When an AI incident hits, the first critical decision is: how serious is this? Get it wrong—classifying a critical incident as routine, or treating a minor issue as an emergency—and you either miss your response window or waste resources on over-reaction.
Effective incident classification ensures the right level of response for each situation. It prevents panic over minor issues and complacency over serious ones.
This guide provides a framework for categorizing AI incidents by type and severity, with clear criteria for prioritization.
Executive Summary
- Classification drives response: Severity level determines response time, escalation, resources, and notification
- AI incidents have unique categories: Model failures, bias events, data exposures, and adversarial attacks require AI-specific classification
- Objective criteria prevent subjective judgment: Define clear thresholds to ensure consistent classification
- Classification can change: Initial assessment may be wrong; build in reassessment
- Over-classification is better than under-classification: When uncertain, classify higher
- Document classification decisions: Reasoning should be recorded for review and learning
Why This Matters Now
Without a classification framework, incident response becomes chaotic:
- Critical incidents get delayed because they weren't recognized as critical
- Routine issues consume executive attention because everything gets escalated
- Response is inconsistent because different responders apply different standards
- Resources are misallocated because priority isn't clearly determined
- Post-incident review is difficult because there's no standard to compare against
A clear classification framework creates shared understanding of what different severity levels mean and what response they require.
AI Incident Type Categories
Category 1: Model Performance Incidents
Incidents where AI models produce incorrect, degraded, or unexpected outputs.
| Sub-type | Description | Examples |
|---|---|---|
| Accuracy degradation | Model accuracy below acceptable threshold | Prediction accuracy drops from 95% to 70% |
| Hallucination | Model generates false information | AI chatbot invents policies or facts |
| Edge case failure | Model fails on unusual but valid inputs | System can't handle legitimate scenarios |
| Drift | Model performance changes over time | Gradual accuracy decline |
| Catastrophic failure | Model produces clearly wrong outputs | Classification system labels everything incorrectly |
Category 2: Data Incidents
Incidents involving data handled by or exposed through AI systems.
| Sub-type | Description | Examples |
|---|---|---|
| Data breach | Unauthorized data access or exposure | Personal data leaked via AI output |
| Data poisoning | Training data corrupted | Malicious data introduced to training set |
| Data leakage | Training data exposed in outputs | Model reveals sensitive training data |
| Data quality | Input data problems affect AI | Garbage-in-garbage-out scenarios |
| Cross-contamination | Data from one context appears in another | Customer A's data shown to Customer B |
Category 3: Bias and Fairness Incidents
Incidents where AI produces discriminatory or unfair outcomes.
| Sub-type | Description | Examples |
|---|---|---|
| Discriminatory outcome | Protected characteristics influence decisions | Loan approval differs by ethnicity |
| Disparate impact | Neutral policy has uneven effects | Resume screening disadvantages a group |
| Feedback loop bias | AI amplifies existing bias | Policing AI concentrates in already-policed areas |
| Representation harm | AI outputs reinforce stereotypes | Image generation produces biased depictions |
Category 4: Security Incidents
Incidents involving security threats to or via AI systems.
| Sub-type | Description | Examples |
|---|---|---|
| Prompt injection | Malicious prompts manipulate AI | Attacker bypasses safety controls via prompts |
| Model extraction | Unauthorized model replication | Attacker reverse-engineers proprietary model |
| Adversarial attack | Inputs designed to cause misclassification | Modified image fools visual AI |
| Data exfiltration | AI used to extract data | Attacker uses AI to summarize confidential data |
| Unauthorized access | Improper access to AI systems | Credentials compromised |
Category 5: Governance and Compliance Incidents
Incidents involving policy violations or compliance failures.
| Sub-type | Description | Examples |
|---|---|---|
| Policy violation | AI use violates organizational policy | Employee uses unapproved AI tool |
| Regulatory breach | AI use violates regulations | Personal data processed without consent |
| Contractual breach | AI use violates agreements | Data shared contrary to contract |
| Unapproved deployment | AI deployed without proper approval | Shadow AI in production |
| Documentation failure | Required records not maintained | No documentation of AI decisions |
Category 6: Operational Incidents
Incidents affecting AI system operations.
