| External incident radar | OECD monitor, industry reports, vendor notices | hazard review, third-party dependency risk |

8.2 Minimum Evidence Pack Contents

| Evidence | Fields |
|---|---|
| Incident state doc | SEV, status, IC, scribe, systems, affected use cases, current containment |
| Timeline | detection, triage, decision, rollback, recovery, communication, restart |
| Trace sample | trace IDs, request IDs, user role, workflow step, risk tier |
| Version map | model, prompt, index, retriever, reranker, judge, policy, tool schema, UI copy |
| Impact query | affected customers / cases / employees / transactions / outputs |
| Tool side effect log | tool name, arguments hash, approval ID, result, reversal / compensation |
| Data exposure assessment | fields exposed, records count, destination, retention, redaction status |
| Eval / regression result | failed cases, baseline, current score, rerun after fix |
| Communication record | internal update, customer script, regulator memo, board brief |
| Corrective action register | owner, due date, control, verification evidence, closure decision |

8.3 Trace Fields for Incident Readiness

| Field group | Required fields |
|---|---|
| Business context | use_case_id, risk_tier, workflow_step, customer_segment, employee_role, case_id |
| AI component versions | model_alias, model_version, prompt_id, prompt_version, index_version, policy_version, judge_version |
| Retrieval | query, filters, retrieved_doc_ids, citation_doc_ids, source_trust, freshness_days, ACL decision |
| Tool | tool_name, risk_level, input_hash, policy_decision, approval_id, side_effect, idempotency_key |
| Safety | guardrail_decision, DLP_decision, prompt_injection_score, escalation_reason |
| Quality | groundedness_score, citation_correctness, answerability, human_review_decision, edit_reason |
| Performance | ttft_ms, total_latency_ms, retrieval_latency_ms, tool_latency_ms, judge_latency_ms |
| Cost | input_tokens, output_tokens, reasoning_tokens, retrieval_cost, judge_cost, tool_cost, total_cost |
| Audit | trace_id, request_id, retention_class, redaction_status, access_control_group |
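An added example, not the playbook's own code, that runs the 8.3 readiness check and the 8.1 detection signals over a constructed JSON-lines trace sample; field names follow the 8.3 table, while the thresholds, the `SIGNAL_TO_CATEGORIES` mapping and every sample value are assumptions.

```python
"""Trace readiness check (section 8.3) and detection signals (section 8.1)
over a constructed JSON-lines trace sample. Added example, not the
playbook's code; field names follow 8.3, thresholds are assumptions."""
import json
from collections import defaultdict
from statistics import median
from typing import Dict, List

# Subset of the 8.3 required fields (one trace record per request).
REQUIRED_FIELDS: Dict[str, List[str]] = {
    "business_context": ["use_case_id", "risk_tier", "workflow_step", "case_id"],
    "ai_component_versions": ["model_alias", "model_version", "prompt_version", "index_version"],
    "retrieval": ["citation_doc_ids", "source_trust", "freshness_days"],
    "tool": ["tool_name", "policy_decision"],
    "safety": ["guardrail_decision", "DLP_decision", "prompt_injection_score"],
    "quality": ["groundedness_score", "human_review_decision"],
    "cost": ["total_cost"],
    "audit": ["trace_id", "request_id", "retention_class", "redaction_status"],
}

# Constructed sample: a base record plus per-request overrides (all values made up).
_BASE = {"use_case_id": "aml_copilot", "risk_tier": "tier1", "workflow_step": "sar_draft",
         "case_id": "C-0", "model_alias": "narrative-v3", "model_version": "2026.06",
         "prompt_version": "3.2", "index_version": "2026.06.28", "citation_doc_ids": ["pol-1"],
         "source_trust": "authoritative", "freshness_days": 12, "tool_name": "case_lookup",
         "policy_decision": "allow", "guardrail_decision": "allow", "DLP_decision": "pass",
         "prompt_injection_score": 0.02, "groundedness_score": 0.91,
         "human_review_decision": "accept", "total_cost": 0.04, "trace_id": "t-0",
         "request_id": "r-0", "retention_class": "regulated_7y", "redaction_status": "redacted"}

def _rec(n: int, **over) -> str:
    r = dict(_BASE, trace_id=f"t-{n}", request_id=f"r-{n}", case_id=f"C-{n}")
    r.update(over)
    return json.dumps(r)

SAMPLE_JSONL = "\n".join([
    _rec(1), _rec(2),
    _rec(3, human_review_decision="reject", groundedness_score=0.41),
    _rec(4, human_review_decision="reject", groundedness_score=0.55, freshness_days=120),
    _rec(5, DLP_decision="block"),
    _rec(6, total_cost=0.61),            # ~15x the typical cost: loop suspect
    _rec(7, policy_decision="deny"),     # tool gateway denied the proposal
])
# One record missing audit fields, to show the readiness gap report.
SAMPLE_JSONL += "\n" + json.dumps({k: v for k, v in json.loads(_rec(8)).items()
                                    if k not in ("retention_class", "redaction_status")})

def parse_traces(jsonl: str) -> List[dict]:
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]

def readiness_gaps(traces: List[dict]) -> Dict[str, Dict[str, List[str]]]:
    """trace_id -> {field group -> missing required fields}; empty dict means ready."""
    gaps = {}
    for t in traces:
        missing = {g: [f for f in fs if f not in t] for g, fs in REQUIRED_FIELDS.items()}
        missing = {g: fs for g, fs in missing.items() if fs}
        if missing:
            gaps[t.get("trace_id", "<no trace_id>")] = missing
    return gaps

def detect_signals(traces: List[dict], groundedness_min=0.7, reject_rate_max=0.2,
                   cost_multiplier=5.0) -> Dict[str, List[str]]:
    """Map an 8.1 signal name to the trace_ids that raised it (per use case where relevant)."""
    signals: Dict[str, List[str]] = defaultdict(list)
    by_use_case: Dict[str, List[dict]] = defaultdict(list)
    for t in traces:
        by_use_case[t.get("use_case_id", "?")].append(t)
        if t.get("groundedness_score", 1.0) < groundedness_min:
            signals["citation_support_failure"].append(t["trace_id"])
        if t.get("DLP_decision") == "block":
            signals["dlp_hit"].append(t["trace_id"])
        if t.get("policy_decision") == "deny":
            signals["tool_policy_denied"].append(t["trace_id"])
    for uc, ts in by_use_case.items():
        rejects = [t["trace_id"] for t in ts if t.get("human_review_decision") == "reject"]
        if len(rejects) / len(ts) > reject_rate_max:
            signals[f"human_reject_spike:{uc}"] = rejects
        costs = [t["total_cost"] for t in ts if "total_cost" in t]
        base = median(costs) if costs else 0
        for t in ts:
            if base and t.get("total_cost", 0) > cost_multiplier * base:
                signals["cost_per_case_spike"].append(t["trace_id"])
    return dict(signals)

# 8.1 signal -> taxonomy categories the war room should consider first (assumed mapping).
SIGNAL_TO_CATEGORIES = {
    "citation_support_failure": ["hallucination", "bad retrieval", "index poisoning"],
    "dlp_hit": ["PII leak", "secrets leak", "cross-tenant data"],
    "tool_policy_denied": ["prompt injection", "excessive agency", "permission issue"],
    "human_reject_spike": ["hallucination", "bad retrieval", "policy bypass", "model drift"],
    "cost_per_case_spike": ["loop", "long-context expansion", "abuse", "vendor route change"],
}

def triage_candidates(signals: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Signal (per-use-case suffix stripped) -> candidate taxonomy categories."""
    return {s: SIGNAL_TO_CATEGORIES[s.split(":")[0]] for s in signals}
```

The readiness report is the check to run before an incident, not during one: a trace that lacks `redaction_status` or `retention_class` cannot be placed in the 8.2 evidence pack without a manual data-handling decision.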

9. Postmortem: Blameless, but Never Actionless

Quality bar for an AI postmortem:

| Bad postmortem | Good postmortem |
|---|---|
| "The model hallucinated; we optimized the prompt" | States which model / prompt / index / policy / tool / workflow combination failed, why the controls did not catch it, and how non-recurrence will be verified |
| "The user's phrasing was too tricky" | Identifies whether the product boundary, answerability gate, fallback and user education were insufficient |
| "The agent did not review carefully" | Analyzes whether the human review interface provided evidence, risk cues, diff highlighting and enough time |
| "The vendor changed the model" | Checks vendor change notice, model pinning, canary eval, route policy and exit plan |
| "Monitoring has been strengthened" | Specifies the new metrics, thresholds, owner, alert route, drills and validation samples |

9.1 Postmortem Template

# AI Incident Postmortem: AML Copilot Bad Retrieval, 2026-06-29

## 1. Executive Summary

- Incident ID: AI-INC-AML-2026-001
- Severity: SEV1
- Status: Contained, restart pending Reliability Review Board approval
- Use case: AML Copilot evidence summary and SAR narrative draft
- Business owner: Head of AML Operations
- Incident commander: AI Platform SRE Lead
- Detection time: 2026-06-29 09:42 America/Chicago
- Containment time: 2026-06-29 10:18 America/Chicago
- Recovery time: 2026-06-30 16:00 America/Chicago after regression approval
- Customer / business impact: 23 AML cases required analyst re-review; no customer-facing message sent
- Regulatory / privacy / security exposure: Potential regulatory narrative quality risk; no PII leakage and no SAR submission confirmed
- Current residual risk: Low after index rollback, narrative freeze and freshness regression

## 2. What Happened

- Observable symptom: Senior analyst found SAR draft citing a typology retired in 2026-Q1
- AI failure category: Bad retrieval and hallucinated regulated narrative
- Affected users / cases / customers / transactions: 9 analysts, 23 AML cases, 0 customer contacts, 0 submitted SARs
- Affected AI components: AML policy index v2026.06.28, retrieval filter v1.7, narrative prompt v3.2
- First known bad version: index-aml-policy-2026.06.28
- Last known good version: index-aml-policy-2026.06.21

## 3. Impact

| Impact area | Assessment | Evidence |
|---|---|---|
| Customer harm | No direct customer impact; cases stayed in analyst workflow | case_state_query_2026_06_29.csv |
| Operational impact | 23 cases re-reviewed; analyst queue delayed by 4.5 hours | AML queue dashboard snapshot |
| Financial impact | No direct loss; 18 analyst hours used for re-review | workforce impact estimate |
| Regulatory / compliance | Potential SAR quality risk if drafts had been submitted | SAR submission cross-check showing zero submitted |
| Data / privacy | No PII leaked outside approved systems | DLP report DLP-AML-2026-001 |
| Security | No prompt injection or external access found | SIEM query and context payload review |
| Reputation | Internal operational issue; no external communication required | Legal / Compliance decision log |

## 4. Timeline

| Time | Event | Owner | Evidence |
|---|---|---|---|
| 09:42 | Analyst reports outdated typology in SAR draft | AML QA Lead | QA ticket AML-QA-7782 |
| 09:50 | IC opens SEV1 war room and assigns scribe | AI Platform SRE Lead | incident channel export |
| 10:05 | Impact query identifies 23 affected cases | Data Engineer | impacted_case_query.sql |
| 10:18 | SAR narrative generation disabled; evidence summary remains read-only | Platform Lead | route_policy_change_2026_06_29 |
| 10:31 | Index rolled back to v2026.06.21 | RAG Owner | index manifest diff |
| 12:10 | Analysts complete first 10 case re-reviews | AML Operations | QA review sample |
| 16:40 | No submitted SARs found for affected drafts | Compliance | SAR submission reconciliation |

## 5. Detection

- Which signal detected the issue: Human QA by senior AML analyst
- Which signal should have detected it earlier: Freshness regression in the index release gate
- Detection gap: Citation checker validated source existence but not effective date
- Alert / dashboard changes: Added retired-source citation alert and freshness breach tile

## 6. Containment and Recovery

- Immediate containment: Disabled SAR narrative draft generation for AML Copilot
- Rollback / route / kill switch used: L1 response mode switch plus index rollback to v2026.06.21
- Fallback experience: Analysts receive evidence summary and link to policy portal; narrative written manually
- Recovery validation: 50 AML golden cases, 10 retired-typology adversarial cases and 23 affected cases rechecked
- Restart approval: Required from Model Risk, AML Business Owner and AI Reliability Review Board

## 7. Root Cause and Contributing Factors

### Direct root cause

The AML RAG index release included retired typology guidance without effective-date filtering, allowing outdated evidence to support generated SAR narrative text.

### Contributing factors

| Factor | Explanation | Control gap |
|---|---|---|
| Product boundary | Narrative generation was allowed for all AML typology questions | No high-risk narrative freshness gate |
| Architecture | RAG index and narrative prompt were released independently | Component release coupling missing |
| Data / RAG | Retired documents remained searchable with low metadata quality | Effective-date filter and source owner approval missing |
| Model / prompt | Prompt encouraged concise narrative even when evidence was stale | Answerability instruction did not include retired-source refusal |
| Tool / workflow | No external write tool was involved | Tool control worked as designed |
| Monitoring | Citation support did not check source validity period | Freshness metric absent |
| Human review | Analyst QA caught the issue before submission | Human review worked but late in workflow |
| Governance | Index release did not require Model Risk review for retired policies | Gate scope too narrow |

## 8. Why Existing Controls Failed

| Control | Expected behavior | Actual behavior | Fix |
|---|---|---|---|
| Citation checker | Ensure narrative claims are supported by cited evidence | Confirmed document existed but ignored retirement date | Add effective-date validation and retired-source block |
| Index release gate | Prevent stale or unauthorized policy from entering production | Checked document count and ACL only | Add source owner approval and freshness regression |
| Human review | Catch low-quality narrative before regulatory submission | Caught issue before submission | Move freshness alert earlier in workflow |

## 9. Corrective Actions

| Action ID | Action | Owner | Due date | Verification evidence | Closure approver |
|---|---|---|---|---|---|
| CA-AML-001 | Add effective-date filter to AML retrieval | RAG Owner | 2026-07-03 | 60-case retrieval regression pass | Model Risk |
| CA-AML-002 | Block narrative generation when citation freshness fails | AI Platform Lead | 2026-07-05 | 10 retired-typology cases refused or escalated | AML Business Owner |
| CA-AML-003 | Add AML index release owner approval | Data Governance Lead | 2026-07-08 | signed source manifest in evidence binder | Compliance |

## 10. Regression and Recurrence Prevention

- New eval cases: 50 AML SAR narrative golden cases with citation support and freshness assertions
- New adversarial cases: 10 retired typology and conflicting policy cases
- New monitoring: retired-source citation rate, freshness_days p95, narrative blocked by freshness gate
- Release gate changes: AML index release requires source owner approval and freshness regression pass
- Architecture decision records: ADR-AML-004 requires evidence freshness gate before regulated narrative generation
- Runbook changes: Bad retrieval containment now requires index rollback plus affected case query
- Game day scenario added: AML retired typology tabletop for quarterly reliability exercise

## 11. Communication

- Customer communication: Not required because no customer-facing output or account action occurred
- Regulator / examiner communication: Prepared evidence pack for examiner request; no proactive notice recommended by Legal / Compliance
- Board / executive communication: Included in monthly AI risk dashboard as SEV1 contained incident
- Internal operations guidance: AML analysts instructed to use manual narrative drafting until restart approval

## 12. Residual Risk Decision

- Residual risk: Low for restarted narrative generation after freshness gate; medium for same-day policy updates until source SLA improves
- Risk owner: Head of AML Operations
- Accepted / rejected / requires additional controls: Accepted with source-owner SLA and monthly freshness audit
- Next review date: 2026-08-15 AI Reliability Review Board

9.2 Root Cause Tree for AI Incidents

| Layer | Questions |
|---|---|
| Business boundary | Was the AI allowed to handle this intent, customer type, region, product or risk tier? |
| Data source | Is the evidence authoritative, current, accessible, permission-filtered and traceable? |
| Retrieval | Did query rewriting, filters, top_k, reranker and citations bring the right evidence into context? |
| Prompt / policy | Are instructions conflicting, too broad, or blind to the difference between trusted and untrusted context? |
| Model | Was the model upgraded, did the route or parameters change, did capability or refusal behaviour shift? |
| Tool | Are tool permissions, schema, approval, idempotency, rollback and side effects under control? |
| Judge / guardrail | Does blocking or scoring cover this failure mode, and was it bypassed or did it drift? |
| Human review | Did reviewers see enough evidence, and did they have the time, authority and process to override the AI? |
| Monitoring | Do quality, safety, cost, latency and business outcomes have thresholds and owners? |
| Governance | Did the change pass a gate, was the risk formally accepted, and is the owner clear? |

10. Corrective Action Register

The goal of a corrective action is not to close a Jira ticket; it is to reduce the probability or blast radius of recurrence. Every action item must have verification evidence.

| Field | Standard | Acceptable example |
|---|---|---|
| Action ID | Linked to the incident ID | CA-AML-2026-001 |
| Failure mode | Maps to the taxonomy | Bad retrieval + hallucinated SAR narrative |
| Control objective | The risk to be reduced | High-risk AML narratives must be supported by valid evidence |
| Action | Executable change | Add a citation support gate; below threshold, output the evidence summary only |
| Owner | Single accountable person | AML AI Platform Lead |
| Due date | Explicit date | 2026-07-12 |
| Verification evidence | Reviewable result | All 50 SAR golden cases pass; 10 expired-typology cases refused |
| Risk reduction | Expected effect | Lower probability of wrong narratives entering the analyst workflow |
| Residual risk | Risk that still remains | A freshness gap may still exist on the day a new typology is published |
| Closure approver | Person authorized to close | Model Risk + AML Business Owner |
| Next review | Prevents fake closure of the action | 2026-08-15 review board |

10.1 Action Types

| Type | Examples | When to use |
|---|---|---|
| Eval action | New golden / adversarial / regression cases | Incident samples can become repeatable tests |
| Architecture action | Add policy engine, tool gateway, route isolation, index manifest | Root cause is insufficient boundaries and controls |
| Product action | Narrow the use case, change disclosure, add a human entry point, restrict answer types | AI was placed in an unsuitable customer journey |
| Data action | source trust, owner approval, freshness SLO, ACL, data contract | RAG / data lineage is the root cause |
| Operations action | alert, runbook, on-call, war room, rollback drill | Slow response, late detection, insufficient evidence |
| Governance action | review board, approval gate, risk acceptance, policy update | Decision chain or accountability boundary unclear |
| Vendor action | SLA, model pinning, change notice, exit plan, support escalation | External dependency caused or amplified the incident |

10.2 Recurrence Prevention Ladder

| Level | Prevention strength | Example |
|---|---|---|
| L0 Manual reminder | Relies on people remembering | Only training agents to "check the citations" |
| L1 Checklist | Relies on a process prompt | Check prompt / index version before release |
| L2 Monitoring | Can detect | bad citation rate alert |
| L3 Gate | Can block a release | CI blocks prompt / index release when eval fails |
| L4 Runtime control | Can block in real time | answerability gate, DLP, tool gateway, policy engine |
| L5 Architectural isolation | Can limit blast radius | model route isolation, read-only mode, tenant boundary, kill switch |
| L6 Governance system | Can keep learning | review board, audit sample, game day, risk appetite update |

Action items from a postmortem should reach at least L3; the core failures of SEV0 / SEV1 incidents should be designed to L4 or L5 first.


11. Architecture and Product Mapping

11.1 From Incident Type to Architecture Control

| Incident type | Product decision | Architecture control | Governance evidence |
|---|---|---|---|
| Bad retrieval | Define which answers must cite authoritative sources | Source registry, ACL filter, index manifest, citation checker | Data owner approval, retrieval eval report |
| Hallucination | Move high-risk answers from free generation to template / citation summary | Answerability classifier, groundedness gate, template composer | Prompt approval, quality dashboard |
| Policy bypass | Externalize business rules out of the prompt | Policy engine, intent classifier, decision table, guardrail trace | Compliance sign-off, policy version log |
| Tool misuse | Define read / draft / act boundaries | Tool gateway, ABAC, dual control, idempotency, dry-run | Permission matrix, approval evidence |
| PII leak | Restrict input, output, log and egress fields | DLP, field redaction, egress gateway, log masking | Privacy impact record, DLP test |
| Cost spike | Define unit economics per outcome | Cost ledger, quota, route policy, cache, loop detector | Budget review, FinOps dashboard |
| Latency degradation | Set a risk-tiered response experience | Fast path, async review, timeout budget, fallback response | SLO document, capacity test |
| Model drift | Treat a model upgrade as a material change, never a transparent minor one | Model alias pinning, canary, shadow eval, rollback | Change approval, eval comparison |
| Prompt injection | Isolate untrusted content from tool permissions | Context labeling, sandbox, tool approval, memory write policy | Red-team report, ATLAS mapping |

11.2 AI Reliability ADR Template

# ADR-AML-004: Require Evidence Freshness Gate Before SAR Narrative Generation

## Context

- Incident / risk trigger: AI-INC-AML-2026-001 showed SAR narrative could cite retired typology guidance
- Affected use case: AML Copilot SAR narrative drafting
- Risk tier: Tier 1 regulated decision-support workflow
- Current weakness: Citation checker verifies support but does not verify source effective date or retirement status

## Decision

- Chosen architecture / product control: Add evidence freshness gate before narrative generation; stale evidence forces evidence-summary-only mode
- Components changed: Retrieval metadata filter, citation checker, narrative composer, release gate
- Runtime behavior: If any cited AML policy source is retired or outside effective date, the system refuses narrative generation and escalates to analyst manual drafting
- Rollback approach: Disable freshness gate through controlled feature flag only after IC and Model Risk approval; default fallback is evidence-summary-only mode

## Options Considered

| Option | Benefit | Risk | Decision |
|---|---|---|---|
| Prompt-only warning | Fast to implement | Model may still use stale evidence under pressure | Rejected |
| Freshness gate before narrative | Blocks stale regulated narrative at runtime | Some valid edge cases require manual drafting | Chosen |
| Full narrative shutdown | Maximum safety | Removes productivity benefit for low-risk summaries | Reserved for SEV1 containment |

## Consequences

- Reliability impact: Reduces recurrence of stale-source SAR narrative and creates auditable block events
- Customer impact: No direct customer-facing impact; analyst workflow may require more manual drafting during stale-source periods
- Cost / latency impact: Adds citation metadata check with negligible latency; may increase manual review hours
- Governance impact: AML source owner approval becomes mandatory for index release
- Residual risk: Same-day policy changes can still create a temporary gap until source SLA is met

## Verification

- Eval cases: 50 AML golden cases and 10 retired-source adversarial cases
- Monitoring: retired-source block rate, freshness_days p95, manual drafting escalation count
- Game day scenario: Quarterly AML retired typology tabletop
- Review board approval: Required before re-enabling narrative generation
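The runtime rule the ADR above describes (any cited source that is retired or outside its effective window forces evidence-summary-only mode and emits an auditable block event), written out as an added example. This is not code from the playbook or from any real AML product: the `SourceRecord` fields, the sample registry entries, the incident date `AS_OF`, and the `freshness_gate` / `block_rate` helpers are all constructed assumptions.

```python
"""Evidence freshness gate in front of regulated narrative generation.

Added example, not code from the playbook or any real AML product. It implements
the ADR-AML-004 runtime rule: if any cited source is retired or outside its
effective window, narrative generation is refused and the request falls back to
evidence-summary-only mode with an auditable block event. Registry fields, sample
source IDs and function names are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class SourceRecord:
    """Metadata the index manifest is assumed to carry per policy source."""
    source_id: str
    effective_from: date
    effective_to: Optional[date]   # None means still in force
    retired: bool = False


@dataclass
class FreshnessDecision:
    mode: str                                  # "narrative" or "evidence_summary_only"
    stale_sources: list = field(default_factory=list)
    block_event: Optional[dict] = None


# Constructed sample registry (not real AML guidance identifiers).
SAMPLE_REGISTRY = {
    "TYP-2023-07": SourceRecord("TYP-2023-07", date(2023, 7, 1), date(2025, 1, 14), retired=True),
    "TYP-2025-01": SourceRecord("TYP-2025-01", date(2025, 1, 15), None),
    "POL-2024-03": SourceRecord("POL-2024-03", date(2024, 3, 1), date(2026, 5, 31)),
}
AS_OF = date(2026, 6, 30)  # constructed "today" for the example


def is_fresh(src: SourceRecord, as_of: date) -> bool:
    """Fresh only if not retired and as_of lies inside the effective window."""
    if src.retired or as_of < src.effective_from:
        return False
    if src.effective_to is not None and as_of > src.effective_to:
        return False
    return True


def freshness_gate(citations, registry, as_of: date, case_id: str) -> FreshnessDecision:
    """Decide whether narrative generation may proceed for one case.

    Fails closed: a citation missing from the registry counts as stale, because
    the gate cannot prove it is current.
    """
    stale = sorted(
        sid for sid in citations
        if registry.get(sid) is None or not is_fresh(registry[sid], as_of)
    )
    if not stale:
        return FreshnessDecision(mode="narrative")
    # The block event is both the monitoring signal (retired-source block rate)
    # and the audit record the ADR's Consequences section relies on.
    event = {
        "event": "retired_source_block",
        "case_id": case_id,
        "as_of": as_of.isoformat(),
        "stale_sources": stale,
        "fallback": "evidence_summary_only",
        "escalation": "analyst_manual_drafting",
    }
    return FreshnessDecision(mode="evidence_summary_only", stale_sources=stale, block_event=event)


def block_rate(decisions) -> float:
    """Share of gated requests that were blocked; feeds the dashboard tile."""
    if not decisions:
        return 0.0
    blocked = sum(1 for d in decisions if d.mode == "evidence_summary_only")
    return blocked / len(decisions)


if __name__ == "__main__":
    batch = [
        freshness_gate(["TYP-2025-01"], SAMPLE_REGISTRY, AS_OF, "CASE-1"),
        freshness_gate(["TYP-2025-01", "TYP-2023-07"], SAMPLE_REGISTRY, AS_OF, "CASE-2"),
        freshness_gate(["POL-2024-03"], SAMPLE_REGISTRY, AS_OF, "CASE-3"),
    ]
    for d in batch:
        print(d.mode, d.stale_sources, d.block_event)
    print("block rate:", block_rate(batch))
```

The gate sits before the narrative composer, so a stale citation never reaches generation; the block event carries the case ID and the stale source IDs so the affected population query can later join on them.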

11.3 Release Gate After Incident

| Gate | Required evidence |
|---|---|
| G1 Scope gate | Use case boundary updated; forbidden uses explicit; fallback owner confirmed |
| G2 Component gate | model / prompt / index / tool / policy version map complete |
| G3 Eval gate | Incident samples added to the golden set; regression passed; expert sample passed |
| G4 Security / privacy gate | DLP, prompt injection, tool misuse, egress and log masking tests passed |
| G5 Operations gate | runbook, kill switch, on-call, alert and dashboard updated |
| G6 Governance gate | Model Risk / Compliance / Business Owner have decided on residual risk |
| G7 Restart gate | Phased ramp-up plan, rollback condition and monitoring window explicit |

12. Customer / Regulator / Board Communication

Communication is not PR messaging; it is part of the control plane. The earlier structured facts are prepared, the fewer vague commitments get made under pressure.

12.1 Communication Matrix

| Audience | Key questions | Do not say | Prepare |
|---|---|---|---|
| Customers | Am I affected, what happened, how is it remediated, do I need to act | "AI is occasionally wrong", "we have optimized the model" | facts, impact, remediation, human channel, timeline, follow-up notice |
| Frontline / Operations | How to handle customers, cases, exceptions and manual queues right now | "use your judgment for now" | interim SOP, scripts, escalation conditions, affected case list |
| Executives | Scope of impact, risk, recovery, remediation cost, next decision | technical detail only | SEV, impact, containment, customer/regulatory exposure, decision needed |
| Board / Risk Committee | Does this touch risk appetite, did controls fail, is governance effective | "the project team will fix it" | root cause theme, risk appetite, corrective action, accountability, timeline |
| Regulator / Examiner | Does this affect regulated obligations, customer rights, data, model risk, third parties | unconfirmed legal conclusions | verified facts, controls, affected population, remediation, evidence path |
| Vendor | Did the vendor cause it, what evidence is needed, is the SLA triggered | verbal description only | trace sample, timestamps, model/route IDs, contract notice, RCA request |

12.2 Executive Update Template

# AI Incident Executive Update

- Incident ID:
- Severity:
- Current status:
- Affected capability:
- What happened:
- Customer / business impact:
- Data / privacy / security exposure:
- Regulatory exposure:
- Containment completed:
- Remaining risk:
- Decisions needed:
- Next update time:

12.3 Regulator / Examiner Response Pack

| Section | Content |
|---|---|
| Factual summary | Verified facts, timeline, scope of impact; no speculation |
| System description | AI system, workflow, human role, model/RAG/tool components |
| Control design | Pre-release controls, monitoring, human review, policy, DLP, tool gateway |
| Control failure | Which controls did not take effect and why |
| Customer impact | Affected parties, remediation, notification, complaint handling |
| Remediation | containment, corrective actions, completion evidence |
| Governance | owner, review board, risk acceptance, management oversight |
| Evidence index | Paths to trace, logs, evals, approval, communication, postmortem |

12.4 Board Brief Structure

| Slide | Content |
|---|---|
| 1. Incident summary | SEV, timeline, impact, current status |
| 2. Business and customer impact | Customers, employees, cases, funds, complaints, brand |
| 3. Risk and control view | Failed controls, residual risk, effect on risk appetite |
| 4. Management action | containment, corrective actions, owner, due date |
| 5. Governance ask | What the board needs to be informed of, approve, fund, accept as risk or oversee |

13. AI Reliability Review Board

The AI Reliability Review Board is not a large committee; it is the operating gate for high-risk AI systems. It puts incidents, eval regressions, architecture changes, model updates, vendor changes and risk acceptance on the same decision table.

13.1 Charter

| Item | Content |
|---|---|
| Mission | Reduce the recurrence probability and blast radius of AI incidents; ensure that release, change, restart and residual risk for high-risk AI use cases have evidence, an owner and an approval |
| Scope | Tier 1 / Tier 2 AI systems; SEV0-SEV2 incidents; high-risk model/prompt/index/tool/policy changes |
| Decision rights | approve restart, require additional controls, block release, accept residual risk, escalate to executive risk committee |
| Members | AI Product, AI Platform, Architecture, SRE, Security, Privacy, Model Risk, Compliance, Business Owner, Audit observer |
| Cadence | SEV0/1 event-driven; SEV2 weekly; otherwise monthly reliability review |
| Inputs | incident postmortem, eval trend, SLO breach, cost trend, red-team result, vendor notice, customer complaint trend |
| Outputs | decision log, corrective action status, risk acceptance, architecture ADR, game day backlog |

13.2 Review Agenda

| Agenda item | Decision question |
|---|---|
| Open incidents | Is containment real, and does customer/regulatory risk remain |
| Corrective actions | Are there overdue, falsely closed, or unverified action items |
| Eval and drift | Which models / prompts / indexes / tools show quality or safety regression |
| SLO / cost / latency | Has an error budget or budget guardrail been triggered |
| Customer harm signals | Are complaints, human escalations, rejection rates or remediation errors abnormal |
| Vendor changes | Is re-validation, model pinning or an exit test needed |
| Game day findings | Have exercise findings entered the release gate and runbook |

13.3 Decision Categories

| Decision | Criteria | Evidence |
|---|---|---|
| Restart approved | containment complete, fix passed regression, monitoring window explicit | eval report, trace sample, owner sign-off |
| Restart with restrictions | Core risk reduced, but residual risk still needs limits | disabled intent, human review, traffic cap |
| Continue shutdown | Impact or root cause unclear; control effectiveness cannot be shown | incomplete RCA, failed regression, unresolved privacy/legal issue |
| Risk accepted | Business decides to accept residual risk with compensating controls | risk memo, business sign-off, review date |
| Escalate | Beyond the board's authority or touching regulatory/board risk appetite | executive memo, legal/compliance analysis |

14. Game Days and Tabletops

The goal of a game day is not to perform maturity but to expose the real weaknesses of the system, the process and the organization under pressure.

14.1 Game Day Design Principles

| Principle | Explanation |
|---|---|
| Based on real traces | Use production-like requests, knowledge bases, tool permissions and roles, not only abstract stories |
| Cover cross-functional decisions | PM, Architect, SRE, Security, Privacy, Model Risk and Compliance all have to decide |
| Exercise evidence preservation | Check whether prompt, index, retrieval, tool, DLP, approval and impacted population can actually be found |
| Exercise the kill switch | Do not just discuss whether to shut down; actually verify configuration, permissions and recovery steps |
| Produce action items | Every exercise must yield corrective actions and owners |

14.2 Tabletop Scenarios

| Scenario | Inject | Expected decisions | Evidence to test |
|---|---|---|---|
| Bad retrieval in AML copilot | Analyst finds a SAR narrative citing a retired typology | Stop narrative generation, roll back index, identify affected cases, Model Risk review | index manifest, retrieved docs, case list, regression eval |
| KYC assistant PII leak | Customer ID document summary appears in an external vendor ticket | Shut off egress, privacy workflow, log scan, vendor notice | egress log, DLP decision, affected records, retention |
| Payment dispute agent tool misuse | Agent submits provisional credit repeatedly | Disable write tools, reverse duplicate actions, check idempotency, customer remediation | tool span, approval ID, transaction ledger, compensation |
| Customer-facing AI hallucination | Customer is told about a fee waiver right that does not exist | Shut off free generation, publish agent scripts, identify customers, complaint handling | output samples, customer IDs, policy source, QA decisions |
| Prompt injection via uploaded PDF | Complaint attachment induces the Agent to call an external email tool | Isolate upload path, shut off outbound tools, security incident triage | malicious payload, context label, tool proposal, blocked/allowed decision |
| Cost spike via loop | Planner repeats retrieval and judge, cost rises 8x | Budget circuit breaker, rate limit, shut off retry loop, restore unit cost | cost ledger, trace loop, route policy, quota |
| Latency degradation | p95 goes from 8s to 35s, manual queue backs up | Downgrade model, async processing, reduce rerank, update business SLA | latency spans, queue wait, fallback success |
| Model drift after vendor upgrade | Fail rate on the same golden set goes from 3% to 18% | Pin old model, pause rollout, vendor RCA, shadow eval | model alias, eval diff, vendor notice, route log |

14.3 Game Day Scorecard

| Dimension | 1 - Weak | 3 - Adequate | 5 - Strong |
|---|---|---|---|
| Detection | Found only by humans | Some alerts, but signals are scattered | Automatic alert hits the failure mode, owner is clear |
| Triage | Arguing over category and SEV | Initial call within 30 minutes | SEV, blast radius and war room clear within 15 minutes |
| Containment | Nobody knows what to shut off | Main paths can be shut off manually | Kill switch is layered, verifiable and reversible |
| Evidence | Versions or traces cannot be found | Core logs can be found | trace, versions, impact query and tool side effects complete |
| Communication | Technical updates hard for the business to understand | Basic executive update exists | Customer/regulator/board versions are clear and factually consistent |
| Prevention | Action items only written down | Owner and due date exist | Action items have regression evidence and review board closure |

15. Retail Financial Services AI Incident Cases

15.1 AML Copilot: Bad Retrieval Creates SAR Narrative Risk

| Item | Content |
|---|---|
| System | AML Copilot that summarizes alert evidence for analysts and drafts the SAR narrative |
| Failure | RAG retrieved retired typology guidance; the model wrote the old rule up as the current risk rationale |
| Severity | SEV1; escalates to SEV0 if the narrative was already submitted to the regulator |
| Detection | Senior analyst QA found the narrative conflicting with current policy; the citation checker did not check effective date |
| Containment | Shut off automatic SAR narrative drafting, keep evidence summary only; roll back the index; manual review of all high-risk cases |
| Root cause | Index manifest carried no policy effective date; retriever freshness filter not enabled; release gate had no retired-typology regression |
| Corrective actions | Add freshness SLO; policy source owner approval; 50 AML regression cases; narrative output must carry a citation support score |
| Portfolio artifact | AML AI Incident Postmortem + Retrieval Freshness ADR + SAR Narrative Regression Pack |

15.2 KYC Assistant: PII Sent to a Vendor System

| Item | Content |
|---|---|
| System | KYC document review assistant that automatically summarizes customer identity evidence and missing items |
| Failure | Assistant wrote a customer ID document summary into an external vendor support ticket; the ticket system was outside the approved processing scope |
| Severity | SEV1; SEV0 if it includes ID numbers at scale or cross-border processing |
| Detection | DLP at the egress gateway matched an ID number pattern; privacy alert escalated automatically |
| Containment | Shut off the outbound ticket tool; clean up the vendor ticket; enable legal hold; identify affected customers; pause related log exports |
| Root cause | Tool gateway did not distinguish internal case notes from external support tickets; DLP was enabled only on the final answer, not on tool payloads |
| Corrective actions | Egress policy bound to purpose; tool input field redaction; vendor processor matrix updated; PII leak adversarial eval |
| Portfolio artifact | KYC PII Incident Pack + Egress Policy Matrix + DLP Regression Evidence |

15.3 Payment Dispute Agent: Tool Misuse Causes Duplicate Provisional Credit

| Item | Content |
|---|---|
| System | Payment dispute handling Agent that reads dispute material, suggests next steps and drafts customer notices |
| Failure | After a retry the Agent called the provisional credit tool again; the idempotency key was not bound to dispute ID and amount |
| Severity | SEV1; SEV0 if funds are affected in bulk or cannot be reversed |
| Detection | Account reconciliation found two provisional credits for the same dispute; tool side-effect alert lagged |
| Containment | Disable write tools; switch to read-only advisory mode; freeze affected disputes; start customer and ledger remediation |
| Root cause | Tool schema did not require an idempotency key; approval UI did not show already-executed actions; retry policy did not recognize side effects |
| Corrective actions | Mandatory idempotency for write tools; approval ledger; retries may not repeat side effects; quarterly payment game day |
| Portfolio artifact | Payment Agent Tool Misuse Postmortem + Tool Permission / Idempotency ADR |

15.4 Customer-Facing AI: Incorrect Fee Waiver Promise

| Item | Content |
|---|---|
| System | Credit card customer service AI; customers ask directly about fees, disputes, entitlements and complaints |
| Failure | AI fabricated a policy that "the annual fee can be waived once unconditionally"; customers took it as a commitment by the bank |
| Severity | SEV1, because it is customer-visible and concerns fees and rights; SEV0 if it spreads at scale |
| Detection | Abnormal rise of fee waiver keywords in the complaint system; QA sampling confirmed the AI output had no source support |
| Containment | Shut off free-form answers on fee policy; switch to template + authoritative API; route affected customers to human remediation |
| Root cause | Answerability gate did not cover fee commitments; UI disclosure did not distinguish general information from formal commitments; citation was optional |
| Corrective actions | Template locking for all fee / rate / eligibility answers; complaint trigger dashboard; customer remediation script |
| Portfolio artifact | Customer-Facing AI Incident Memo + Regulated Conversation Boundary Card |

15.5 Fraud Review Copilot: Model Drift Degrades False-Positive Explanations

| Item | Content |
|---|---|
| System | Fraud review Copilot that helps operations explain why a transaction was blocked and suggests next steps |
| Failure | After a vendor model upgrade, explanations became more confident but carried less evidence; human override rose from 6% to 19% |
| Severity | SEV2; SEV1 if it leads to wrongful account freezes or rejected appeals |
| Detection | Human reject spike + scheduled golden set eval failure |
| Containment | Pin previous model; expand human review; pause the new model rollout |
| Root cause | Model alias was not pinned; vendor change notice never entered the AI release gate; shadow eval samples did not cover freeze explanations |
| Corrective actions | Model alias pinning; vendor change intake; fraud explanation golden set; review board restart approval |
| Portfolio artifact | Model Drift Incident Review + Vendor Change Gate Checklist |

16. Templates and Artifacts

16.1 AI Incident Intake Card

| Field | Example |
|---|---|
| Incident ID | AI-INC-2026-001 |
| Reporter | AML QA Lead |
| Detection channel | Human QA + citation support alert |
| Use case | AML Copilot SAR narrative |
| Suspected category | Bad retrieval / hallucination |
| Initial SEV | SEV1 |
| Customer / regulatory exposure | Potential regulatory narrative quality issue; no submission confirmed |
| Active blast radius | 23 cases generated since index v2026.06.28 |
| Immediate ask | Disable SAR narrative generation and run affected case query |

16.2 Affected Population Query Spec

| Question | Query requirement |
|---|---|
| Which outputs may be affected | Query by prompt_version, index_version, model_route, time window, intent, risk_tier |
| Which customers or cases are affected | Join on case_id, customer_id, employee_id, channel, workflow_state |
| Did a tool side effect occur | Join on tool_call, approval_id, side_effect, ledger / case status |
| Already customer-visible or submitted to a regulator | Join on message_sent, document_exported, SAR_submitted, letter_generated |
| Already overridden by a human | Join on review_decision, edit_reason, override_time |
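The query spec above, run end to end as an added example (not code from the playbook): an in-memory SQLite copy of the trace fields the spec names, one query filtered by index version, intent, risk tier and time window, joined to tool side effects, then bucketed by exposure. The schema, the sample rows, the bad index version string and the `affected_population` helper are constructed assumptions.

```python
"""Affected population query over constructed trace data.

Added example, not code from the playbook. Runs the impact query spec against an
in-memory SQLite table of trace fields and buckets affected cases by exposure
(regulator submitted, customer visible, tool side effect, human overridden).
Schema, sample rows and the index version string are constructed.
"""
import sqlite3

SCHEMA = """
CREATE TABLE traces (
  trace_id TEXT PRIMARY KEY, ts TEXT, prompt_version TEXT, index_version TEXT,
  model_route TEXT, intent TEXT, risk_tier TEXT, case_id TEXT, customer_id TEXT,
  message_sent INTEGER, document_exported INTEGER, sar_submitted INTEGER,
  review_decision TEXT, override_time TEXT
);
CREATE TABLE tool_calls (
  trace_id TEXT, tool_call TEXT, approval_id TEXT, side_effect INTEGER
);
"""

# Constructed sample traces; the suspect index version is v2026.06.28.
SAMPLE_TRACES = [
    ("T1", "2026-06-28T09:10:00", "p7", "v2026.06.28", "route-a", "sar_narrative", "tier1", "C-1", "K-1", 0, 0, 0, "pending", None),
    ("T2", "2026-06-28T11:30:00", "p7", "v2026.06.28", "route-a", "sar_narrative", "tier1", "C-2", "K-2", 0, 1, 1, "approved", None),
    ("T3", "2026-06-29T08:00:00", "p7", "v2026.06.28", "route-a", "sar_narrative", "tier1", "C-3", "K-3", 0, 0, 0, "overridden", "2026-06-29T08:40:00"),
    ("T4", "2026-06-27T15:00:00", "p7", "v2026.06.20", "route-a", "sar_narrative", "tier1", "C-4", "K-4", 0, 1, 1, "approved", None),   # old index: out of scope
    ("T5", "2026-06-29T10:00:00", "p7", "v2026.06.28", "route-a", "evidence_summary", "tier2", "C-5", "K-5", 0, 0, 0, "pending", None),  # other intent
    ("T6", "2026-06-30T09:00:00", "p7", "v2026.06.28", "route-b", "sar_narrative", "tier1", "C-6", "K-6", 0, 0, 0, "approved", None),
    ("T7", "2026-07-02T09:00:00", "p8", "v2026.06.28", "route-a", "sar_narrative", "tier1", "C-7", "K-7", 0, 0, 0, "pending", None),   # after window
]
SAMPLE_TOOL_CALLS = [
    ("T6", "attach_narrative_to_case", "APR-31", 1),   # a real side effect
    ("T1", "lookup_typology", None, 0),                # read-only, not a side effect
]

IMPACT_SQL = """
SELECT t.trace_id, t.case_id, t.customer_id, t.sar_submitted, t.document_exported,
       t.message_sent, t.review_decision,
       COUNT(c.tool_call) AS side_effects
FROM traces t
LEFT JOIN tool_calls c ON c.trace_id = t.trace_id AND c.side_effect = 1
WHERE t.index_version = :index_version
  AND t.intent = :intent
  AND t.risk_tier = :risk_tier
  AND t.ts BETWEEN :window_start AND :window_end
GROUP BY t.trace_id
ORDER BY t.ts
"""


def load_sample_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO traces VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?)", SAMPLE_TRACES)
    con.executemany("INSERT INTO tool_calls VALUES (?,?,?,?)", SAMPLE_TOOL_CALLS)
    return con


def affected_population(con, index_version, intent, risk_tier, window_start, window_end) -> dict:
    """Answer the spec's five questions in one pass and bucket cases by exposure."""
    params = dict(index_version=index_version, intent=intent, risk_tier=risk_tier,
                  window_start=window_start, window_end=window_end)
    rows = con.execute(IMPACT_SQL, params).fetchall()
    result = {"affected_outputs": len(rows), "affected_cases": [], "affected_customers": [],
              "regulator_submitted": [], "customer_visible": [], "tool_side_effects": [],
              "human_overridden": [], "needs_manual_review": []}
    for _trace_id, case_id, customer_id, sar, exported, sent, decision, side_effects in rows:
        result["affected_cases"].append(case_id)
        result["affected_customers"].append(customer_id)
        if sar or exported:
            result["regulator_submitted"].append(case_id)
        if sent:
            result["customer_visible"].append(case_id)
        if side_effects:
            result["tool_side_effects"].append(case_id)
        if decision == "overridden":
            result["human_overridden"].append(case_id)   # already corrected by a person
        else:
            result["needs_manual_review"].append(case_id)
    return result


if __name__ == "__main__":
    db = load_sample_db()
    print(affected_population(db, "v2026.06.28", "sar_narrative", "tier1",
                              "2026-06-28T00:00:00", "2026-06-30T23:59:59"))
```

The buckets map directly onto the remediation worksheet: regulator_submitted cases drive the compliance conversation, tool_side_effects cases need ledger reversal checks, and human_overridden cases only need confirmation that the override was correct.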

16.3 Customer Remediation Worksheet

| Field | Fill-in standard |
|---|---|
| Affected segment | Customer type, product, region, time range |
| Harm hypothesis | Wrong fee, wrong rejection, wrong explanation, privacy exposure, delay, wrong compensation |
| Verification method | trace + CRM + transaction / case system cross-check |
| Remediation action | Corrected notice, fee adjustment, human callback, complaint escalation, data deletion request |
| Approval | Legal, Compliance, Business Owner, Customer Ops |
| Evidence | customer list hash, message template, completion status, exception log |

16.4 AI Reliability Dashboard Spec

| Tile | Metric | Threshold | Owner |
|---|---|---|---|
| Incident count by category | SEV0-SEV4 per month | SEV1+ immediate review | Reliability Lead |
| Bad retrieval rate | citation unsupported / stale / ACL fail | High-risk use case > 1% alert | Data / RAG Owner |
| Hallucination / groundedness | groundedness fail rate | Tier 1 > 0.5% alert | Model Risk |
| Tool policy violations | blocked / attempted / allowed high-risk tool calls | Any unexpected allowed high-risk call | Security / Tool Owner |
| PII / DLP | DLP hit by route and destination | Any external PII hit | Privacy |
| Cost unit economics | cost per resolved case / analysis / dispute | > approved budget guardrail | Platform PM / FinOps |
| Latency SLO | p95 TTFT / total / tool latency | breach for 3 intervals | SRE |
| Human reject / override | rejected outputs, edit distance, override reason | spike vs baseline | Business Ops |
| Eval regression | scheduled eval pass rate by version | high-risk fail blocks release | Validation |
| Corrective action aging | overdue, no evidence, repeated failure | overdue SEV1 action escalates | Review Board |

16.5 Reliability Review Board Packet

| Section | Content |
|---|---|
| Open incidents | SEV, status, owner, next decision |
| Closed incidents | postmortem link, RCA theme, closure evidence |
| Corrective actions | overdue, blocked, accepted risk, closed with evidence |
| Eval / drift | regressions, model changes, prompt / index changes |
| Security / privacy | injection attempts, PII events, tool gateway exceptions |
| SLO / cost | latency, availability, unit cost, error budget |
| Customer harm | complaints, handoff failure, remediation status |
| Decisions requested | restart, block release, accept residual risk, fund control |

17. 30-Day Lab: AI Incident and Reliability Portfolio Pack

Goal: within 30 days, build a presentable AI Incident / Postmortem / Reliability portfolio around one retail financial AI use case. Recommended main threads: AML Copilot, KYC Assistant, Payment Dispute Agent or Customer-Facing AI.

| Day | Task | Artifact |
|---|---|---|
| 1 | Choose the use case; define AI behaviour boundary, risk tier, forbidden uses | Use Case Boundary Card |
| 2 | Draw the system components: model, prompt, RAG, tool, policy, judge, human handoff | Component Map |
| 3 | Define the AI incident taxonomy; pick the 8-10 most relevant failure modes | Incident Taxonomy |
| 4 | Design the SEV0-SEV4 severity model | Severity Matrix |
| 5 | Design the incident command RACI and war room cadence | Incident Command Runbook |
| 6 | Define trace evidence fields | Evidence Schema |
| 7 | Design the AI reliability dashboard | Dashboard Spec |
| 8 | Write the bad retrieval scenario | Scenario Card 1 |
| 9 | Write the hallucination / policy bypass scenario | Scenario Card 2 |
| 10 | Write the tool misuse scenario | Scenario Card 3 |
| 11 | Write the PII leak scenario | Scenario Card 4 |
| 12 | Write the cost spike / latency degradation scenario | Scenario Card 5 |
| 13 | Write the model drift / eval regression scenario | Scenario Card 6 |
| 14 | Design the containment / rollback matrix | Rollback Matrix |
| 15 | Design the kill switch layers | Kill Switch Spec |
| 16 | Pick one scenario and write the full incident timeline | Incident Timeline |
| 17 | Write the affected population query spec | Impact Query Spec |
| 18 | Write the first postmortem draft | Postmortem Draft |
| 19 | Write the root cause tree and contributing factors | RCA Worksheet |
| 20 | Write the corrective action register | Corrective Action Register |
| 21 | Turn incident samples into eval regression cases | Regression Pack |
| 22 | Write the architecture ADR | Reliability ADR |
| 23 | Write customer / operations communication | Customer and Ops Comms |
| 24 | Write the regulator / board brief | Governance Communication Pack |
| 25 | Design the reliability review board charter | Review Board Charter |
| 26 | Run one tabletop and record the decision log | Game Day Decision Log |
| 27 | Update runbook and dashboard from the tabletop | Runbook Revision |
| 28 | Compile the evidence binder index | Evidence Index |
| 29 | Write a 1500-2500 word portfolio case study | Portfolio Case Study |
| 30 | Prepare 8-10 interview Q&As and a 5-minute narrative | Interview Story Pack |

17.1 30-Day Final Deliverable Pack

| Artifact | Interview value |
|---|---|
| Executive one-pager | Shows you can explain AI incident risk and decisions to executives |
| System and control map | Shows architectural judgment, not just process documentation |
| Incident taxonomy + SEV model | Shows senior-level risk classification ability |
| Postmortem + corrective action register | Shows production reliability and a closed governance loop |
| Game day pack | Shows proactive verification and cross-organization coordination |
| Regression pack | Shows the ability to turn incident samples into EvalOps |
| Board / regulator communication | Shows risk articulation in a retail financial context |

18. Interview Answers

Q1: What is the biggest difference between AI incident response and ordinary SRE incident response?

| Version | Answer |
|---|---|
| 30 seconds | Ordinary SRE mainly handles availability, latency and error rate. An AI incident also involves semantic correctness, evidence support, policy boundaries, tool actions, data leakage, model drift and customer/regulatory impact. An HTTP 200 can still be an incident, so you need trace, eval, guardrail, human review and a governance loop. |
| 2 minutes | I break an AI incident into detect, triage, command, contain, recover, postmortem, regression and governance. The key is not "the model was wrong" but locating which component failed: prompt, RAG, index, policy, tool, judge, model route, human handoff or vendor change. Then, by risk tier, decide whether to roll back the model, roll back the index, disable tools, switch to templates, add human review, remediate customers and communicate with regulators. After the postmortem, incident samples must enter regression eval and the release gate; otherwise it is just a report. |

Q2: How do you assign severity to AI incidents?

| Version | Answer |
|---|---|
| 30 seconds | I would not grade only by technical failure; I grade by customer harm, regulatory exposure, data sensitivity, degree of automation, blast radius, reversibility and detection source. For example, a customer-visible incorrect promise, PII leaving the organization, a high-risk tool executed wrongly, or a systematic error in an AML/KYC/credit process should be at least SEV1. |
| 2 minutes | I would set up SEV0-SEV4. SEV0 is major customer harm, a regulatory breach, large-scale data leakage or an irreversible tool action; SEV1 is a high-impact but containable issue in a regulated process or a customer-visible issue; SEV2 is significant degradation in quality, cost, latency or eval; SEV3 is a local issue caught by controls; SEV4 is a hazard or a game day finding. Severity then directly drives the war room, notifications, postmortem depth, review board and restart gate. |

Q3: Bad retrieval leads to a wrong answer. How do you handle it?

| Version | Answer |
|---|---|
| 30 seconds | Stop the bleeding first: roll back the index or disable the bad source, and switch high-risk questions to humans or templates. Then preserve the query, retrieved doc IDs, index version, ACL, citations and output samples. The root cause is usually in source trust, freshness, ACL, chunking, the reranker or the release gate. Finally, add the samples to retrieval regression. |
| 2 minutes | I first determine whether it is customer-visible or affects a regulated process. If so, immediately shut off free generation for the related intent and switch to authoritative search or human review. Technically, do an index manifest diff, source owner check, freshness filter, ACL test and citation support check. On governance, have the Data Owner and Model Risk jointly confirm the recovery conditions. Preventing recurrence is not "tuning the prompt"; it is a source registry, index release gate, retrieval eval, freshness SLO and an impacted population query. |

Q4: Why is agent tool misuse dangerous, and how do you design the defense?

| Version | Answer |
|---|---|
| 30 seconds | Tool misuse amplifies a language error into a real business action, such as a duplicate refund, wrongly closing a complaint, or viewing an account without authorization. The defense belongs in the tool gateway, not the prompt: least privilege, risk-tiered tools, approval, idempotency, dry-run, step budget, side-effect logging and kill switch. |
| 2 minutes | I classify tools as read-only, draft, write-low, write-high and irreversible. The model can only propose; the system decides allowed, blocked or requires approval through ABAC / purpose binding / policy engine. Every write action must have an idempotency key, approval ID, ledger, reversal path and trace. In an incident the first step is usually to switch write tools to read-only, preserve the side-effect log, identify the affected population, then compensate and add regression. |

Q5: How do you handle a PII leak incident?

| Version | Answer |
|---|---|
| 30 seconds | First stop egress and plaintext logging, isolate the affected route, preserve trace and egress logs, and identify the fields, record counts, destinations and retention status. Then privacy, legal and security decide on notification and remediation. Prevention must cover input, output, tool payload, logs and vendor calls, not just answer filtering. |
| 2 minutes | I require the evidence pack to include DLP decision, output sample, egress destination, trace ID, redaction status, affected records and vendor handling. Containment includes shutting off outbound tools, cleaning up third-party tickets, disabling log export and enabling field redaction. The root cause may be missing purpose binding, a tool gateway without DLP, a wrong logging policy or unclear vendor processing scope. The fix must go into DLP regression, egress policy, privacy impact record and vendor controls. |

Q6: How do you make a postmortem blameless without losing accountability?

| Version | Answer |
|---|---|
| 30 seconds | Blameless does not mean nobody is responsible. Blameless means not blaming individuals and focusing on why the system let a reasonable person make a wrong decision with the information available at the time; accountability means every corrective action has an owner, a due date, verification evidence and closure approval. |
| 2 minutes | A good postmortem records the timeline, impact, detection gaps, control failures, root cause and contributing factors. It does not write "someone did not review carefully" or "the model hallucinated"; it asks whether the human review UI showed the evidence, why the release gate did not cover the sample, why the policy lived only in the prompt, and why the tool had no approval. Finally, action items must be verifiable, such as adding 50 regression cases, enabling a kill switch, passing a DLP test or updating an ADR, not "more training". |

Q7: How do you turn AI incidents into long-term governance capability?

| Version | Answer |
|---|---|
| 30 seconds | Every SEV1+ incident should feed three lines: eval regression, architecture decision and governance review. That is, samples go into tests, controls go into architecture, and residual risk goes to the review board and the evidence pack. |
| 2 minutes | I would set up an AI Reliability Review Board that regularly reviews incidents, eval trend, SLO, cost, security, privacy, customer harm and corrective action aging. A post-incident restart must pass the scope, component, eval, security/privacy, operations, governance and phased rollout gates. This way an incident is not just the project team fixing a bug; it changes release gates, tool permissions, source governance, model pinning, vendor controls and board reporting. |

Q8: Does a cost spike count as an AI incident?

| Version | Answer |
|---|---|
| 30 seconds | Yes. An AI cost spike can come from long context, retry loops, judge amplification, tool loops or abuse, and can lead to budget circuit breakers tripping, service degradation and broken unit economics. It should be graded by business impact and controllability. |
| 2 minutes | I look at cost per outcome, not only the total bill. Evidence includes token, route, cache, retrieval, rerank, judge, tool and loop traces. Containment includes quota, rate limit, downgrading the model, shortening context, shutting off retry loops and enabling cache. Prevention is a budget guardrail, step budget, loop detector, unit economics dashboard and pre-release cost stress testing. |

Q9: How should an AI incident be presented to a regulator or the board?

| Version | Answer |
|---|---|
| 30 seconds | Talk about facts, impact, controls, remediation and governance, not model black-box excuses. Explain what happened, who was affected, which controls failed, how it was contained, how it was remediated, how recurrence is prevented, who is responsible and when it will be done. |
| 2 minutes | I prepare two sets of material: a regulator / examiner response pack and a board brief. The regulator material needs system description, control design, control failure, affected population, remediation and evidence index. The board material needs risk appetite, customer and business impact, management action, major residual risk and decisions requiring approval. Every number must come from a reproducible query, and anything unconfirmed is marked as under assessment. |

Q10: Why is an AI Reliability Review Board necessary?

| Version | Answer |
|---|---|
| 30 seconds | Because AI incident root causes span product, model, data, tools, security, privacy, compliance and vendors, a single team cannot decide restart on its own. The Review Board puts incidents, evals, changes, risk acceptance and evidence in one governance mechanism. |
| 2 minutes | The Review Board's value is decision rights. It can approve restart, require additional controls, block release, accept residual risk or escalate to executives. Inputs include postmortem, eval trend, SLO breach, cost, red-team, vendor change and customer harm. Outputs are decision log, corrective actions, ADR, risk acceptance and game day backlog. This suits high-risk retail financial AI far better than a project team "fixing it and shipping". |
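The write-tool defense described in Q4, and the defect in case 15.3 it is meant to prevent, as an added example (not code from the playbook or any real payments platform). It places the incident behaviour (a retry re-executes the provisional credit because nothing binds the idempotency key to dispute ID and amount) beside the hardened gateway, together with the reconciliation check that surfaced the incident. Tool names, tiers, the ledger layout, `ToolProposal` and the sample proposals are constructed assumptions.

```python
"""Write-tool gateway with purpose-bound idempotency and a read-only kill switch.

Added example, not code from the playbook or any real payments platform.
enforce_idempotency=False reproduces the case 15.3 defect; the default is the
hardened behaviour. Tool names, tiers, ledger layout and samples are constructed.
"""
import hashlib
import json
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ToolProposal:
    """What the model may emit: a proposal, never a direct execution."""
    tool: str
    dispute_id: str
    amount_cents: int
    approval_id: Optional[str] = None


# Constructed tool tiers; write-high requires an approval ID before execution.
TOOL_TIERS = {
    "get_dispute": "read-only",
    "draft_customer_letter": "draft",
    "post_provisional_credit": "write-high",
}


def idempotency_key(p: ToolProposal) -> str:
    """Key bound to tool + dispute + amount: a retry of the same action dedups,
    while a different amount on the same dispute is a distinct action."""
    material = json.dumps(
        {"tool": p.tool, "dispute_id": p.dispute_id, "amount_cents": p.amount_cents},
        sort_keys=True,
    )
    return hashlib.sha256(material.encode()).hexdigest()


class WriteToolGateway:
    def __init__(self, enforce_idempotency: bool = True, read_only: bool = False):
        self.enforce_idempotency = enforce_idempotency  # False reproduces the incident
        self.read_only = read_only                      # containment kill switch
        self.ledger: list = []                          # every executed side effect
        self._seen: dict = {}                           # idempotency key -> ledger index

    def execute(self, p: ToolProposal) -> dict:
        tier = TOOL_TIERS.get(p.tool)
        if tier is None:
            return {"decision": "blocked", "reason": "unknown_tool"}
        if tier == "read-only":
            return {"decision": "allowed", "side_effect": False}
        if self.read_only:
            return {"decision": "blocked", "reason": "read_only_mode"}
        if tier == "write-high" and not p.approval_id:
            return {"decision": "blocked", "reason": "approval_required"}
        key = idempotency_key(p)
        if self.enforce_idempotency and key in self._seen:
            return {"decision": "deduplicated", "ledger_ref": self._seen[key]}
        entry = {"tool": p.tool, "dispute_id": p.dispute_id, "amount_cents": p.amount_cents,
                 "approval_id": p.approval_id, "idempotency_key": key}
        self.ledger.append(entry)
        self._seen[key] = len(self.ledger) - 1
        return {"decision": "executed", "ledger_ref": len(self.ledger) - 1}


def duplicate_credits(ledger) -> dict:
    """Reconciliation check: disputes carrying more than one provisional credit."""
    counts = Counter(e["dispute_id"] for e in ledger if e["tool"] == "post_provisional_credit")
    return {d: n for d, n in counts.items() if n > 1}


def retry_storm(gateway: WriteToolGateway, retries: int = 3) -> Counter:
    """Replay the same approved credit `retries` times, as a flaky client would."""
    proposal = ToolProposal("post_provisional_credit", "D-1001", 12_500, approval_id="APR-77")
    return Counter(gateway.execute(proposal)["decision"] for _ in range(retries))


if __name__ == "__main__":
    before = WriteToolGateway(enforce_idempotency=False)
    print("before:", dict(retry_storm(before)), duplicate_credits(before.ledger))
    after = WriteToolGateway()
    print("after:", dict(retry_storm(after)), duplicate_credits(after.ledger))
```

Note that the reconciliation check still flags two credits with different amounts on one dispute; that is deliberate, since the ledger cannot tell a legitimate second credit from a wrong one and a person has to.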
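The step budget, loop detector and cost-per-outcome guardrail named in Q8 (and exercised in the "Cost spike via loop" tabletop in 14.2), as an added example rather than code from the playbook. Step names, per-step costs, budget numbers and the `evaluate_trace` / `evaluate_incrementally` helpers are constructed assumptions.

```python
"""Step budget and loop detector for agent traces.

Added example, not code from the playbook. Runs a step budget, a unit-cost
guardrail and a repeated-cycle detector over constructed planner step sequences.
Step names, per-step costs and budget numbers are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed per-step cost in cents; judge calls are deliberately expensive.
STEP_COST_CENTS = {"retrieve": 2, "rerank": 1, "generate": 10, "judge": 8, "tool": 3}


@dataclass(frozen=True)
class StepBudget:
    max_steps: int = 12
    max_cost_cents: int = 60     # approved unit cost per outcome
    max_pattern_len: int = 3     # longest repeating cycle to look for
    max_repeats: int = 3         # back-to-back repeats that count as a loop


def trace_cost_cents(steps) -> int:
    """Unknown step kinds cost nothing but still count toward the step budget."""
    return sum(STEP_COST_CENTS.get(s, 0) for s in steps)


def detect_loop(steps, max_pattern_len=3, max_repeats=3) -> Optional[dict]:
    """Find the first cycle of length 1..max_pattern_len repeated max_repeats
    times back to back, e.g. ['retrieve', 'judge'] three times in a row."""
    steps = list(steps)
    for size in range(1, max_pattern_len + 1):
        for start in range(0, len(steps) - size * max_repeats + 1):
            pattern = steps[start:start + size]
            if all(steps[start + k * size:start + (k + 1) * size] == pattern
                   for k in range(1, max_repeats)):
                return {"pattern": pattern, "repeats": max_repeats, "at": start}
    return None


def evaluate_trace(steps, budget: StepBudget = StepBudget()) -> dict:
    """Decide whether the planner may continue; "halt" is the budget circuit breaker."""
    reasons = []
    cost = trace_cost_cents(steps)
    if len(steps) > budget.max_steps:
        reasons.append(f"step_budget_exceeded:{len(steps)}>{budget.max_steps}")
    if cost > budget.max_cost_cents:
        reasons.append(f"unit_cost_exceeded:{cost}>{budget.max_cost_cents}")
    loop = detect_loop(steps, budget.max_pattern_len, budget.max_repeats)
    if loop:
        reasons.append("loop_detected:" + "->".join(loop["pattern"]))
    return {"cost_cents": cost, "steps": len(steps), "loop": loop,
            "action": "halt" if reasons else "continue", "reasons": reasons}


def evaluate_incrementally(steps, budget: StepBudget = StepBudget()) -> int:
    """Number of steps a runtime guard would have allowed before halting (-1 if none)."""
    for i in range(1, len(steps) + 1):
        if evaluate_trace(steps[:i], budget)["action"] == "halt":
            return i
    return -1


if __name__ == "__main__":
    healthy = ["retrieve", "rerank", "generate"]
    looping = ["retrieve", "judge"] * 5 + ["generate"]   # the tabletop's retrieve/judge loop
    print(evaluate_trace(healthy))
    print(evaluate_trace(looping))
    print("guard would halt after step", evaluate_incrementally(looping))
```

Evaluated after every planner step, the guard stops the retrieve/judge loop at the sixth step, well before the trace reaches the approved unit cost; evaluated only on the completed trace it still explains the spike for the postmortem.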

19. Self-Check Checklist

| Check | Passing standard |
|---|---|
| Taxonomy | Covers bad retrieval, hallucination, policy bypass, tool misuse, PII leak, cost spike, latency degradation, model drift, eval regression, prompt injection |
| Severity | SEV model considers customer, regulatory, data, tool, cost, latency, blast radius and reversibility together |
| Command | Has IC, scribe, product, architecture, model risk, security, privacy, legal/compliance, business, vendor owner |
| Containment | Can roll back by layer: model, prompt, index, retriever, tool, policy, judge, vendor |
| Evidence | Trace can reconstruct prompt, model, retrieval, tool, policy, judge, human review and affected parties |
| Postmortem | Includes timeline, impact, RCA, contributing factors, control failure, corrective actions, residual risk |
| Corrective actions | Every action item has an owner, due date, verification evidence, closure approver |
| Communications | Covers customer, operations, executive, board, regulator, vendor |
| Governance | Has reliability review board, restart gate, risk acceptance, audit evidence |
| Game days | Cover at least bad retrieval, PII leak, tool misuse, prompt injection, cost spike, model drift |
| Portfolio | Can produce incident pack, ADR, dashboard spec, game day log, board brief, interview story |

20. Final Principle

The maturity of AI production reliability is not measured by having few incidents, but by whether:

incidents are detected early,
impact is contained quickly,
evidence can be reconstructed,
decisions can be traced,
customers can be remediated,
risk can be governed,
and the same class of error does not recur in the same way.

A truly senior AI PM / AI Architect / Platform PM / Model Risk / SRE-like role does not just explain model capabilities; it turns AI systems into production systems that are operable, rollback-able, auditable, reviewable and governable.