Revuity Logo
    Business

    Incident Management and Root Cause Analysis for Agent Failures

    How to run an effective incident response and root cause analysis when an agentic system produces a significant failure — including the questions to ask, the stakeholders to involve, and the documentation to produce.

    Jay Burgess7 min read

    Agent failures in production are not if events — they are when events. An agentic system that processes thousands of inputs per day will eventually produce a consequential error, a behavior outside its approved scope, or an output that causes real harm to a real person. How the organization responds to that event determines whether the incident becomes a learning experience, a regulatory problem, a reputational crisis, or all three. Product and project managers who have a practiced incident response process will navigate these events with control and speed. Those who improvise will navigate them slowly, with inconsistent documentation and more damage than necessary.

    Effective agentic incident response has four phases. Containment: stop further harm before investigating cause. This typically means suspending the agent or restricting its scope to a mode where human review is required for all outputs. Containment decisions should be made within hours, not days, and should err toward caution. A false positive containment — suspending an agent that turns out to have been operating correctly — is recoverable. Continuing to run an agent that is causing harm while the investigation proceeds is not. Investigation: reconstruct what happened. This requires access to logs that capture inputs, agent reasoning, tool calls, and outputs at the time of the incident. If your system does not produce these logs, you cannot conduct a meaningful investigation — which means the absence of logging is itself the root cause of your inability to respond. Root cause analysis: identify not just what happened but why the controls failed to prevent it. The root cause of an agentic failure is almost never a single point of failure. It is usually a combination of a tool permission boundary that was too permissive, an evaluation set that did not cover the input type that triggered the failure, and a review gate that was designed to catch a different category of error. Resolution: implement specific, testable changes — to tool permissions, acceptance criteria, evaluation set coverage, or review path design — and verify that the changes address the identified root cause before restoring full operation.

    Root cause analysis for agentic systems requires a different frame than traditional software incident analysis. In deterministic software, the root cause of a bug is usually a specific code path that produced an incorrect output. In agentic systems, the agent's behavior was probabilistic and within the range of behaviors the model is capable of — the question is why the system did not catch or prevent the specific behavior that caused harm. The analysis must therefore trace backward through the control layers: what was the tool permission boundary, what was the review gate design, what was the evaluation set coverage, and what was the acceptance criterion that should have caught this class of error before deployment. Fixing the agent's prompt is rarely the complete answer; fixing the control layer is.

    What this means in practice

    The practical implementation question is not whether the idea is interesting. It is how a team turns it into a workflow that can be inspected, repeated, and improved. For this topic, the operating focus is direct: Build and practice a four-phase agentic incident response process — and conduct root cause analysis that traces through control layers, not just the agent's prompt.

    That means the engineering work starts before the first model call. The team must decide what the agent is allowed to know, what it is allowed to do, what evidence it must produce, and which actions require a human decision. This is the difference between an impressive demo and a system that can survive real users, changing inputs, and production constraints.

    A credible implementation also includes a feedback path. Every agent run should leave behind enough context for another engineer to answer four questions: what goal was attempted, what context was used, which tools were called, and why the system believed the task was complete. If those questions cannot be answered from logs, traces, or structured outputs, the agent is still operating as a black box.

    Reference Diagram

    A simple architecture to reason from

    Use this diagram as a starting point, not as a universal blueprint. The important move is to make the stages visible. Once stages are visible, you can assign owners, define contracts, set permissions, measure quality, and decide where human review belongs.

    Workflow Map
    Read left to right: state moves through controlled boundaries.
    1
    Incident Detected

    Consequential error, out-of-scope behavior, or output causing real harm.

    2
    Containment

    Suspend or restrict to full human review — hours, not days. Err toward caution.

    3
    Investigation

    Reconstruct what happened from logs: inputs, agent reasoning, tool calls, outputs.

    4
    Root Cause Analysis

    Trace through control layers: tool permissions, eval coverage, acceptance criteria, review gate design.

    5
    Resolution

    Specific, testable changes to the control layer — verified before restoring full operation.

    6
    Control Layer Fix

    Fix the control that failed to prevent the behavior, not just the prompt that produced it.

