Incident Reporting · 10 Apr 2026 · 6 min read

How to build an internal AI incident workflow that meets Article 73

A step-by-step guide to designing an internal AI incident detection, triage, and reporting workflow that satisfies the EU AI Act's serious incident obligations.

Detection: know when something goes wrong

Your incident workflow starts with detection. High-risk AI systems must have post-market monitoring (Article 72) that feeds into incident identification. This means automated anomaly detection on model outputs, user complaint channels, and downstream impact monitoring. Without detection, you cannot start triage, and the 15-day clock may start ticking before you realise it.

Detection sources should include: automated performance drift alerts, user or deployer feedback channels, downstream system health checks, and media or regulatory notifications. Centralising these signals into a single incident log ensures nothing slips through the cracks.

Triage: classify severity and establish causation

Not every anomaly is a serious incident. Your triage process must distinguish operational issues (e.g., temporary downtime) from serious incidents as defined in Article 3(49). The triage checklist should answer: Did the event cause or could it cause death, serious health damage, critical infrastructure disruption, or fundamental rights harm? Is there a causal link or reasonable likelihood of one between the AI system and the harm?

Assign clear roles: who performs initial assessment, who escalates, and who authorises the notification. Document every triage decision with timestamps. If you determine the event is not a serious incident, record why: this documentation protects you if a regulator later disagrees.

Response: notify, remediate, and learn

Once a serious incident is confirmed, the provider must notify the market surveillance authority within 15 days, notify the importer or distributor, implement immediate corrective measures (e.g., suspend deployment, roll back model version), and begin root cause analysis.

After the immediate response, conduct a structured post-incident review. Update your risk management system (Article 9) with the findings, adjust monitoring thresholds, and retrain staff if the incident reveals a gap. ActLoom automates notification tracking, evidence collection, and post-incident review documentation, so your team can focus on fixing the problem rather than filling out templates.