AS-201c · Module 2

Containment Strategies


Containment is the first response to a confirmed incident. Not investigation. Not root cause analysis. Not "let me understand what happened." Containment. Stop the bleeding first. Understand it later. This principle applies universally to security incidents, but AI systems present unique containment challenges because the "bleeding" might be invisible — a model that is leaking data through normal-looking responses.

AI containment operates at three levels, and you need to decide which level to apply based on the severity classification. Level one is output throttling — you do not shut down the system, but you increase guardrail sensitivity, reduce the model's access permissions, and route all outputs through human review. Level two is partial isolation — you disable the compromised feature or integration while keeping the rest of the system operational. Level three is full shutdown — the system goes offline until the incident is resolved. The temptation is always to stay at level one because shutting down affects users. The discipline is to escalate when level one is not enough.

  1. Level 1: Throttle and Monitor. Increase guardrail sensitivity. Route outputs through human review. Reduce rate limits. Block the specific user or IP involved if identified. Keep the system running for non-affected users. Appropriate for Severity 3 events and initial response to Severity 2.
  2. Level 2: Partial Isolation. Disable the compromised integration — revoke the database connection, disable the email tool, remove the file access capability. The core system stays operational but without the attack vector. Appropriate for Severity 2 events where the exploit path is identified.
  3. Level 3: Full Shutdown. Take the AI system completely offline. Revoke all credentials. Preserve all logs for forensic analysis. Notify affected parties. Appropriate for Severity 1 events and Severity 2 events where the full extent of compromise is unknown.
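
The three levels can be written down as a small decision-and-apply routine so the escalation rule is enforced rather than remembered. This is an added example, not part of the course material: `AISystem`, `Incident`, and their field names are hypothetical stand-ins for real controls. It assumes that "initial response" means scoping has not yet been attempted, and that containment only moves upward while an incident is open.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional

class Level(IntEnum):
    THROTTLE = 1
    PARTIAL_ISOLATION = 2
    FULL_SHUTDOWN = 3

@dataclass
class Incident:
    severity: int                       # 1 = most severe, 3 = least
    exploit_path: Optional[str] = None  # compromised integration, once identified
    extent_known: bool = False          # has scoping bounded the compromise?
    scoping_attempted: bool = False     # False = still the initial response
    source: Optional[str] = None        # user or IP involved, if identified

@dataclass
class AISystem:                         # hypothetical stand-in for real controls
    online: bool = True
    human_review: bool = False
    credentials_valid: bool = True
    logs_preserved: bool = False
    integrations: set = field(default_factory=lambda: {"database", "email", "files"})
    blocked: set = field(default_factory=set)
    level: int = 0                      # 0 = no containment applied yet

def choose_level(inc: Incident) -> Level:
    if inc.severity == 1:
        return Level.FULL_SHUTDOWN
    if inc.severity == 2 and inc.scoping_attempted:
        if not inc.extent_known:
            return Level.FULL_SHUTDOWN          # extent unknown: assume the worst
        if inc.exploit_path:
            return Level.PARTIAL_ISOLATION
    return Level.THROTTLE                       # Severity 3, or first response to Severity 2

def contain(system: AISystem, inc: Incident) -> Level:
    # Assumption: containment only ratchets upward while the incident is open.
    system.level = max(system.level, choose_level(inc))
    system.human_review = True                  # Level 1 actions apply at every level
    if inc.source:
        system.blocked.add(inc.source)
    if system.level >= Level.PARTIAL_ISOLATION and inc.exploit_path:
        system.integrations.discard(inc.exploit_path)
    if system.level == Level.FULL_SHUTDOWN:
        system.logs_preserved = True            # preserve evidence before going dark
        system.online, system.credentials_valid = False, False
        system.integrations.clear()
    return Level(system.level)
```

Calling `contain` again as triage fills in `exploit_path` and `extent_known` walks the same incident from Level 1 upward; a later, lower-severity assessment does not relax controls already applied.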