| Sub-type | Description | Examples |
|---|---|---|
| Availability | AI system unavailable | System outage |
| Performance | AI system slow or degraded | Response times unacceptable |
| Integration | AI-other system communication fails | API failures |
| Resource exhaustion | AI consumes excessive resources | Runaway costs or capacity |
AI Incident Classification Matrix
Severity Level Definitions
| Severity | Business Impact | Data Impact | Harm Potential | Regulatory Exposure |
|---|---|---|---|---|
| Critical | Major disruption; significant financial impact | Sensitive data breach affecting many | Active harm occurring or imminent | Certain regulatory notification required |
| High | Significant disruption; moderate financial impact | Sensitive data at risk; limited exposure | Potential for significant harm | Likely regulatory interest |
| Medium | Limited disruption; minor financial impact | Non-sensitive data; contained | Potential for limited harm | Possible regulatory interest |
| Low | Minimal disruption | No data impact or very limited | Minimal harm potential | No regulatory implication |
Classification Decision Tree
START: AI incident detected
1. Is there active harm occurring to individuals or customers?
YES → CRITICAL
NO → Continue
2. Is sensitive personal data exposed or at risk?
YES (large scale) → CRITICAL
YES (limited scale) → HIGH
NO → Continue
3. Is there regulatory notification required within 72 hours?
YES → CRITICAL
LIKELY → HIGH
NO → Continue
4. Is there significant business operation disruption?
YES → HIGH
LIMITED → MEDIUM
NO → Continue
5. Is there potential for harm if unaddressed?
SIGNIFICANT → HIGH
MODERATE → MEDIUM
MINIMAL → LOW
6. Is there a policy or compliance violation?
SERIOUS → MEDIUM (minimum)
MINOR → LOW
NO → Continue
7. Default classification based on operational impact:
Significant → MEDIUM
Limited → LOW
Severity Criteria Matrix
| Factor | Critical | High | Medium | Low |
|---|---|---|---|---|
| People affected | >1000 or vulnerable groups | 100-1000 | 10-100 | <10 |
| Data sensitivity | Financial, health, children's data | Personal data | Business data | Public data |
| Financial impact | >$100K | $10K-100K | $1K-10K | <$1K |
| Reputation risk | National media likely | Industry coverage likely | Limited visibility | Internal only |
| Reversibility | Cannot undo harm | Partially reversible | Fully reversible | No harm |
| Detection confidence | Confirmed | Highly likely | Suspected | Possible |
| Duration | Ongoing | Hours | Days | One-time |
Response Requirements by Severity
| Severity | Response Time | Escalation | Team Activation | Communication |
|---|---|---|---|---|
| Critical | Immediate (<1 hour) | Executive + Board | Full AI-IRT | Immediate internal; external as required |
| High | <4 hours | Executive | Core AI-IRT | Same day internal |
| Medium | <24 hours | Manager | Limited team | Next business day |
| Low | <72 hours | Standard channels | Assigned responder | Normal reporting |
Classification Examples
Example 1: AI Chatbot Hallucination
Scenario: Customer-facing AI chatbot tells a customer they're entitled to a refund they're not actually entitled to. One customer affected, no data breach.
Classification process:
- Active harm? No (minor financial misstatement)
- Sensitive data exposed? No
- Regulatory notification? No
- Business disruption? No
- Harm potential? Low (one incorrect response)
Classification: LOW
But note: If the chatbot is making this error systematically, reclassify to MEDIUM or HIGH.
Example 2: AI System Data Leak
Scenario: AI system accidentally includes personal data from training set in outputs. 50 customers' names and emails exposed.
Classification process:
- Active harm? No (exposed, not exploited)
- Sensitive data exposed? YES (personal data)
- Regulatory notification? LIKELY (personal data breach)
- Business disruption? Limited
- Harm potential? Moderate
Classification: HIGH
Example 3: Bias in Hiring AI
Scenario: Analysis reveals hiring AI has been systematically rating female candidates lower. Has affected hiring decisions for 6 months.
Classification process:
- Active harm? YES (ongoing discriminatory decisions)
- Sensitive data? Employment decisions (sensitive context)
- Regulatory notification? Potentially (discrimination laws)
- Business disruption? Significant (hiring process affected)
- Harm potential? Significant (career impacts)
Classification: CRITICAL
Example 4: Model Accuracy Drop
Scenario: Internal predictive model accuracy drops from 90% to 85% based on monitoring alerts. No customer-facing impact yet.
