Illustrative composite scenario, 15 July 2026. At 08:42 on a Wednesday, a Vienna-based industrial supplier receives an ordinary alert: an AI assistant has opened an unusual number of customer files. Ten minutes later, the service team discovers that the assistant also drafted replies using details from cases it was never meant to see. The managing director asks the obvious question: “Has anything left the company?” Nobody can answer. The security log shows API calls, the AI platform shows conversations, and the workflow tool shows actions, but no record joins them into one story.
This scenario combines common operating patterns and is not a client case or claimed result. Its lesson is uncomfortable: an AI incident often begins before the alert. It begins when identity, prompts, tools, data, approvals, and evidence are deployed without one response path.
The shocking problem: your incident plan may stop where the AI system begins
A conventional cyber playbook can isolate a laptop, block an account, preserve a server image, and restore a known application. An AI workflow is harder to reconstruct. A model may be supplied by one vendor, retrieval by another, tools by a third, and approval through email or chat. The same business request may trigger several model calls, delegated credentials, generated content, and a write action.
The first question is therefore not “Did the model hallucinate?” It is: which identity caused which model and tool to act on which data, under which policy version, and who accepted the result? If the company cannot assemble that chain quickly, containment becomes guesswork and management cannot make a defensible disclosure or recovery decision.
What this playbook helps you build
This guide turns the first 24 hours into an operating system. You will get a severity trigger, a 15-minute-to-24-hour response timeline, an AI evidence pack, a responsibility matrix, recovery gates, a tabletop exercise, and a 30/60/90-day implementation roadmap. It complements the broader EU AI Cybersecurity Action Plan guide for DACH SMEs; it does not repeat that policy overview.
The result is not a promise of perfect prevention. It is a controlled ability to stop further harm, preserve facts, make accountable decisions, and restore only what the organisation can trust.
Before the clock starts: define an AI incident in business language
Do not trigger a crisis for every poor answer, and do not dismiss a serious event as “AI quality.” Define an AI incident as an event where an AI-enabled system may have crossed an approved boundary and created a material risk to confidentiality, integrity, availability, legal position, financial authority, safety, or customer trust.
| Trigger | Example | Immediate posture |
|---|---|---|
| Data boundary | Sensitive records entered an unapproved model or appeared in an unrelated case | Contain access, preserve evidence, identify affected data and recipients |
| Authority boundary | An agent sent, purchased, changed, or approved beyond its delegated scope | Revoke credentials, stop queues, verify downstream commitments |
| Integrity boundary | Prompt injection or corrupted retrieval changed an operational decision | Quarantine sources and outputs; switch to a known manual path |
| Availability boundary | AI automation loops, overloads a provider, or blocks a critical workflow | Disable retries and route work to reduced-function or manual service |
| Evidence boundary | A consequential output cannot be linked to identity, input, policy, tool calls, and approval | Treat trust as unproven; restrict the workflow until traceability returns |
The first 15 minutes: stop expansion without destroying the story
The incident commander should open one incident ID and record the time of awareness. The workflow owner pauses new jobs and bounded retries. The identity owner revokes the affected agent, service account, API key, or delegated token. The evidence lead snapshots logs, policy versions, prompts, retrieval references, tool calls, approvals, and queue state before normal retention or automated cleanup changes them.
Do not delete the agent, wipe conversations, rotate every credential, or “test” the suspected prompt in production before evidence is preserved. Broad action can erase the sequence you need and create a second outage. Contain the smallest known boundary first, then widen it as facts justify.
Minute 15 to hour 1: establish scope and a safe operating mode
Build a first event chain: actor identity, business request, model and version, system prompt or policy, retrieved data, tools requested, tools executed, output, human approval, and downstream effect. Mark every missing element explicitly. Absence of evidence is not evidence that no action occurred.
At the same time, choose a safe operating mode. A customer service agent might become draft-only. A purchasing agent may lose write access. A multilingual workflow may move to a manual queue. The goal is not to bring every AI feature back quickly; it is to keep the underlying business service operating at a known risk level.
