Playbook Architecture

Good news, everyone! In AS-301a and AS-201c we covered the four-phase incident response structure: contain, investigate, remediate, communicate. That structure still applies. What changes at the 301 level is the specificity — each AI threat category requires its own playbook with category-specific containment actions, category-specific investigation steps, and category-specific indicators of compromise. A generic "security incident" playbook applied to a prompt injection attack produces a generic response. A prompt injection playbook produces a targeted response.

1. Playbook Structure Every AI incident playbook contains: trigger conditions (what alerts activate this playbook), severity classification criteria, containment actions with execution sequence, investigation checklist with specific log queries, remediation steps, communication templates, and post-incident review requirements. Each section is pre-written, reviewed, and rehearsed.
2. Threat Category Mapping Map each AI threat category to a dedicated playbook. Prompt injection: separate playbooks for direct, indirect, and stored injection. Data exfiltration: separate playbooks for output-based, tool-mediated, and conversation-leakage exfiltration. Model compromise: playbooks for behavior drift, system prompt extraction, and supply chain compromise. Specificity enables speed.
3. Decision Trees Within each playbook, include decision trees for ambiguous situations. The alert shows an injection attempt — was it successful? Check the output log. The output contains sensitive data — was it sent to the user or intercepted by the guardrail? Check the guardrail log. Decision trees remove hesitation from a process where hesitation costs time.