- Severity 1 (active data exfiltration): RACF ALTUSER REVOKE the compromised userid immediately
- Severity 2 (unauthorized access attempt): increase monitoring, do not revoke yet (preserve evidence)
- Severity 3 (policy violation): document and investigate during business hours