What makes AI incidents distinctive
Systematic bias produces unfair outcomes for a demographic group across thousands of decisions before anyone identifies the pattern. Hallucination produces confident but wrong information acted on before its inaccuracy is apparent. Model drift produces gradually degrading performance only visible through aggregate analysis. The scope of an AI incident is often not immediately apparent — harm may have been occurring for months before detection.
Regulatory notification obligations
EU AI Act Article 73: providers and deployers of high-risk AI must notify national market surveillance authorities of serious incidents within 15 days (general), within 10 days (death), or within 2 days (widespread infringement or critical infrastructure disruption). APRA CPS 230: material operational risk incidents require notification within 72 hours; critical operation disruptions outside tolerance require notification within 24 hours. GDPR Articles 33-34: where an AI incident involves a personal data breach, DPA notification is required within 72 hours, and individual notification is required where high risk exists.
First 24 hours and retrospective remediation
Containment comes first: specific individuals should be pre-authorised to take production systems offline without extended approval chains. Preserve evidence at the same time: model versions, configurations, and relevant logs. Plan for retrospective remediation before incidents occur: maintain records of AI-informed decisions, preserve model versions, and keep logs that enable identification of affected individuals. For high-risk AI, the EU AI Act requires documented investigation, root cause analysis, and an updated conformity assessment after incidents.