Owner: General Counsel with the CTO (AIMS Owner) and CISO
Effective Date: June 13, 2026
Reviewed: Annually
Frameworks: ISO/IEC 42001 A.8.4 (communication of incidents); EU AI Act Art. 73 (serious-incident reporting); state AI adverse-impact reporting. Extends the Incident Response Policy.
Effective Date: June 13, 2026
Reviewed: Annually
Frameworks: ISO/IEC 42001 A.8.4 (communication of incidents); EU AI Act Art. 73 (serious-incident reporting); state AI adverse-impact reporting. Extends the Incident Response Policy.
Purpose
Ensure AI-specific incidents — malfunctions, harms, bias events, and serious incidents within the meaning of the EU AI Act — are detected, handled, and externally reported where the law or a contract requires it. This procedure sits on top of the general Incident Response Policy; AI incidents are first handled as incidents and additionally assessed for external AI-reporting duties.What is an AI serious incident / adverse impact
- EU AI Act “serious incident” (Art. 3(49)): an incident or malfunction of an AI system that directly or indirectly leads to death or serious harm to health, a serious and irreversible disruption of critical infrastructure, infringement of fundamental-rights obligations, or serious harm to property or the environment.
- Adverse impact (employment AI): a pattern of biased or discriminatory outcomes from a Neuroscale AI feature affecting candidates/employees (e.g., a failed bias audit in production, or a credible discrimination complaint).
- Algorithmic-discrimination event (state law): identification that a Neuroscale AI system has caused or is reasonably likely to have caused algorithmic discrimination (e.g., Colorado AI Act).
Workflow
- Detect & log. Source: post-market monitoring (AI System Life Cycle Process), bias re-audit, customer report, or complaint. Log as a security/privacy incident in the Incident Response flow and tag
ai-incident. - Triage & classify. The CTO, CISO, and GC determine whether the event is an AI serious incident, an adverse-impact event, and/or an algorithmic-discrimination event, and the affected jurisdictions.
- Contain & correct. Apply the Incident Response containment steps; where appropriate, suspend or roll back the AI feature or route affected decisions to human review. Open a Corrective Action with root-cause analysis.
- Assess external-reporting duties. GC determines which of the following apply and the deadline for each:
- EU AI Act Art. 73 — provider reporting of a serious incident to the relevant market-surveillance authority, without undue delay and within the Art. 73 timelines, once Neuroscale is a provider on the EU market.
- Colorado AI Act — notice to the Colorado Attorney General on identification of algorithmic discrimination, within the statutory period.
- GDPR / state breach laws — where personal-data breach criteria are also met (handled via the Customer Communications and breach matrix).
- NYC LL144 / employment-AI — deployer/customer obligations; Neuroscale supports the customer and updates the bias-audit posture.
- Contractual — customer-notification commitments in the MSA/DPA.
- Report. GC files each required external report using the authority’s mechanism and records it in the regulatory-correspondence log (see Customer Communications template 4) and the Legal & Regulatory Register.
- Stakeholder communication. Communicate to affected customers and, where required, affected individuals, per the Customer Communications procedure.
- Learn. Feed findings into the Corrective Action & Continual Improvement Procedure and the next ISMS Management Review; update the model card and bias-audit posture.
Records
Incident record, classification and reporting-duty assessment, copies of external reports, and corrective actions — retained per the Records Retention Schedule.Cross-references
- Incident Response Policy — base incident handling.
- AI System Life Cycle Process — monitoring source.
- Employment-AI Bias-Audit Procedure — adverse-impact detection.
- Customer Communications — external notice mechanics.
- Legal & Regulatory Register — reporting obligations.
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | June 13, 2026 | Initial AI serious-incident & adverse-impact reporting procedure. | Cameron Wolfe | Ishan Jadhwani |