How do we stay blameless when InfoSec or Compliance wants names for audits?

Name roles and controls, not people. Auditors want traceability, not scapegoats. Record who approved the control change and where it lives. Use phrases like “control missing” and “control failed.” Provide links to PRs, runbooks, and change requests. That satisfies SOX/ISO while staying blameless.

What if action items require cross-team work and die in the queue?

Create a Reliability workstream with ring-fenced capacity (10–20%) and a VP sponsor. Use a shared Jira board for postmortem items with a 30-day SLA and escalation to the sponsor at 21 days. Review the board in the Ops QBR. Make blocking visible and someone’s job.

We’re stuck with CAB and long change windows. How do we move fast enough?

Split fixes into interim guardrails (feature flags, circuit breakers, increased alert lead time) that don’t require heavy CAB, then schedule the durable change. Document both in the postmortem. Your SLA is to land the interim control within a week, durable within 30 days.

What if the incident came from AI-generated code or a hallucinated config?

Treat it as a class of failure. Add guardrails: policy-as-code checks, static analysis for risky patterns, mandatory peer review for AI-assisted diffs, and a “vibe code cleanup” task. Track recurrence like any other control failure and fix at the system level (templates, linters, approval rules).

Culture · Nov 28, 2025 · 9 minute read

The Blameless Postmortem That Finally Stopped Our 2 a.m. Pages

If your postmortems end with “action items” that never land, you’re collecting folklore, not fixing systems. Here’s the concrete process we’ve implemented at large enterprises to actually prevent repeat incidents—complete with rituals, leadership moves, and metrics that keep everyone honest.

Back to all posts

The Blameless Postmortem That Finally Stopped Our 2 a.m. Pages

Key takeaways

Implementation checklist