Production Agent Incidents: Real Post-Mortems

Layer 1: Trigger — The specific event that initiated the incident. This is usually well-documented and over-discussed in post-mortems, because it is concrete and blameable. A CSV import. A webhook fired twice. A rate limit not checked. The trigger is never the root cause — it is the visible entry point.

Layer 2: Proximate Cause — The immediate technical failure the trigger exposed. The deduplication key that wasn't set. The approval gate that wasn't inserted. The rate limiter that wasn't implemented. This is what teams fix after an incident, and fixing it is necessary but not sufficient — the same failure will recur through a different trigger if the systemic gap beneath it isn't addressed.

Layer 3: Contributing Factors — The conditions that made the proximate cause possible. Insufficient testing with real data. A handoff between two teams where each assumed the other owned the safeguard. Timeline pressure that caused a known risk to be deferred. Contributing factors are usually organizational and process-related, which makes them uncomfortable to document honestly.

Layer 4: Systemic Gap — The architectural or process design choice that allowed the contributing factors to exist. No deduplication pattern standard across the platform. No automated check that approval gates are present before production deployment. No ownership policy for automation governance. Systemic gaps are the layer most often skipped in post-mortems because addressing them requires changing how the organization works, not just how the software works.

Layer 5: Governance Failure — The oversight or policy failure that allowed the systemic gap to persist. No review process that would have caught the missing control. No accountability for the governance standard. No escalation path when a team member identified the risk and was overridden by schedule pressure.

What this means for your post-mortems: Most teams declare an incident closed when the proximate cause is fixed and the system is back online. By this framework's standard, they have completed Layer 2 of a five-layer analysis. The systemic gap is still open. The governance failure is still unaddressed. When the next variant of the same incident class arrives — and it will — the team will be surprised. This report shows you what all five layers look like for eight different incident categories, so that when you run your own post-mortem, you know what layer you're actually on.

The implementation requirement that most teams skip: A baseline is only useful if it is written down before an incident. Teams that establish baselines post-incident build them under pressure, too specific to the incident that just happened, missing adjacent failure classes. The right time to build your monitoring baseline is during the 48 hours before your first production deployment — when you have the clearest picture of expected behavior and the motivation to think carefully about what normal should look like.

The baseline you can build today — in under two hours: Document four numbers for each agent deployment you operate: (1) expected sessions per hour at peak, (2) expected tool calls per session by task type, (3) expected cost per session by task type, (4) expected error rate by error category. Write these numbers down. Set alerts at 3x each. This exercise takes two hours and transforms your monitoring from reactive to anticipatory. Every team in this report that had an incident without early detection had failed to do this one thing.

What happened: A marketing team member uploaded a CSV of 847 customer email addresses to trigger a "thank you" workflow. The CSV included a header row and 847 data rows. The workflow triggered on every row — including the header row itself.

Friday, 2:14 PM: First 848 emails begin sending at approximately 200/min. The header row email address ("Email Address") received the message alongside every real customer.

Friday, 2:23 PM: Send completes. 848 executions. No errors flagged. The workflow behaved exactly as it was configured to behave.

Friday, 2:47 PM: First customer reply arrives: "Why did I receive 6 identical emails?" The customer appeared six times in the CRM export — duplicated entries nobody caught. The deduplication step was on the backlog. It never shipped.

The full blast radius: 847 customers received the email. 6 customers received it multiple times. 1 non-customer received it (the header row). The automation program was suspended for three weeks while leadership debated whether to continue using it at all.

Trigger: CSV import with 847 rows plus a header row that the trigger treated as a data row.

Proximate cause: No deduplication key on the trigger. No row-count sanity check before execution began. No dry run against the actual file before the production send.

Contributing factors: The workflow was built by one team member and reviewed by another who assumed deduplication was handled upstream in the CRM export. Neither verified. Timeline pressure to send before end-of-week meant skipping the planned 48-hour shadow mode.

