An AI incident starts aregulatory clock you can’t see.
The deadline is rarely the hard part. The hard part is that the clock starts at a trigger you didn’t recognize, or that no one was authorized to call — so days burn before the countdown registers. Drill it before it’s real.
Not legal advice. This is a readiness drill that grades your notification process from your own marks. It is date-agnostic and asserts no deadline; it files nothing, confirms no regulatory obligation, and scores no people. Notification duties (GDPR, the EU AI Act, SEC, HIPAA, and US state breach laws) vary by jurisdiction and change often — confirm which apply to you and every deadline with qualified counsel.
You knew the deadline. You missed it anyway.
The clock starts at a trigger, not at “oops”
A breach clock starts at “awareness.” A material-cyber clock starts at the materiality call. If you never make the call, the clock runs silently against you.
One incident, several clocks
The same event can fire a data-breach duty, an AI safety report, and a securities disclosure at once — each with a different deadline and a different start.
No one was authorized to start it
A plan that routes the decision to a committee that meets next week is a plan that misses the clock. Someone has to be able to start it at 2am.
Drill a scenario. Read whether you’d beat the clock.
This is the live scoring logic from the engine. The “AI Act serious incident” preset scores 82 and still reads WOULD MISS THE CLOCK — because no one can start the clock. Give it a clock-starter and it clears.
Defined, rehearsed path; awareness time recorded
Rehearsed mapping surfaces the shortest clock at once
No one empowered to declare awareness / materiality
Authorities, portals, channels mapped in advance
Templates + initial-then-complete path + register ready
Rehearsed cross-functional parallel-track process
Clock-start gate fired: no one is empowered to start the clock. The score alone would read NOTIFIABLE-READY, but a deadline you can’t start counting is a deadline you miss.
Drill first: A named decision-maker who can start the clock
Weighted to 100. The gate forces WOULD MISS THE CLOCK when you can’t establish the clock has started (⚡ detection or triage) or no one can start it (⚡ authority). Date-agnostic — it grades your process, never a specific deadline. Not legal advice.
The same verdicts, from the runnable engine.
Verbatim output from the included Python engine on the six-scenario sample. The workbook reproduces these byte-for-byte.
========================================================================== AI INCIDENT REPORTING & REGULATORY-NOTIFICATION DRILL ========================================================================== Customer PII leak via AI chatbot verdict: NOTIFIABLE-READY (score 94/100) Model failure harms a user (AI Act serious incident) verdict: WOULD MISS THE CLOCK (score 82/100) gate: WOULD MISS THE CLOCK — no one is empowered to start the clock drill first: A named decision-maker who can start the clock Same incident after naming an on-call clock-starter verdict: NOTIFIABLE-READY (score 100/100) Material cyber incident in a public-co AI system verdict: TIGHTEN (score 50/100) drill first: Detection-to-awareness path Vendor/sub-processor breach reaches your data verdict: WOULD MISS THE CLOCK (score 50/100) gate: WOULD MISS THE CLOCK — you could not establish in time that the clock has started drill first: Severity & regime triage Prompt-injection exfiltrates regulated records verdict: WOULD MISS THE CLOCK (score 56/100) gate: WOULD MISS THE CLOCK — you could not establish in time that the clock has started drill first: Detection-to-awareness path -------------------------------------------------------------------------- PROGRAM: WOULD MISS NOTIFICATION (3 of 6 would miss the clock · exposure 50.0%) -------------------------------------------------------------------------- Grades your notification PROCESS against the clock, never a specific deadline — so it does not break when a regime's dates shift. It grades a process, never people, and confirms no actual regulatory obligation. A readiness drill, not legal advice. Confirm which regimes apply, and every deadline, with counsel.
Six controls, weighted to 100. The weakest clock-start is dispositive.
⚡ Detection-to-awareness path
Can you reach “reasonable certainty an incident occurred” fast? The clock starts at awareness, not detection.
⚡ Severity & regime triage
Which regimes does this incident fire, and which clock is shortest? The strictest applicable deadline governs.
⚡ A named decision-maker who can start the clock
Someone empowered to declare awareness or materiality at any hour — not a committee that meets Monday.
Regulator contact map & filing channel
Authorities, lead supervisory authority, portals, and channels mapped before the incident, not during it.
Drafting path & breach register
Pre-drafted templates, the initial-incomplete-then-complete path, and a maintained register.
Cross-track coordination
One incident can run several notification clocks at once — legal, security, comms, privacy pre-aligned.
⚡ = a clock-start gate control. If detection-to-awareness or severity triage is absent, or no one can start the clock, the scenario is WOULD MISS THE CLOCK regardless of score. The gate worsens only — it never promotes a verdict.
A readiness drill, not a compliance ruling.
It is
- A rehearsal of your incident-notification process.
- Date-agnostic — it grades the process, never a deadline.
- A deterministic, offline engine + workbook you control.
It isn’t
- Legal advice, a filing service, or a certification.
- A ruling on whether an incident is legally reportable.
- A score of people — it grades a process.
