Definition & triggers

• Serious harm/potential harm to health, safety, or fundamental rights; unlawful processing; systemic failure.
• Trigger list with examples (e.g., bias surge, unsafe recommendations, privacy breach, security compromise).

Triage & ownership

• Incident commander; safety, security, legal, comms, and product owners; timeline clock starts at detection.

Initial notification

• Send initial notification within required window; include scope, impact to date, mitigations underway, contacts.

Investigation & bundle

• Evidence bundle: prompts/inputs/outputs, model/data versions, decisions/overrides, logs, screenshots, timelines.

Corrective actions

• Immediate protective measures; rollbacks; kill-switch where warranted; roadmap for structural fixes.

Follow-up reports

• Root cause, impact analysis, CAPA, effectiveness plan, and communication to affected parties.

Roles & comms

• Single point of contact to regulator; internal comms cadence; user notices where required.

Templates & forms

• Pre-approved notification templates; redaction guidance; evidence checklist; demo path for investigators.

Privacy & legal

• Data protection & confidentiality maintained; legal hold; discovery-ready exports; counsel oversight.

Table-top tests

• Quarterly drills; measure time-to-notify; bundle completeness; effectiveness of mitigations and runbooks.

Lessons & RMS updates

• Feed findings to RMS/PMM; update thresholds, controls, training and documentation.

Reporting checklist

• Definition agreed; owners trained; forms prepared; evidence bundle pattern tested; regulator contacts current.

© Zen AI Governance UK Ltd • Regulatory Knowledge • v1 05 Nov 2025 • This page is general guidance, not legal advice.