advanta

HomeModule LibraryGovernance

Module GOV-11 sigil: Governance pillar, Strategy layer, maturity bands 1 to 3.Deterministic sigil for Module GOV-11. The Pillar geometry encodes Governance (Pillar 4); the top-right marker S encodes the Strategy layer; the baseline meter encodes maturity bands 1 to 3.SGOV-11
P4· L-G· Bands OperationalIntegratedOptimisedDefensible

· GOV-11

AI Incident Disclosure Standard

When an AI incident materially affects a client matter, regulatory obligation, or professional conduct exposure, the firm must disclose — to the client, to the regulator, sometimes to the court. The AI Incident Disclosure Standard defines what triggers disclosure, what must be disclosed, to whom, in what timeframe, and how the disclosure record is preserved. Without a Disclosure Standard, incident response collapses into case-by-case judgement calls that compound exposure rather than containing it. Methodology v2026.1.

strategic

·

Per-engagement

·

Disclosure decision: 4–8 hours per incident; regulator notification preparation: 1–3 business days; client disclosure drafting: 1 business day per affected client.

Methodology v2026.1

Executive Summary

GOV-11 defines the AI Incident Disclosure Standard: the governance, decision, and documentation framework for determining when and how to disclose AI incidents to clients, regulators, and professional bodies. It addresses the unique overlay of professional conduct rules, data protection law, and AI-specific regulation that arises when AI tools affect client matters, process privileged or personal data, or act autonomously. The module introduces a disclosure trigger matrix aligned to the Risk Taxonomy 2026, with particular emphasis on Class 2 (Privilege and Confidentiality), Class 4 (Privacy and Data Protection), and Class 6 (Shadow AI with client exposure). It distinguishes client disclosure, regulatory notification, and professional body reporting as separate but coordinated obligations, each with specific content and timing standards. GOV-11 centralises decision authority with General Counsel, embeds a privilege preservation protocol, and mandates a 7-year evidence trail for all disclosure decisions. It is designed to make AI incident handling defensible under GDPR, the EU AI Act, ABA Model Rules, and SRA requirements, while enabling firms to communicate transparently with clients and regulators without unnecessary waiver of privilege or creation of additional liability.

Defensibility Evidence Produced

GOV-11 generates DPS Tier 3 evidence across all three lenses. Adoption lens (5-year retention): incident disclosure trigger assessments documenting which disclosure category applied and why, classification records for each incident processed through the framework, and logs confirming Category 4 internal governance records were created for every qualifying incident. Sophistication lens (5-year retention): General Counsel authority sign-off records and delegation records where authority was exercised below GC level, privilege preservation assessments completed prior to external disclosure, disclosure decision logs capturing the deliberative process, and records of privilege counsel engagement where applicable. Defensibility lens (7-year retention): all external disclosure communications — client disclosure letters, GDPR Article 33 DPA notification submissions with timestamps confirming the 72-hour window was met, professional regulatory body notification correspondence, and regulator acknowledgement records. The 7-year Defensibility retention period applies because disclosure communications may be referenced in regulatory investigations, client complaints, or professional disciplinary proceedings that arise years after the underlying incident.

Elements:

Decision traceabilityGovernance posture

Metric 0 Pre-Check

Before any GOV-11 disclosure assessment proceeds, two gates must pass.

Gate 1 — STR-07 Incident Record Exists

Confirm a formal STR-07 incident report has been opened for the AI incident triggering the disclosure assessment. A disclosure assessment without a formal incident record creates an unanchored evidence trail. If failed: open the STR-07 record before proceeding with disclosure assessment.

Gate 2 — General Counsel Notified

Confirm General Counsel has been notified of the incident and the disclosure assessment is proceeding with their knowledge. All disclosure decisions require General Counsel sign-off; the assessment must not proceed in a way that presupposes a disclosure decision without GC involvement. If failed: notify General Counsel before proceeding.

1. Purpose

GOV-11 establishes the AI Incident Disclosure Standard: the governance policy and procedural framework for determining and fulfilling the organisation’s disclosure obligations when an AI incident occurs. It governs disclosure to clients, data protection authorities, bar associations and professional regulatory bodies, and other mandated recipients.

Disclosure obligations arising from AI incidents differ from conventional IT incident disclosure in two important ways. First, AI-specific professional conduct rules overlay standard data breach notification obligations. An AI tool that produces an incorrect legal opinion is not a data breach, but it may trigger client communication obligations under professional conduct rules. Second, the disclosure recipient, content, and timing vary significantly depending on the type of incident and the risk class it implicates.

