AI incident response plan
When enforcement starts, the first thing an authority asks for is your training record. The second is this: when an AI system fails, what do you actually do? A plan that cannot answer in hours is not a plan.
This one defines an AI incident across five categories, then sets a severity ladder with real clocks: contain a SEV-1 within two hours, a SEV-2 within one business day. What makes it usable is that containment is pre-decided. Every high-risk system has a named fallback: TalentScreen drops to manual screening of the full applicant pool, PriceWise falls back to its GLM baseline with widened manual review, the chatbot goes to human-only chat. Authority to pull the switch sits with the system owner or the incident lead, with no further approval, and the plan says in writing that nobody is criticised for a defensible suspension. That sentence is what lets people act in the moment.
The notification logic is where AI governance meets the rest of compliance. As a deployer of a vendor system, Vesta informs the provider without undue delay; as the provider of PriceWise, it reports serious incidents to the market surveillance authority on the Article 73 deadlines; and the GDPR 72-hour breach clock runs in parallel under the DPO. The rule when clocks differ is simple: the shortest governs, and this plan never extends another's deadline. It closes with an annual tabletop exercise to test the fallbacks and the notification tree before a real incident does, which is the same discipline behind the rest of this practice.
Legal references: EU AI Act Article 26(5) (deployer duties) · Article 73 (serious-incident reporting) · GDPR Article 33 (breach notification).
What's inside
- What counts as an AI incident, across five categories
- The severity ladder (SEV-1/2/3) with definitions, examples, and response clocks
- Roles, and the protected right of any employee to report
- Response phases: detect, triage, contain, assess, notify, recover, learn
- Pre-approved fallbacks for each high-risk system
- Notification duties under Articles 26 and 73, run alongside the GDPR clock
- The incident register, templates, and the annual tabletop exercise
Need this documented for your own company before August 2?
That's what the literacy and governance workshop produces: your own governance documents and the training record behind them.