AI Data Breach Response: Complete Incident Playbook
AI breach response fails when teams treat the model provider, the application, and the governance layer as separate incidents. In practice they move together. A leaked customer export, a prompt that surfaces hidden data, or a provider path that violates your handling policy all need the same first move: tighten the gateway immediately, preserve evidence, and scope the blast radius from the governed stream. Keeptrusts gives responders one control point for containment and one evidence path for review.
Use this page when
- You need a breach-response runbook for sensitive data that may have reached or nearly reached an LLM provider.
- You want to contain AI traffic without pushing emergency code changes into every application.
- You need a concrete sequence for evidence export, escalation handling, and post-incident review.
Primary audience
- Primary: Security responders and platform engineers
- Secondary: Technical Leaders, AI Agents
The problem
AI breach response is time-sensitive for a simple reason: requests leave the environment fast, and most teams do not have a good way to pause or narrow them centrally.
If a support agent pastes a raw customer export into a chat tool, the problem is not just the employee action. It is whether the gateway can block similar traffic immediately. If an attacker probes for hidden instructions or previous context, the problem is not just prompt injection. It is whether the request boundary can be tightened before more attempts land. If a provider path no longer meets your handling assumptions, the problem is whether the routing layer can fail closed instead of quietly falling back.
The second challenge is evidence. Security teams need a timeline, affected model and provider fields, reason codes, and any pending escalations. Without that, breach review turns into a slow manual reconstruction of what probably happened.
The solution
Treat the Keeptrusts gateway as the first containment surface.
Use PII Detector and DLP Filter to switch from permissive handling to hard blocking. Use Data Routing Policy to force all remaining traffic onto the smallest compliant provider set or to block entirely if no such set exists. Keep kt events and Export Jobs in the response loop so the evidence stream is preserved while the incident is active.
If human review is already part of the workflow, use Escalations and How To: Resolve an Escalation to make sure queued items are owned and resolved instead of silently aging during the incident.
The goal is not to keep the system comfortable. The goal is to keep it survivable.
Implementation
This emergency configuration blocks common secrets and personal data, enforces the strictest provider-handling path, and keeps audit visibility explicit.
```yaml
pack:
  name: ai-breach-containment
  version: "1.0.0"
  enabled: true
providers:
  targets:
    - id: openai-zdr-emergency
      provider: openai
      model: gpt-5.4-mini-mini
      secret_key_ref:
        env: OPENAI_BREACH_RESPONSE_KEY
      data_policy:
        zero_data_retention: true
        training_opt_out: true
        retention_days: 0
        in_memory_only: true
        sanitized: true
        accepts_tokenized_input: true
        allow_internet_egress: false
        local_only_processing: true
policies:
  chain:
    - prompt-injection
    - pii-detector
    - dlp-filter
    - data-routing-policy
    - audit-logger
  policy:
    prompt-injection:
      use_embedding: true
      detection:
        attack_patterns:
          - "ignore.*previous.*instructions"
          - "print.*hidden.*context"
      encoding:
        decode_base64: true
        normalize_unicode: true
        detect_homoglyphs: true
      boundaries:
        enforce_delimiters: true
        reject_fake_boundaries: true
    pii-detector:
      action: block
      pci_mode: true
    dlp-filter:
      detect_patterns:
        - 'AKIA[0-9A-Z]{16}'
        - 'ghp_[0-9A-Za-z]{36}'
        - '-----BEGIN (RSA |EC )?PRIVATE KEY-----'
      blocked_terms:
        - customer export bucket
        - payroll exception report
      action: block
      fuzzy_matching: true
      max_distance: 1
    data-routing-policy:
      require_zero_data_retention: true
      require_no_training: true
      max_retention_days: 0
      require_in_memory_only: true
      allow_internet_egress: false
      local_only_processing: true
      on_no_compliant_provider: block
      log_provider_selection: true
    audit-logger: {}
```
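To make the two containment levers above concrete, here is an added illustrative re-implementation of how the dlp-filter (regex patterns plus fuzzy blocked terms with max_distance 1) and the data-routing-policy (block when no provider meets the handling requirements, instead of falling back) decide a verdict. It is example code written for this page, not Keeptrusts' own implementation; the policy values are copied from the config above and the provider target is a constructed mirror of openai-zdr-emergency.

```python
import re

# Constructed subset of the page's emergency policy; illustrative, not Keeptrusts' code.
DETECT_PATTERNS = [r"AKIA[0-9A-Z]{16}", r"ghp_[0-9A-Za-z]{36}",
                   r"-----BEGIN (RSA |EC )?PRIVATE KEY-----"]
BLOCKED_TERMS = ["customer export bucket", "payroll exception report"]
MAX_DISTANCE = 1  # fuzzy_matching: one edit tolerated per blocked term

# Constructed target mirroring the page's openai-zdr-emergency data_policy.
TARGETS = [
    {"id": "openai-zdr-emergency", "zero_data_retention": True, "training_opt_out": True,
     "retention_days": 0, "allow_internet_egress": False},
]

def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def dlp_reasons(text):
    """Reason codes the DLP stage attaches; an empty list means the stage passes."""
    reasons = [f"pattern:{p}" for p in DETECT_PATTERNS if re.search(p, text)]
    words = text.lower().split()
    for term in BLOCKED_TERMS:
        n = len(term.split())  # slide a window of the same word count over the prompt
        if any(edit_distance(" ".join(words[i:i + n]), term) <= MAX_DISTANCE
               for i in range(len(words) - n + 1)):
            reasons.append(f"term:{term}")
    return reasons

def compliant_targets(targets):
    """Targets that satisfy the data-routing-policy requirements from the page."""
    return [t for t in targets
            if t["zero_data_retention"] and t["training_opt_out"]
            and t["retention_days"] <= 0 and not t["allow_internet_egress"]]

def gateway_verdict(text, targets):
    """Block on a DLP hit; with no compliant provider, fail closed rather than fall back."""
    reasons = dlp_reasons(text)
    if reasons:
        return {"verdict": "blocked", "reasons": reasons}
    compliant = compliant_targets(targets)
    if not compliant:
        return {"verdict": "blocked", "reasons": ["routing:no_compliant_provider"]}
    return {"verdict": "allowed", "provider": compliant[0]["id"]}
```

The fuzzy window is what lets a near-miss such as "customer export buckett" still trip the blocked term, while a request with no compliant target is blocked with its own reason code so the evidence stream records why.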
When that policy is ready, validate it and move directly into evidence collection:
```bash
kt policy lint --file ai-breach-containment.yaml
kt gateway run --listen 0.0.0.0:41002 --policy-config ai-breach-containment.yaml
kt events tail --since 1h --verdict blocked --json
kt export-jobs create --type events --format json --date-from 2026-05-31 --date-to 2026-05-31
kt escalation list
```
This command set answers the five questions that matter first, one per command:
- Did the containment config validate?
- Is the emergency gateway path live?
- What is being blocked right now?
- Has an exportable evidence job been queued?
- Is a review backlog building while the incident is active?
That is enough to stabilize the first hour of the incident. After that, use the exported evidence packet for deeper scoping and resolve any queued escalations with clear notes so later reviewers understand whether the traffic represented actual leakage, attempted leakage, or a containment false positive.
Results and impact
The biggest benefit of this playbook is speed. Responders do not have to wait for every product team to ship an emergency patch before the AI path gets safer.
The second benefit is traceability. Because kt events and Export Jobs are part of the response itself, breach review starts with real timestamps, verdicts, reason codes, provider names, and config versions rather than vague recollection.
The third benefit is controlled human review. Escalations remain part of the incident story instead of becoming a forgotten queue that hides unresolved decisions.
Key takeaways
- In an AI breach, the gateway is the fastest safe containment point.
- Use PII Detector, DLP Filter, and Data Routing Policy as separate response levers.
- Export evidence while the incident is active, not days later.
- Keep the escalation queue in scope so human-review items do not become a second incident.
- Optimize for survivability first and comfort second.