AI Incidents H1 2026 Retrospective: Failure Modes Analysis

AI incidents became a measurable category in the first half of 2026. Across the six-month window we catalogued more than fifty public events — hallucinations that reached customers, tool-misuse cascades that burned six-figure budgets, prompt injections that exfiltrated data, leaks that surfaced in regulator complaints, and bias-driven outcomes that landed in courtrooms. This retrospective walks through what happened, what it cost, how fast teams caught it, and what the failure-mode distribution implies for the second half of the year.

The shift from anecdote to data is the story. A year ago, cataloguing AI incidents meant collecting tweets and press headlines; the sample was too sparse, too noisy, and too biased toward consumer-facing assistants to support quarterly analysis. H1 2026 broke that pattern. Enterprise agent rollouts produced enough public events — driven partly by regulatory reporting obligations, partly by the sheer volume of production deployments — that the failure modes stratify cleanly and the severity distribution holds up to comparison across industries.

This guide covers the methodology behind the count, the five failure-mode categories that absorb roughly 90% of incidents, the severity distribution across customer impact and financial loss, the time-to-detect and time-to-contain numbers (the operational metrics that matter most for the H2 trajectory), the industry breakdown, the four cross-cutting trends the data surfaces, and our projection for the second half of the year. It pairs with our companion agentic incident response playbook — the retrospective is what the data says; the playbook is how teams respond.

Quarterly retrospectives on AI incidents weren't possible a year ago. The sample was sparse — a couple of high-profile chatbot embarrassments, the occasional copyright suit, a handful of disclosed prompt-injection demos at security conferences. Counting those events as "the AI incident landscape" was already misleading; the real failure modes were happening in private, visible only to the teams running production workloads.

H1 2026 broke that pattern for three reasons. First, enterprise agent rollouts crossed a volume threshold where the law of large numbers made public incidents inevitable; a fraction of one percent of agent-mediated transactions misbehaving in public is still a steady stream of disclosable events. Second, regulatory disclosure obligations expanded — the EU AI Act's incident reporting provisions came online for high-risk systems, and US sector regulators (financial services, healthcare) began treating AI-driven failures as reportable under existing model-risk frameworks. Third, the security research community standardised on disclosure norms for prompt-injection and data-exfiltration findings, producing a steadier flow of well-documented incidents from the offensive-research side.

The combination produced a dataset large and structured enough to stratify. Fifty-plus public events in six months isn't comprehensive — private incidents still dominate the actual failure surface — but it's enough to identify the dominant failure modes, rank them by severity, measure operational metrics like time-to-detect, and produce a forward projection that isn't just narrative.

The retrospective is published as a quarterly cadence because the failure-mode distribution shifts faster than the annual reporting cycle classical risk frameworks assume. Categories that were negligible in H2 2025 (tool misuse, agentic prompt injection) are now meaningful shares of the dataset; categories that dominated consumer narratives (chatbot personality drift) have largely receded. A team operating on a one-year update cadence is making risk decisions on a model of the world that's already wrong.

The catalogue stratifies cleanly into five failure modes. The taxonomy isn't exhaustive — every classification scheme collapses edge cases — but it captures the operational reality for roughly nine in ten public events. The remaining ~10% covers infrastructure failures, third-party model-provider outages, and human-in-the-loop process breakdowns that aren't cleanly attributable to a specific AI failure class.

The cards below describe each mode, the typical incident shape, the share of the H1 dataset, and the cross-cutting trend over the six-month window.

Two patterns stand out. Hallucination and bias are the categories most teams already have institutional memory for — eval suites, statistical bias testing, established review processes. Their shares are either declining or stable because the discipline of managing them is becoming routine. Tool misuse and prompt injection are the categories where most teams are still in discovery mode; their shares are rising because production deployments are outpacing the operational maturity needed to catch them.

Data leakage sits in its own bucket. The share is stable but the consequences aren't — a single data-leakage incident routinely produces ten times the regulatory and financial impact of a typical hallucination incident in the dataset. The distribution of severity isn't uniform across the failure modes, which is why the next section matters as much as this one.

Severity is measured here on a four-point scale: catastrophic (regulatory penalty, customer harm, or material financial loss over a threshold), major (significant customer impact requiring disclosure but bounded loss), moderate (degraded service with internal incident response but no external disclosure), and minor (caught at the edge with negligible customer impact). The bars below show the share of the H1 dataset that fell into each tier — across all five failure modes combined.

The half-and-half split is the headline. Roughly half the catalogued incidents (catastrophic + major) reached the customer-disclosure threshold. The other half resolved internally before external impact. That ratio is meaningfully better than the analogous historical figure for classical software incidents at comparable production scale, which suggests AI incident response is maturing — but the catastrophic tier at 18% is large enough that the operational discipline gap remains the dominant story.

Severity correlates strongly with failure mode. Data-leakage incidents skew heavily toward the catastrophic tier — roughly two-thirds of leakage events in the dataset reached regulatory reporting. Hallucination skews toward moderate and minor — the category is increasingly caught at deploy-time eval rather than in production. Tool-misuse cascades produce the widest severity distribution; the cost-spike incidents that get caught at minute four are minor, the ones that get caught at hour four are catastrophic.

