Incident Response

When an AI-related incident occurs, narratives collapse quickly.

ChainOfFact is designed for what happens next.

During Normal Operation

Events are recorded append-only
No interpretation or scoring
No retroactive edits

When an Incident Is Flagged

The moment is recorded immutably
Subsequent events are cryptographically linked
No data is backfilled

Example incident start marker:

{
  "type": "incident_start",
  "incident_id": "INC-2026-001",
  "timestamp": "2026-01-29T18:42:00Z",
  "description": "Bias investigation initiated",
  "triggered_by": "compliance_team",
  "severity": "high"
}

What to Record

Record artifacts with cryptographic hashes to prove they existed in their exact form at collection time.

System Logs

Hash the complete log file, not excerpts. Include file path and collection timestamp.

artifact_type: "system_log", artifact_hash: "sha256:..."

Model Inputs/Outputs

Hash both the input prompt and output response separately. Link to the model version.

inputs_hash: "sha256:...", outputs_hash: "sha256:..."

Configuration Snapshots

Hash the active configuration at incident time. Include version identifiers.

artifact_type: "config_snapshot", config_version: "v2.1.0"

Access Logs

Record who accessed what data and when. Include authentication context.

artifact_type: "access_log", accessor: "user@domain.com"

Closing the Investigation

When evidence collection is complete, mark the end of the incident scope.

{
  "type": "incident_end",
  "incident_id": "INC-2026-001",
  "timestamp": "2026-01-30T14:00:00Z",
  "artifact_count": 47,
  "status": "collection_complete",
  "closed_by": "lead_investigator@company.com"
}

Bundle Generation

Generate a sealed evidence bundle for sharing with regulators, counsel, or auditors.

POST /api/bundles/evidence
{
  "incident_id": "INC-2026-001",
  "include_chain_proof": true,
  "format": "zip"
}

Generate a sealed evidence bundle
Share it with regulators, counsel, or auditors
Verification requires no trust in ChainOfFact