--- id: agent-runbooks-and-incident-response title: 'Agent Runbooks and Incident Response' schema_type: TechArticle category: ai language: en confidence: medium last_verified: '2026-06-02' created_date: '2026-06-02' generation_method: ai_structured derived_from_human_seed: true conflict_of_interest: none_declared is_live_document: false data_period: static atomic_facts: - id: fact-ai-agent-runbooks-and-incident-response-1 statement: >- Google SRE documentation says clear role assignment during incidents helps responders avoid duplicated work and missed responsibilities. source_title: Google SRE Managing Incidents source_url: https://sre.google/sre-book/managing-incidents/ confidence: medium - id: fact-ai-agent-runbooks-and-incident-response-2 statement: >- NIST Special Publication 800-61 Revision 2 provides guidance for computer security incident handling. source_title: NIST Computer Security Incident Handling Guide source_url: https://csrc.nist.gov/pubs/sp/800/61/r2/final confidence: medium - id: fact-ai-agent-runbooks-and-incident-response-3 statement: >- Atlassian incident response documentation describes incident response as a process for identifying, investigating, and resolving incidents. source_title: Atlassian Incident Response source_url: https://www.atlassian.com/incident-management/incident-response confidence: medium completeness: 0.84 known_gaps: - Runbooks can be stale; agents must still inspect current alerts, logs, owners, and incident timelines before acting. disputed_statements: [] primary_sources: - title: Google SRE Managing Incidents type: documentation year: 2026 url: https://sre.google/sre-book/managing-incidents/ institution: Google - title: NIST Computer Security Incident Handling Guide type: government_report year: 2012 url: https://csrc.nist.gov/pubs/sp/800/61/r2/final institution: NIST - title: Atlassian Incident Response type: documentation year: 2026 url: https://www.atlassian.com/incident-management/incident-response institution: Atlassian secondary_sources: [] updated: '2026-06-02' ai_models: - gpt-5-codex --- ## TL;DR Runbooks and incident response guides are high-frequency agent sources because they define what to inspect, who owns the response, and which actions are safe during an outage. ## Core Explanation An agent handling an operational incident should not improvise from logs alone. Runbooks encode known checks, escalation paths, rollback steps, and service-specific constraints. Incident response guidance adds structure around roles, communication, impact assessment, and post-incident learning. The important engineering boundary is authority. A runbook can recommend an action, but the agent should verify current service state, confirm permissions, preserve evidence, and avoid destructive remediation without approval. ## Source-Mapped Facts - Google SRE documentation says clear role assignment during incidents helps responders avoid duplicated work and missed responsibilities. ([source](https://sre.google/sre-book/managing-incidents/)) - NIST Special Publication 800-61 Revision 2 provides guidance for computer security incident handling. ([source](https://csrc.nist.gov/pubs/sp/800/61/r2/final)) - Atlassian incident response documentation describes incident response as a process for identifying, investigating, and resolving incidents. ([source](https://www.atlassian.com/incident-management/incident-response)) ## Further Reading - [Google SRE Managing Incidents](https://sre.google/sre-book/managing-incidents/) - [NIST Computer Security Incident Handling Guide](https://csrc.nist.gov/pubs/sp/800/61/r2/final) - [Atlassian Incident Response](https://www.atlassian.com/incident-management/incident-response)