How do I investigate what an AI agent did after an incident?

Answer

Forensic reconstruction requires:

1. Audit trail query — filter by agent_id, time range, action types.
2. Input/output analysis — examine what the agent received and produced, check for prompt injection patterns.
3. Decision trace — for each action, retrieve the compliance check result and which rules were evaluated.
4. Dependency graph — trace the full execution tree if the agent delegated to others.
5. Baseline comparison — compare behavior during the incident against established baselines.
6. External context — correlate with model provider logs, API gateway logs, and infrastructure metrics.