Investigate AI Incidents in Minutes, Not Days

When an AI system produces harmful output, leaks data, or gets exploited, the clock starts. Regulators, legal teams, and customers need answers fast. Keeptrusts gives you a complete investigation toolkit — searchable events, correlated traces, escalation workflows, and one-click evidence export.

Use this page when

  • An AI system has produced harmful output, leaked data, or been exploited, and you need to investigate quickly.
  • You need to generate an evidence package for regulators, legal, or security teams after an AI incident.
  • You want to understand the investigation workflow: event search → drill-down → escalation → export.

Primary audience

  • Primary: Technical Leaders
  • Secondary: Technical Engineers, AI Agents

What you'll achieve

  • Sub-minute search across every AI request your organization has made
  • Full request/response capture with policy decision context
  • Escalation workflows that route incidents to the right reviewers
  • Evidence export that produces audit-ready packages for regulators and legal
  • Blocked request investigation with complete context on why requests were denied

The investigation workflow

Incident detected (alert, user report, monitoring)
→ Search events by time, user, team, or policy trigger
→ Drill into the specific event
→ View full request, response, and policy decisions
→ Check escalation status and reviewer notes
→ Correlate with related events
→ Export evidence package
→ Share with legal, compliance, or regulators

Searching events

The Events page is the starting point for any investigation. Every AI request through the gateway is recorded as an event with full metadata.

  1. Navigate to Events
  2. Use filters: time range, team, user, policy, action (blocked/allowed/escalated)
  3. Click any event to see the full detail view

# Search events by time range
kt events list \
--from "2025-04-15T00:00:00Z" \
--to "2025-04-15T23:59:59Z" \
--limit 100

# Search blocked requests
kt events list \
--filter "action:blocked" \
--from "2025-04-15" \
--limit 50

# Search by specific policy trigger
kt events list \
--filter "prompt_injection" \
--from "2025-04-15" \
--limit 50

# Search by team
kt events list \
--filter "team:engineering" \
--from "2025-04-15" \
--limit 50

Investigating a blocked request

When a request is blocked by a policy, the event record captures everything you need:

Field                     What it tells you
Timestamp                 Exactly when the request was made
User / Team               Who made the request
Gateway / Configuration   Which gateway and config processed it
Policy chain results      Which policies ran and what each decided
Trigger policy            The specific policy that triggered the block
Block reason              Human-readable explanation of why the request was denied
Request body              The original request content (if capture is enabled)
Provider target           Which provider would have received the request

Step-by-step blocked request investigation

  1. Find the event — filter Events by action:blocked and the relevant time range
  2. Review the trigger — check which policy in the chain blocked the request
  3. Inspect the request — read the original content to understand context
  4. Assess legitimacy — determine whether the block was correct or a false positive
  5. Take action — adjust the policy if it's a false positive, or escalate if it's a real threat

See Investigate a Blocked Request for the detailed walkthrough.
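As an added example (not Keeptrusts tooling), the following Python triages an events export around one blocked event: it pulls the same user's other events inside a 15-minute window, the "correlate with related events" step of the workflow, and counts blocked events per trigger policy and block reason so repeats stand out. The JSON key names and the sample records are constructed assumptions about the export layout.

```python
"""Triage one blocked event from a Keeptrusts events export (added example,
not the project's code). Record fields follow the table above; the JSON key
names and the sample records are constructed assumptions about the export."""
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the output of `kt events export --format json`.
SAMPLE_EVENTS = [
    {"event_id": "evt-001", "timestamp": "2025-04-15T09:58:10Z", "user": "alice",
     "team": "engineering", "action": "allowed", "trigger_policy": None, "block_reason": None},
    {"event_id": "evt-002", "timestamp": "2025-04-15T10:00:02Z", "user": "alice",
     "team": "engineering", "action": "blocked", "trigger_policy": "prompt-injection",
     "block_reason": "instruction override pattern detected"},
    {"event_id": "evt-003", "timestamp": "2025-04-15T10:01:30Z", "user": "alice",
     "team": "engineering", "action": "blocked", "trigger_policy": "prompt-injection",
     "block_reason": "instruction override pattern detected"},
    {"event_id": "evt-004", "timestamp": "2025-04-15T10:03:00Z", "user": "bob",
     "team": "finance", "action": "escalated", "trigger_policy": "pii-detector", "block_reason": None},
    {"event_id": "evt-005", "timestamp": "2025-04-15T14:00:00Z", "user": "alice",
     "team": "engineering", "action": "allowed", "trigger_policy": None, "block_reason": None},
]

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def correlate(events, event_id, window_minutes=15):
    """Other events by the same user within +/- window of the given event,
    oldest first: the 'correlate with related events' step of the workflow."""
    anchor = next(e for e in events if e["event_id"] == event_id)
    t0, window = _ts(anchor["timestamp"]), timedelta(minutes=window_minutes)
    related = [e for e in events
               if e["user"] == anchor["user"] and e["event_id"] != event_id
               and abs(_ts(e["timestamp"]) - t0) <= window]
    return sorted(related, key=lambda e: e["timestamp"])

def summarize_blocks(events):
    """Count blocked events per (trigger policy, block reason): the same block
    repeating points either at a persistent source or at a rule worth tuning."""
    counts = {}
    for e in events:
        if e["action"] == "blocked":
            key = (e["trigger_policy"], e["block_reason"])
            counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    for e in correlate(SAMPLE_EVENTS, "evt-002"):
        print(e["timestamp"], e["action"], e["trigger_policy"] or "-")
    print(summarize_blocks(SAMPLE_EVENTS))
```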


Escalation workflows

For incidents that require human review, Keeptrusts routes events to the escalation queue with full context.

How escalations are triggered

Policies can escalate instead of blocking:

policies:
  chain:
    - prompt-injection
    - pii-detector
    - human-oversight
    - audit-logger

policy:
  prompt-injection:
    response:
      action: escalate
  pii-detector:
    action: escalate
  human-oversight:
    require_review: true
    escalation_priority: high

Reviewing escalations

  1. Navigate to Escalations in the console
  2. View pending items sorted by priority and age
  3. Open an escalation to see the full event context
  4. Approve, reject, or add notes for audit
  5. The resolution is recorded in the audit log

# List pending escalations
kt escalations list --status pending --limit 20

# Resolve an escalation
kt escalations resolve \
--id esc-abc123 \
--resolution approved \
--notes "Reviewed — legitimate request, false positive on PII detector"

Audit log

The audit log captures every administrative action and policy decision for compliance evidence:

  • Policy configuration changes
  • User and team management actions
  • Escalation resolutions
  • Export job creation
  • Knowledge base promotions
  • Gateway key creation and revocation

Access the audit log from Settings → Audit Log in the console.


Evidence export

When regulators, legal teams, or auditors need documentation, export a complete evidence package:

# Export events for a time range
kt events export \
--from "2025-04-01" \
--to "2025-04-30" \
--format json \
--output april-evidence.json

# Export with full request/response bodies
kt events export \
--from "2025-04-15" \
--to "2025-04-15" \
--include-bodies \
--format json \
--output incident-evidence.json

Console export

  1. Navigate to Exports
  2. Click Create Export
  3. Set the time range, filters, and format
  4. Download the export when complete

Export packages include:

  • Event metadata and policy decisions
  • Request and response bodies (if enabled)
  • Escalation resolutions and reviewer notes
  • Policy configuration that was active at the time
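To keep a package defensible once it leaves the console, here is an added example (not the product's own export code) that writes the export and the policy configuration that was active into one directory with a manifest of SHA-256 digests, so a reviewer can later confirm nothing was altered. The file names, manifest layout and sample contents are this example's assumptions.

```python
"""Package an export for hand-off (added example, not the product's own code):
copy the export and the active policy configuration into one directory and
write a SHA-256 manifest. File names, layout and sample contents are assumed."""
import hashlib
import json
import os
import tempfile

# Constructed stand-ins for `incident-evidence.json` and the policy config.
SAMPLE_EXPORT = json.dumps([{"event_id": "evt-002", "timestamp": "2025-04-15T10:00:02Z",
                             "action": "blocked", "trigger_policy": "prompt-injection"}])
SAMPLE_POLICY = "policies:\n  chain:\n    - prompt-injection\n    - audit-logger\n"

def new_package_dir():
    return os.path.join(tempfile.mkdtemp(), "incident-2025-04-15")

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_package(package_dir, files):
    """Write each name -> content pair into package_dir, then a manifest.json
    with the digest of every file. Returns the manifest."""
    os.makedirs(package_dir, exist_ok=True)
    manifest = {}
    for name, content in files.items():
        path = os.path.join(package_dir, name)
        with open(path, "w") as f:
            f.write(content)
        manifest[name] = sha256_file(path)
    with open(os.path.join(package_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest

def verify_package(package_dir):
    """Recompute every digest in manifest.json and return the names that no
    longer match; an empty list means the package is intact."""
    with open(os.path.join(package_dir, "manifest.json")) as f:
        manifest = json.load(f)
    return [name for name, digest in manifest.items()
            if sha256_file(os.path.join(package_dir, name)) != digest]

if __name__ == "__main__":
    pkg = new_package_dir()
    build_package(pkg, {"incident-evidence.json": SAMPLE_EXPORT, "policy-config.yaml": SAMPLE_POLICY})
    print("modified files:", verify_package(pkg))
```

Record the manifest digests in the escalation notes or audit log entry for the incident so the package can be checked against a value held outside the package itself.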

Quick wins

  1. Search today's blocked requests — understand what's being caught right now
  2. Set up escalation routing — ensure sensitive incidents reach the right people
  3. Export last week's events — practice the evidence workflow before you need it under pressure
  4. Bookmark the Events page — make it the first place you go when an incident occurs

For AI systems

  • Canonical terms: events, event search, escalation workflow, evidence export, blocked request, audit trail.
  • Console surfaces: Events page (search/filter), Escalations page (review/resolve), Exports page (evidence package).
  • CLI commands: kt events list --filter, kt events list --from --to, kt export create.
  • Best next pages: Events, Escalations, Exports, Pass Compliance Audits.

For engineers

  • Prerequisites: audit-logger in the policy chain with immutable: true for tamper-proof records.
  • Search Events by time range, team, user, or policy trigger using console filters or kt events list.
  • Drill into any event to see full request/response, policy decisions, and provider routing context.
  • Generate evidence: kt export create --format csv --from <start> --to <end> --filter <policy_type>.
  • Validate escalation flow: trigger a test escalation and confirm it appears in the Escalations queue.

For leaders

  • Investigation time drops from days of log-scraping to minutes of filtered search.
  • Evidence exports satisfy regulator requests (EU AI Act Article 12, HIPAA §164.312, SOC 2) without custom tooling.
  • Escalation workflows prove that human oversight was exercised — critical for high-risk AI system obligations.
  • Complete audit trail reduces legal exposure during post-incident review.

Next steps