
v0.3.0 — Playbook 04: Tool Design Is Containment


@jacobideji jacobideji released this 18 Jun 15:22 · 78 commits to main since this release · 7934a1b


The second practitioner playbook ships in this release — the pre-incident preparation playbook that pairs with the Agent Privilege Matrix template shipped in v0.1.0. Per the framework's release model, every playbook is its own MINOR release; v0.3.0 captures Playbook 04.

What's new

  • playbooks/04-tool-design-is-containment.md (15.5KB · 2,298 words · ~9 min read) — Pre-incident playbook for designing the agent tool layer as a containment boundary. Operationalizes the Tier 0 / Tier 1 / Tier 2 model, the five per-tool controls (what / where / how-much / irreversibility / accountability), the 60-minute first-hour drill, and the tier-ordered Recovery Sequence.

  • README reading order #9 — Playbooks — now lists both PB01 and PB04 with one-line descriptions.

Why Playbook 04 closes a critical gap

The Agent Privilege Matrix template (templates/agent-privilege-matrix.csv) shipped in v0.1.0 and was the artifact M3 Tool Tiering depends on. But until v0.3.0, the template had no companion playbook. A reader picking up the framework today saw:

  • A CSV template with columns like risk_tier, approval_required, reversible
  • A README explaining the columns
  • Forward references to playbook-04 that pointed at nothing

v0.3.0 closes that gap. Playbook 04 is the operational guide for using the matrix — the thing that converts "I downloaded the template" into "my highest-risk agent has its tools tiered with one upgrade shipped this week."

Playbook 04 — sections shipped (CONTRIBUTING template compliant)

  • Premise — Why tool design IS containment, and why this work is done on a quiet Tuesday rather than under incident pressure
  • First-Hour Actions — The 60-minute drill on one production agent (pick → audit → tier → identify top risk → ship one upgrade)
  • Containment Options — The Tool-Tiering Model (T0/T1/T2 with examples) + the Five Controls (what / where / how-much / irreversibility / accountability)
  • Evidence Priorities — How tool-design choices shape the Minimum Evidence Set Type B (Tool-Call Ledger) and Type F (SaaS audit correlation)
  • Recovery Sequence — Tier-ordered re-enablement (T0 → T1 with tightened caps → T2 one tool at a time with approvals → baseline)
  • Post-Incident Hardening — 9-action checklist that converts incident lessons into code changes (split god tools, add allowlists, tighten caps, add diff previews, instrument structured logging)
  • Common Pitfalls — 10 highest-frequency failure modes (God Tools · no read/write split · T2 defaulted to no-approval · allowlist as comment not code · no diff preview · cap counts requests not blast radius · success-only logging · tools not in AI-BOM · T2 without approver identity contract · DRY-reusing tool definitions across agents with different risk profiles)
  • Related — 11 framework cross-references
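As an added illustration, not code from the aiiroverlay repository, here is a minimal tool gate that loads a privilege matrix in the CSV shape the release describes and applies the where / how-much / accountability controls to each call, writing denials as well as successes into a tool-call ledger. The column names beyond risk_tier, approval_required and reversible, the sample rows, and the gate logic itself are assumptions made for this example.

```python
import csv
import io

# Constructed privilege matrix. risk_tier, approval_required and reversible are the column
# names the release cites; tool, scope_allowlist and max_calls_per_hour are assumed here.
MATRIX_CSV = """tool,risk_tier,approval_required,reversible,scope_allowlist,max_calls_per_hour
search_docs,T0,no,yes,*,1000
draft_ticket,T1,no,yes,jira:PROJ-*,50
delete_records,T2,yes,no,db:staging,5
"""
LEDGER = []  # Tool-Call Ledger: one entry per decision, denials included

def load_matrix(text):
    """Parse the CSV into {tool: policy}; the allowlist is data the gate enforces, not a comment."""
    policies = {}
    for row in csv.DictReader(io.StringIO(text)):
        policies[row["tool"]] = {
            "tier": row["risk_tier"],
            "approval": row["approval_required"] == "yes",
            "reversible": row["reversible"] == "yes",
            "allow": row["scope_allowlist"],
            "cap": int(row["max_calls_per_hour"]),
        }
    return policies

def scope_allowed(pattern, scope):
    if pattern == "*":
        return True
    if pattern.endswith("*"):  # prefix match only when the pattern ends in '*'
        return scope.startswith(pattern[:-1])
    return scope == pattern

def gate(policies, usage, tool, scope, approver=None):
    """Decide one tool call, record it in the ledger, return (allowed, reason)."""
    pol = policies.get(tool)
    if pol is None:
        verdict = (False, "tool not in matrix")          # unknown tool: deny by default
    elif not scope_allowed(pol["allow"], scope):
        verdict = (False, "scope outside allowlist")     # where
    elif usage.get(tool, 0) >= pol["cap"]:
        verdict = (False, "hourly cap reached")          # how-much
    elif pol["approval"] and not approver:
        verdict = (False, "approver identity required")  # accountability for T2
    else:
        usage[tool] = usage.get(tool, 0) + 1
        verdict = (True, "allowed")
    LEDGER.append({"tool": tool, "tier": pol["tier"] if pol else None, "scope": scope,
                   "approver": approver, "allowed": verdict[0], "reason": verdict[1]})
    return verdict
```

The denial entries in LEDGER are what the success-only-logging pitfall would have dropped; the per-tool usage counter is the place to count blast radius rather than raw requests.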

Crosswalk coverage

Playbook 04 supports the following industry-standard subcategories — referenced citation chain:

  • NIST AI RMF 1.0: MAP 4.1, MANAGE 1.3, MANAGE 2.4
  • NIST CSF 2.0: ID.AM-05 (asset prioritization), PR.AA-05 (access permissions with least privilege), RS.MI-01 (incidents contained)
  • OWASP Agentic Top 10 2026: ASI02 Tool Misuse & Exploitation (direct), ASI03 Identity & Privilege Abuse, ASI05 Unexpected Code Execution

What this unlocks

The framework now spans the complete temporal arc for the privileged-identity-class scenario:

PB 04 (Proactive)      →  Design tools BEFORE the incident
       ↓
PB 01 (Reactive)       →  Respond when the incident happens
       ↓
[PB 18 forthcoming]    →  Harden AFTER the incident (v0.4.0 candidate)
       ↓
[PB 24 forthcoming]    →  Report to the board (v0.5.0 candidate)

A reader who downloads v0.3.0.zip gets — for the first time — both the pre-incident preparation playbook AND the incident response playbook. The framework is now executable on both sides of the incident timeline.

What did NOT change

  • The four MVO controls (Inventory, Safe Modes, Minimum Evidence Set, Controlled Re-Enable)
  • The Six Triage Questions
  • The Kill-Switch Modes M0–M5
  • The Minimum Evidence Set A–F
  • The four-level Maturity Model
  • All 3 crosswalks (NIST AI RMF + NIST CSF 2.0 + OWASP Agentic)
  • All templates (AI-BOM, Privilege Matrix)
  • All 4 OSS-convention files
  • All 5 .github/ templates
  • Apache 2.0 + Trademark Notice in LICENSE
  • Playbook 01 (byte-identical to v0.2.0)
  • Branch protection on main (enforced from v0.2.0 onward)
  • 100/100 GitHub Community Standards

CITATION.cff

  • Top-level version: "0.3.0"
  • preferred-citation.version: "0.3.0"
  • date-released: "2026-06-18"

Cite this release

Ideji, J. (2026). The AI IR Overlay Framework (v0.3.0). https://github.com/jacobideji/aiiroverlay

Forward references — playbook roadmap

Remaining load-bearing forward references (multi-file citations):

  • playbook-18 Post-Incident Hardening — v0.4.0 candidate (referenced from crosswalks/nist-csf-2.md + kill-switches/overview.md)
  • playbook-24 Board-Ready Scorecard — v0.5.0 candidate (referenced from framework/01-minimum-viable-overlay.md + framework/03-maturity-roadmap.md)

Single-reference forward refs (lower priority but available): playbook-03 (RAG Forensics), playbook-12 (Insider Threat 3.0), playbook-13 (Six Metrics), playbook-14 (Testing for Agent Failure Modes), playbook-15 (Records and Retention), playbook-20 (Operating Cadence), playbook-23 (Multi-Stakeholder Logging).

Acknowledgments

The "Tool Design Is Containment" thesis — prompts guide, tools contain — comes from Issue #4 of the AI IR Overlay LinkedIn newsletter. v0.3.0 makes that thesis concrete in an executable pre-incident runbook with a Tier 0/1/2 model, five-control checklist, and 60-minute first-hour drill that any platform team can run starting today.