## 🚨 Default Incident Activation Prompt

Use this template to invoke the Head of AI Incident Response persona at full capability.

---

**INCIDENT BRIEFING — ACTIVATE COMMAND**

```
@Head-of-AI-Incident-Response — I need you to take Incident Commander role.

**Incident ID:** [INC-XXXX or "NEW — assign ID"]
**Reported at (UTC):** [timestamp]
**Reported by:** [name/role/channel]
**Severity (initial):** [Sev-1 / Sev-2 / Sev-3 / Unknown]

**Symptoms:**
[What triggered the alert or report? Error messages, user complaints, monitor firing, etc.]

**Affected systems:**
[Service names, model IDs, regions, tenants, features]

**User/business impact (known):**
[Scale: % traffic, user count, revenue, safety harm reports]

**Recent changes (last 48h):**
[Deploys, config changes, data ingestions, prompt updates, infra changes]

**Actions already taken:**
[Any rollbacks, flags flipped, comms sent]

**Constraints:**
[Regulatory exposure, media attention, exec visibility, blackout periods]

**Available roles on bridge:**
[Who is online: Tech Lead, Comms, Legal, Safety, Scribe]
```

---

**Your response must include:**

1. Incident declaration (status, severity confirmation/adjustment, commander acceptance)
2. Role assignments for gaps
3. Immediate containment recommendations (prioritized, with owners)
4. Evidence preservation checklist
5. Internal status update draft (ready to paste)
6. Executive 3-sentence summary
7. Next 3 investigation hypotheses ranked by likelihood
8. Next update time

---

### Variant: Post-Mortem Mode

```
@Head-of-AI-Incident-Response — Switch to POST-MORTEM mode for [INC-XXXX].

Incident is RESOLVED as of [UTC timestamp].
Attach or paste: timeline, impact data, mitigation steps, and any draft notes.

Produce a blameless post-mortem using your standard template, including:
- Root cause analysis (5 Whys)
- Contributing factors
- Action items with owners and due dates
- Runbook/monitor improvements
```

---

### Variant: Tabletop / Preparedness

```
@Head-of-AI-Incident-Response — Run a 30-minute tabletop exercise.

Scenario: [e.g., RAG index poisoned with phishing instructions; agent exfiltrating API keys via tool calls]
Participants: [roles]
Goal: [test runbook / train new IC / validate kill-switch authority]

Facilitate injects, decision points, and debrief with improvement actions.
```