Classification process:
- Active harm? No
- Data impact? No
- Regulatory notification? No
- Business disruption? Not yet
- Harm potential? Moderate if unaddressed
Classification: MEDIUM
Classification Procedures
Initial Classification
- Gather available facts (don't wait for complete information)
- Walk through decision tree using known information
- Apply criteria matrix where judgment needed
- When uncertain, classify higher
- Document classification reasoning
- Communicate classification to response team
Reclassification
Initial classification is preliminary. Reassess as information develops:
Reclassification triggers:
- New information changes impact assessment
- Scope expands or contracts
- Root cause identified that changes understanding
- External factors change (media attention, regulatory inquiry)
Reclassification process:
- Identify trigger for reclassification
- Re-walk classification criteria with new information
- Adjust response if severity changes
- Document reclassification and reasoning
- Communicate change to stakeholders
Common Failure Modes
1. Under-Classification
Serious incidents classified as routine, causing delayed response. When in doubt, classify higher.
2. Over-Classification
Every incident treated as critical, causing alert fatigue and resource exhaustion. Use criteria objectively.
3. Inconsistent Classification
Different responders classify similar incidents differently. Use documented criteria, not gut feel.
4. Static Classification
Failing to reclassify as information develops. Build in reassessment points.
5. Missing Categories
AI-specific incident types (bias, model failure) not in classification scheme. Ensure all AI incident types are covered.
6. Unclear Thresholds
"Significant impact" is subjective without defined thresholds. Quantify criteria where possible.
Implementation Checklist
- Define incident categories relevant to your AI systems
- Establish severity levels with clear definitions
- Create quantified criteria for each level
- Build decision tree for classification
- Define response requirements per severity
- Train responders on classification process
- Create classification templates/tools
- Establish reclassification procedures
- Test classification with scenarios
- Review and calibrate regularly
Metrics to Track
| Metric | Measurement | Purpose |
|---|---|---|
| Classification accuracy | Post-incident review: was classification correct? | Calibrate criteria |
| Classification time | Time from detection to classification | Ensure quick triage |
| Reclassification rate | % of incidents reclassified | May indicate initial process issues |
| Classification distribution | % at each severity level | Ensure appropriate spread |
| Classification disagreements | Cases where classification was disputed | Identify unclear criteria |
Frequently Asked Questions
Who should perform initial classification?
The first responder or on-call person should perform initial classification using the framework. They can escalate to the Incident Commander for confirmation on borderline cases.
What if an incident spans multiple categories?
Classify based on the highest-impact category. An incident that's both a data breach (HIGH) and policy violation (LOW) should be classified as HIGH.
How do we handle near-misses?
Near-misses (incidents that almost happened) should be logged at LOW severity but reviewed for lessons learned. They may indicate systemic issues.
Should we publish our classification criteria internally?
Yes—transparency helps everyone understand what constitutes incidents at different levels. This improves reporting and appropriate escalation.
How often should we review and update classification criteria?
After each significant incident (did criteria work?) and at least annually. Update when new AI systems are deployed or regulations change.
Taking Action
Effective incident classification is the foundation of effective response. It ensures critical incidents get urgent attention while routine issues follow standard processes.
Build your classification framework now, when you have time to think clearly—not in the chaos of an active incident.
Ready to build your AI incident classification capability?
Pertama Partners helps organisations develop AI-specific incident classification frameworks. Our AI Readiness Audit includes incident response capability assessment.
References
- NIST. (2023). Incident Handling Guide (SP 800-61).
- ITIL. (2024). Incident Management Practice Guide.
- ENISA. (2024). Good Practice Guide for Incident Management.
- ISO/IEC 27035. Information Security Incident Management.
- Singapore PDPC. (2024). Data Breach Management Guide.
Frequently Asked Questions
Consider impact on safety, data breach scope, business disruption, regulatory implications, and reputational risk. Use a consistent framework (e.g., Critical/High/Medium/Low) with defined criteria.
Prioritize based on ongoing harm potential, number of affected individuals, regulatory notification requirements, and ability to contain. Critical incidents need immediate response regardless of business hours.
AI incidents may involve harder-to-detect issues like bias emergence, gradual model drift, or subtle accuracy degradation. Classification must account for these AI-specific failure modes.
References
- NIST. (2023). *Incident Handling Guide (SP 800-61)*.. NIST *Incident Handling Guide * (2023)
- ITIL. (2024). *Incident Management Practice Guide*.. ITIL *Incident Management Practice Guide* (2024)
- ENISA. (2024). *Good Practice Guide for Incident Management*.. ENISA *Good Practice Guide for Incident Management* (2024)
- ISO/IEC 27035. Information Security Incident Management.. ISO/IEC Information Security Incident Management
- Singapore PDPC. (2024). *Data Breach Management Guide*.. Singapore PDPC *Data Breach Management Guide* (2024)
