Most organizations have a cyber incident response plan. Most organizations do not have an AI incident response plan. They are not the same thing, even though they will sit next to each other on the same shelf within the next 24 months.

The hard part of incident response is not the technology. It is the relationships, the playbooks, and the muscle memory that you build before anything goes wrong. None of those are things you can buy at the moment of crisis.

The Promise

The cyber incident response industry is now mature. There are well-defined retainer structures, established legal-privilege protocols, named breach-response firms, board-level reporting templates, and regulatory communication frameworks. Twenty years of incidents have produced a vocabulary and a service architecture that organizations can adopt without inventing it.

That entire body of practice is now being adapted for AI. The same firms that built cyber breach response are now building AI incident response. The same legal-privilege frameworks are being extended to cover AI-specific harms. The same crisis-communication agencies are developing AI-incident playbooks. The infrastructure is forming.

The promise is that organizations don’t have to invent this from scratch. They can reuse the cyber model, adapt the categories, and stand up a credible AI incident capability within a quarter or two of effort.

The Risk

The risk is the gap between knowing this is possible and actually doing it. Cyber organizations that built incident response capabilities before they had an incident absorbed their first real breach with weeks of disruption. Cyber organizations that built incident response capabilities during the breach absorbed multi-quarter operational damage and avoidable reputational harm.

AI is going to look the same. The first generation of serious AI incidents — model output causing customer harm, hiring AI bias case, AI hallucination defamation, agentic system causing financial damage — will land on organizations that have not built the response capability. They’ll spend the first 24 hours in chaos, the first week negotiating retainer agreements during an active incident (a terrible position to be in), and the first quarter rebuilding trust they didn’t need to lose.

The specific risks to plan for. First, the call will come from someone you don’t expect. A regulator. A journalist. A customer. A class action firm. Most organizations have not thought through who picks up the phone for each scenario, much less what they say.

Second, the legal-privilege model is more complicated than for cyber. AI incidents often involve marketing claims, regulatory representations, and fiduciary representations that are evidentiary in different ways than a typical breach. The lawyer-client privilege architecture that worked for cyber needs adjustment.

Third, agentic systems will produce incidents at speed and scale that traditional incident response was not designed for. An agent making thousands of decisions per minute can produce a six-figure problem before anyone notices. Containment requires not just technical kill switches but pre-approved organizational authority to use them.

The Verdict

The Promise & Risk needle leans Promise here, because the work is feasible and the playbook largely exists. But the verdict has a deadline. AI incident response capability is not something organizations can build during their first incident. It is something they can build before their first incident — for a fraction of the cost.

When the call comes, the only thing that matters is what’s already in place. Twenty years of cyber experience taught us that. AI is repeating it on a faster clock.

For the longer analysis → I wrote a piece, originally from 2016, about what it feels like to be on the receiving end of a breach notification call — and why every word of it now applies to the first generation of serious AI failures.

Read The Call No One Wants. The Call Is Now Coming for AI.