AI Incident Tabletop Kit.

SOC analyst on call · pages CISO + GC within 15 min

• Was the tool on the approved list?
• Is the content material non-public information? (CFO + GC adjudicate)
• SEC/regulatory notification clock — does this start now?
• Vendor data-deletion request — submit immediately?
• Who tells the analyst, when, and how — coaching or HR?

• What policy did the analyst think applied? Was training current?
• Why was there no technical block on this tool?
• Do other teams have the same gap?

Customer's CSM escalates to GC + sales VP within 1 hour of receiving the legal forward

• Do we retract the email, correct it, or stand behind it?
• Who responds to the customer's counsel — sales or GC?
• Are other reps using the same AI assistant with similar risk?
• Disable the assistant immediately or scope the disable to contract responses?
• What goes in writing to the customer; what stays verbal?

• Was the AI assistant approved for contract-adjacent work?
• What controls would have caught this before send?
• Notification to E&O insurer — required, prudent, or no?

Head of Support + Comms within 30 min of social-listening alert

• Public response — apology, correction, or silence pending review?
• Pause chatbot entirely, restrict to certain topics, or keep running with disclaimer?
• Reach out to the affected customer privately — make whole or refer to dispute process?
• Is there a regulator that needs to hear from us proactively?
• Audit log review — how many other customers got similar wrong advice?

• What was the human-review threshold? Was it set correctly?
• Were known limitations of the bot documented in the AI System Card?
• Should this category of question route to human by default going forward?

SRE on-call escalates to ops VP within 30 min of detection

• Fall back to manual review, conservative rule-set, or pause new transactions?
• What's the financial cost of each option per hour?
• Do we proactively notify customers of slower processing?
• Is there a contractual SLA trigger — and what does it pay?
• At what hour-mark do we begin contingency procurement of an alternative vendor?

• Did we have a documented fallback before this happened?
• Is vendor concentration risk acceptable? Multi-vendor strategy review?
• Should this workflow be eligible for AI in the first place?

Security analyst who ran discovery · pages CISO + DPO within 1 business day

• Disable the tool today, or grant a transition window?
• Notification: customers, regulators (GDPR / CPRA clocks), partners under DPA?
• Data-deletion request to the vendor — how do we verify execution?
• Was anything generated using this data published or shared externally?
• Marketing team — coaching, training requirement, formal write-up?

• Why didn't the AI Vendor Intake process get triggered?
• What detection control would have caught this in month one, not month six?
• Are other teams running with similar unapproved tools right now?

Head of Content + Comms within 1 hour of public debunking

• Correction, retraction, or rewrite — and how is it labeled?
• Public acknowledgment, quiet edit, or both?
• Audit: how many other published pieces used the same tool with the same review depth?
• Reach out to the expert who flagged it — credit, response, both?
• Update editorial policy on AI-drafted content review depth?

• What was the human-review standard for AI-assisted content? Was it followed?
• Should some content categories be off-limits to AI drafting entirely?
• SEO + brand cost of the correction — how do we measure?