Stats
Actions
Tags
Structures AI incident reports aligned to NIST SP 800-61 incident response phases and EU AI Act Article 62 serious incident reporting obligations. Use whenever someone says "log an AI incident", "report an AI failure", "document this incident", "file an incident report", "something went wrong with our AI", "we had an AI bias incident", "our model produced harmful output", "Article 62 report", "serious incident report", "EU AI Act incident", "post-incident review", or "AI incident debrief". Also trigger when someone describes an AI system failure, unexpected output, harm to a user, or regulatory notification requirement — even if they don't use the word "incident". Produces a structured, pre-filled incident report ready for internal review, legal sign-off, and where required, submission to a national market surveillance authority. Identifies whether the incident meets the Article 62 serious incident threshold and routes to the right stakeholders automatically.
How this skill is triggered — by the user, by Claude, or both
Slash command
/incident-response-logger:incident-response-loggerThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Structures AI incident reports to align with NIST SP 800-61 response phases and EU AI
Structures AI incident reports to align with NIST SP 800-61 response phases and EU AI Act Article 62 serious incident reporting obligations. Produces a completed report ready for internal review, legal sign-off, and regulatory submission where required.
Before drafting the report, collect the critical facts and determine severity. Infer from conversation where possible; ask only for what's genuinely missing.
Minimum required to proceed:
Severity screen — ask these immediately:
Load references/article-62-thresholds.md and check whether the incident meets the
EU AI Act Article 62 serious incident threshold:
If ANY serious incident threshold is met → flag immediately and proceed to Step 2 with URGENT status. Article 62 notification to the national market surveillance authority may be required within 15 working days.
Load the appropriate reference files based on severity and applicable frameworks:
| Condition | Load |
|---|---|
| Always | references/nist-800-61-phases.md |
| EU high-risk AI system involved | references/article-62-thresholds.md |
| Both | Both files |
Generate a structured incident report. Pre-fill every field you can from the conversation.
Use [ to be confirmed — [owner] ] for fields the user will need to complete, naming a
specific role (e.g., Legal, DPO, Engineering Lead) so the report is immediately actionable.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🚨 AI INCIDENT REPORT
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
⚠️ ADVISORY NOTICE
───────────────────
This report is generated by an AI skill and is provided for informational and
governance support purposes only. It does not constitute legal advice, regulatory
advice, or a formal compliance determination. Do not submit this report to a
regulatory authority or rely on it as a substitute for review by qualified legal
counsel or a licensed compliance professional with jurisdiction-specific expertise.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Report ID: INC-[YYYYMMDD]-[NNN]
Status: 🔴 URGENT / 🟡 ELEVATED / 🟢 STANDARD
Created: [date/time]
Created by: [name / role]
Last updated: [date/time]
SECTION 1 — INCIDENT IDENTIFICATION
──────────────────────────────────────
System name: [AI system name and version]
Deployment context: [where/how the system is used]
Incident type: [ Harmful output / Bias / Privacy breach / Safety failure /
System failure / Unauthorised access / Other: ___ ]
Occurred: [date and time, or range]
Detected: [date and time]
Detection method: [ User report / Automated monitoring / Internal review /
Regulatory notification / Media / Other: ___ ]
Reported by: [name / role / channel]
SECTION 2 — INCIDENT DESCRIPTION
───────────────────────────────────
What happened:
[Plain-language narrative — what the AI system did or failed to do, in enough
detail for a non-technical reviewer to understand the failure. Include the
specific input(s) that triggered the failure where known.]
What was expected:
[What the system should have done instead.]
