
Key facts.
- Stanford's AI Index logged 233 AI incidents one year. The next year it was 362. A 55% jump. Not because more AI shipped. Because the same failure classes kept repeating. Most orgs fix the symptom and close the ticket. Nobody closes the loop.source
- DORA (EU Regulation 2022/2554) makes incident reporting and lessons-learned a legal obligation for financial entities, not a nice-to-have. Post-incident learning is now a compliance requirement for covered organizations.source
- ISO/IEC 42001:2023 requires continual improvement in the AI management system. That means post-mortem learning isn't discretionary either. It's a standing requirement in the management standard.source
Why does an incident keep recurring without a governed loop?
Most agent incident responses look like this: reverse the bad outcome, restart the stuck process, close the ticket. Nobody changed the condition that caused it. Next month, same condition, same failure. Stanford's AI Index has the numbers: 233 to 362 documented incidents in a year. 55% growth. That's not more AI. That's the same failure classes repeating because nobody closed the loop. The loop has three steps: someone owns the post-mortem output, a specific control change actually ships, then someone verifies it catches the original failure class. Most orgs do step zero, the cleanup, and none of the rest.
A better model doesn't solve this. It changes the mix of failures, not whether they get prevented once found. DORA requires incident reporting and lessons-learned for financial entities. ISO/IEC 42001 makes continual improvement a standing requirement. Both frameworks exist because organizations that close tickets without closing loops repeat incidents, and the ones that govern the post-mortem don't.

What turns a post-mortem into a falling incident rate?
Three things. An owner: one named person accountable for the post-mortem output and whatever change it requires. A shipped control change: not a recommendation in a doc, but an actual gate, boundary or check that lands in the system. And a verification step: run the test that reproduces the original failure and confirm it now gets caught. Do those three, and the same class of failure stops coming back. Skip any one of them, and the post-mortem is paperwork that gets filed and ignored. The failure rate doesn't move.
| Post-mortem step | Without governance | With governance |
|---|---|---|
| Ownership | Nobody accountable | Named owner for actions |
| Outcome | Notes filed, symptom fixed | Tracked control change shipped |
| Verification | None; recurrence likely | Test proves the failure is now caught |
A clean close hides a repeat that a more capable model only makes more convincing: govern post-mortems, since Stanford logged incidents rising to 362 from 233. (source)
VibeModel's Pattern Intelligence Layer is where each post-mortem output lands in the agent's behavioral constraints directly: a new gate, a tightened boundary, an added check in the system, not a doc that gets filed and forgotten. That's how a recurring incident stream becomes a falling one.
Frequently asked questions
Isn't a post-mortem just an engineering task?
The investigation is. The follow-through, owning the action, shipping the control change, verifying it, is governance and that is the part that makes the incident rate fall.
Why do the same failures keep recurring?
Because the symptom gets fixed but the control that would catch the class of failure is never added. Reported agent failures are recurring patterns, not one-offs.
How do I know a fix worked?
Write a test that reproduces the original failure and shows it now caught. Verification is what separates a closed loop from a filed document.

