AI Incident Response & CAPA (Corrective and Preventive Actions) Policy

Zen AI Governance — Knowledge Base EU/UK alignment Updated 09 Nov 2025 www.zenaigovernance.com ↗

Key takeaways
  • All AI incidents — from model errors to ethical breaches — must be logged, analysed, and verified through CAPA.
  • EU AI Act Article 62 mandates serious incident reporting within 15 days of awareness.
  • CAPA ensures systemic learning — incidents feed back into policies, training, and technical safeguards.

Overview & objectives

The purpose of this policy is to establish a structured, auditable process for managing AI-related incidents, near-misses, and nonconformities. It ensures rapid containment, root-cause identification, corrective and preventive measures, and evidence capture to demonstrate continual improvement under ISO/IEC 42001.

Definitions & scope

  • AI Incident: Any unexpected behaviour, malfunction, or output causing or likely to cause harm, legal violation, or reputational risk.
  • Non-conformity: Deviation from approved policy, standard, or process (e.g., model released without CAB approval).
  • Near-miss: Potential but unrealised failure detected before harm occurred.
  • Scope: All AI systems, datasets, suppliers, and oversight processes under the AIMS boundary.

Incident workflow stages

  1. Detection: System alert, user complaint, or oversight observation.
  2. Logging: Create record (AI-INC-###) with date, system ID, severity, and owner.
  3. Containment: Suspend AI component or isolate data pipeline if needed.
  4. Analysis: Perform RCA using 5-Whys or Fishbone methods; assign interim risk level.
  5. Correction: Apply fix, retrain model, or rollback release; verify performance post-action.
  6. CAPA Initiation: Raise CAPA record with corrective & preventive tasks and deadlines.
  7. Closure: AO approval after verification of effectiveness and updated evidence pack.

Roles & responsibilities

  • Incident Manager: Coordinates detection, containment, and reporting.
  • Model Owner: Provides technical analysis and rollback plan.
  • Oversight Officer: Validates incident classification and ensures human-in-the-loop authority.
  • Compliance Lead: Handles regulatory notifications and CAPA documentation.
  • Authorising Officer (AO): Approves final closure and lessons learned.

Regulatory reporting

  • EU AI Act Art 62 requires providers to notify competent authorities of serious incidents within 15 days.
  • Reports include description, risk assessment, mitigation, and recurrence prevention plan.
  • Notifications handled only by Compliance Lead or authorised delegate.
  • Keep log of all submissions and correspondence as evidence for AIMS audits.

Root cause analysis (RCA)

  • Analyse across 4 lenses — Data, Model, Process, and Human Factors.
  • Use templates to identify:
    • Triggering event > Immediate cause > Root cause > Corrective action.
  • Classify causes (e.g., bias, misconfiguration, oversight error) and assign risk linkage (R-ID).
  • Document findings in incident record; cross-reference CAPA ID.

Corrective & Preventive Actions (CAPA)

  • Corrective: Action to remove the cause of a detected nonconformity.
  • Preventive: Action to remove the cause of potential nonconformity.
  • Each CAPA includes:
    • Root cause & impact summary
    • Corrective step(s) and evidence of completion
    • Preventive step(s) and effectiveness validation
    • Target completion date and owner
  • Verification required before closure — audit or test results must show risk eliminated or reduced.

Integration with AIMS & PMM

  • Incident and CAPA records form mandatory AIMS evidence (Clause 10.2).
  • Trends reviewed quarterly in Management Review for systemic improvement.
  • PMM dashboards use incident and CAPA metrics to detect recurring weaknesses.
  • Outputs trigger updates to risk assessments, policies, and training plans.

Templates & examples

Example — CAPA Record

CAPA ID: CAPA-2025-014
Related Incident: AI-INC-057
System: ChatRisk-LLM
Root Cause: Insufficient prompt filtering → toxic response generated.
Corrective Action: Added moderation API and test gate in CI/CD.
Preventive Action: Updated developer checklist + retraining module.
Owner: Oversight Officer
Target: 2025-11-15
Verification: Passed re-test (toxicity score <0.1%)
AO Sign-off: 2025-11-18

Performance metrics

  • Incident response time (detection → containment) ≤ 48h.
  • CAPA closure rate ≥ 90% within 30 days.
  • Recurring incident rate ↓ year-over-year.
  • Audit non-conformities (NCs) linked to incidents = 0.

Common pitfalls & mitigation

  • Underreporting: Encourage open reporting culture — no blame, focus on improvement.
  • Unverified CAPAs: Require test or audit evidence before closure.
  • Missing traceability: Always link incidents → CAPA → Risk Register IDs.
  • Fragmented records: Maintain central Incident Register with access control.

Implementation checklist

  • Incident Response & CAPA Policy approved and published.
  • Incident & CAPA registers implemented and version-controlled.
  • Roles trained and escalation process tested.
  • Regulatory reporting procedure validated.
  • Quarterly trend analysis and lessons learned documented.

© Zen AI Governance UK Ltd • Regulatory Knowledge • v1 09 Nov 2025 • This page is general guidance, not legal advice.
