AS-301h · Module 2
Incident Command for AI
The incident commander is the single point of authority during an active incident. They do not investigate. They do not remediate. They coordinate. They decide what to contain, who to notify, when to escalate, and when to stand down. In AI-specific incidents, the incident commander needs enough AI domain knowledge to make containment decisions — is this a false positive, or should this agent be isolated? — without being so deep in the investigation that they lose the coordination role.
- Commander Role Clarity: The commander coordinates. The investigator investigates. The communicator communicates. Role clarity prevents the common failure where the most senior person does everything and misses the details. Define roles at the start of every incident. Do not assume everyone knows what to do.
- Decision Cadence: Every 15 minutes during an active incident, the commander makes a status decision: escalate, maintain, or de-escalate. This cadence prevents incidents from drifting — the default state between decisions is "continue current actions," not "wait for someone to decide what to do next." The 15-minute rhythm keeps the response moving forward.
- Incident Log: Every decision, every action, and every observation during the incident is recorded in a timestamped log. The log serves two purposes: real-time coordination (everyone can see the current status) and post-incident review (the log is the raw material for the retrospective). A verbal-only incident response produces no learning artifacts.
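The log and cadence rules above can be checked mechanically. The following is an added example, not part of the course material: a minimal time-ordered incident log that accepts status decisions only from the commander and reports every window longer than 15 minutes without one. The class, field and function names and the sample entries are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

CADENCE = timedelta(minutes=15)  # decision interval stated in the module
STATUSES = {"escalate", "maintain", "de-escalate"}
KINDS = {"decision", "action", "observation"}

@dataclass(frozen=True)
class Entry:
    ts: datetime
    role: str                     # e.g. commander, investigator, communicator
    kind: str                     # one of KINDS
    text: str
    status: Optional[str] = None  # set only on commander status decisions

class IncidentLog:
    def __init__(self, opened_at):
        self.opened_at = opened_at
        self.entries = []

    def record(self, ts, role, kind, text, status=None):
        if kind not in KINDS:
            raise ValueError(f"unknown entry kind: {kind}")
        if status is not None and (
            status not in STATUSES or role != "commander" or kind != "decision"
        ):
            raise ValueError("a status decision is a commander decision")
        last = self.entries[-1].ts if self.entries else self.opened_at
        if ts < last:
            raise ValueError("log is append-only and time-ordered")
        self.entries.append(Entry(ts, role, kind, text, status))

    def cadence_gaps(self, now):
        """Windows longer than CADENCE with no commander status decision."""
        marks = [self.opened_at]
        marks += [e.ts for e in self.entries if e.status is not None]
        marks.append(now)
        return [(a, b) for a, b in zip(marks, marks[1:]) if b - a > CADENCE]

def sample_log():
    """Constructed sample incident, not real data."""
    t0 = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)
    at = lambda minutes: t0 + timedelta(minutes=minutes)
    log = IncidentLog(t0)
    log.record(at(2), "commander", "decision", "roles assigned")
    log.record(at(10), "commander", "decision", "agent isolated", "maintain")
    log.record(at(20), "investigator", "observation", "possible false positive")
    log.record(at(40), "commander", "decision", "notify service owner", "escalate")
    return log, at
```

Calling `cadence_gaps` with the current time during the incident shows whether a status decision is overdue; calling it on the closed log gives the retrospective a list of periods where the response drifted.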