LLMSafetyHub

When Your AI Goes Wrong: 24-Hour Crisis Response Checklist

AI incidents happen fast and spread faster. Whether it's biased outputs, data exposure, or system failures, having a crisis response plan can mean the difference between a minor incident and a business-threatening crisis.

Why AI crises are different

Traditional IT incidents affect systems. AI incidents affect decisions — often involving people, sensitive data, and regulatory compliance. The stakes are higher and the timeline is compressed.

Common AI crisis scenarios:

Hour 1: Immediate containment

Goal: Stop the bleeding and preserve evidence.

  1. Isolate the system → Disable AI features, pause automated decisions, or take the system offline if necessary.
  2. Preserve logs → Capture system logs, user interactions, and AI outputs before they rotate or get overwritten.
  3. Document the incident → Time, scope, affected users, potential data involved, initial assessment.
  4. Notify key stakeholders → Legal, compliance, insurance, and executive team (but not external parties yet).
  5. Assess immediate harm → Are customers, employees, or partners currently at risk?
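
One way to carry out step 2 so the evidence holds up later, as an added example that is not part of the original checklist: copy the logs into a fresh evidence folder, record a SHA-256 hash for each copy in a manifest, and re-check those hashes whenever the files are handed over. The function names, the manifest layout, and the incident ID are assumptions made for illustration.

```python
import hashlib, json, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve_logs(sources, evidence_dir, incident_id):
    """Copy each log into a new evidence folder and hash every copy."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=False)  # refuse to reuse a folder
    files = []
    for i, src in enumerate(map(Path, sources)):
        copy = evidence_dir / f"{i:03d}_{src.name}"   # index avoids name clashes
        shutil.copy2(src, copy)                        # copy2 keeps the original mtime
        files.append({"source": str(src), "copy": copy.name,
                      "bytes": copy.stat().st_size, "sha256": sha256_file(copy)})
        copy.chmod(0o444)                              # read-only guards against accidents
    manifest = {"incident_id": incident_id,
                "collected_at_utc": datetime.now(timezone.utc).isoformat(),
                "files": files}
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_evidence(evidence_dir):
    """Return names of copies that are missing or no longer match the manifest."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    bad = []
    for entry in manifest["files"]:
        copy = evidence_dir / entry["copy"]
        if not copy.is_file() or sha256_file(copy) != entry["sha256"]:
            bad.append(entry["copy"])
    return bad

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample log line, not taken from a real system.
        log = Path(tmp, "ai_outputs.log")
        log.write_text("2024-01-01T00:00:00Z request=1 output=<redacted>\n")
        m = preserve_logs([log], Path(tmp, "evidence"), "INC-EXAMPLE")
        print(m["files"][0]["sha256"], verify_evidence(Path(tmp, "evidence")))
```

Store a copy of manifest.json somewhere the people handling the evidence folder cannot write to, so a changed file cannot be hidden by editing the manifest as well.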

Hours 2-6: Assessment and notification

Goal: Understand scope and begin required notifications.

Legal and compliance review

  1. Determine notification requirements → GDPR (72 hours), state breach laws, industry regulations.
  2. Assess liability exposure → Contract terms, insurance coverage, potential damages.
  3. Privilege protection → Ensure investigation communications are attorney-client privileged where possible.
  4. Regulatory obligations → HIPAA, FERPA, and financial regulations may require specific reporting.

Technical investigation

  1. Root cause analysis → Was it model failure, data poisoning, prompt injection, or system error?
  2. Scope assessment → How many users, decisions, or data records were affected?
  3. Data impact → What sensitive information was potentially exposed or misused?
  4. Vendor coordination → If third-party AI services are involved, engage their incident response.

Hours 6-24: Communication and remediation

Goal: Control the narrative and begin fixing the problem.

External communications

  1. Customer notification → Clear, honest communication about impact and remediation steps.
  2. Regulatory filing → Meet legal deadlines for breach notifications or incident reports.
  3. Media response → Prepare statements if the incident becomes public. See our PR crisis guide.
  4. Vendor notifications → Inform partners who may be affected by your AI system changes.

Immediate fixes

  1. System patches → Address the technical vulnerability or configuration issue.
  2. Process changes → Update procedures to prevent recurrence.
  3. Access controls → Revoke compromised credentials, update permissions.
  4. Monitoring enhancement → Add alerts for similar incidents in the future.

Insurance and legal considerations

Contact your insurance carrier immediately — many policies require prompt notification to maintain coverage. Key policies that may apply:

Review our cyber vs. AI insurance guide and 5 questions for your insurer.

Building your crisis response plan

Don't wait for an incident to create your plan:

  1. Incident response team → Designate roles for legal, technical, communications, and executive decision-making.
  2. Communication templates → Pre-draft customer, employee, and regulatory notifications.
  3. Vendor contact list → Emergency contacts for all AI vendors and service providers.
  4. Legal contacts → Identify counsel with AI and data breach experience.
  5. Insurance coordination → Know your coverage and carrier emergency contacts.
  6. Testing and drills → Practice your response with tabletop exercises.

Questions to ask yourself

  1. Do we have an AI incident response plan that's been tested?
  2. Can we quickly isolate AI systems without breaking critical business functions?
  3. Do we know our notification requirements for different types of AI incidents?
  4. Does our insurance cover AI-related crises and business interruption? See our AI downtime guide.
  5. Have we trained our team on crisis communication and legal privilege protection?

Be ready before crisis hits

Start with our free 10-minute AI preflight check to identify your crisis vulnerabilities, then get the complete AI Risk Playbook for tested incident response frameworks and communication templates.