# ChainOfFact Incident Response

When an AI-related incident occurs, narratives collapse quickly. ChainOfFact is designed for what happens next.

## During Normal Operation

- Events are recorded append-only
- No interpretation or scoring
- No retroactive edits

## When an Incident Is Flagged

- The moment is recorded immutably
- Subsequent events are cryptographically linked
- No data is backfilled

Example incident start marker:

```json
{
  "type": "incident_start",
  "incident_id": "INC-2026-001",
  "timestamp": "2026-01-29T18:42:00Z",
  "description": "Bias investigation initiated",
  "triggered_by": "compliance_team",
  "severity": "high"
}
```

## What to Record

Record artifacts with cryptographic hashes to prove they existed in their exact form at collection time.

### System Logs

Hash the complete log file, not excerpts. Include file path and collection timestamp.

```
artifact_type: "system_log", artifact_hash: "sha256:..."
```

### Model Inputs/Outputs

Hash both the input prompt and output response separately. Link to the model version.

```
inputs_hash: "sha256:...", outputs_hash: "sha256:..."
```

### Configuration Snapshots

Hash the active configuration at incident time. Include version identifiers.

```
artifact_type: "config_snapshot", config_version: "v2.1.0"
```

### Access Logs

Record who accessed what data and when. Include authentication context.

```
artifact_type: "access_log", accessor: "user@domain.com"
```

## Closing the Investigation

When evidence collection is complete, mark the end of the incident scope.

```json
{
  "type": "incident_end",
  "incident_id": "INC-2026-001",
  "timestamp": "2026-01-30T14:00:00Z",
  "artifact_count": 47,
  "status": "collection_complete",
  "closed_by": "lead_investigator@company.com"
}
```

## Bundle Generation

Generate a sealed evidence bundle for sharing with regulators, counsel, or auditors.
```
POST /api/bundles/evidence

{
  "incident_id": "INC-2026-001",
  "include_chain_proof": true,
  "format": "zip"
}
```

- Generate a sealed evidence bundle
- Share it with regulators, counsel, or auditors
- Verification requires no trust in ChainOfFact

ChainOfFact does not explain incidents. It preserves evidence.

---

Canonical URL: https://chainoffact.com/incidents
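The hash linking described under "When an Incident Is Flagged" and the artifact hashing under "What to Record" can be checked by anyone holding the records, which is what makes retroactive edits detectable. The sketch below is an added example, not ChainOfFact's own code or bundle format: the entry layout (`prev_hash`, `entry_hash`), the `artifact` event type, the `artifact_name` field, the all-zero genesis value and the sample log content are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "sha256:" + "0" * 64  # assumed anchor for the first entry

def sha256_tag(data: bytes) -> str:
    """Return the 'sha256:<hex>' form used on the page."""
    return "sha256:" + hashlib.sha256(data).hexdigest()

def link_hash(prev: str, event: dict) -> str:
    """Assumed link rule: hash of the previous entry hash + canonical event JSON."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return sha256_tag((prev + body).encode())

def append_event(chain: list, event: dict) -> None:
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    chain.append({"event": event, "prev_hash": prev,
                  "entry_hash": link_hash(prev, event)})

def verify_chain(chain: list, artifacts: dict) -> list:
    """Recompute every link and artifact hash; return the problems found."""
    problems, prev = [], GENESIS
    for i, entry in enumerate(chain):
        event = entry["event"]
        if entry["prev_hash"] != prev:
            problems.append(f"entry {i}: broken link")
        if entry["entry_hash"] != link_hash(entry["prev_hash"], event):
            problems.append(f"entry {i}: content altered")
        name, want = event.get("artifact_name"), event.get("artifact_hash")  # artifact_name: hypothetical field
        if want and sha256_tag(artifacts.get(name, b"")) != want:
            problems.append(f"entry {i}: artifact {name} does not match")
        prev = entry["entry_hash"]
    return problems

def build_sample():
    log = b"2026-01-29T18:41:58Z decision=deny\n"  # constructed sample log content
    chain = []
    append_event(chain, {"type": "incident_start", "incident_id": "INC-2026-001",
                         "timestamp": "2026-01-29T18:42:00Z"})
    append_event(chain, {"type": "artifact", "artifact_type": "system_log",
                         "artifact_name": "app.log", "artifact_hash": sha256_tag(log)})
    append_event(chain, {"type": "incident_end", "incident_id": "INC-2026-001",
                         "timestamp": "2026-01-30T14:00:00Z"})
    return chain, {"app.log": log}

if __name__ == "__main__":
    chain, files = build_sample()
    chain[0]["event"]["timestamp"] = "2026-01-29T19:00:00Z"  # retroactive edit
    print(verify_chain(chain, files))
```

The verifier needs only the entries and the artifact bytes, so a recipient can run it without contacting the system that produced them.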