Systemic gap: No organizational standard requiring deduplication logic for any workflow that processes records from a file or CRM export. No pre-flight checklist including a row count review and a duplicate scan before triggering any bulk operation.

Governance failure: The shadow-mode requirement existed as an informal norm with no enforcement mechanism. A team member under deadline pressure could skip it without triggering any review. There was no named owner for the automation governance standard.

What actually fixed it: Not adding deduplication — that was already planned. What fixed it was a mandatory pre-flight gate: any workflow processing more than 10 records must complete a dry run review where the first 5 intended executions are shown to a human before the full run proceeds. This gate has blocked a recurrence of the bulk send incident class in every deployment since.

Day 0, Thursday 4:47 PM: A team member who owned a service account used across 14 automated workflows leaves the company. Standard IT offboarding runs that evening. The service account is deleted.

Day 1, Friday 6:03 AM: The first workflow dependent on the deleted account runs its scheduled trigger. The API call returns 401 Unauthorized. The workflow has error handling — but the error handler sends a notification to the deleted account's email address. The notification is never received.

Day 1, Friday 8:47 AM through 11:59 PM: Nine more workflows run and fail. All error notifications go to the same deleted email address. Nobody knows anything is wrong.

Day 4, Monday 9:12 AM: A team member checks a dashboard populated by one of the failing workflows and finds it hasn't updated since Thursday. Investigation begins. The full scope: 14 workflows down, four days of data missing, three customer-facing processes that failed silently over the weekend.

Trigger: Employee offboarding plus service account deletion.

Proximate cause: Workflows used hardcoded service account credentials rather than role-based access credentials that survive individual account changes. Error notifications routed to the account owner's email rather than a durable team alias. No monitoring that checked whether scheduled workflows had actually run.

Systemic gap: No credential dependency mapping for automation infrastructure. No standard for routing error notifications to a durable team address. No workflow execution monitoring independent of error notification.

Governance failure: IT offboarding had no step requiring a dependency audit before account deletion. Automation infrastructure was not included in the offboarding checklist. There was no owner for the credential audit process.

What fixed it: Two changes. First: every workflow error notification re-routed to a team alias with at least two members. Second: a weekly automated check verifying each scheduled workflow actually ran in the last 7 days and sending a summary to the automation owner. This single change — the weekly execution summary — would have surfaced this incident within 24 hours instead of 96.

What happened: A new multi-agent system was deployed to production after testing. The testing environment used GPT-4o-mini for all tasks. A single configuration variable — model_tier — was not updated during the production deployment. Production defaulted to GPT-4o for every task. In the 72 hours before the cost spike was detected, the system processed $47,000 in API calls — approximately 14x the monthly budget.

No cost monitoring: The team had API cost visibility at the monthly billing level only. There were no daily or hourly alerts. By the time costs were reviewed, the incident was already 72 hours old.

No per-session budget: There was no hard ceiling on token spend per session enforced at the infrastructure level. Individual sessions ran uncapped.

No environment parity check: The deployment pipeline had no automated verification that production configuration matched intended values. The configuration drift between test and production was not caught before rollout.

Control 1: Daily cost alerts at 50%, 80%, and 100% of budget. This converts a 72-hour detection gap into same-day detection. The specific thresholds matter less than the existence of the alert. This is a 30-minute setup task in any major cloud provider and most LLM API dashboards.

Control 2: Per-session token budget enforced at the gateway layer, not the prompt layer. Prompts can be overridden by the model; gateway limits cannot. Set the per-session limit at 3x your expected maximum session cost. Anything above that is either a runaway session or a configuration error.

Control 3: Pre-deployment configuration diff. Before any production deployment, automatically compare production configuration against staging and require explicit sign-off on any differing value. This is a script, not a process — it takes 30 minutes to build and prevents a $47,000 incident.

