What counts as an AI incident?

An AI incident is any event that affects model behaviour, fairness, reliability, oversight, or risk in a way that should be reviewed and recorded.

Do teams need a formal incident register?

Yes, if they want a durable operational record rather than scattered notes across email, slides, and spreadsheets.

What should be exportable from an incident register?

At minimum: the incident summary, ownership, actions taken, status, and supporting evidence.

Can this start with one system only?

Yes. Building an incident structure around one live system is usually the fastest way to create a usable baseline.

Resource

How to build an AI incident register for high-risk AI systems

An AI incident register is a structured record of what happened, what system was affected, what follow-up was required, and how the issue was resolved.

Guardian is a continuous monitoring and auditability platform for high-risk AI systems under the EU AI Act. For monitoring context, see how to monitor high-risk AI systems, the product, EU AI Act, and For AI.

Book a readiness call See the 4-week readiness sprint

What an AI incident register is

An AI incident register is the operational record teams use to track incidents affecting the behaviour, fairness, oversight, or reliability of a high-risk AI system.

It should make it possible to answer three questions clearly: what happened, what was done, and what remains unresolved.

What each incident record should include

Incident summary
Affected system
Date and time
Affected cohort or workflow
Severity
Assigned owner
Actions taken
Resolution status
Supporting evidence

Who should own follow-up

Ownership depends on the incident, but the record should always make responsibility visible.

Compliance, legal, risk, operations, and AI teams may all contribute. What matters is that ownership, actions, and status are explicit rather than buried in email threads. The same record should be visible in Guardian so all sides see one thread. Methodology: open methodology; data: security.

How incident records connect to AI Act readiness

Incident records help demonstrate post-deployment monitoring, traceability, oversight, and operational follow-up. In practice, they are one of the clearest parts of a defensible evidence record. For regulatory framing, see the EU AI Act page; for post-launch work, see post-market monitoring.

Common mistakes

Logging incidents without owners
Recording the problem but not the follow-up
Keeping evidence in disconnected tools
Failing to capture affected cohorts or workflows
Treating incident review as an ad hoc process

A Readiness Sprint on one system helps you define a first register pattern before you scale. Learn more about the company: About.

FAQ

What counts as an AI incident?: An AI incident is any event that affects model behaviour, fairness, reliability, oversight, or risk in a way that should be reviewed and recorded.
Do teams need a formal incident register?: Yes, if they want a durable operational record rather than scattered notes across email, slides, and spreadsheets.
What should be exportable from an incident register?: At minimum: the incident summary, ownership, actions taken, status, and supporting evidence.
Can this start with one system only?: Yes. Building an incident structure around one live system is usually the fastest way to create a usable baseline.

Start with one incident-ready system baseline

Book a readiness call to define what an incident register should look like for one live system and how it should connect to your broader evidence trail.

Book a readiness call See the 4-week readiness sprint

All resources