SUPPLY CHAIN & INCIDENTS
What happens when your AI system behaves incorrectly or causes harm?
Current as of July 2026.
A model answer
AI incidents follow a defined path: detection, triage, severity classification, containment, root-cause analysis, remediation and disclosure. Severity is assessed against defined criteria, and reportable incidents trigger the applicable notification clocks — including the EU AI Act Article 73 serious-incident obligation and, where personal data is involved, GDPR Articles 33 and 34. Every incident is recorded, owned and closed out. The incident register is maintained and can be produced on request.
Evidence a buyer expects
The runbook, the severity criteria, and the register — including a truthful account of past incidents. Claiming zero incidents is rarely credible and is frequently disproved.
Why weak answers fail
"We would investigate and respond" is not a process. Buyers ask this question knowing most vendors have nothing written down, and the honest vendor with a one-page runbook beats the confident vendor with none.
What Hael produces
Hael's Incident Log and per-incident Incident Artefact (EU AI Act Article 73, GDPR Articles 33–34, ISO/IEC 42001 Clause 10) — with live 72-hour clocks on anything reportable.
Related questions
Current as of July 2026. General information, not legal advice.
Keep reading
More from the answer library.
OVERSIGHT & CONTROLS
Where does human oversight sit in your AI system, and who holds it?
Read answer →
SUPPLY CHAIN & INCIDENTSList your AI sub-processors and describe how you assess them.
Read answer →
CERTIFICATION & FRAMEWORKSHas your AI system been classified under the EU AI Act, and what obligations apply?
Read answer →