    7
    Restore Operation

    Restore only after control changes are verified — not after the prompt is updated.

    Code Example

    Incident response four-phase checklist

    The example below is intentionally small. Production agentic systems should start with compact contracts like this because small contracts are testable. Once the boundary is working, you can add richer orchestration without losing control of the core behavior.

    ts·Incident response four-phase checklist
    const incidentResponseChecklist = {
  containment: {
    timeTarget: "within 4 hours of detection",
    actions: [
      "suspend_agent_or_restrict_to_full_human_review",
      "notify_legal_compliance_engineering_lead",
      "document_scope_of_harm_and_affected_outputs",
    ],
  },
  investigation: {
    required: [
      "log_access_for_inputs_reasoning_tool_calls_outputs",
      "timeline_reconstruction_of_incident",
      "scope_of_impact_quantified",
    ],
    blocker: "If logs don't exist, absence of logging IS the root cause",
  },
  rootCauseAnalysis: {
    traceThrough: [
      "tool_permission_boundary",
      "evaluation_set_coverage_for_this_input_type",
      "acceptance_criteria_that_should_have_caught_this",
      "review_gate_design_and_failure_mode",
    ],
    note: "Fixing the prompt is rarely the complete answer",
  },
  resolution: {
    requiredBefore: "restoring full operation",
    deliverables: [
      "specific_control_changes_documented",
      "changes_verified_against_root_cause",
      "post_incident_review_scheduled",
    ],
  },
};
    Illustrative pattern — not production-ready

    Implementation notes

    Treat these notes as the first design review checklist. They are deliberately concrete because agentic systems fail most often in the gaps between the model, the tools, the data, and the human operating process.

    Design note 1

    False-positive containment (suspending an agent that was operating correctly) is recoverable. Continued harm during investigation is not.

    Design note 2

    If your system cannot reconstruct what happened from logs, add logging as a launch requirement — not a post-incident enhancement.

    Design note 3

    Root cause in agentic systems is almost never a single failure — it is a combination of gaps in the control layer.

    No logs means no investigation
    An agentic system that does not produce logs of inputs, agent reasoning, tool calls, and outputs cannot be meaningfully investigated when an incident occurs. The absence of logging is itself a governance failure — and it is the root cause of your inability to respond. Build logging as a launch requirement.

    Common failure modes

    The fastest way to make an article useful is to name how the pattern breaks. These are the failure modes to watch for when a team moves from reading about this idea to deploying it inside a real workflow.

    Investigation begins before containment is complete — harm continues during the investigation.
    Root cause analysis ends at 'the agent produced a bad output' without tracing the control layer failures.
    Prompt is updated as the complete fix — the control gaps that allowed the incident to occur are not addressed.

    Operating checklist

    Before this pattern graduates from experiment to production, require a short operating checklist. The checklist should include the owner of the workflow, the allowed tools, the risk rating for each tool, the data sources the agent can use, the completion criteria, the review path, and the rollback plan. If a team cannot fill out that checklist, the workflow is not ready for higher autonomy.

    The checklist should also define how the system will be evaluated after launch. Useful metrics include task success rate, human correction rate, average iterations per completed task, cost per successful run, escalation rate, and the number of blocked tool calls. These metrics turn agent quality into an engineering conversation instead of an opinion about whether the output felt good.

    Finally, make the learning loop explicit. When the agent fails, decide whether the fix belongs in the prompt, the retrieval layer, the tool contract, the permission model, the evaluation suite, or the human process. Mature agentic engineering is not the absence of failures. It is the ability to classify failures quickly and improve the system without expanding risk.

    Key Takeaways
    Containment comes before investigation — stopping further harm is more important than understanding cause, and false-positive containment is recoverable.
    If your system does not produce logs of inputs, reasoning, tool calls, and outputs, the absence of logging is the root cause of your inability to investigate.
    Root cause in agentic systems traces through control layers — tool permissions, evaluation coverage, acceptance criteria, and review gate design — not just the agent's prompt.
    Learn the full system

    Build real fluency in agentic engineering.

    The Academy turns these concepts into a full curriculum, AI tutor, templates, and the CAE credential path.

    Start Learning