Incident response · AI governance

An AI incident starts aregulatory clock you can’t see.

The deadline is rarely the hard part. The hard part is that the clock starts at a trigger you didn’t recognize, or that no one was authorized to call — so days burn before the countdown registers. Drill it before it’s real.

Get the Drill — $79one-time · instant download · yours to keep

Not legal advice. This is a readiness drill that grades your notification process from your own marks. It is date-agnostic and asserts no deadline; it files nothing, confirms no regulatory obligation, and scores no people. Notification duties (GDPR, the EU AI Act, SEC, HIPAA, and US state breach laws) vary by jurisdiction and change often — confirm which apply to you and every deadline with qualified counsel.

Five deliverables · runnable
Notification-readiness engine
runnable
Workbook that reproduces it
.xlsx
Drill Facilitator Playbook
.docx
Notification-Readiness Runbook
.docx
6-scenario worked sample
sample
Works alongside
Postmortem Gate · Ransomware Drill · NIST AI RMF Kit
01.The Problem

You knew the deadline. You missed it anyway.

The clock starts at a trigger, not at “oops”

A breach clock starts at “awareness.” A material-cyber clock starts at the materiality call. If you never make the call, the clock runs silently against you.

One incident, several clocks

The same event can fire a data-breach duty, an AI safety report, and a securities disclosure at once — each with a different deadline and a different start.

No one was authorized to start it

A plan that routes the decision to a committee that meets next week is a plan that misses the clock. Someone has to be able to start it at 2am.

02.See It Work

Drill a scenario. Read whether you’d beat the clock.

This is the live scoring logic from the engine. The “AI Act serious incident” preset scores 82 and still reads WOULD MISS THE CLOCK — because no one can start the clock. Give it a clock-starter and it clears.

Drill a scenario:
Detection-to-awareness path20

Defined, rehearsed path; awareness time recorded

Severity & regime triage20

Rehearsed mapping surfaces the shortest clock at once

A named decision-maker who can start the clock18

No one empowered to declare awareness / materiality

Regulator contact map & filing channel16

Authorities, portals, channels mapped in advance

Drafting path & breach register14

Templates + initial-then-complete path + register ready

Cross-track coordination12

Rehearsed cross-functional parallel-track process

WOULD MISS THE CLOCKscore 82/100

Clock-start gate fired: no one is empowered to start the clock. The score alone would read NOTIFIABLE-READY, but a deadline you can’t start counting is a deadline you miss.

Drill first: A named decision-maker who can start the clock

Weighted to 100. The gate forces WOULD MISS THE CLOCK when you can’t establish the clock has started (⚡ detection or triage) or no one can start it (⚡ authority). Date-agnostic — it grades your process, never a specific deadline. Not legal advice.

03.The Engine

The same verdicts, from the runnable engine.

Verbatim output from the included Python engine on the six-scenario sample. The workbook reproduces these byte-for-byte.

==========================================================================
AI INCIDENT REPORTING & REGULATORY-NOTIFICATION DRILL
==========================================================================

Customer PII leak via AI chatbot
  verdict: NOTIFIABLE-READY   (score 94/100)

Model failure harms a user (AI Act serious incident)
  verdict: WOULD MISS THE CLOCK   (score 82/100)
  gate: WOULD MISS THE CLOCK — no one is empowered to start the clock
  drill first: A named decision-maker who can start the clock

Same incident after naming an on-call clock-starter
  verdict: NOTIFIABLE-READY   (score 100/100)

Material cyber incident in a public-co AI system
  verdict: TIGHTEN   (score 50/100)
  drill first: Detection-to-awareness path

Vendor/sub-processor breach reaches your data
  verdict: WOULD MISS THE CLOCK   (score 50/100)
  gate: WOULD MISS THE CLOCK — you could not establish in time that the clock has started
  drill first: Severity & regime triage

Prompt-injection exfiltrates regulated records
  verdict: WOULD MISS THE CLOCK   (score 56/100)
  gate: WOULD MISS THE CLOCK — you could not establish in time that the clock has started
  drill first: Detection-to-awareness path

