Incident post-mortems are a governance responsibility, not an engineering afterthought

An agent failure you investigate and close the loop on makes the next failure less likely. Treating post-mortems and continuous improvement as core governance is what turns incidents into a falling rate.

B

Balagei G Nagarajan

3 MIN READ


An incident feeding into a post-mortem that produces a control change feeding back into the system, a closed loop
Stanford's AI Index has the numbers: 233 to 362 documented incidents in a year.
— from “Incident post-mortems are a governance responsibility, not an engineering afterthought”

Key facts.

  • Stanford's AI Index logged 233 AI incidents one year. The next year it was 362. A 55% jump. Not because more AI shipped. Because the same failure classes kept repeating. Most orgs fix the symptom and close the ticket. Nobody closes the loop.source
  • DORA (EU Regulation 2022/2554) makes incident reporting and lessons-learned a legal obligation for financial entities, not a nice-to-have. Post-incident learning is now a compliance requirement for covered organizations.source
  • ISO/IEC 42001:2023 requires continual improvement in the AI management system. That means post-mortem learning isn't discretionary either. It's a standing requirement in the management standard.source

Why does an incident keep recurring without a governed loop?

Most agent incident responses look like this: reverse the bad outcome, restart the stuck process, close the ticket. Nobody changed the condition that caused it. Next month, same condition, same failure. Stanford's AI Index has the numbers: 233 to 362 documented incidents in a year. 55% growth. That's not more AI. That's the same failure classes repeating because nobody closed the loop. The loop has three steps: someone owns the post-mortem output, a specific control change actually ships, then someone verifies it catches the original failure class. Most orgs do step zero, the cleanup, and none of the rest.

A better model doesn't solve this. It changes the mix of failures, not whether they get prevented once found. DORA requires incident reporting and lessons-learned for financial entities. ISO/IEC 42001 makes continual improvement a standing requirement. Both frameworks exist because organizations that close tickets without closing loops repeat incidents, and the ones that govern the post-mortem don't.

A timeline of incidents where each post-mortem adds a control, and the incident frequency visibly decreases along the line

What turns a post-mortem into a falling incident rate?

Three things. An owner: one named person accountable for the post-mortem output and whatever change it requires. A shipped control change: not a recommendation in a doc, but an actual gate, boundary or check that lands in the system. And a verification step: run the test that reproduces the original failure and confirm it now gets caught. Do those three, and the same class of failure stops coming back. Skip any one of them, and the post-mortem is paperwork that gets filed and ignored. The failure rate doesn't move.

Post-mortem stepWithout governanceWith governance
OwnershipNobody accountableNamed owner for actions
OutcomeNotes filed, symptom fixedTracked control change shipped
VerificationNone; recurrence likelyTest proves the failure is now caught

A clean close hides a repeat that a more capable model only makes more convincing: govern post-mortems, since Stanford logged incidents rising to 362 from 233. (source)

VibeModel's Pattern Intelligence Layer is where each post-mortem output lands in the agent's behavioral constraints directly: a new gate, a tightened boundary, an added check in the system, not a doc that gets filed and forgotten. That's how a recurring incident stream becomes a falling one.

Frequently asked questions

Isn't a post-mortem just an engineering task?
The investigation is. The follow-through, owning the action, shipping the control change, verifying it, is governance and that is the part that makes the incident rate fall.

Why do the same failures keep recurring?
Because the symptom gets fixed but the control that would catch the class of failure is never added. Reported agent failures are recurring patterns, not one-offs.

How do I know a fix worked?
Write a test that reproduces the original failure and shows it now caught. Verification is what separates a closed loop from a filed document.


Share this post

Join the discussion

Have a take, a war story, or a question? Sign in with GitHub to comment and react. Comments are powered by GitHub Discussions, ad-free and yours to moderate.

Continue Reading

Find where your agent breaks, before you build it

Faultmap maps where your agent will fail from the goal and your data, then hands you the first test suite it has to pass.