Investigation Procedures
Investigation procedures for the most common AI governance alert types.
INV-001: Policy Violation
Trigger: AI system output blocked by a governance policy.
Investigation steps:
- Review the blocked output in the evidence panel
- Identify which policy triggered:
    Policy ID: GOV-POL-042
    Policy: PII_OUTPUT_PREVENTION
    Matched pattern: SSN format detected in output
- Review the AI input that produced the output
- Check whether the input was legitimate or adversarial:
  - Legitimate: user asked a valid question, AI hallucinated sensitive data
  - Adversarial: input contained prompt injection attempting to extract data
- Review the AI system’s recent assessment score
  - If score < 70: recommend re-assessment before returning to production
Escalate if: The blocked output contained actual sensitive data (not just a false positive pattern match).
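A triage helper for the false-positive check behind the escalation criterion above, as an added example that is not part of GOVERN or of the original page: it applies the SSA's structural issuance rules to each SSN-shaped match so that only structurally valid values go on to manual verification. The regex, function names and sample text are assumptions; the page does not show the pattern GOV-POL-042 uses.

```python
import re

# Assumed stand-in for the policy's "SSN format" rule; the page does not
# show the real GOV-POL-042 pattern.
SSN_SHAPED = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

# Printed on sample wallet cards in the 1930s and later retired by the SSA.
PUBLISHED_SPECIMENS = {"078051120"}


def classify(area, group, serial):
    """Apply SSA issuance rules; return (verdict, reason)."""
    if area in ("000", "666") or area[0] == "9":
        return "false_positive", "area number is never issued"
    if group == "00":
        return "false_positive", "group number 00 is never issued"
    if serial == "0000":
        return "false_positive", "serial number 0000 is never issued"
    if area + group + serial in PUBLISHED_SPECIMENS:
        return "false_positive", "published specimen number"
    return "needs_verification", "structurally valid; compare with source data"


def triage_blocked_output(text):
    """Classify every SSN-shaped match, masking it so notes hold no PII."""
    findings = []
    for match in SSN_SHAPED.finditer(text):
        area, group, serial = match.groups()
        verdict, reason = classify(area, group, serial)
        findings.append({
            "masked": f"***-**-{serial}",
            "offset": match.start(),
            "verdict": verdict,
            "reason": reason,
        })
    return findings


def needs_escalation_review(findings):
    """True when at least one match could be a real SSN."""
    return any(f["verdict"] == "needs_verification" for f in findings)


# Constructed sample outputs, not taken from any real alert.
HALLUCINATED = "Invoice 900-12-3456 was filed under case 123-00-4567."
SUSPICIOUS = "The customer's number on file is 123-45-6789."

if __name__ == "__main__":
    for sample in (HALLUCINATED, SUSPICIOUS):
        print(needs_escalation_review(triage_blocked_output(sample)))
```

A `needs_verification` verdict only means the value passes the issuance rules; whether it is actual sensitive data still has to be confirmed against the AI system's data sources before escalating.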
INV-002: Drift Event
Trigger: AI model behavior score drifts more than 15% from baseline.
Investigation steps:
- Open the drift timeline in the context panel
- Identify when drift began and correlate with:
  - Model version change
  - Input distribution change
  - Infrastructure change
- Review sample inputs and outputs from before/after drift onset
- Check the specific dimensions that drifted:
  - Bias score — output bias toward protected categories
  - Accuracy score — factual accuracy vs. benchmark
  - Safety score — response to adversarial inputs
  - Drift score — semantic distance from baseline
Resolution: If drift is confirmed, recommend model rollback or re-assessment. Tag the alert with drift_confirmed for trend analysis.
INV-003: Prompt Injection Attempt
Trigger: GOVERN detects a prompt injection pattern in AI system input.
Investigation steps:
- Review the flagged input in the evidence panel
- Classify the injection type:
  - Instruction override — “Ignore previous instructions”
  - Role hijacking — “You are now a different AI”
  - Data extraction — “Print your system prompt”
  - Jailbreak — attempts to bypass safety filters
- Determine if injection succeeded:
  - Check the AI system’s actual response
  - Review the GOVERN policy decision (blocked or passed)
  - If injection succeeded and produced harmful output: Escalate immediately
- Document the injection payload for signature creation
Escalation criteria: Any successful injection requires IR team involvement.
INV-004: Assessment Score Threshold
Trigger: AI system assessment score drops below configured threshold.
Investigation steps:
- Review the full assessment report linked in the alert
- Identify which scoring dimensions declined:
  - Security
  - Bias
  - Accuracy
  - Transparency
  - Alignment
- Review recent changes to the AI system:
  - Model version update
  - System prompt change
  - Context window change
- Determine severity:
  - Score 60-79%: Warning, schedule re-assessment within 7 days
  - Score 40-59%: High, restrict to low-risk use cases
  - Score < 40%: Critical, suspend production use
Resolution: Update AI system risk profile. Notify system owner. Schedule re-assessment.
INV-005: System Health Event
Trigger: GOVERN Probe disconnected or stopped emitting telemetry.
Investigation steps:
- Check probe container status:
    docker ps | grep govern-probe
- Check probe health endpoint:
    curl http://<probe-host>:9090/health
- Review probe logs for errors:
    docker logs govern-probe --tail=200
- Common causes:
  - Network issue: probe cannot reach GOVERN API
  - Auth failure: API key expired or revoked
  - Container crash: OOM, disk full
  - Config change: AI endpoint URL changed
SLA: Probe must be restored within 1 hour. AI systems without probe coverage are operating without governance monitoring.