The pattern this incident reveals: Cost explosions almost always involve a configuration gap (wrong model, wrong parameters), a missing ceiling (no per-session budget), and a detection delay (no real-time alerting). All three are required for the incident to reach the numbers that cause organizational damage. Fixing any one of the three converts a catastrophic incident into a caught-and-corrected anomaly. Fixing all three means the incident class cannot reach organizational-damage scale even if the triggering configuration error still occurs.

What happened: A planner-executor-reviewer architecture was deployed to production. The planner agent decomposed tasks and assigned them to executor agents. The reviewer agent evaluated executor outputs and could request revisions.

Sessions 1–200: System performed as designed. Planner → Executor → Reviewer → Complete. Average 8–12 tool calls per session.

Session 201+: A specific task type — multi-document synthesis — began generating revision requests from the reviewer that the executor couldn't satisfy with its current tool access. The executor would revise. The reviewer would reject with slightly different feedback. The executor would revise again. Sessions began running 40, 80, 120+ tool calls without completing.

Day 4: Three concurrent sessions hit the context window limit during the revision loop. The system did not degrade gracefully — it produced incomplete outputs while consuming full token budgets. Cost for the day: 4x baseline. Customer-facing output quality: sharply degraded.

Trigger: A specific task type that exceeded the executor's tool-access boundary.

Proximate cause: No loop detection on the planner-executor-reviewer handoff. The reviewer could reject indefinitely without an escalation path. The executor had no mechanism to report that the reviewer's requirements exceeded its capabilities.

Systemic gap: No maximum revision count per task. No reviewer-to-escalation path when a task cannot be completed within defined tool boundaries. No test coverage for tasks near the boundary of executor capability.

What fixed it: Three changes. First: a hard maximum of 3 revision cycles per task, after which the task escalates to a human. Second: the reviewer was explicitly scoped to evaluate quality within the executor's defined tool access — if a quality improvement requires a capability the executor doesn't have, that is an escalation, not a revision request. Third: all executor capability boundaries were documented and added to the test suite as explicit boundary condition tests.

Why this incident class will increase in 2026: As teams move from single-agent to multi-agent systems, the planner-executor-reviewer pattern is becoming the dominant architecture. Every team adopting it will eventually encounter a task type that falls into the gap between executor capabilities and reviewer requirements. The teams that have already defined their escalation protocol before that task type arrives will handle it in minutes. The teams that haven't will spend days debugging what looks like a model quality problem but is actually a missing architectural constraint.

Inject 1 (pause and discuss): 'What do you do in the next 5 minutes? Who do you call? What do you check first?'

Facilitator note: The correct answer includes: (1) immediately check the automation run history to understand what triggered and how many times, (2) check whether the send is still running or has completed, (3) assign someone to draft a holding response for customer complaints while the scope is assessed. Teams that debate in the first 5 minutes instead of acting are revealing a gap in incident command clarity.

Inject 2 (after 10-minute discussion): 'You check the run history. A team member uploaded a CSV of 850 records 45 minutes ago. Your logs show 851 workflow executions — including one from a header row. The workflow appears to have completed. How many customers were affected and how do you find out?'

Facilitator note: Teams without a deduplication log will not be able to answer this question quickly. Document whether the team has a log of which records were processed in each bulk run. If not, flag as a gap.

Inject 3 (after 10-minute discussion): 'You determine 847 unique customers received the email. 6 customers received it multiple times. Your CEO is asking for a public statement within the hour. What does it say, and who approves it?'

Facilitator note: Watch for communication ownership gaps. Is there a named person who owns customer-facing incident communications? Is there an approval chain that can move in under an hour?

Why the last question matters: Tabletop exercises that produce no specific, assigned action items have a near-zero impact on incident prevention. The entire value of the exercise is in the gaps it surfaces and the specific changes that follow. If the exercise ends with 'that was useful' but no named owner for a named change with a named deadline, the exercise will not prevent the incident class it was designed to address.