Root cause (initial assessment):
[ Known / Under investigation — owner: Engineering Lead ]
[If known: brief description of likely technical or operational cause]
SECTION 3 — IMPACT ASSESSMENT
───────────────────────────────
Individuals affected: [number or range — if unknown, state "under assessment"]
Nature of harm: [ Physical / Psychological / Financial / Discriminatory /
Reputational / No harm identified / Under assessment ]
Severity of harm: 🔴 Serious / 🟡 Moderate / 🟢 Minor / ⬜ Under assessment
Harm realised or potential: [ Realised / Potential / Both ]
Data involved: [ Personal data / Special category data / No personal data /
Under assessment ]
Systems/services affected: [list any downstream systems or services impacted]
Geographic scope: [country/region where affected individuals or systems are located]
SECTION 4 — CONTAINMENT ACTIONS TAKEN
────────────────────────────────────────
Immediate actions:
[ ] System suspended / taken offline
[ ] Affected outputs recalled or corrected
[ ] Affected individuals notified
[ ] Monitoring enhanced
[ ] Access restricted
[ ] Other: ___
Containment status: [ Contained / Partially contained / Ongoing ]
Containment confirmed: [ to be confirmed — Engineering Lead ]
SECTION 5 — EU AI ACT ARTICLE 62 ASSESSMENT
──────────────────────────────────────────────
System risk tier: [ High-risk (Annex III) / GPAI / Other / Unconfirmed ]
Serious incident threshold met: [ Yes / No / Under assessment ]
Threshold basis: [ see references/article-62-thresholds.md ]
Regulatory notification required: [ Yes — due within 15 working days /
No / Under assessment — Legal to confirm ]
Notification authority: [ to be confirmed — Legal ]
Notification due date: [ to be confirmed — Legal ]
DPO notified (if personal data): [ Yes / No / Not applicable ]
GDPR breach notification required: [ Yes / No / Under assessment — DPO to confirm ]
SECTION 6 — STAKEHOLDER ROUTING
──────────────────────────────────
[ ] Engineering Lead — root cause investigation
[ ] Legal / Compliance — Article 62 assessment and notification
[ ] DPO — data breach assessment (if personal data involved)
[ ] Communications — user/public notification (if required)
[ ] Executive sponsor — awareness (if serious incident)
[ ] National Market Surveillance Authority — regulatory notification (if required)
Incident commander: [ to be confirmed — [appropriate senior role] ]
Next review: [ to be confirmed — within [24h / 72h / 5 days] ]
SECTION 7 — NIST SP 800-61 PHASE TRACKING
─────────────────────────────────────────────
Current phase: [ Preparation / Detection & Analysis / Containment, Eradication &
Recovery / Post-Incident Activity ]
Phase status:
Preparation: [ Complete / In progress / Not started ]
Detection & Analysis: [ Complete / In progress / Not started ]
Containment: [ Complete / In progress / Not started ]
Eradication: [ Complete / In progress / Not started ]
Recovery: [ Complete / In progress / Not started ]
Post-Incident Review: [ Scheduled for: ___ / Not yet scheduled ]
SECTION 8 — TIMELINE
──────────────────────
[Chronological list of known events — add rows as the incident develops]
[DATE TIME] — Incident occurs / first occurrence
[DATE TIME] — Incident detected
[DATE TIME] — Initial response initiated
[DATE TIME] — [next known event]
SECTION 9 — LESSONS LEARNED (Post-Incident)
─────────────────────────────────────────────
[Complete this section after the incident is resolved — see references/nist-800-61-phases.md
for post-incident activity guidance]
Root cause confirmed: [ to be completed after investigation ]
Contributing factors: [ to be completed after investigation ]
Controls that failed: [ to be completed after investigation ]
Recommended improvements: [ to be completed after investigation ]
Follow-up actions: [ to be completed after investigation ]
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
After generating the report, produce a brief routing note:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📋 ROUTING SUMMARY
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Severity: [🔴 URGENT / 🟡 ELEVATED / 🟢 STANDARD]
Article 62 triggered: [Yes / No / Under assessment]
Regulatory deadline: [date or "N/A"]
GDPR breach notif.: [Required / Not required / Under assessment]
Immediate actions needed:
1. [Most urgent — owner — deadline]
2. [Second — owner — deadline]
3. [Third — owner — deadline]
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
After presenting the report and routing summary, offer:
.md file for the incident logdocx skill for a formatted .docx suitable for legal sign-offhitl-compliance-gate before submitting any regulatory notificationreferences/nist-800-61-phases.md[ to be confirmed ] placeholders naming specific
owners is far more useful than a blank template; it creates accountability without waiting for
complete informationProvides UI/UX resources: 50+ styles, color palettes, font pairings, guidelines, charts for web/mobile across React, Next.js, Vue, Svelte, Tailwind, React Native, Flutter. Aids planning, building, reviewing interfaces.
Fetches up-to-date documentation from Context7 for libraries and frameworks like React, Next.js, Prisma. Use for setup questions, API references, and code examples.
npx claudepluginhub unqdlphn/quirgs --plugin incident-response-logger