# AI Incident Response Runbook > What to do in the first 10, 60, and 360 minutes when an AI system misbehaves, leaks, or is under attack. > Free · CC-BY 4.0 · [dfieldsolutions.com](https://dfieldsolutions.com) --- ## Seven incident classes | Code | Class | Example signal | |------|-------|----------------| | I1 | **Prompt injection** | Output contains system-prompt text verbatim | | I2 | **Data leakage** | Response contains PII not in this user's context | | I3 | **Hallucination emergency** | Fact claim refuted by ground-truth in < 1h | | I4 | **Rate-limit / cost abuse** | Single user > 10× baseline token burn | | I5 | **Model swap regression** | Eval score drops > 5 points in new version | | I6 | **Jailbreak** | Model emits disallowed content under known bypass | | I7 | **Oracle / source manipulation** | Retrieved doc contains attacker-planted content | --- ## T+10 minutes · contain 1. **Identify** the class (I1-I7). Label in incident tracker. 2. **Freeze** new traffic to the affected feature: - Feature flag off, OR - Kill-switch at the gateway, OR - Circuit-break the tool call pattern. 3. **Snapshot** logs: last 15 minutes of prompts + responses + tool calls, before rotation deletes them. 4. **Ping** on-call + security lead in one channel. No side-channel conversations. ## T+60 minutes · diagnose 5. **Scope impact**: which users, which tenants, since when? 6. **Reproduce** locally or in staging. Write a failing test. 7. **Triage severity**: - **Critical** — PII leak, unauthorized financial action, disallowed-content emission - **High** — broken contract with user but no data loss - **Medium** — degraded quality, no data integrity issue 8. **Notify** stakeholders: critical → CEO + DPO + Legal; high → product owner; medium → slack channel. ## T+360 minutes · remediate + restore 9. **Apply fix** · prefer a targeted guardrail (new output validator, input filter, tool scope tighten) over a full retrain. 10. **Re-run full eval suite** including a new test case for the incident. 11. **Staged rollout**: 1% of traffic → 10% → 100%. Monitor the incident's signal at each step. 12. **Customer communication**: - Critical + PII → GDPR Art. 33 breach notification within 72h to NAIH. - Critical no-PII → proactive email to affected tenants within 24h. - High / Medium → status page + next newsletter. --- ## GDPR breach notification template (NAIH, Hungary) ``` Tárgy: Adatvédelmi incidens bejelentése · [céged neve] · [dátum] Adatkezelő: [céged neve], [cím], [adószám] DPO: [név], [email] Incidens ideje: [ISO timestamp UTC] Észlelés ideje: [ISO timestamp UTC] Incidens leírása: [1-2 bekezdés, technikai részletek + hogyan történt] Érintett személyes adatok kategóriái: - [pl. e-mail, név, számla-azonosító] Érintett személyek köre és száma: - [becsült szám + kategória] Azonnali intézkedések: - [1-3 pont · mit állítottál meg] Tervezett intézkedések: - [1-3 pont · mi következik] Ügyfelek értesítése: - [módja + időzítése] ``` --- ## Escalation matrix | Class | Severity | Who pages | Who decides | Who communicates | |-------|----------|-----------|-------------|------------------| | I1-I7 | Critical | On-call + Security | CTO | DPO + Legal | | I1-I3 | High | On-call | Product | Product | | I4-I7 | High | On-call | Engineering | Engineering | | Any | Medium | Slack channel | Engineering | Status page | --- ## Blameless post-mortem template 1. **Timeline** · raw events with timestamps 2. **Impact** · who was affected, how, for how long 3. **Root cause** · technical + process 4. **What went well** · what made detection or response faster 5. **What went poorly** · what slowed us down 6. **Action items** · owner + deadline + Jira link per item 7. **Prevention** · eval case added? Guardrail added? Runbook update? Training delivered? --- Cite as: DField Solutions, "AI Incident Response Runbook" (April 2026) · CC-BY 4.0.