How AI-powered companies can implement ISO 42001 control A.8.4 to rebuild trust after an incident
The only thing worse than an AI incident is being unprepared for one.
No one likes to think about the “communication of incidents” related to AI (the topic of Annex A control A.8.4 in ISO 42001), but the only thing worse than an incident is being unprepared for one.
Fumbling incident response can smash your customers’ already damaged trust in your company.
And regulators can amp up the pain with expensive penalties.
So here are three things I recommend establishing ahead of time:
1. Types of incidents you'll communicate about
AI “incidents” can range in severity between:
- A funny hallucination
- SKYNET becoming self-aware
Your reporting threshold should be somewhere in between these two extremes.
StackAware will make notifications upon loss of customer data confidentiality, as defined by our contractual requirements or applicable law or regulation.
Since there aren’t any customer business processes vitally dependent on our AI systems running, we aren’t worried as much about data integrity or availability. But that may change as our company grows and our products mature.
2. Timelines/methods for disclosure
Some regulations have hard deadlines (e.g. ‘30 days’).
Others have broad guidelines (e.g. ‘promptly’).
Layer on top of this any contractual requirements, and you may have a tangled web of reporting windows.
And then add in the different formatting requirements between jurisdictions, such as:
- Information to include
- Hard vs. electronic copy
- Media announcements (e.g. HIPAA)
StackAware has a self-imposed 96-hour window. We make all notifications via our Trust Center unless otherwise required.
3. Which (if any) authorities to notify
In addition to existing data breach notification requirements, this control is important for AI-specific regulations like:
- Colorado’s SB-205
- California’s SB-1047
These laws will add (or have already added) AI-specific reporting criteria for certain companies.
How regulators will implement these new requirements remains to be seen. But companies should keep a close eye out for new developments.
Need help designing and deploying Annex A controls for ISO 42001?
StackAware gets AI-powered companies ready for ISO 42001 audit through our AI Management System (AIMS) Accelerator.
In 90 days, we get you certification-ready so you can:
- Close and retain revenue by building customer trust
- Manage AI-related risks like damaging data leaks
- Avoid regulatory penalties
Need to learn more?