Hour 1 to hour 4: decide impact, notification paths, and ownership
Bring operations, security, privacy or legal, communications, and the accountable executive into one decision room. Confirm what is known, what is inferred, what remains unknown, which customers or partners may be affected, and which contractual or regulatory clocks may apply.
For organisations within scope, the European Commission’s NIS2 FAQ describes an early warning within 24 hours of awareness, followed by an incident notification within 72 hours and a final report within one month. This is not a universal deadline for every SME or every AI defect. Determine applicability with the competent national authority and qualified legal counsel; do not let the 24-hour headline replace a scoped legal assessment.
Hour 4 to hour 24: produce an evidence-based management decision
By hour 24, management needs a decision pack, not a perfect forensic report. It should state the business service affected, confirmed and plausible impact, containment status, data and authority boundaries, customers or partners potentially affected, legal assessment in progress, safe-mode capacity, unresolved evidence gaps, next update time, and the named person authorised to restore each capability.
The decision may be to remain manual, restore a narrow read-only workflow, or keep the system offline. Speed matters, but unowned recovery is not resilience. The strongest statement a team can make may be: “We have contained the known path, preserved the evidence listed below, and will not restore write authority until three missing traces are reconciled.”
The AI evidence pack: nine records that reconstruct the incident
- Incident chronology: awareness, alerts, actions, decisions, handoffs, and system time sources.
- Identity chain: user, agent, service account, delegated credentials, roles, and effective permissions.
- Model record: provider, model/version, region, configuration, safety settings, and request identifiers.
- Instruction record: system prompt, workflow policy, routing policy, and their deployed versions.
- Context record: documents, retrieval results, memory, conversation history, and data classification.
- Tool trace: requested and executed calls, parameters, results, retries, and downstream transaction IDs.
- Output and approval: generated content, evaluation result, reviewer, decision, and release time.
- Change record: deployments, vendor changes, credential changes, and configuration drift before the alert.
- Impact ledger: systems, records, recipients, commitments, cost, and remediation status.
Preserve originals with access control and integrity protection. Create working copies for analysis. Agree a shared time standard and link every artefact to the incident ID. Your evidence pack should minimise unnecessary personal or confidential data while retaining what authorised responders need.
Responsibility matrix: one incident commander, four accountable decisions
| Decision | Accountable | Responsible | Required evidence |
|---|---|---|---|
| Declare and grade the incident | Incident commander | Security and workflow owner | Trigger, known impact, awareness time |
| Contain AI authority | Business service owner | Identity, platform, and workflow teams | Effective credential removal and queue state |
| Notify externally | Legal/privacy accountable owner | Legal, security, communications | Scope, jurisdiction, facts, uncertainty, deadlines |
| Restore capability | Business service owner | Operations and technology | Root-cause hypothesis, changed control, test results, rollback |
A vendor can provide logs and support, but it cannot own your customer promise or restoration decision. An external security provider can investigate, but the business still needs a named executive who accepts the residual risk.
Recovery gates: do not confuse “the alert stopped” with “the system is safe”
- Scope gate: the affected identities, data classes, tools, queues, and downstream systems are bounded.
- Evidence gate: critical traces are preserved, time-aligned, and linked to the incident.
- Control gate: the exploited or failed boundary has a specific change, not merely a reset.
- Test gate: normal, malicious, and failure-path tests pass in a non-production or isolated environment.
- Operations gate: manual fallback, monitoring, owner coverage, rollback, and customer handling are ready.
- Authority gate: a named accountable person approves the exact capability and permission being restored.
Restore in layers: observe-only, read-only, draft-only, human-approved action, then bounded automation. Each layer should have measurable stop conditions. The wider AI agent gateway and control-plane playbook explains how runtime restrictions and emergency stops can be engineered; this incident guide explains how to decide and evidence their use.
A 60-minute tabletop exercise your team can run this month
Use one real workflow, but fictional data. At minute zero, announce that an agent sent three unauthorised supplier messages after retrieving a restricted document. Give the team incomplete logs. At minute 15, reveal that the agent reused a delegated token. At minute 30, a supplier asks whether its data was exposed. At minute 45, the AI vendor reports a configuration change.
