Trust Readiness · Tier 3 · Validate
Trust Evidence for AI Incidents
Could you defend this decision if it was challenged tomorrow? Diagnose incident readiness—not an IR plan or breach checklist. Recon supplements your SIEM with observe-only trust evidence.
Observe-only by default — no autonomous execution in phase 1. SIEM export uses observeOnly: true; bounded authority defaults to enforcementActive: false.
Clinical Recommendation
Could you explain who approved this recommendation and why within 60 minutes?
Unauthorized Financial Action
Could you attribute this action to a user, agent, or service account immediately?
Sensitive Data Exposure
Could you reconstruct the data path and responsible actor within your SOC today?
Agent Exceeded Authority
Could you show the authority chain that should have blocked this action?
- · Select incident type · ~5 minutes · 20 evidence inventory questions
- · Incident Readiness Score + reconstruction estimate vs 60-minute target
- · Full report unlocked via email (JSON export; PDF deferred)