
Key facts.
- The framework "Incident Analysis for AI Agents" argues that public incident reports are insufficient because they exclude an agent's chain of thought and browsing history, and it models incidents as a chain of causes across system, contextual, and cognitive factors.source
- One 2025 industry review counted on the order of two dozen publicly reported agent incidents in the year, many involving real production impact like deleted data and unauthorized actions (reported).source
- MAST shows the failures behind these incidents are recurring and categorizable, so they're learnable, if the trace exists to learn from.source
- TRAIL, a benchmark of 148 annotated agent traces with 841 errors, shows that even the best frontier model localizes the true cause in a trace only about 11% of the time, which is why the raw chain of causes has to be captured for a human to learn from.source
what's the recurring gap across these incidents?
it's the missing chain. An agent deletes data, or takes an action it shouldn't, and the public report says what happened but not why, because the why lived in the agent's reasoning and tool trail, which nobody captured. The "Incident Analysis for AI Agents" framework names this directly: existing reporting is built on publicly available data and excludes exactly the internal record an analyst needs. Without that record, the postmortem stops at the action, and the underlying cause, an over-broad permission, a misread tool result, a context the agent inherited, stays in place to cause the next incident.
The framework borrows from aviation's HFACS (Human Factors Analysis and Classification System), which treats incidents as chains across organizational, supervisory, and operational levels, not a single bad act. For agents: the fix is rarely "the model was wrong." It's a specific link. A permission. A tool contract. A retrieval source. Visible only if the chain was recorded.

Making incident fixes stick
Three moves: record the chain before you need it, classify the failure against a known taxonomy, fix the specific link instead of blaming the model. Recording the chain means the reasoning, tool calls, and tool results are captured on every run, so the analyst has the internal data the public report lacks. Classifying means matching the incident to a mode you can name, which MAST shows is feasible. Fixing the link means the postmortem ends in a concrete change to a permission or a contract, not a vague intention to "improve the prompt." Do this and the class of incident doesn't return, which is the only real measure of a postmortem that worked.
The Pattern Intelligence Layer keeps the chain of causes as a property of the running pattern, so every incident arrives with its own evidence already captured. Classification and link-level fixes operate on the pattern's behavior, independent of the model in place, so the lesson learned from one incident survives the next model upgrade. Reliability at the pattern level is what turns a year of incidents into a year of fixes instead of a year of reruns.
Frequently asked questions
Why do public incident reports keep missing the cause?
They exclude the agent's reasoning and tool trail, which is where the cause lives. The fix is to capture that internal chain yourself, before the incident.
Is "the model hallucinated" ever the real cause?
Rarely the whole cause. The chain usually includes a fixable link, a permission, a tool contract, a source, that the model error merely triggered.
What proves a postmortem worked?
The class of incident doesn't recur. If it comes back, the chain was never fully seen or the fix addressed the symptom, not the link.