--------------------------------------------------------------------------
PROGRAM: WOULD MISS NOTIFICATION   (3 of 6 would miss the clock · exposure 50.0%)
--------------------------------------------------------------------------

Grades your notification PROCESS against the clock, never a specific
deadline — so it does not break when a regime's dates shift. It grades a
process, never people, and confirms no actual regulatory obligation.
A readiness drill, not legal advice. Confirm which regimes apply, and
every deadline, with counsel.
04.The Standard

Six controls, weighted to 100. The weakest clock-start is dispositive.

20

Detection-to-awareness path

Can you reach “reasonable certainty an incident occurred” fast? The clock starts at awareness, not detection.

20

Severity & regime triage

Which regimes does this incident fire, and which clock is shortest? The strictest applicable deadline governs.

18

A named decision-maker who can start the clock

Someone empowered to declare awareness or materiality at any hour — not a committee that meets Monday.

16

Regulator contact map & filing channel

Authorities, lead supervisory authority, portals, and channels mapped before the incident, not during it.

14

Drafting path & breach register

Pre-drafted templates, the initial-incomplete-then-complete path, and a maintained register.

12

Cross-track coordination

One incident can run several notification clocks at once — legal, security, comms, privacy pre-aligned.

⚡ = a clock-start gate control. If detection-to-awareness or severity triage is absent, or no one can start the clock, the scenario is WOULD MISS THE CLOCK regardless of score. The gate worsens only — it never promotes a verdict.

05.What It Is — And Isn’t

A readiness drill, not a compliance ruling.

It is

  • A rehearsal of your incident-notification process.
  • Date-agnostic — it grades the process, never a deadline.
  • A deterministic, offline engine + workbook you control.

It isn’t

  • Legal advice, a filing service, or a certification.
  • A ruling on whether an incident is legally reportable.
  • A score of people — it grades a process.

Not legal advice. This is a readiness drill that grades your notification process from your own marks. It is date-agnostic and asserts no deadline; it files nothing, confirms no regulatory obligation, and scores no people. Notification duties (GDPR, the EU AI Act, SEC, HIPAA, and US state breach laws) vary by jurisdiction and change often — confirm which apply to you and every deadline with qualified counsel.

06.Who It’s For

Whoever owns the first hour of an AI incident.

  • Security, privacy, and compliance leads who own incident response.
  • Legal and DPO functions tracking GDPR, AI Act, SEC, HIPAA, and state clocks.
  • Teams deploying high-risk or customer-facing AI that could cause a reportable incident.
  • Not a filing tool — it rehearses readiness, it doesn’t notify anyone.
  • Not a ruling on what’s reportable — confirm that with counsel.
  • Not a postmortem tool — that’s the close-out gate it pairs with.
08.Common Questions

Answers before you buy.

It grades whether your process could meet a regulatory notification clock when an AI incident hits — scenario by scenario. For each drilled incident you mark six controls 0/1/2: your detection-to-awareness path, severity and regime triage, whether a named person can start the clock, your regulator contact map and filing channel, your drafting path and breach register, and cross-track coordination. The six are weighted to a 0–100 score banded NOTIFIABLE-READY, TIGHTEN, or WOULD MISS THE CLOCK, and the program rolls up to DRILL-READY, GAPS, or WOULD MISS NOTIFICATION. It grades the process, never people, and never asserts a deadline as the verdict.

Don’t discover the clock
after it’s run out.

One purchase, lifetime access, 12 months of updates. $79, once.

Not legal advice. This is a readiness drill that grades your notification process from your own marks. It is date-agnostic and asserts no deadline; it files nothing, confirms no regulatory obligation, and scores no people. Notification duties (GDPR, the EU AI Act, SEC, HIPAA, and US state breach laws) vary by jurisdiction and change often — confirm which apply to you and every deadline with qualified counsel.

Sold by RedHub AI LLC · Secured by Stripe · redhub.ai