Measure time to incident commander, effective authority removal, safe business mode, first event chain, notification decision, and recovery owner. Record unanswered questions. The exercise succeeds when it exposes missing ownership and evidence; a smooth meeting with no friction usually means the scenario was too easy.
30/60/90-day roadmap: make response a system, not a document
First 30 days: map and assign
- Select the three AI workflows with the greatest data or authority consequence.
- Define incident triggers, severity, business owner, incident commander, and safe mode.
- Map identities, models, data, tools, approvals, vendors, retention, and notification contacts.
- Test whether one incident ID can retrieve the nine-part evidence pack.
Days 31-60: instrument and rehearse
- Add correlation IDs and version records across model, retrieval, tool, approval, and downstream actions.
- Implement bounded stop controls and verify that credential removal is effective, not cosmetic.
- Run the tabletop exercise with operations, security, legal/privacy, communications, and management.
- Fix the three gaps that most delay containment or a defensible decision.
Days 61-90: recover and govern
- Build staged recovery gates and test rollback plus manual continuity.
- Agree evidence retention, access, and integrity controls with privacy and legal owners.
- Review vendor support, incident notice, log access, region, and exit terms.
- Report response readiness through time-to-contain, trace completeness, safe-mode capacity, and overdue remediation.
What current official sources support, and what they do not
The European Commission’s EU Action Plan on Cybersecurity and Artificial Intelligence, published 7 July 2026, describes a coordinated approach to safe advanced AI, resilience, and AI-enabled cybersecurity. It supports the urgency of operational readiness; it does not provide this article’s 15-minute response sequence.
ENISA’s July 2026 view on cybersecurity in the frontier AI era connects faster AI-enabled threats with logging, monitoring, runtime guards, access control, and incident response. ENISA’s NIS2 Technical Implementation Guidance offers practical evidence examples for covered sectors, but is not a substitute for national requirements.
NIST SP 800-61r3 integrates incident response across Govern, Identify, Protect, Detect, Respond, and Recover. The NIST Generative AI Profile recommends owned, rehearsed incident plans for third-party GAI and attention to fallback. The evidence pack, timing, responsibility matrix, and recovery gates above are Ali’s practical synthesis for DACH operating teams, not requirements quoted from those sources.
Operational recipe: the one-page AI incident card
Declare when: [data, authority, integrity, availability, or evidence boundary]. Incident commander: [name/role]. Stop: [agent, token, tool, queue, retry]. Preserve: [nine evidence records and locations]. Safe mode: [manual/read-only/draft-only]. Assess: [impact, affected parties, legal and contractual paths]. Update: [time and audience]. Restore only when: [six gates pass]. Approve: [named accountable owner].
FAQ
What is an AI incident response plan?
It is an owned and rehearsed process for detecting, containing, investigating, communicating, and recovering from events involving AI models, prompts, data, tools, agents, approvals, vendors, and downstream business actions.
What should happen in the first 15 minutes of an AI incident?
Open one incident record, pause new work and retries, remove affected authority, preserve volatile evidence, name the incident commander, and establish a safe business mode without destroying the event chain.
Does every AI incident need to be reported within 24 hours?
No. The NIS2 24-hour early-warning requirement applies to covered entities and significant incidents under applicable law. Scope, significance, national implementation, contractual duties, and other regimes require qualified assessment.
Which evidence is essential for an AI incident?
At minimum, preserve chronology, identities and permissions, model and configuration, prompt and policy versions, retrieved context, tool calls, outputs and approvals, recent changes, and a business impact ledger.
When is an AI workflow safe to restore?
Restore it in controlled layers only after scope and evidence are sufficient, the failed boundary has changed, adversarial and failure-path tests pass, monitoring and rollback are ready, and a named business owner accepts the residual risk.
Next step: test one workflow before the real alert
Bring one consequential AI workflow, its vendors, identities, data sources, tools, approval path, and current logs to a focused working session. As an AI Systems Architect, Ali Najafzadeh will map the first-hour decision path, test evidence continuity, define safe mode and recovery gates, and turn the result into a 90-day improvement plan. Book an AI Systems Review before the first real incident asks questions your dashboards cannot answer.