AI Harm Notification Procedures
Define procedures for notifying regulators, affected individuals, and other required parties when an AI system causes or contributes to harm.
Objective
Meet regulatory notification obligations and fulfill ethical duties to affected parties by ensuring harm notifications are timely, accurate, and appropriately documented.
Maturity Levels
Initial
No notification procedures exist; decisions about whether and how to notify are made ad hoc.
Developing
Legal has been consulted on notification obligations but no documented procedures exist.
Defined
Documented notification procedures specify trigger conditions, timeframes, recipients, and required content for each type of AI harm event.
Managed
Notification readiness is tested through scenario exercises; notification records are maintained.
Optimizing
Notification procedures are reviewed annually against regulatory updates; templates are pre-approved by legal.
Evidence Requirements
What an auditor or assessor would expect to see for this control.
- Notification procedure document specifying triggers, timelines, required content, and responsible parties for each notification type
- Actual notification records for incidents that met notification criteria, with timestamp and recipient confirmation
- Regulatory submission records or acknowledgments for any reportable incidents
- Legal review records confirming notification triggers and content were reviewed against applicable regulatory requirements
- Tabletop exercise records testing the notification procedure, including time-to-notification measurement
Implementation Notes
Key steps
- Map your notification obligations by regulation and jurisdiction: EU AI Act, GDPR, sector-specific regulations, and local laws each have different trigger conditions and timeframes.
- Prepare notification templates in advance — drafting under pressure during an incident leads to errors that create secondary legal exposure.
- Define the trigger clearly: 'harm' under most regulations includes significant errors, discriminatory outcomes, and data breaches — not just dramatic failures.
- Document notification decisions including cases where you assessed an event and determined notification was not required — this is important audit evidence.
Example Implementation
Healthcare AI company assessing notification obligations after an AI documentation error affected patient records
AI Harm Notification Assessment — IRC-INC-0044
Incident summary: The AI clinical documentation assistant generated an incorrect medication allergy entry for 12 patients; the errors were present in the EHR for an average of 3 hours before detection and correction.
Notification obligation assessment:
| Obligation | Regulation | Trigger | Assessment | Decision |
|---|---|---|---|---|
| Regulator notification | EU AI Act Art. 73 (serious incident) | Serious incident causing risk to health | 12 patients had incorrect allergy data; clinical review confirmed no adverse events in that window | Notify national authority — meets threshold (risk to health, even without confirmed harm) |
| Patient notification | GDPR Art. 34 (communication to data subject) | High risk to rights and freedoms | Incorrect medical data is high-risk; patients have right to know | Notify all 12 affected patients |
| Supervisory authority | GDPR Art. 33 (breach notification) | Personal data breach likely to result in risk | Inaccurate health data meets breach threshold | Notify DPA within 72 hours |
Notification status:
- DPA notified: 2026-04-10T09:15Z (within 72-hour window) ✓
- National AI authority notified: 2026-04-11 ✓
- Patient notification letters sent: 2026-04-12 (drafted by Legal, reviewed by CMO) ✓
Documentation: All notification decisions and communications stored in /compliance/incident-notifications/IRC-0044/
Control Details
- Control ID: IRC-003
- Domain: Incident Response
- Typical owner: Legal / Compliance / Privacy
- Implementation effort: Medium effort
- Agent-relevant: Yes
