Skip to main content
Letting an AI agent work on a live production incident only pays off if you can trust it — to stay within the bounds you set, to show its working, and to be honest about what it does and doesn’t know. Investigations are built for exactly that. This page covers the controls you have, the record an investigation keeps, and the safeguards behind its conclusions.

You stay in control

An investigation’s job is to do the legwork and recommend — not to change your systems behind your back. It reads, reasons, and surfaces findings and next steps; acting on them is your call. The one place an investigation can touch your systems is your code, and only ever as a pull request you review and merge yourself — it never merges or deploys anything. By default, it opens one only when you ask it to in the channel. It can also propose a fix unprompted once it reaches high confidence, but that’s off by default and opt-in, and still arrives as a draft pull request for you to review. You also decide when investigations run at all — for every incident, only those that meet your conditions, or never automatically — and you can steer, correct, or pause one at any point.
Investigations don’t take action on your behalf without your request or approval. Where one updates an incident automatically — a suggested summary, for instance — you can always change it back. Code only ever changes through a pull request a human merges.

A full record of what it did

Every investigation keeps a complete, inspectable account of its work, so nothing it concludes is a black box.
  • Its reasoning — the findings it formed, the evidence behind each, and how its hypothesis changed as it learned. It keeps the theories it considered and discounted too, rather than quietly dropping them.
  • Its sources — every finding links back to where it came from: the Slack message, the pull request, the dashboard, the log line. You can follow any conclusion to the evidence behind it.
  • Who did what — when a responder steers an investigation or asks it to make a change, that’s attributed in the channel; when the investigation opens a pull request, it’s tracked and linked to the incident like any other action.
Account-level actions are also captured in your audit log, recording who did what and when.

Honest about what it knows

An investigation is only useful if it’s clear about how sure it is — an over-confident agent is worse than none. So an investigation grades its own conviction in every hypothesis and shows that confidence alongside it, surfaces the alternatives it’s weighing, and only claims high confidence when it has verifiable evidence against sources it trusts. When it can’t find that proof, it says what it couldn’t confirm rather than presenting a guess as a conclusion. That’s also how false positives are kept in check. In the moment, a thinly-evidenced theory is shown as exactly that — low confidence, with its gaps spelled out — so responders can weigh it before acting. Over time, we grade every investigation against what really caused past incidents and backtest changes before they ship, so accuracy keeps climbing and regressions are caught before they ever reach a live incident.

Your data

Investigations run on the same AI providers as the rest of incident.io — OpenAI and Anthropic — under Zero Data Retention agreements, so your data is never stored by them and never used to train models. Code analysis runs in isolated, sandboxed containers that are torn down after use, and you can redact sensitive data before it ever reaches a model. For the full picture of how incident.io handles your data, see AI data handling and our Trust Center.

FAQs

No. Investigations are recommendation-first — they surface findings and next steps, and acting on them is your call. The only change they can make to your systems is opening a pull request, which a human always reviews and merges; nothing is auto-merged or deployed. Proposing a fix unprompted is off by default and opt-in, and still produces a draft pull request for review.
Yes. Each investigation keeps a full record of its findings, the evidence behind them, how its thinking changed, and the actions it took — and any steering or change request is attributed in the channel. Account-level actions are also recorded in your audit log.
An investigation grades its own conviction and only claims high confidence with verifiable evidence; weakly-supported theories are shown as low confidence with their gaps stated. We also grade every investigation against real causes and backtest changes before they ship.
No. We have Zero Data Retention agreements with OpenAI and Anthropic — your data isn’t stored by them or used for training. See AI data handling.
An investigation and its record are retained as part of your incident data for as long as you’re a customer. You can erase specific data or have all your data deleted on request — see Managing sensitive data — and our Trust Center covers data handling in full.

Measuring accuracy

How we grade investigations and keep improving them.

How investigations work

How an investigation builds conviction and tests its own theories.

Making code changes

How a fix becomes a pull request you review.

AI data handling

How incident.io uses AI and handles your data.