# HAL Incident Response Template

> Domain 06: Monitoring. A runbook for when an agentic system misbehaves.

**Incident ID:** ___________   **System:** ___________________   **Detected:** ___________
**Owner:** ___________________   **Severity:** ☐ Low  ☐ Medium  ☐ High  ☐ Critical

## 1. Detect
- How was the incident detected? (alert / report / review)
- What is the observed behaviour vs expected?
- Time of first occurrence vs time of detection:

## 2. Pause / contain
- [ ] System paused or authority restricted
- [ ] Blast radius identified (records / customers / actions affected)
- [ ] Further harm prevented
- Containment actions taken:

## 3. Communicate
- [ ] Accountable owner notified
- [ ] Affected internal teams notified
- [ ] Affected customers / counterparties identified
- [ ] Regulator notification considered  ☐ Required  ☐ Not required
- [ ] Disclosure obligations reviewed

## 4. Remediate
- Root cause:
- Which HAL domain failed? (Ownership / Authority / Limits / Escalation / Evidence / Monitoring / Review / Liability)
- Corrective actions:
- Records / customers remediated:

## 5. Learn
- What control would have prevented this?
- HAL re-assessment required?  ☐ Yes  ☐ No
- Changes to limits / escalation / monitoring:
- Review date for corrective actions:

## Timeline
| Time | Event | Action | By |
|------|-------|--------|----|
|      |       |        |    |

Signed (owner): ___________________   Date: ___________

---
Part of the HAL Governance Toolkit. hal.orchestrate.legal