Creating an Autonomous CRM Incident Investigator with Nova

I have spent a significant part of my career working closely with CRM data. And if there is one thing that never stopped being frustrating, it is this: the moment an alert fires telling you a lead source has dropped, you already know the hard part is not the detection. The hard part is everything that comes after it.

In this article, I wanted to look at this from a closer angle.

The pattern was always the same: Leads from X source from Germany drop overnight. The alert fires. You open your SQL client, start forming hypotheses, and run the first query. The result changes the next hypothesis. You run another query. Then another. Is the drop isolated to Germany or is it hitting the same source across other markets too? Did the pipeline fail at a specific timestamp or was it gradual? Is it a form-level issue or something in the broader source family? 

Every incident looked similar on the surface. The investigation underneath was always different. You could not write a fixed rule that covered all of them because the right path depended entirely on what the data showed. 

And then, once you had your answer, you had to explain it. Operations, sales, leadership. They needed to act on it, which meant you needed to translate query results into plain language that was accurate, clear, and fast. That translation happened every time. It was repetitive, it was time consuming, and there was no way to generalize it with rules.

I started thinking about this project not as a hackathon submission but as a solution to something that had genuinely bothered me for years.

The Autonomous CRM Incident Investigator is an agentic system built on Amazon Nova Pro V1 through Amazon Bedrock, with Amazon Athena handling the query execution.

The detection step is straightforward SQL. A preparatory query compares the last 28 days of CRM data against the most recent 7 days and flags any source and country combination with a volume drop above 50%. That part does not need a language model.

What happens next does. Each flagged anomaly is passed to Nova Pro V1 along with a bounded set of pre-registered Athena Named Queries. The key word is bounded. Nova does not get access to arbitrary SQL. It gets access to exactly the queries that matter for this class of incident: day-by-day volume trend, country peer volumes, source family peers across other countries, last-seen timestamp, and a row-level sample for final inspection.

Nova reads the result of each query before deciding whether to call the next one. If the first two queries establish that the drop is country-wide, the source-family query adds nothing. Nova skips it. If the evidence points somewhere unexpected, it continues. The path is shaped by the data, not by hard-coded branching logic written in advance by a human who cannot anticipate every scenario.

Session memory carries findings across anomaly iterations within the same detection cycle. If Nova confirms a multi-country weakness on the first flagged source, subsequent investigations for the same source family skip the peer analysis entirely. The system does not repeat work it has already done.

The output is a strictly typed JSON verdict: root cause, pattern classification, plain-language explanation, and operational impact. Ready to hand to anyone, technical or not.

The demo runs against a synthetic dataset of 500,000 CRM lead records spanning five months, with two deliberate anomalies injected into the final week. The first is isolated: FR | LinkedinForm goes to zero overnight. The second is broader: GB | web_form and DE | web_form both drop 85%, representing a multi-country source family failure.

For the French anomaly, Nova runs the full path. It traces the trend, checks peer sources within France, examines the source family across other markets, and extracts the exact timestamp the pipeline stopped.

For the German anomaly, which follows in the same detection cycle, Nova identifies early that the drop pattern matches the multi-country weakness already established for GB | web_form. The source-family query is skipped. 
Fewer steps, same quality of verdict.

That is what the demo is designed to show. Not that the system can call a query. That it can stop calling one when the evidence already answers the next question.

Demo link: https://www.youtube.com/watch?v=jmkgq3DpeTc 

The most obvious benefit is time. Mean time to resolution for this class of incident drops from hours to minutes without requiring a data analyst to be available and context-switched every time an alert fires.

But the less obvious benefit is consistency. When a human investigates manually, the quality of the output depends on who is doing it, how much time they have, and how familiar they are with that specific type of anomaly. An autonomous system produces the same structured output every time, regardless of incident volume or hour of day.

The architecture is not limited to lead source monitoring. Any CRM data incident where the hypothesis space can be defined in advance is a candidate: conversion rate anomalies, duplicate record spikes, field-level data quality failures. The tool registration layer is what changes. The agent logic stays the same.

The next step is connecting the detection layer to an existing alerting system so the investigator fires automatically rather than on demand. That closes the loop completely and turns what is currently a tool you run into a system that runs itself.

The source code is public. The stack is Python, Boto3, and active AWS credentials with Bedrock and Athena access. If you are already on AWS, setup takes under thirty minutes.

Github Link: https://github.com/selimsevim/nova-crm-investigator