Q164 - How does RAIDT support incident response

Q164 — How does RAIDT support incident response?

RAIDT · Star S9 - Policy, Standards and Assurance · primary item: S9.10 · Incident response

Answer

RAIDT supports incident response by making a disputed or harmful generative AI event reconstructable at the level where organisational risk actually materialises. Across the papers, RAIDT treats the run as the unit of governance and binds the key artefacts for one configured use into a run-level evidence pack: prompt or template version, model and tool configuration, retrieved context, output, hashes, timestamps, and recorded checks. That matters for incident response because post-incident scrutiny is retrospective. Internal audit, complaint handling, managerial escalation, and formal investigation all depend on evidence preserved before anyone knew the run would become contentious. RAIDT therefore moves organisations from scattered logs and broad policy statements to a bounded proof object that can support reconstruction, challenge, and adjudication.

RAIDT also supports incident response through the five pillars (Responsibility, Auditability, Interpretability, Dependability, Traceability) and the accompanying score profile. The score profile does not itself prove legal compliance or factual correctness, but it makes governance readiness observable and comparable for the incident under review. Investigators can identify whether failure arose from weak ownership and escalation, poor reconstructability, inadequate explanation, unstable behaviour, or incomplete provenance. The papers further argue that influence methods used as governance interventions must themselves be logged, because prompting, retrieval augmentation, PEFT or LoRA, and preference-based controls can change both the model's behaviour and the evidence available for review. In this sense, RAIDT supports incident response not merely by documenting what happened, but by revealing which controls were absent, partial, or effective in the run that now requires corrective action.

Practical example

In a cybersecurity operations centre, an analyst uses GenAI to triage a phishing alert and recommend containment steps. Under RAIDT, the organisation retains a run-level evidence pack containing the run ID, timestamp, prompt template version, model deployment ID, enabled tools, retrieved threat-intelligence snapshot, output hash, and analyst review note. When the recommendation is later questioned because it missed a key indicator, the incident manager does not rely on memory or a generic system card. The team reconstructs the exact run, checks which sources were retrieved, and sees whether uncertainty was stated.

The score profile then helps separate the failure mode. The run may show acceptable Interpretability but only partial Auditability and Traceability because the retrieval snapshot was not fully preserved. That lets the team identify a weak control, justify escalation, and specify corrective action such as tighter logging, mandatory evidence capture, or revised review steps.
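The following is an added worked example, not code from the RAIDT papers or from any RAIDT implementation. It shows one way to build the run-level evidence pack described above (prompt template version, model deployment, enabled tools, retrieved context, output, hashes, timestamp, recorded checks), seal it with a digest, and later verify it during an investigation so that a missing retrieval snapshot or an altered output is surfaced as a concrete finding rather than discovered by memory. The field names, the `readiness_profile` mapping of findings onto the Auditability, Traceability and Interpretability pillars, and the keyword-based `uncertainty_stated` check are all simplifying assumptions made for this example; the phishing triage run is constructed sample data.

```python
"""Run-level evidence pack for a GenAI triage run: build, seal, reconstruct, verify.

Added example; not RAIDT's own code. Field names and the pillar mapping are assumptions.
"""
import copy
import hashlib
import json
from typing import Any


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_bytes(obj: Any) -> bytes:
    # Canonical JSON (sorted keys, no whitespace) so identical content always hashes identically.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode("utf-8")


# Placeholder "recorded check": a keyword scan standing in for a real uncertainty detector (assumption).
UNCERTAINTY_MARKERS = ("uncertain", "unclear", "low confidence", "cannot confirm")


def uncertainty_stated(output: str) -> bool:
    text = output.lower()
    return any(marker in text for marker in UNCERTAINTY_MARKERS)


def snapshot_item(item: dict) -> dict:
    # Retrieved content is retained verbatim when available; if the retrieval layer only kept a hash
    # (content is None), that gap is recorded as-is so verification can flag it later.
    content = item.get("content")
    return {
        "source": item["source"],
        "content": content,
        "sha256": sha256_hex(content.encode("utf-8")) if content is not None else item.get("sha256"),
    }


def build_evidence_pack(*, run_id: str, timestamp: str, prompt_template: str,
                        prompt_template_version: str, model_deployment_id: str,
                        enabled_tools: list, retrieved_context: list,
                        output: str, analyst_review_note: str) -> dict:
    pack = {
        "run_id": run_id,
        "timestamp": timestamp,
        "prompt_template_version": prompt_template_version,
        "prompt_template_sha256": sha256_hex(prompt_template.encode("utf-8")),
        "model_deployment_id": model_deployment_id,
        "enabled_tools": sorted(enabled_tools),
        "retrieved_context": [snapshot_item(item) for item in retrieved_context],
        "output": output,
        "output_sha256": sha256_hex(output.encode("utf-8")),
        "analyst_review_note": analyst_review_note,
        "checks": {
            "uncertainty_stated": uncertainty_stated(output),
            "analyst_reviewed": bool(analyst_review_note),
        },
    }
    # Seal: digest over everything captured at run time. Any later edit changes this value.
    pack["pack_sha256"] = sha256_hex(canonical_bytes(pack))
    return pack


def verify_evidence_pack(pack: dict) -> list:
    """Return a list of findings; an empty list means the pack is intact and complete."""
    findings = []
    body = {k: v for k, v in pack.items() if k != "pack_sha256"}
    if sha256_hex(canonical_bytes(body)) != pack.get("pack_sha256"):
        findings.append("pack digest mismatch: pack altered after sealing")
    if sha256_hex(pack["output"].encode("utf-8")) != pack["output_sha256"]:
        findings.append("output hash mismatch: output altered")
    for item in pack["retrieved_context"]:
        if item.get("content") is None:
            findings.append(f"retrieval snapshot not preserved: {item['source']}")
        elif sha256_hex(item["content"].encode("utf-8")) != item["sha256"]:
            findings.append(f"retrieved content altered: {item['source']}")
    return findings


def readiness_profile(pack: dict) -> dict:
    # Simplified pillar readout (assumption): incomplete retrieval weakens Traceability and Auditability;
    # any integrity failure weakens Auditability; a stated uncertainty supports Interpretability.
    findings = verify_evidence_pack(pack)
    retrieval_gap = any(f.startswith("retrieval snapshot not preserved") for f in findings)
    integrity_gap = any("mismatch" in f or "altered" in f for f in findings)
    return {
        "Auditability": "partial" if (retrieval_gap or integrity_gap) else "acceptable",
        "Traceability": "partial" if retrieval_gap else "acceptable",
        "Interpretability": "acceptable" if pack["checks"]["uncertainty_stated"] else "partial",
        "findings": findings,
    }


def build_sample_pack(preserve_retrieval: bool = True) -> dict:
    # Constructed sample run: a SOC analyst triaging a phishing alert with GenAI assistance.
    ti_content = "203.0.113.7 flagged as phishing C2 (high confidence)"
    ti_item = ({"source": "ti-feed/2024-05-03/indicators.json", "content": ti_content}
               if preserve_retrieval else
               {"source": "ti-feed/2024-05-03/indicators.json", "content": None, "sha256": None})
    return build_evidence_pack(
        run_id="run-2024-0001",
        timestamp="2024-05-03T10:15:00Z",
        prompt_template="Triage the alert below and recommend containment steps. Cite sources.\n{alert}",
        prompt_template_version="phish-triage-v3",
        model_deployment_id="soc-assistant-prod-2024-04",
        enabled_tools=["url_sandbox", "ti_lookup"],
        retrieved_context=[ti_item, {"source": "playbook/phishing-containment-v2",
                                     "content": "Quarantine message, block sender domain, reset credentials if clicked."}],
        output="Quarantine the message and block the sender domain. Attachment reputation is unclear; low confidence.",
        analyst_review_note="Accepted containment steps; did not re-check the IP indicator.",
    )


if __name__ == "__main__":
    intact = build_sample_pack()
    print(readiness_profile(intact))
    degraded = build_sample_pack(preserve_retrieval=False)
    print(readiness_profile(degraded))
    tampered = copy.deepcopy(intact)
    tampered["output"] = "Quarantine the message only."
    print(verify_evidence_pack(tampered))
```

The degraded pack reproduces the scenario above: the run verifies as untampered but the threat-intelligence snapshot was never retained, so the profile reports partial Auditability and Traceability while Interpretability stays acceptable because the output stated its uncertainty. The tampered pack shows the other failure class, where the sealed digest and the output hash both disagree with the stored content.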
