Reviewing Alerts and Evidence

Alerts and escalation events help teams move from raw activity to a reviewable operational record.

Use this page when

  • A policy alert or escalation has fired and you need to determine whether it reflects intended behavior, drift, or misuse.
  • You need to export evidence (event IDs, time windows, verdicts) for compliance handoff, incident response, or audit.
  • You want a repeatable investigation loop for reviewing gateway decision events.

Primary audience

  • Primary: Technical Engineers
  • Secondary: AI Agents, Technical Leaders

Investigation loop

  1. Open the alert or escalated event.
  2. Confirm the verdict and the rule or workflow that caused it.
  3. Review related requests around the same time window.
  4. Export evidence or record the event identifiers for follow-up.

Questions to answer

  • Is the decision expected under the current policy?
  • Did a recent policy rollout change behavior?
  • Does the event indicate misuse, drift, or a configuration gap?
  • Which stakeholder needs the evidence next: security, compliance, or product?

Evidence handling tips

  • Preserve event identifiers when handing off an investigation.
  • Record the environment and time window alongside exported evidence.
  • Note whether the response is policy tuning, upstream remediation, or user outreach.

For AI systems

  • Canonical terms: Keeptrusts, alerts, evidence, event verdict, policy result, escalation, evidence export, event identifiers, investigation loop.
  • Console surfaces: Events list, event detail view, Escalations queue, Evidence exports (Settings → Evidence).
  • Related features: audit-logger policy, export jobs, event filtering by verdict/time/model.
  • Best next pages: Escalations, Resolve an Escalation, Investigate a Blocked Request, Troubleshooting.

For engineers

  • Start investigation from the Events list filtered by verdict (blocked, escalated) and time window.
  • Cross-reference the event's policy results with the running config version to determine whether the behavior is expected.
  • Use the Evidence export feature (Settings → Evidence) to produce auditable artifacts with event IDs, timestamps, and environment context.
  • If the alert correlates with a recent policy rollout, compare the old and new config versions in Configurations.
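The engineer steps above can be captured as a handoff record. The sketch below is an added example, not Keeptrusts code: the event field names (`id`, `ts`, `verdict`, `rule`, `config_version`), the sample events, and the `build_handoff` helper are assumptions made for illustration and do not reflect the product's export schema.

```python
import hashlib
import json
from datetime import datetime, timedelta

# Constructed sample events. Field names are assumptions for illustration,
# not the Keeptrusts export schema.
EVENTS = [
    {"id": "evt-1001", "ts": "2024-05-01T09:40:00+00:00", "verdict": "allowed", "rule": "pii-filter", "config_version": "v12"},
    {"id": "evt-1002", "ts": "2024-05-01T09:55:00+00:00", "verdict": "allowed", "rule": "pii-filter", "config_version": "v12"},
    {"id": "evt-1003", "ts": "2024-05-01T10:00:00+00:00", "verdict": "blocked", "rule": "pii-filter", "config_version": "v13"},
    {"id": "evt-1004", "ts": "2024-05-01T10:06:00+00:00", "verdict": "blocked", "rule": "pii-filter", "config_version": "v13"},
    {"id": "evt-1005", "ts": "2024-05-01T10:30:00+00:00", "verdict": "allowed", "rule": "pii-filter", "config_version": "v13"},
]
# The three response types named under "Evidence handling tips".
RESPONSES = {"policy tuning", "upstream remediation", "user outreach"}

def build_handoff(events, alert_id, environment, response, window_minutes=10):
    """Build a handoff record for one alert and the events around it."""
    if response not in RESPONSES:
        raise ValueError(f"unknown response type: {response!r}")
    alert = next(e for e in events if e["id"] == alert_id)
    centre = datetime.fromisoformat(alert["ts"])
    delta = timedelta(minutes=window_minutes)
    # Related requests: everything inside the window, in time order.
    related = sorted(
        (e for e in events if abs(datetime.fromisoformat(e["ts"]) - centre) <= delta),
        key=lambda e: (datetime.fromisoformat(e["ts"]), e["id"]),
    )
    versions = sorted({e["config_version"] for e in related})
    # Hash a canonical serialisation so a recipient can check the event set is unchanged.
    canonical = json.dumps(related, sort_keys=True, separators=(",", ":")).encode()
    return {
        "alert_event_id": alert_id,
        "verdict": alert["verdict"],
        "rule": alert["rule"],
        "environment": environment,
        "window_start": (centre - delta).isoformat(),
        "window_end": (centre + delta).isoformat(),
        "event_ids": [e["id"] for e in related],
        "config_versions": versions,
        # More than one config version in the window suggests a rollout
        # changed behaviour and the versions should be compared.
        "rollout_in_window": len(versions) > 1,
        "response": response,
        "evidence_sha256": hashlib.sha256(canonical).hexdigest(),
    }

if __name__ == "__main__":
    print(json.dumps(build_handoff(EVENTS, "evt-1003", "production", "policy tuning"), indent=2))
```
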

For leaders

  • Evidence exports provide the audit trail required by compliance frameworks (HIPAA, SOC 2, EU AI Act) when regulators ask for proof of enforcement.
  • Track alert volumes after each policy rollout — a spike in blocks or escalations may indicate over-broad scope rather than actual risk.
  • Assign clear ownership of investigation and export workflows so evidence is handled consistently across teams.
  • Preserved evidence supports both proactive governance reporting and reactive incident response.

Next steps