GOV-11 provides the decision architecture for navigating these obligations reliably and defensibly.

Operational Signals

gov-11.disclosure-decisions-logged

Defensibility Posture Statement

Disclosure decisions made with full rationale and timing — DE-1 Decision traceability record.

per-engagement

gov-11.notification-sla

Annual Legal AI OS Index

Disclosure notifications delivered within regulatory SLA feeds the Annual Legal AI OS Index disclosure-discipline signal.

per-engagement

gov-11.client-disclosure-currency

Console

Client-facing disclosure record currency per active matter for Console intelligence substrate.

On change

Recommended Stakeholders

Owner

  • General Counsel

Approvers

  • General Counsel
  • Audit Committee Chair
  • Risk & Compliance

Contributors

  • Head of Legal Operations
  • External Counsel

Informed

  • Board
  • CIO / CISO
  • AI Task Force

Inputs · Outputs

Inputs

  • · STR-07 AI incident report
  • · DAT-06 AI Bill of Materials entry for implicated tools
  • · GOV-08 Agentic Governance Panel records
  • · Client engagement documentation and AI use disclosures
  • · Applicable data protection authority notification requirements
  • · Bar association or professional regulatory AI disclosure guidelines
  • · Internal and external legal counsel opinions on privilege and disclosure

Outputs

  • · Completed disclosure trigger assessment record per incident
  • · Client disclosure letters or notifications where required
  • · Regulator notification submissions where required
  • · Professional body notifications where required
  • · Internal post-incident governance record linked to STR-07
  • · Privilege preservation protocol record per incident
  • · Disclosure evidence package for DPS retention

Framework Crosswalk

ABA Model Rules of Professional Conduct

American Bar Association

Rules 1.4, 1.6, 1.13, and 5.1–5.3 inform thresholds and content for client communication and self-reporting when AI incidents affect client matters or supervision duties.

EU AI Act

European Union

Articles 9, 13, 14, and 73–74 inform incident reporting, transparency, and risk management obligations for high-risk AI systems implicated in GOV-11 incidents.

GDPR

European Union

Articles 33–34 define personal data breach notification duties to supervisory authorities and data subjects, shaping Trigger Category 2 and related client notifications.

SRA Code of Conduct

Solicitors Regulation Authority

Outcomes on transparency, client communication, and reporting to the SRA guide when AI incidents must be disclosed to clients and regulators in England and Wales.

Operational Artefacts

  • AI Incident Disclosure Trigger Matrix

    xlsx · v2026.1

    Gated
  • Client Disclosure Letter Template

    docx · v2026.1

    Gated
  • Regulator Notification Template

    docx · v2026.1

    Gated
  • Professional Body Notification Template

    docx · v2026.1

    Gated
  • Disclosure Decision Record Template

    docx · v2026.1

    Gated

Diagnostic Relevance

Running the AI Incident Disclosure Standard strengthens the Defensibility lens — expected Band progression: Integrated → Optimised.

Confidence: high

Key Takeaways

  • Apply the disclosure trigger matrix to every AI incident before any external communication.

  • Prioritise Class 2 and Class 6 incidents for rapid GC assessment and likely disclosure.

  • Treat client, regulator, and professional body notifications as distinct obligations with tailored content.

  • Follow the privilege preservation protocol so disclosure does not unnecessarily waive legal privilege.

  • Require GC sign-off for all disclosure decisions, including decisions not to disclose.

  • Retain all disclosure decisions and communications for 7 years as Defensibility lens evidence.

  • Monitor adherence to timing KPIs for client and regulatory notifications.

Run this Module

Operational artefacts available to Enterprise Partnership members. Methodology v2026.1.

View Membership

Targeting

Audience

General CounselAI Governance LeadRisk and ComplianceSenior PartnersExternal Counsel

Strengthens

Defensibility lens

Module Details

Format
Module
Difficulty
Advanced
Pillar
P4
Owner
General Counsel
Access
Enterprise Partnership

Maturity Bands

OperationalIntegratedOptimisedDefensible

Where this Module lives

The Incident Disclosure Standard extends the Incident Response Playbook (GOV-05) into the disclosure decision. It consumes severity classifications from GOV-05, produces DE-1 (Decision traceability) records into the DPS, and feeds Board AI Reporting (MAT-06) at material thresholds. Without this Module, the firm faces every material incident with no documented disclosure discipline.

Advisory

When this Module sits inside a Programme.

Modules are operated in-house by GC and Legal Operations teams. When the capability transformation is multi-Pillar — or when the regulator timeline tightens — Advanta operates the canonical Module sequence as a Programme.