OC-301h · Module 1

Incident Detection Mechanisms

The time between incident onset and detection — the detection gap — determines the blast radius. A quality failure detected in 5 minutes affects 5 minutes of output. The same failure detected in 5 hours affects 5 hours of output. Every minute of detection gap is a minute of potentially corrupted output flowing to stakeholders.

Five detection mechanisms, in order of detection speed:

  • Real-time monitors: automated checks that run on every agent output — format validation, confidence threshold checks, safety boundary verification. Detection gap: seconds.
  • Quality scoring: automated quality evaluation that runs on a sample of outputs. Detection gap: minutes to hours depending on sampling rate.
  • Anomaly detection: behavioral baseline deviation alerts. Detection gap: minutes to hours depending on metric aggregation window.
  • Human review: stakeholders or reviewers notice something wrong. Detection gap: hours to days.
  • Incident reports: someone files a report about a known-bad output. Detection gap: hours to days.

Layer all five mechanisms — the combination closes detection gaps that any single mechanism misses.
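The following added example (not part of the original module) runs the three real-time checks named above over a constructed output stream and measures the detection gap and the number of affected outputs when every output is checked versus every tenth. The output schema, the 0.7 confidence threshold, the allowed-action list and all function names are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta

REQUIRED_KEYS = {"action", "confidence"}   # assumed output schema
MIN_CONFIDENCE = 0.7                       # assumed confidence threshold
ALLOWED_ACTIONS = {"reply", "escalate"}    # assumed safety boundary

def realtime_check(raw):
    """Return the name of the first failed check, or None if the output passes."""
    try:
        out = json.loads(raw)
    except json.JSONDecodeError:
        return "format"
    if not isinstance(out, dict) or not REQUIRED_KEYS <= out.keys():
        return "format"
    conf = out["confidence"]
    if isinstance(conf, bool) or not isinstance(conf, (int, float)):
        return "format"
    if conf < MIN_CONFIDENCE:
        return "confidence"
    if out["action"] not in ALLOWED_ACTIONS:
        return "safety"
    return None

def detection_gap(stream, onset, sample_every=1):
    """Check every Nth output; return (gap, outputs emitted from onset to detection)."""
    for i, (ts, raw) in enumerate(stream):
        if i % sample_every == 0 and realtime_check(raw):
            blast = sum(1 for t, _ in stream if onset <= t <= ts)
            return ts - onset, blast
    # Never detected: everything from onset onward is affected.
    return None, sum(1 for t, _ in stream if t >= onset)

def build_stream():
    """Constructed sample: one output per minute, failure starts at minute 7."""
    start = datetime(2024, 1, 1, 9, 0)
    good = json.dumps({"action": "reply", "confidence": 0.93})
    bad = json.dumps({"action": "delete_records", "confidence": 0.91})
    stream = [(start + timedelta(minutes=m), good if m < 7 else bad)
              for m in range(30)]
    return stream, start + timedelta(minutes=7)

if __name__ == "__main__":
    stream, onset = build_stream()
    for n in (1, 10):
        gap, blast = detection_gap(stream, onset, sample_every=n)
        print(f"check every {n} output(s): gap={gap}, affected outputs={blast}")
```

Checking every output catches the failure on its first bad output; checking every tenth output lets four bad outputs through over a three-minute gap.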

Do This

  • Implement real-time monitors for safety-critical checks — seconds of detection gap, not hours
  • Layer multiple detection mechanisms — no single mechanism catches every failure type
  • Measure your detection gap for each incident — the gap is the metric that determines blast radius

Avoid This

  • Rely on human review as the primary detection mechanism — by the time a human notices, the blast radius is large
  • Run quality scoring only daily — a quality failure that starts at 9 AM and is detected at 6 PM affects a full day
  • Assume monitoring catches everything — the failures you do not monitor for are the ones that cause the worst incidents