Purpose & definitions

• AI incident: Any unplanned AI behaviour or process failure causing or likely to cause harm (technical, privacy, ethical, legal, operational, reputational).
• Serious incident (EU): Death/serious injury, systemic bias, significant disruption, or breach of fundamental rights.
• Near miss: Risk materialised without downstream harm but requiring mitigation.

Detection signals & triggers

• Model drift or performance drop > agreed thresholds (e.g., F1 ↓ 10% week-on-week).
• Bias metrics breach (e.g., TPR gap > 5%).
• Security alerts (prompt injection, data exfil, jailbreak success rates).
• Privacy events (PII leakage in outputs or logs).
• User or regulator complaints; AnswerBot feedback spike.

Severity matrix & SLAs

Triage flow & role matrix

• Incident Manager (IM): opens ticket, sets severity, coordinates containment.
• Tech Lead: disables feature/rolls back model; gathers logs & metrics.
• Compliance Lead: classifies regulatory impact; starts evidence capture (EV-IDs).
• DPO/Security: engages for privacy/security events; assesses reporting duties.

ALERT → IM assigns severity → Contain (kill switch/downgrade) → Notify stakeholders
→ Collect artefacts → Decide on regulator/client notifications → Begin RCA → Launch CAPA

Investigation & evidence

• Preserve logs, prompts, inputs/outputs, model/version hashes, feature flags.
• Create a time-lined event narrative; attach plots (drift, bias, latency) with EV-IDs.
• Root Cause Analysis (fishbone, 5-Whys, fault tree) with corrective hypothesis.

CAPA process (8D)

1. D1 Team: Assign IM, Tech Lead, Compliance, DPO.
2. D2 Problem Statement: What/when/where/scope; attach artefacts.
3. D3 Containment: Kill switch, block routes, revert model.
4. D4 RCA: Technical + process factors; verify with data.
5. D5 Corrective Actions: Fix defect; tests; risk acceptance by Board.
6. D6 Preventive Actions: Improve prompts, guardrails, data QA, monitors.
7. D7 Effectiveness Check: KPIs sustained over N periods.
8. D8 Closure: Evidence pack, lessons learned, policy update.

Regulatory & client communications

• Assess notification triggers (EU AI Act serious incident; UK ICO breach rules).
• Client notice template with timeline, scope, user impact, remediation.
• Public statement (if required): approved by Authorising Officer and Legal.

Post-Market Monitoring linkage

• PMM thresholds auto-open incidents (webhook) and pre-populate ticket fields.
• Incident trends feed quarterly management review and continuous improvement.

Templates & forms

CAPA_ID,Incident_ID,Action_Type,Description,Owner,Due_Date,Status,Effectiveness_Check_Date,Linked_Risk_ID,EV_IDs,Notes
  

Implementation checklist

• Severity matrix and SLAs approved by Governance Board.
• Incident runbook integrated with PMM thresholds and alerts.
• CAPA log live with owners, due dates, and effectiveness checks.
• Evidence IDs applied to all artefacts; quarterly trend review in Management Review.
• Regulator & client notification playbooks rehearsed (table-top exercise).

© Zen AI Governance UK Ltd • Regulatory Knowledge • v1 15 Nov 2025 • This page is general guidance, not legal advice.