Why preserve evidence before investigating?

AI logs are frequently subject to short retention windows and rolling caches that overwrite themselves within hours. If you investigate first, the most diagnostic evidence — the exact prompt, the model version, the raw output — may already be gone. Preserve first, analyse second.

What evidence is unique to AI incidents?

Beyond ordinary application logs you need the exact prompt and system prompt, the model name and version, sampling parameters like temperature, any retrieval context fed in, and the raw model output before post-processing. These determine whether the behaviour is reproducible.

Does this guarantee admissibility in a legal proceeding?

No. This checklist helps you preserve the technical artifacts and maintain a basic chain of custody, but formal admissibility depends on jurisdiction and process. For litigation-grade preservation, involve legal counsel and a qualified forensic specialist early.

How fast do I need to act?

Treat the first hour as critical. Provider-side logs, ephemeral caches, and in-memory session state can disappear quickly. Issue a litigation hold or retention freeze to your provider and internal teams as the very first action.

Is my progress saved?

Yes, your ticks are stored locally in your browser so a refresh does not lose them, and nothing is sent to a server. The checklist itself is informational and is not a substitute for professional incident-response advice.

AI Incident Evidence Preservation Checklist

AI incident evidence preservation

When an AI system causes a safety or privacy incident — a harmful output, a data leak, a hallucinated decision with real consequences — the most valuable evidence is also the most perishable. Prompt logs roll over, model versions get silently updated, caches expire, and session state evaporates. This checklist walks you through preserving the right artifacts first, before anyone starts poking at the system and accidentally destroys the very record an investigation needs.

How it works

You tell the tool the incident type — harmful output, data exposure, an erroneous automated decision, a security breach, or a model behaviour change — and which systems were involved. It then filters a master list of evidence sources down to the ones that matter and orders them by how quickly they decay. Volatile sources like in-memory session data and provider-side rolling logs come first; durable sources like database snapshots come later. Each item carries a note on what exactly to capture and why. As you secure each source you tick it off, and you can export the whole record with the time you completed it for your chain-of-custody file.

Tips and notes

Freeze retention immediately. Your very first action should be a retention hold to your AI provider and internal logging teams so nothing rotates out.
Capture the model version, not just the model. “GPT-4” is not enough — the exact dated version and its sampling parameters decide reproducibility.
Preserve raw output before post-processing. Your application probably transforms model output; the unmodified response is the real evidence.
Record who touched what, when. A simple timestamped action log turns a pile of files into a defensible chain of custody.