Control # E3.1
Maintain an AI incident response plan with severity tiers
Create and maintain an AI incident response plan that defines what constitutes an AI-related incident and assigns severity tiers based on potential impact to users, systems, or society. Each tier should have mapped response actions, escalation procedures, and resolution timelines.
Evidence
Incident Response Plan (IRP) document includes specific AI scope and definitions
Recommended actions
Create an incident response plan
AI-specific incidents should be explicitly scoped and defined within your Incident Response Plan (IRP). These incidents may involve model failures, hallucinations, data leakage, unauthorized access to model outputs, unsafe behavior, or failures in risk mitigation mechanisms.
To operationalize this, your IRP should include:
An AI incident definition. Clearly define what qualifies as an "AI-related incident." An example is "Sensitive user data is exposed via model responses."
An incident response strategy. Develop playbooks for common AI failure modes. These playbooks should outline:
Detection: How incidents are identified (e.g., monitoring logs, human review, flagged outputs).
Triage: Criteria for severity (e.g., user harm, data exposure, system integrity).
Response roles: Who leads technical, legal, and communication responses.
Communication: Internal escalation, external disclosure, and user notification if applicable.
Containment & Recovery: How the system is stabilized and brought back into a safe state.
Remediation & Prevention: Postmortem analysis and updates to models, prompts, or safeguards.
Each AI incident should be documented with structured fields:
Date/Time
Detection Method
Incident Summary
Which AI system or model was involved
Which component of the Manage function broke down (e.g., policy, access control, testing, monitoring)
Impact (e.g., user harm, data exposure, financial cost)
Response Actions Taken
Root Cause
Preventative Measures Implemented