Trust Readiness · Tier 3 · Validate

Trust Evidence for AI Incidents

Could you defend this decision if it was challenged tomorrow? Diagnose incident readiness—not an IR plan or breach checklist. Recon supplements your SIEM with observe-only trust evidence.

Observe-only by default — no autonomous execution in phase 1. SIEM export uses observeOnly: true; bounded authority defaults to enforcementActive: false.

Clinical Recommendation

Could you explain who approved this recommendation and why within 60 minutes?

Unauthorized Financial Action

Could you attribute this action to a user, agent, or service account immediately?

Sensitive Data Exposure

Could you reconstruct the data path and responsible actor within your SOC today?

Agent Exceeded Authority

Could you show the authority chain that should have blocked this action?

  • · Select incident type · ~5 minutes · 20 evidence inventory questions
  • · Incident Readiness Score + reconstruction estimate vs 60-minute target
  • · Full report unlocked via email (JSON export; PDF deferred)