Alerts and signals

The events you'd want to know about, on one stream. Each behavioural signal carries a type, severity, subject, and a JSON detail blob. You triage from a click-through drawer and resolve as acknowledged, false_positive, or escalated.

What's a signal

A signal is anything the platform decided was worth surfacing. Generated from telemetry, billing data, fluency scores, or policy evaluation. The four categories on the toolbar group every signal type:

Category	Signal types
Content safety	`pii_detected`, `secret_detected`, `api_key_in_prompt`, `customer_data_pattern`, `banned_content_pattern`
Brand and usage	`brand_violation`, `off_topic_production`, `personal_use_company_account`, `abuse_pattern`, `wasteful_prompting`
Budget	`forecast_breach`
Operational	`monitoring_gap`, `model_regression_signal`, `auth_context_mismatch`, `key_misuse_detected`

Severity is one of INFO, WARN, BLOCK. The page defaults to showing WARN and BLOCK only — INFO is available via the severity filter when you need to dig.

Standard list-page chrome with a few extras:

Open only switch — defaults on. Flips between resolved-and-unresolved or unresolved-only.
Unacked counter — left of the switch. Shows how many WARN+ signals haven't been touched.
Severity filter — chip-style multi-select.
One filter section per category — so you can narrow to "show me all content-safety BLOCK signals from the last week" in two clicks.
Sort by — detected at, severity, or type.

The category filters store their selections in the URL under cat:contentSafety, cat:brandUsage, etc. — deep-linkable.

The drawer

Click any row to open the manager-ack drawer on the right.

The drawer shows:

Subject — the session, turn, or service account the signal is about.
Service — for service-account signals, the name and environment.
Session link — jumps to the engineer's My AI Usage page filtered to the offending session.
Details — the raw JSON detail blob. Copy-friendly.
Note field — required for escalated, optional otherwise.

Three resolution buttons at the bottom:

Button	What it does
Acknowledge	Marks the signal handled. Counter ticks down. No further action.
Mark false positive	Same as acknowledge, but feeds back into the rule that fired it — repeated false positives on a rule eventually surface a tuning suggestion.
Escalate	Note required. Routes to your security team via the configured signal-notification channel (in-app + email).

Resolutions are append-only — the resolution and note end up on the audit trail with the resolver's identity.

Notification routing

When a WARN or BLOCK signal is raised, Flowstate fires a signal-notification according to your org's notification settings. The default is in-app + email to the subject's manager (for personal signals) or the policy owner (for service-account or operational signals). See Settings → AI → Notifications for the routing table.

Where the data comes from

Signal generation is split across the platform:

Content safety + brand — the agent and the in-platform classifier raise these inline as sessions are ingested.
Budget — the forecast service raises forecast_breach when projected spend crosses the policy threshold.
Operational — the platform monitors itself: monitoring_gap fires when a connected provider has gone 14 days without traffic; model_regression_signal fires when a model release shifts fluency scores beyond the noise floor.

Empty state

If no signals match your filters, the table shows a circle-alert empty state. Most likely you've over-narrowed — clear the filters and try again.

Alerts and signals ​

What's a signal ​

The toolbar ​

The drawer ​

Notification routing ​

Where the data comes from ​