When an AI incident occurs: contain the incident, assess impact, notify appropriate parties, remediate the issue, and implement prevention measures. Having this checklist ready before an incident ensures fast, effective response.
AI Incident Response Checklist: What to Do When Things Go Wrong
Immediate Response: First 60 Minutes
- Identify and confirm the AI-related incident
- Contain the issue by stopping the AI process, or disabling the integration that feeds it, if it is still running
- Preserve evidence: keep the original logs, the prompts and outputs involved, screenshots, and a record of which model or version was in use; copy rather than edit, and note who collected what and when
- Alert your incident response team or manager
- Assess whether personal or confidential data was involved
Speed matters in the first hour. Focus on stopping ongoing harm and preserving evidence. Where the two conflict, capture what you can before you stop the process, because logs and session state may not survive a shutdown. Do not try to fix everything immediately; a hasty root-cause fix can destroy the evidence you will need for assessment and notification.
Assessment: First 24 Hours
- Determine what data was exposed or what error occurred
- Identify who is affected
- Evaluate severity based on data sensitivity, the number of people affected, and whether the harm is ongoing or reversible
- Determine whether regulatory notification is required
- Engage legal counsel if personal data or liability is involved
Under GDPR, a personal data breach must be reported to your supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. The clock starts when you become aware of the breach, not when your investigation ends, so notify with what you know and provide the remaining details in phases.
Notification and Communication
Submit regulatory notifications within the required timeframes. Notify affected individuals without undue delay if the incident is likely to result in a high risk to their rights and freedoms. Communicate to internal stakeholders. Prepare external communications if the incident is public-facing. Be honest and transparent in all notifications, and do not state as fact anything your assessment has not yet confirmed.
Remediation and Prevention
Fix the root cause, not just the symptom. Update AI policies and controls. Provide additional training if human error was involved. Update your risk assessment. Document the entire incident, the response, and the lessons learned. Schedule a follow-up review to verify that the remediation is effective and that containment has held, for example that the stopped process has not been restarted without the fix in place.
Building Audit Confidence
Audit readiness is not about having perfect documentation or flawless processes. It is about demonstrating that your organization takes AI governance seriously and is making genuine, continuous effort to manage AI responsibly. Auditors and regulators look for evidence of systematic attention, not perfection.
The single most valuable thing you can do is maintain consistent records. Document your decisions, your assessments, your training activities, and your responses to incidents. When an auditor reviews your records, they should see a story of ongoing engagement with AI compliance, regular reviews and updates, and a willingness to identify and address gaps. This narrative of continuous improvement is far more compelling than a static compliance snapshot.
Create a simple compliance calendar that maps out your key AI governance activities throughout the year. Include quarterly risk assessment reviews, annual policy updates, regular training sessions, and monthly compliance spot checks. Having a calendar ensures that compliance activities do not fall through the cracks and helps you demonstrate to auditors that your governance program is systematic rather than reactive.
Practice your incident response before a real incident occurs. Run a tabletop exercise where your team walks through a hypothetical AI incident scenario. Discuss who would do what, what information you would need, and how you would communicate internally and externally. These exercises reveal gaps in your response plan that are much better discovered during practice than during an actual crisis. Even a thirty-minute tabletop exercise can dramatically improve your readiness.
This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently; verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.