Not legal advice. This is a readiness drill that grades your notification process from your own marks. It is date-agnostic and asserts no deadline; it files nothing, confirms no regulatory obligation, and scores no people. Notification duties (GDPR, the EU AI Act, SEC, HIPAA, and US state breach laws) vary by jurisdiction and change often — confirm which apply to you and every deadline with qualified counsel.
Whoever owns the first hour of an AI incident.
- Security, privacy, and compliance leads who own incident response.
- Legal and DPO functions tracking GDPR, AI Act, SEC, HIPAA, and state clocks.
- Teams deploying high-risk or customer-facing AI that could cause a reportable incident.
- Not a filing tool — it rehearses readiness, it doesn’t notify anyone.
- Not a ruling on what’s reportable — confirm that with counsel.
- Not a postmortem tool — that’s the close-out gate it pairs with.
Detect and notify, then recover and close out.
Ransomware & AI-Outage Recovery Readiness Drill
Would you actually recover? The recovery-side drill to this notification-side one.
ViewAI Incident Postmortem & Readiness Gate
Close the loop after: grade the blameless writeup and gate the close.
ViewNIST AI RMF / US AI Governance Readiness Kit
The governance program this incident drill lives inside.
ViewAnswers before you buy.
It grades whether your process could meet a regulatory notification clock when an AI incident hits — scenario by scenario. For each drilled incident you mark six controls 0/1/2: your detection-to-awareness path, severity and regime triage, whether a named person can start the clock, your regulator contact map and filing channel, your drafting path and breach register, and cross-track coordination. The six are weighted to a 0–100 score banded NOTIFIABLE-READY, TIGHTEN, or WOULD MISS THE CLOCK, and the program rolls up to DRILL-READY, GAPS, or WOULD MISS NOTIFICATION. It grades the process, never people, and never asserts a deadline as the verdict.
Because of the clock-start gate, which is the heart of the drill. A scenario is forced to WOULD MISS THE CLOCK regardless of score when either fatal pattern is present: you could not establish in time that the clock has started (your detection-to-awareness path or your severity/regime triage is absent), or no one is empowered to start the clock. The deadline is rarely the hard part — the hard part is that the clock starts at a trigger event you may not recognize, or that no one is authorized to call, so days burn before the countdown even registers. In the worked example a model-failure scenario scores 82 yet reads WOULD MISS THE CLOCK because no one can start the clock; the next row is the same incident after naming an on-call clock-starter, and it clears at 100. The gate worsens only — it never promotes a verdict.
An AI incident rarely fires one clock. The same event can trigger a personal-data breach notification (e.g. GDPR’s 72-hour rule, which starts at “awareness,” not detection), an AI safety / serious-incident report (e.g. the EU AI Act’s tiered 2/10/15-day Article 73 regime), a material-cyber disclosure (e.g. the SEC’s four-business-day clock, which starts at the materiality determination), sector duties like HIPAA’s 60-day rule, and US state breach laws with their own windows. The strictest applicable clock governs. These specifics are named in the playbooks as planning references — the engine itself is deliberately date-agnostic so it does not break when a regime’s dates shift.
Because the deadlines move, and a tool that hard-codes a date is wrong the moment a regime shifts. The EU AI Act’s high-risk timeline, state breach windows, and sector rules all change. So the drill grades the thing that actually determines whether you hit any clock — your process for recognizing the trigger, starting the count, and filing — rather than checking a calendar. That makes the verdict durable, and it keeps the tool honest: it tells you whether you would be ready, not whether a specific statute applies to you. Which regimes apply, and every deadline, must be confirmed with counsel.
No. It is a readiness drill that grades your notification process from your own marks. It files nothing, contacts no regulator, connects to no system, and confirms no actual regulatory obligation — it cannot tell you whether a given incident is legally reportable or to whom. It is not legal advice, a filing service, a certification, or a safe harbor, and it scores a process, never people. Use it to find and close the gaps in your incident-notification readiness, then confirm which regimes apply to you and every applicable deadline with qualified counsel.
A runnable zero-dependency Python engine, a workbook that reproduces it exactly (Start Here, Dashboard, and a Drill Scorecard with the mark definitions built into each column), a six-scenario worked example, and two playbooks: a Drill Facilitator Playbook for running the tabletop and marking honestly, and a Notification-Readiness Runbook that maps the controls to the major regimes and walks the clock-start, triage, and filing steps. Pick the incident types that matter to you — a data breach, an AI serious incident, a material cyber event — drill each one, and close the control the tool names first. Deterministic and offline; one-time purchase, lifetime access, 12 months of updates.
Don’t discover the clock
after it’s run out.
One purchase, lifetime access, 12 months of updates. $79, once.
Not legal advice. This is a readiness drill that grades your notification process from your own marks. It is date-agnostic and asserts no deadline; it files nothing, confirms no regulatory obligation, and scores no people. Notification duties (GDPR, the EU AI Act, SEC, HIPAA, and US state breach laws) vary by jurisdiction and change often — confirm which apply to you and every deadline with qualified counsel.
Sold by RedHub AI LLC · Secured by Stripe · redhub.ai