---
name: ai-incident-response-playbook
description: Respond to an AI-specific incident (hallucinated output causing harm, prompt injection, data leak via AI tool, model-behaviour change) with a structured investigation, containment, comms, and regulator-clock plan.
version: 1.0.0
author: VantagePoint Networks
author_url: https://www.vpnetworks.co.uk
audience: IT Managers, DPOs, Incident Commanders, Compliance Leads, anyone operating Copilot/ChatGPT/Claude at work
output_format: Formatted Markdown playbook with incident classification, containment steps, investigation script, evidence preservation, comms templates, regulator clocks, and post-incident review.
license: MIT
last-reviewed: 2026-04
---

# AI Incident Response Playbook

A Claude Code skill for the IT manager or DPO who's just been told "the AI sent the wrong thing to a client" — needing a structured response now, not a learning-and-development session.

## How to use this skill

1. Download this `SKILL.md` file.
2. Place it in `~/.claude/commands/` (macOS/Linux) or `%USERPROFILE%\.claude\commands\` (Windows).
3. In Claude Code, run `/ai-incident-response-playbook`. Describe what happened in plain English. Answer the clarifying questions. Receive a structured response pack.

## When to use this

- An AI tool produced output that was used externally and turned out to be wrong or harmful.
- Staff pasted sensitive data into a non-approved AI tool and realised afterwards.
- A user received an unexpected or inappropriate output from an AI tool — a possible prompt-injection attempt.
- A vendor has notified you of a security, privacy, or model-behaviour incident affecting your data.
- Your model-behaviour monitoring flagged a material drift.
- You want a pre-authored playbook ready for the first AI incident before it happens.

## What you'll get

A single Markdown document containing:

- An **incident-type classification** (5 primary classes, each with its own sub-playbook)
- **Immediate containment steps** (first 30 minutes)
- **Evidence-preservation checklist** (prompts, outputs, logs, screenshots)
- **Investigation script** tailored to the incident class
- **Harm assessment** (to data subjects, clients, firm, third parties)
- **Regulator clocks** (ICO, sector, contractual)
- **Communications templates** (internal, affected parties, regulator, vendor)
- **Remediation checklist**
- **Post-incident review template** with structured questions
- **Update-policy-and-training actions**

## Clarifying questions I will ask you

1. **What happened in one sentence?**
2. **Which AI tool was involved?** (Copilot, ChatGPT, Claude, in-house, other)
3. **Was the tool approved or shadow?**
4. **Who was the user?** (named, role — not for blame, for context)
5. **What was the output used for?** (draft kept internal, sent to client, published, acted on)
6. **Was any personal data involved?** (whose, what categories)
7. **Was any privileged / confidential data involved?** (client material, M&A, legal privilege)
8. **Has anyone outside the firm seen the output already?** (client received email, document shared, etc.)
9. **When did it happen?** (awareness time — triggers regulator clocks)
10. **Was any remediation attempted?** (recalled email, deleted document, notified recipient)
11. **Any pattern — first time or previously seen?**
12. **Your sector?** (for regulator routing)

## Output template

```markdown
# AI Incident Response Pack — <incident ref>

**Reported:** <time> · **Awareness time (for regulator clocks):** <time>
**Incident Commander:** <role> · **DPO engaged:** <Yes/No, time>

## 1. Classification
Tick the class(es) that apply:
- [ ] **A. Harmful or incorrect AI output used externally** (wrong answer, fabricated citation, mis-stated advice, hallucination)
- [ ] **B. Data leak via AI tool** (sensitive data entered an unapproved tool, or an approved tool in an unauthorised way)
- [ ] **C. Prompt injection / adversarial input** (user or third party got the AI to produce something it shouldn't)
- [ ] **D. Model behaviour change** (vendor updated model, outputs changed materially, monitoring flagged drift)
- [ ] **E. Vendor-reported incident** (vendor notified us of a security / privacy / training-data issue)

## 2. First 30 Minutes — Containment
Regardless of class:
- [ ] Stop the user / workflow from continuing the action
- [ ] Identify who has seen the output and where it now lives
- [ ] Preserve the full prompt, full output, tool session id, timestamps, user id (screenshots + raw text)
- [ ] Do NOT delete the evidence (even if tempting — send a message, don't wipe the chat)
- [ ] If external recipients exist, identify whether recall / retraction is possible
- [ ] Engage DPO if personal / privileged data potentially exposed
- [ ] Start the Awareness timestamp for regulator clocks (see §7)

## 3. Evidence Preservation (critical)
Collect and store in a restricted folder:
- Full prompt text (exact characters)
- Full output text (exact characters)
- Timestamps: prompt sent, output received, output used (if different)
- Tool and version (e.g. "Copilot in Outlook, M365 Enterprise tier, accessed via Outlook desktop 16.x")
- User id and session / thread id if exposed by tool
- Surrounding context: was this a multi-turn conversation? If yes, preserve the whole conversation.
- Screenshots of tool UI showing output (including any "Copilot helped write this" badges)
- Any downstream artifacts — emails sent, documents saved, messages posted
- Monitoring / audit log exports for the relevant period

## 4. Investigation Script (per-class)

### Class A — Harmful or incorrect AI output
1. Was the output reviewed by a human before use? If not, why not?
2. Was the AI cited as the author, or was the output passed off as human-written?
3. Has the error caused measurable harm (financial, reputational, advisory)?
4. Is the output reproducible with the same prompt?
5. Was the prompt library-grade or ad-hoc?
6. Were the input documents labelled correctly?
7. Who reviewed and approved the final work product?

### Class B — Data leak via AI tool
1. Which tool, which data class, how much?
2. Was the tool approved for that data class?
3. Does the tool vendor's contract let us purge / disallow training on this data?
4. Were any third parties (vendor sub-processors) likely to have retained it?
5. Is a UK GDPR personal-data breach in play?
6. Has the user deleted the evidence? (If so, that is a problem: ask them to confirm exactly what they did.)

### Class C — Prompt injection
1. Was the injection input external (document the user processed) or internal (user deliberately tested)?
2. What protective controls should have caught it? (system prompt, output filter, DLP)
3. Did the injection succeed in exfiltrating or altering anything material?
4. Is the attack vector reproducible?
5. Who else could be affected before containment?

### Class D — Model behaviour change
1. When did the behaviour change?
2. Do the vendor's release notes explain it?
3. Which workflows are affected?
4. Is the change material (different answer to same question, different tone, new failure mode)?
5. Does any user documentation / prompt library need updating?

### Class E — Vendor-reported incident
1. What did the vendor notify us of? (scope, timeline, affected customers)
2. What evidence has the vendor provided?
3. Does it trigger our own downstream notifications (clients, regulator)?
4. Do we need to pause use of the tool pending vendor remediation?
5. What's our contract right to audit / further information?

## 5. Harm Assessment
| Affected party | Nature of harm | Severity | Evidence |
|---|---|---|---|
| Data subject(s) | | | |
| Specific client(s) | | | |
| Firm | | | |
| Third party | | | |
| Market / regulator | | | |

## 6. UK GDPR Personal-Data-Breach Trigger (if class B or E likely)
- Personal data involved? <Yes / No>
- Breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access? <Yes / No>
- Likely to result in a risk to individuals' rights & freedoms? <Yes / No>
- → **Notify ICO within 72 hours of awareness** if yes.
- Likely to result in high risk to individuals' rights & freedoms? <Yes / No>
- → **Notify affected data subjects without undue delay** if yes.

## 7. Regulator-Notification Clocks
| Regime | Trigger | Deadline from awareness | Owner |
|---|---|---|---|
| UK GDPR Art. 33 (ICO) | Personal-data breach | 72 hours | DPO |
| UK GDPR Art. 34 | High-risk breach | Without undue delay | DPO |
| FCA / PRA op-resilience | Material service impact | Promptly | Compliance |
| NIS2 (if designated) | Significant incident | 24h early warning / 72h notification | Security Lead |
| SRA | Material incident affecting client files | Prompt | COLP |
| Client contract | Per contract | Per contract (often 24h) | Account Owner |
| Cyber insurer | Per policy | Per policy (often 24-72h) | Risk |

## 8. Communications Templates

### Internal — first hour
> "We're working through an AI-related incident involving <one-line description>. <Incident Commander> is running the response. If you've been asked for information, please respond quickly and preserve any related material. Updates will follow in <channel>."

### To affected client — Class A correction
> "Dear <client>, I'm writing to correct information we shared with you on <date>. <Specifics of correction.> The root cause was an error in how we prepared the <document>, which we've already addressed. We apologise for the inconvenience and are reviewing the specific matter to ensure no further impact. [Direct contact for questions.]"
>
> (Never attribute externally to "the AI" — you used the output. Accountability stays with the firm.)

### To affected data subject — Class B / E, high-risk
> DRAFT — requires DPO sign-off.
> "We're writing to let you know about an incident affecting your personal data at <firm>. On <date>, <brief nature>. The data involved was <categories>. The likely consequences are <>. We've taken the following steps: <>. You should consider <>. For further information, contact: <>."

### To regulator (ICO, Art. 33)
> Drafted by DPO, reviewed by <role>, submitted via the ICO's breach notification form. Key facts: nature, categories of data and subjects, approximate numbers, likely consequences, measures taken, DPO contact.

### To vendor (Class B — if vendor may have received data they shouldn't)
> "We'd like to formally notify you that on <date> data was inadvertently sent to <service>. Please confirm in writing: (1) whether this data was retained, (2) whether it was used in any training pipeline, (3) the actions you are taking to delete it, (4) timelines for each. This notice is being sent for the record and to initiate the purge process per our contract."

## 9. Remediation Checklist
- [ ] Root cause identified (technical, process, or human)
- [ ] Output recalled / retracted where feasible
- [ ] Policy update drafted (AI Use Policy, specific workflow)
- [ ] Prompt library update (remove / revise problematic prompt)
- [ ] Training update (specific module or all-hands reminder)
- [ ] Technical control added (DLP rule, output-filter, allow-list change, label policy)
- [ ] Monitoring / detection improved
- [ ] Affected parties notified
- [ ] Regulator notified (if required)
- [ ] Vendor engaged (if applicable)
- [ ] Insurer notified (if applicable)
- [ ] Incident closed with signed PIR

## 10. Post-Incident Review
Held within <N> working days. Structured around:
1. Timeline (minute-by-minute for the first hour, hour-by-hour after)
2. What went well (containment speed, evidence preservation, communications)
3. What went wrong (detection, decision-making, comms)
4. Where we got lucky
5. Root cause (5-whys)
6. Systemic contributors (policy gap, training gap, tool gap)
7. Remediation register with owners and dates
8. Policy and training changes agreed

## 11. Classify for the AI Incident Register
| Field | Value |
|---|---|
| Date of incident | |
| Class | A / B / C / D / E |
| Tool | |
| Data class | |
| Detected by | user / monitor / vendor / client |
| Impact category | none / minor / moderate / major |
| Regulator notified | Yes / No / Not required |
| Post-incident review complete | |
| Remediation closed | |
```

## Example invocation

**User:** "An associate used Copilot in Word to draft a client advice letter. Copilot cited a regulation that doesn't exist. The letter was sent to the client yesterday. Client noticed this morning and queried us politely. No regulator angle yet."

**What the skill will do:**
1. Ask the 12 questions, drilling on: was human review skipped or cursory, is this a financial-advice regulated output, has the client relied on the wrong citation yet.
2. Classify as **Class A — harmful/incorrect AI output used externally**. Score moderate severity (client noticed quickly, professional relationship intact).
3. Produce:
   - Immediate containment: hold any follow-up advice until verified; preserve the Copilot chat session; take screenshots
   - Client correction letter (draft, tone: professional + owning the error)
   - Investigation script focused on why human review didn't catch the fabricated citation
   - Remediation: add a "verify any regulation/case citation" step to the drafting workflow; update prompt library; training reminder on AI-assisted drafting
   - No Art. 33 notification triggered (no personal-data breach); however, if SRA-regulated, flag for prompt/material-incident consideration under SRA standards
4. Produce the register entry, ready to add to the firm's AI incident log.

## Notes for the requester

- **Never attribute externally to "the AI".** The firm used the output. Accountability is yours.
- **Preserve evidence before you notify anyone.** Once you tell the user "you messed up," they may reflexively delete the chat.
- **The UK GDPR 72-hour clock starts at AWARENESS, not at confirmation.** If you have reasonable grounds to suspect a personal-data breach, the clock is running while you investigate.
- **Most AI incidents are process incidents.** The technology did what it was asked; the review step was missing. Remediation should focus on process, not on "banning the tool."
- **Pattern-match.** Keep an AI incident register. Three Class-A incidents in a quarter means a training problem, not three user problems.
- **Good looks like:** a pack like this one closed out in 2 weeks, with remediation visibly changing behaviour at week 4, and the PIR lessons integrated into the AI Use Policy at the next review.
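
One way to make the evidence-preservation and awareness-clock points above checkable is sketched below. It is an added example, not part of the skill or of any VantagePoint tooling. It hashes the prompt and output exactly as captured, derives the fixed-hour deadlines from the awareness time, and seals the record so later edits are detectable. The function names, field names, incident reference and sample texts are all assumptions constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Fixed-hour clocks from the section 7 table. "Promptly" and per-contract
# regimes have no fixed number of hours, so they are not computed here.
CLOCK_HOURS = {"UK GDPR Art. 33 (ICO)": 72, "NIS2 early warning": 24,
               "NIS2 notification": 72}

def sha256_exact(text: str) -> str:
    """Hash the exact characters: UTF-8 bytes, no strip, no normalisation."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def seal(record: dict) -> str:
    """Digest over canonical JSON of every field except the seal itself."""
    body = {k: v for k, v in record.items() if k != "record_sha256"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def build_record(incident_ref, prompt, output, awareness, collected_by):
    if awareness.tzinfo is None:
        raise ValueError("awareness time must carry a timezone")
    aware_utc = awareness.astimezone(timezone.utc)
    record = {
        "incident_ref": incident_ref,
        "collected_by": collected_by,
        "awareness_utc": aware_utc.isoformat(),
        "prompt_sha256": sha256_exact(prompt),
        "output_sha256": sha256_exact(output),
        "deadlines_utc": {name: (aware_utc + timedelta(hours=h)).isoformat()
                          for name, h in CLOCK_HOURS.items()},
    }
    record["record_sha256"] = seal(record)
    return record

def verify(record, prompt, output) -> bool:
    """True only if the record is unaltered and the texts match byte for byte."""
    return (seal(record) == record["record_sha256"]
            and sha256_exact(prompt) == record["prompt_sha256"]
            and sha256_exact(output) == record["output_sha256"])

# Constructed sample data, not taken from a real incident.
BST = timezone(timedelta(hours=1))
SAMPLE_PROMPT = "Draft an advice letter on the client's reporting duties.\n"
SAMPLE_OUTPUT = "Under Regulation X the client must ...\n"
SAMPLE = build_record("INC-EXAMPLE-001", SAMPLE_PROMPT, SAMPLE_OUTPUT,
                      datetime(2026, 4, 14, 9, 30, tzinfo=BST), "IT Manager")

if __name__ == "__main__":
    print(json.dumps(SAMPLE, indent=2))
```

Store the `record_sha256` value somewhere separate from the evidence folder (for example in the incident ticket) so that the record and its seal cannot both be altered in one place.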

---
*VantagePoint Networks · <https://www.vpnetworks.co.uk> · Authored by Hak · Free under the MIT licence*
