Incident Playbooks (Safety, Security, Privacy) — Risk Management

Zen AI Governance — Knowledge Base • EU/UK alignment • Updated 05 Nov 2025 • www.zenaigovernance.com

Key takeaways
  • Respond the same way every time: triage → contain → investigate → notify → fix → verify → learn.

Scope & severity

  • Severity matrix by impact: user harm, legal breach, data exposure, operational outage, reputational risk.
  • AI-specific triggers: bias spikes, unsafe content, model exfiltration, compromised tools, unapproved model swap.

Triage & command

  • Incident Commander; Safety Lead; Security; Legal/Privacy; Comms; Product; Regulator Liaison.
  • Declare incident; open ticket; start timeline clock; assign severity; page on-call roles.

Containment & kill-switch

  • Rate limit, disable tools, switch to read-only, roll back model or index, or trigger full kill-switch.

Investigation & evidence

  • Bundle: prompts/outputs, inputs, model/index versions, configs, logs, screenshots, affected-user list, timeline.
  • Root cause analysis with 5-Whys or fishbone; list contributing factors and control gaps.

Notifications (EU/UK)

  • Serious incident definitions; initial notice clock; regulator contacts; user notifications where required.

CAPA & effectiveness

  • Immediate fixes; preventive actions; owners and due dates; follow-up checks and sign-off.

Comms & stakeholders

  • Internal status updates; external statements; regulator Q&A pack; press holding lines; unified messaging.

Runbooks per scenario

  • Safety: harmful output, bias surge, misinformation; Security: model/key compromise, tool abuse; Privacy: data leak.

Drills & readiness

  • Quarterly tabletop; live paging tests; kill-switch drills; measure MTTD/MTTR (mean time to detect / mean time to recover) and notification timing.

Handoffs & records

  • Immutable incident bundle; lessons captured; CAPA links; regulator follow-ups tracked.
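The evidence bundle under Investigation & evidence and the immutable incident bundle above are the same artefact: a sealed record whose contents can be re-checked later. The following added example (not code from Zen AI Governance) builds one in Python: it hashes each artefact category the page lists, attaches the timeline, seals the record under a single digest, and on re-verification reports exactly which artefact was altered or is missing; the category keys, field names and sample data are assumptions.

```python
import hashlib
import json

# Required artefact categories (assumed keys, from the page's "Bundle:" list).
REQUIRED = ("prompts_outputs", "inputs", "model_index_versions", "configs", "logs")

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _canonical(record: dict) -> bytes:
    # Canonical JSON so every verifier computes the same digest.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def build_bundle(incident_id, artefacts, timeline, sealed_at):
    """Hash each artefact, attach the timeline, seal all of it under one digest."""
    missing = [k for k in REQUIRED if k not in artefacts]
    if missing:  # never seal an incomplete bundle
        raise ValueError(f"incomplete evidence bundle, missing: {missing}")
    manifest = {name: _sha256(blob) for name, blob in sorted(artefacts.items())}
    bundle = {"incident_id": incident_id, "manifest": manifest,
              "timeline": timeline, "sealed_at": sealed_at}
    bundle["bundle_sha256"] = _sha256(_canonical(bundle))
    return bundle

def verify_bundle(bundle, artefacts):
    """List what no longer matches the seal: 'bundle' if the record itself
    (timeline, manifest, ids) was edited, then each altered or missing artefact."""
    problems = []
    record = {k: v for k, v in bundle.items() if k != "bundle_sha256"}
    if _sha256(_canonical(record)) != bundle["bundle_sha256"]:
        problems.append("bundle")
    for name, digest in bundle["manifest"].items():
        blob = artefacts.get(name)
        if blob is None or _sha256(blob) != digest:
            problems.append(name)
    return problems

# Constructed sample incident (placeholder values, not real data).
SAMPLE_ARTEFACTS = {
    "prompts_outputs": b'{"prompt":"[redacted]","output":"[flagged unsafe text]"}',
    "inputs": b"uploaded_doc_id=doc-123\n",
    "model_index_versions": b"model=assistant-v7 index=kb-2025-11-04\n",
    "configs": b"guardrail_profile=strict-v3\n",
    "logs": b"2025-11-05T09:12:00Z WARN safety_filter score=0.97 action=flag\n",
}
SAMPLE_TIMELINE = [
    {"t": "2025-11-05T09:12:00Z", "event": "detected: safety filter alert"},
    {"t": "2025-11-05T09:31:00Z", "event": "contained: tool calls disabled"},
]
```

Store the sealed record and the artefacts separately (for instance the record in the ticket, the artefacts in write-once storage) so that editing one without the other is always detectable.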

Lessons learned

  • Update policies, guardrails, training, post-market monitoring (PMM) thresholds; share anonymised examples in the internal knowledge base.

Playbook checklist

  • Roles trained; paging works; evidence template ready; regulator list current; drills performed; metrics improving.

© Zen AI Governance UK Ltd • Regulatory Knowledge • v1 05 Nov 2025 • This page is general guidance, not legal advice.

Related Articles

  • Risk Management System (EU/UK aligned)
  • RAG Safety & Provenance Controls — Risk Management
  • Security Architecture for AI Systems — Risk Management
  • Logging & Traceability — Risk Management
  • Post-Market Monitoring & Serious Incident Management — Continuous Compliance and Reporting