The AI incident response plan every comms team needs

In 2026, AI incidents won’t be edge cases — they’ll be routine moments of leadership. A chatbot will hallucinate a policy. A model will expose data it shouldn’t. A well-meaning automation will misfire in public. Communications leaders will be the ones expected to translate technical failure into human trust, often in minutes. That’s why an AI Incident Response Plan (IRP) is no longer an IT document; it’s a core comms playbook, right next to crisis protocols and media guidelines. The resources here are designed to help you define triggers, roles, language and guardrails—so when something goes wrong, your team responds with clarity.

We asked AI Center Advisor and McDermott Will & Schulte Associate Katelyn Ringrose what should be included in an IRP. “An Incident Response Plan should be highly tailored to the company it belongs to,” advises Ringrose. “For example, a consumer-facing entity might have an entirely different protocol for responding to customer inquiries than a business-to-business entity. Companies with greater reliance on the supply chain might have a heightened protocol for dealing with downstream vendors. Finally, companies dealing with the government or in the critical infrastructure space may have enhanced data retention and reporting obligations that must be outlined in their Incident Response Plan. Importantly, an Incident Response Plan cannot be a stagnant document; it must be tried and true, which is why regular tabletop exercises are essential.”

Data Security Incident Quick Reference Guide

Execute your data breach response plan

• Alert your incident response team, which should include legal counsel
• If you do not have a data breach response plan, legal counsel can coordinate the response
• Engage your public relations/communications/crisis management team

Engage your legal counsel and privacy compliance teams

• Identify legal obligations
• Identify contractual obligations

Identify and notify insurance providers

• Work with legal counsel to identify potential coverage and notify insurers

Identify the scope of the breach

• Determine what personally identifiable information is at risk
• Determine if other information, financial accounts, or systems are at risk

Have a computer forensics expert investigate, and repair as needed

• Secure compromised devices and preserve evidence
• Find out if any countermeasures, such as encryption, were enabled when the compromise occurred
• Analyze preserved or reconstructed data sources
• Ascertain the number of individuals potentially affected and type of information compromised

Inform law enforcement as necessary

Prepare communications to affected/required individuals

• Consider requirements under state/federal notification statutes, such as:
• California Data Breach Notification Law, Cal. Civ. Code §§ 1798.29 & 1798.82;
• New York SHIELD Act, N.Y. Gen. Bus. Law § 899-aa;
• Illinois Personal Information Protection Act, 815 ILCS §§ 530/1 to 530/25; and
• HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414.
  • Applicability: The notification laws which apply vary based on information breached and affected parties,
  • Timing: Notifications may be required in as few as ten (10) days.
• Involve press/crisis management team in incident-related communications

Afterward, identify lessons learned

• Re-evaluate breach response plan
• Ensure that firms/vendors are pre-approved on insurance policies
• Re-visit and strengthen data security measures
• Consider changing processes to prevent a future breach

Learn more about these critical AI topics with Ragan’s Center for AI Strategy.