Immediate (0–6 hours)

• Shut down further AI actions: Suspend the AI agent’s access to production systems and invoke any available “kill switch” to prevent further autonomous actions.
• Escalate internally – fast: Notify legal, compliance, risk, IT security and senior management immediately. Treat the incident as a potential regulatory and legal event, not a technical fault.
• Preserve evidence: Secure AI logs, prompts, system messages, access permissions, decision trails and backups. Prevent overwriting or auto‑deletion of logs.
• Assess data impact: Determine whether personal information, regulated data, or client records were lost, corrupted or rendered inaccessible.

Short‑term containment (6–24 hours)

• Establish legal privilege: Ensure investigation steps are co-ordinated through legal counsel to preserve privilege where possible.
• Stabilise operations: Prioritise restoration of core services and customer‑facing systems, even if temporarily degraded.
• Initial regulatory triage: Assess whether notification obligations are triggered (e.g. Protection of Personal Information Act 4 of 2013, sector regulators, exchange rules) and applicable timelines.
• Align internal messaging: Ensure management, IT and customer‑facing teams share a consistent understanding of what is known and what is not yet confirmed.

Disclosure and stakeholder management (24–48 hours)

• Board‑level reporting: Brief the board and/or risk committee promptly.
• Prepare regulator notifications: Draft accurate, carefully framed disclosures covering what occurred, known or suspected causes, immediate containment steps and remediation underway.
• Avoid speculation or premature root‑cause conclusions.
• Notify insurers: Put cyber, technology‑errors, professional indemnity and business interruption insurers on notice in line with policy requirements.
• Engage key customers and partners: Provide timely, factual updates. Offer interim solutions where possible. Avoid admissions of liability while demonstrating responsibility.
• Review contractual exposure: Identify affected service‑level agreements, uptime commitments, data‑handling warranties and limitation‑of‑liability provisions.

Governance and remediation (48 hours and beyond)

• Document remedial action: Record governance and control enhancements implemented in response to the incident (human approvals, access restrictions, AI oversight, etc.).
• Board‑level reporting: Brief the board or risk committee promptly with a clear action plan and lessons learned.
• Plan forward‑looking reform: Prepare a structured roadmap to address AI governance gaps – regulators will expect this.