Time-to-detect (TTD) and time-to-contain (TTC) are the two operational metrics that matter most for the H2 trajectory. They measure the discipline of the team responding to an incident, not the failure rate of the underlying model — and they're the metrics where year-over-year improvement is clearest in the dataset.

Median TTD across the H1 dataset was measured in hours. The comparable figure for AI incidents catalogued in H2 2025 was measured in days. That improvement is concentrated in the teams investing in agent-specific observability — token-spend anomaly detection, trace-volume baselines, eval regression canaries — and the long tail of the distribution still sits in the multi-day range for organisations without that instrumentation.

The variance in TTC is the operational story. A team with a kill-switch wired, runbooks rehearsed, and severity-tiered paging resolves a P0 in under two hours. A team writing the kill-switch during the incident — which the dataset suggests is still the modal case for first-time agent incident responders — spends roughly a day in active response. The cost of building those primitives before they're needed is small; the cost of building them during a P0 is the difference between a major and a catastrophic incident.

For teams standing up an incident-response programme from scratch, our companion agentic incident response playbook covers the five-phase loop in operational detail — detection, containment, eradication, recovery, postmortem — plus the severity matrix and runbook templates we install with clients before their first P0.

The industry breakdown reveals where the failure surface is most mature and where the discovery curve is steepest. Four sectors absorbed roughly three-quarters of the H1 dataset; the rest spread thinly across logistics, education, public sector, entertainment, and a long tail of vertical-specific deployments.

The matrix below summarises each leading sector — the dominant failure mode in that vertical, the typical severity profile, and the recommended posture for teams operating in that space.

The cross-cutting observation is that incident distribution tracks regulatory maturity. Financial services and healthcare both show high catastrophic-tier shares because the disclosure obligations are sharper — incidents that would resolve internally in another sector reach the public dataset because reporting is mandatory. The retail and SaaS sectors show lower catastrophic shares partly because the obligations are looser, not necessarily because the underlying failure rate is lower. Adjusting for disclosure obligations, the per-deployment failure rate appears broadly similar across sectors — a finding consistent with the hypothesis that failure modes are more about operational discipline than vertical specifics.

Four trends emerge consistently across the failure-mode and industry stratifications. Each is supported by the H1 dataset and informs the H2 projection in the following section. None is a surprise to teams operating at the leading edge; the contribution is that the data now supports treating them as quantitative patterns rather than qualitative intuitions.

Trend 01 · Agentic incidents are the fastest-growing share

Tool-misuse cascades grew their share of the dataset from roughly 12% in Q1 to roughly 30% by late Q2. The growth is directly tied to production agent rollouts crossing volume thresholds; teams that shipped agents earlier in the cycle are now seeing the second-order incident classes that don't surface in single-turn deployments. We expect this share to keep climbing through H2 as more enterprises move agentic pilots into production.

Trend 02 · TTD is falling fast — TTC is not

Detection times improved by roughly an order of magnitude over the half, driven by the spread of agent-specific observability tooling. Containment times improved much less. The pattern is that teams are getting better at noticing incidents before they're ready to respond to them — which is still a net improvement on the prior state, but produces a new operational failure mode: the team that pages on a real incident and spends the next 12 hours figuring out what to do.

Trend 03 · Regulatory exposure is now the dominant severity multiplier

Roughly a third of catalogued incidents triggered regulatory reporting in at least one jurisdiction. For incidents that cross that threshold, the cost — measured in remediation work, disclosure overhead, follow-on regulator engagement — routinely doubles. Regulatory exposure has overtaken direct financial loss as the largest single severity component for the catastrophic tier.

Trend 04 · Indirect prompt injection is rising faster than direct

The prompt-injection share grew steadily through the half, with indirect injection (via retrieved documents, tool outputs, or untrusted context) growing roughly twice as fast as direct injection. The implication is that RAG pipelines and tool-using agents have become a meaningful attack surface in their own right, distinct from the prompt window itself. Defensive patterns are still maturing here — the security research community is ahead of the defensive engineering community by roughly two quarters.

Projecting from a six-month dataset is hazardous — failure-mode distributions can shift in a quarter when a new agent framework crosses a deployment threshold or a regulator releases new guidance. The projections below are best read as scenario anchors, not predictions; we'll update them in the H2 retrospective at end of year.

Three working hypotheses inform our scenario for H2 2026: the volume of public incidents will roughly double again as more enterprises move agents to production, the failure-mode mix will keep shifting toward tool misuse and indirect prompt injection at the expense of hallucination, and regulatory exposure will grow as a severity multiplier rather than as an incident driver in its own right.

The operational implication for teams running production agents is clear-cut. Close the TTC gap before the next quarter — wire the kill-switches, write the runbooks, calibrate the severity matrix. Prioritise defence against indirect prompt injection over the marginal next eval improvement on hallucination. Treat regulatory exposure as a first-class component of the severity model rather than a downstream consequence. Our AI transformation engagements include the full incident-response programme — detection panels, runbook templates, severity calibration, postmortem discipline — built around the H1 2026 failure-mode distribution.

For teams new to the operational side of AI safety, the companion piece on the twelve-layer prompt injection defence framework covers the defensive engineering side of the dataset's fastest-rising attack surface in detail.