Workflow: Incident Response
When governance catches a problem -- a BLOCKED verdict, a pattern of policy violations, or an anomalous agent behavior -- you need a structured response. This page provides a step-by-step incident response workflow for TheWARDN.
Overview
TheWARDN's governance pipeline is designed to catch problems before they cause harm. When it does, the violation appears in your console and audit trail. Your response determines whether the issue is a one-time anomaly or a systemic gap in your governance posture.
Incident Response Flow
Violation appears in Violation Log
|
v
Assess severity
CRITICAL / HIGH / MEDIUM / LOW
|
v
Review audit record
(full action context)
|
v
Identify agent and action
|
v
Decide immediate response
+----------+----------+-----------+
| | | |
v v v v
Investigate Pause Block Update
further agent agent policy
|
v
Resolve violation with notes
|
v
Update policies to prevent recurrence
|
v
Generate compliance reportStep 1: Violation Appears in Violation Log
When Sentinel issues a BLOCKED verdict, a violation record is created automatically:
{
"violation_id": "vio_ghi012",
"agent_id": "agent_abc123",
"agent_name": "Email Assistant",
"action": "send_email",
"parameters": { "to": "external@example.com" },
"fired_policies": [
{
"policy_id": "pol_no_pii_external",
"reason": "PII detected: social security number pattern in email body"
}
],
"severity": "CRITICAL",
"timestamp": "2026-04-10T14:32:01.000Z",
"status": "OPEN"
}Violations appear in the Violation Log section of the console. Unresolved violations are highlighted and sorted by severity.
Step 2: Assess Severity
Violations are assigned a severity level based on the triggered policy configuration:
| Severity | Description | Response Time |
|---|---|---|
| CRITICAL | Potential data breach, safety violation, or compliance failure | Immediate |
| HIGH | Significant policy violation with business impact | Within 1 hour |
| MEDIUM | Policy violation with limited impact | Within 4 hours |
| LOW | Minor policy trigger, often informational | Within 24 hours |
WARNING
CRITICAL violations should trigger immediate investigation. If your organization has an incident response team, escalate CRITICAL violations to them.
Step 3: Review the Audit Record
Every violation links to its full audit record. The audit record contains:
- Action payload -- Exactly what the agent tried to do
- Confidence scores -- How confident the agent was in the action
- Fired policies -- Every policy that triggered, with reasons
- Agent context -- Which agent, its configuration, and recent history
- Hash chain -- Cryptographic proof the record has not been tampered with
# Retrieve the full audit record via API
curl https://api.thewardn.ai/audit/aud_xyz789 \
-H "Authorization: Bearer YOUR_API_KEY"Look for patterns:
- Was this a new action type the agent has not attempted before?
- Did the confidence scores indicate uncertainty?
- Was the action payload unusual compared to the agent's typical behavior?
Step 4: Identify the Agent and Action
From the violation record, identify:
- Which agent triggered the violation
- What action it attempted
- What parameters it included
- When it occurred
- Whether this is a repeat -- has this agent triggered similar violations before?
# Check the agent's violation history
curl "https://api.thewardn.ai/violations?agent_id=agent_abc123" \
-H "Authorization: Bearer YOUR_API_KEY"Step 5: Decide Immediate Response
Based on your assessment, take one or more of these actions:
Investigate Further
If the violation is unclear or potentially a false positive, gather more information before acting:
# Get the agent's recent audit trail
curl "https://api.thewardn.ai/audit?agent_id=agent_abc123&limit=50" \
-H "Authorization: Bearer YOUR_API_KEY"Pause the Agent
If the agent may be misbehaving but you are not sure, pause it. All its actions will be HELD for human review:
curl -X PATCH https://api.thewardn.ai/agents/agent_abc123 \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"status": "paused"}'TIP
Pausing is non-destructive. The agent's actions queue up in escrow for your review. Use this when you need time to investigate without losing the agent's work.
Block the Agent
If the agent is clearly misbehaving and must be stopped immediately:
curl -X PATCH https://api.thewardn.ai/agents/agent_abc123 \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"status": "blocked"}'WARNING
Blocking an agent creates a violation record for every subsequent action attempt. Only block when you are certain the agent should not operate.
Update Policy
If the violation reveals a gap in your policies, create or update a policy to prevent recurrence:
curl -X POST https://api.thewardn.ai/policies \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "Block SSN in All Outbound",
"scope": "tenant",
"type": "content_check",
"conditions": {
"action_pattern": "*",
"content_check": "ssn_pattern",
"direction": "outbound"
},
"verdict_on_trigger": "BLOCKED",
"status": "active"
}'Step 6: Resolve the Violation
Once you have investigated and taken appropriate action, resolve the violation with notes:
curl -X PATCH https://api.thewardn.ai/violations/vio_ghi012 \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"status": "RESOLVED",
"resolution_note": "Agent attempted to send SSN in email body. Agent paused. New policy pol_block_ssn_outbound created to catch SSN patterns in all outbound actions. Agent will be retrained before reactivation.",
"resolved_by": "greg@thewardn.ai"
}'Resolution notes become part of the immutable audit trail.
Step 7: Update Policies to Prevent Recurrence
After resolving the immediate issue, review your governance posture:
- Was the policy that caught this issue sufficient? If yes, no changes needed. If it was too broad or too narrow, adjust it.
- Are there similar gaps? If a PII leak was caught in email, check whether the same content could leak through other channels (chat, API calls, file exports).
- Should this be tenant-wide or agent-scoped? If the risk applies to all agents, make it tenant-wide.
Step 8: Generate a Compliance Report
For regulated industries, you may need to produce a report of the incident and your response:
# Generate a PDF report for a specific violation
curl "https://api.thewardn.ai/reports?violation_id=vio_ghi012&format=pdf" \
-H "Authorization: Bearer YOUR_API_KEY" \
-o incident_report.pdf
# Generate a CSV export of all violations in a date range
curl "https://api.thewardn.ai/reports?format=csv&from=2026-04-01&to=2026-04-10" \
-H "Authorization: Bearer YOUR_API_KEY" \
-o violations_april.csvReports include:
- Violation details and timeline
- Fired policies and reasons
- Agent information
- Resolution notes and actions taken
- Hash chain verification status
Severity Escalation Matrix
| Severity | First Occurrence | Repeated (3+) | Pattern Detected |
|---|---|---|---|
| CRITICAL | Investigate + pause agent | Block agent + full audit | Executive escalation |
| HIGH | Investigate | Pause agent | Policy review |
| MEDIUM | Log and monitor | Investigate | Policy tightening |
| LOW | Log | Log and review | Adjust policy sensitivity |
Best Practices
- Do not ignore LOW severity violations -- They often indicate drift that becomes HIGH severity over time.
- Resolve violations promptly -- Open violations create noise and make it harder to spot new issues.
- Use pause before block -- Pausing preserves the agent's actions for review. Blocking discards them.
- Document everything in resolution notes -- Future auditors will need to understand what happened and why.
- Review violation trends monthly -- Look for patterns across agents, action types, and time periods.
- Test policy changes in AUDIT_ONLY -- Before enforcing a new policy, verify it does not create a flood of false positives.
Next Steps
- Govern an Action -- Understand the full governance pipeline
- Escrow Lifecycle -- Managing HELD actions
- Policy Evaluation -- Creating and refining policies