Owner: General Counsel with the CTO (AIMS Owner) and CISO
Effective Date: June 13, 2026
Reviewed: Annually
Frameworks: ISO/IEC 42001 A.8.4 (communication of incidents); EU AI Act Art. 73 (serious-incident reporting); state AI adverse-impact reporting. Extends the Incident Response Policy.

Purpose

Ensure AI-specific incidents — malfunctions, harms, bias events, and serious incidents within the meaning of the EU AI Act — are detected, handled, and externally reported where the law or a contract requires it. This procedure sits on top of the general Incident Response Policy; AI incidents are first handled as incidents and additionally assessed for external AI-reporting duties.

What is an AI serious incident / adverse impact

  • EU AI Act “serious incident” (Art. 3(49)): an incident or malfunction of an AI system that directly or indirectly leads to death or serious harm to health, a serious and irreversible disruption of critical infrastructure, infringement of fundamental-rights obligations, or serious harm to property or the environment.
  • Adverse impact (employment AI): a pattern of biased or discriminatory outcomes from a Neuroscale AI feature affecting candidates/employees (e.g., a failed bias audit in production, or a credible discrimination complaint).
  • Algorithmic-discrimination event (state law): identification that a Neuroscale AI system has caused or is reasonably likely to have caused algorithmic discrimination (e.g., Colorado AI Act).

Workflow

  1. Detect & log. Source: post-market monitoring (AI System Life Cycle Process), bias re-audit, customer report, or complaint. Log as a security/privacy incident in the Incident Response flow and tag ai-incident.
  2. Triage & classify. The CTO, CISO, and GC determine whether the event is an AI serious incident, an adverse-impact event, and/or an algorithmic-discrimination event, and the affected jurisdictions.
  3. Contain & correct. Apply the Incident Response containment steps; where appropriate, suspend or roll back the AI feature or route affected decisions to human review. Open a Corrective Action with root-cause analysis.
  4. Assess external-reporting duties. GC determines which of the following apply and the deadline for each:
    • EU AI Act Art. 73 — provider reporting of a serious incident to the relevant market-surveillance authority, without undue delay and within the Art. 73 timelines, once Neuroscale is a provider on the EU market.
    • Colorado AI Act — notice to the Colorado Attorney General on identification of algorithmic discrimination, within the statutory period.
    • GDPR / state breach laws — where personal-data breach criteria are also met (handled via the Customer Communications and breach matrix).
    • NYC LL144 / employment-AI — deployer/customer obligations; Neuroscale supports the customer and updates the bias-audit posture.
    • Contractual — customer-notification commitments in the MSA/DPA.
  5. Report. GC files each required external report using the authority’s mechanism and records it in the regulatory-correspondence log (see Customer Communications template 4) and the Legal & Regulatory Register.
  6. Stakeholder communication. Communicate to affected customers and, where required, affected individuals, per the Customer Communications procedure.
  7. Learn. Feed findings into the Corrective Action & Continual Improvement Procedure and the next ISMS Management Review; update the model card and bias-audit posture.

Records

Incident record, classification and reporting-duty assessment, copies of external reports, and corrective actions — retained per the Records Retention Schedule.

Cross-references

Version history

VersionDateDescriptionAuthorApproved by
1.0June 13, 2026Initial AI serious-incident & adverse-impact reporting procedure.Cameron WolfeIshan Jadhwani