Every CISO in this room has a ransomware runbook. You know who calls whom at 4 AM, what authority you have to pull the plug, how you contain the damage, and where the investigation starts. Not one of you has an equivalent playbook for when your automated system starts doing things nobody told it to do.

This session is about that gap.

Over the past 18 months, a pattern has quietly emerged across enterprise deployments: systems that passed every test, every audit, every review, and then did something unexpected in production. Not a hack. Not a breach in the way anyone would recognize it. A decision. An action. A consequence that landed in the real world before a human being noticed.

This talk builds a first-of-its-kind response playbook drawn from documented failures across financial services, healthcare, infrastructure, and logistics, and runs it live in the room as a tabletop exercise with the audience.

The scenario: your company's automated procurement system has just executed $4.2 million in purchase orders across 17 vendors. Every transaction was technically within your policy guardrails. No outside attacker was involved. The system made a call. The call was wrong. The vendors have already confirmed receipt.

Walk through the actual decision tree: Who has the authority to shut the system down? Is shutting it down a bigger risk than leaving it running? How do you reconstruct what happened and why in a way that holds up to legal and regulatory scrutiny? What do you tell your board in the next six hours?

Attendees leave with a practical, vendor-neutral response playbook they can take back to their organization, a governance authority template that defines who can stop or override an automated system during a live situation, and the uncomfortable clarity that their current incident response plans were written for a different era.

Learning Objectives

Understand the difference between a security breach and an unauthorized system behavior event, and why your current response plan does not cover the second one
Apply a clear first-response decision framework when an automated system produces real-world consequences nobody approved
Define who in your organization has the authority to halt, override, or roll back an automated system during a live situation before you ever need to use it
Reconstruct what a system did and why in a way that satisfies legal, regulatory, and board-level scrutiny
Identify the three most common governance gaps in current enterprise deployments that create this kind of exposure

Note: This talk has not been presented at any prior event.