OMB M-24-10 Incident Reporting: 24-Hour Safety Notification Requirements
The OMB M-24-10 AI governance memo includes incident reporting requirements for federal AI systems. Agencies need to track and report AI-related incidents, including harms, failures, and near-misses. This creates a learning system for government AI deployment.
Accuracy-reviewed by the editorial team
Office of Management and Budget Memorandum M-24-10 requires agencies operating safety-impacting AI to notify OMB of serious incidents within 24 hours, alert affected individuals within seven business days, and brief the Chief AI Officer (CAIO) governance board. With the March 28, 2025 setup deadline approaching, agencies must validate incident reporting capabilities, test escalation procedures, and confirm evidence capture processes meet the memorandum's requirements.
M-24-10 incident reporting requirements overview
Section 5 of M-24-10 establishes specific notification windows for safety-impacting AI incidents. The 24-hour escalation requirement to OMB applies to incidents where AI systems produce outcomes that significantly affect human life, safety, or critical infrastructure. This aggressive timeline requires agencies to have detection, classification, and reporting capabilities that can identify and communicate serious incidents rapidly.
The seven-business-day requirement for notifying affected individuals ensures that people whose rights or safety may be impacted receive timely communication about incidents and their potential consequences. This notification must include clear explanations of what occurred, potential impacts, and remediation steps being taken. Agencies must have pre-approved communication templates and distribution mechanisms ready before incidents occur.
CAIO governance board review ensures that leadership maintains visibility into incident patterns and remediation effectiveness. Boards must review incidents, assess whether existing controls are adequate, and approve remediation plans. Documentation must be preserved for Inspector General and congressional oversight, creating accountability for incident response quality.
Incident classification and escalation criteria
Agencies must establish clear criteria for classifying incidents as requiring M-24-10 notification versus routine operational issues. Safety-impacting AI incidents include situations where AI outputs directly affect decisions about human life, health, safety, or access to critical services. The definition extends to indirect impacts where AI recommendations significantly influence human decision-makers in safety-critical contexts.
Classification criteria should address ambiguous situations where the AI system's role in an adverse outcome is unclear. When AI systems contribute to decisions alongside human judgment, agencies must determine whether the AI contribution was significant enough to trigger notification requirements. Conservative classification approaches may be appropriate when uncertainty exists about AI system influence.
Escalation procedures should specify who has authority to classify incidents, approve notifications, and communicate with OMB and affected parties. Clear escalation paths prevent delays caused by uncertainty about decision authority. Agencies should identify backup contacts for key roles to ensure escalation capability outside normal business hours.
24-hour OMB notification procedures
The 24-hour notification window begins when the agency becomes aware of an incident meeting M-24-10 criteria. Agencies must define when awareness occurs—typically when relevant personnel receive information sufficient to classify the incident—to establish consistent timeline calculations. Clock-start definitions should be documented and communicated to incident response teams.
OMB notification content requirements include incident description, affected AI systems, populations impacted, immediate containment actions taken, and preliminary assessment of root causes. Notifications should be factual and complete without speculating about aspects still under investigation. Follow-up communications can provide additional detail as investigations progress.
Communication channels for OMB notification should be established and tested before incidents occur. Agencies should confirm contact information, verify that communications reach appropriate OMB personnel, and establish acknowledgment procedures that confirm notifications were received. Weekend and holiday escalation procedures may require dedicated channels or duty officer arrangements.
Affected individual notification requirements
The seven-business-day notification requirement for affected individuals demands that agencies have mechanisms for identifying impacted populations, developing appropriate communications, and distributing notifications effectively. Complex incidents may affect diverse populations requiring tailored communications addressing different circumstances and concerns.
Notification content should explain what occurred in accessible language, describe potential impacts to the individual, outline steps the agency is taking to address the situation, and provide contact information for questions or concerns. Legal review of notification language should be expedited to meet timeline requirements without compromising accuracy or completeness.
Distribution mechanisms may include direct mail, email, phone calls, or public announcements depending on the affected population and contact information availability. Agencies should have multiple distribution channels available and procedures for tracking notification delivery. Documentation should show good-faith efforts to reach affected individuals even when contact information is incomplete.
CAIO governance board integration
CAIO-led governance boards must review safety-impacting AI incidents to assess control adequacy and approve remediation plans. Board review procedures should specify how incidents are presented, what information boards require for decision-making, and how board decisions are documented. Expedited review processes may be necessary for serious incidents requiring rapid response.
Remediation plans approved by governance boards should address immediate containment, root cause correction, and systemic improvements preventing similar incidents. Plans should include timelines, resource requirements, and success criteria enabling boards to track remediation progress. Incomplete or ineffective remediation should trigger additional board review.
Waiver implications must be considered when incidents occur in AI systems operating under M-24-10 waivers. Incidents may show that waiver conditions are no longer appropriate or that additional safeguards are required. Boards should assess whether incidents warrant waiver modification or revocation and document reasoning for continued waiver authorization.
Evidence preservation and documentation
M-24-10 requires agencies to preserve incident logs, evaluation artifacts, and corrective actions for Inspector General and congressional oversight. Evidence preservation procedures should capture system states, logs, configurations, and relevant data at the time incidents are detected. Chain of custody procedures ensure evidence integrity for potential investigations.
Documentation standards should address incident timelines, classification decisions, notification content and distribution, board reviews, and remediation actions. Complete documentation enables oversight bodies to assess whether agencies met M-24-10 requirements and responded appropriately. Gaps in documentation may suggest compliance failures even when the substantive response was adequate.
Retention periods for incident documentation should align with oversight expectations and potential investigation timelines. Agencies should not destroy incident records until retention requirements are clearly satisfied. Legal holds may be appropriate for serious incidents subject to ongoing investigation or litigation.
Operational readiness validation
Agencies should conduct simulations testing incident detection, classification, escalation, and notification capabilities before the March 28 deadline. Tabletop exercises can validate that procedures are understood and executable. Technical drills should confirm that monitoring systems, notification channels, and evidence capture mechanisms function correctly.
Contact matrices identifying key personnel for incident response should be current and accessible. Backup contacts should be identified for critical roles. After-hours coverage arrangements should be validated to ensure 24-hour response capability. Contact information should be tested periodically to identify outdated entries.
Contract and interagency agreement review should confirm that vendor and partner obligations align with M-24-10 requirements. Contracts should specify vendor responsibilities for incident detection, notification, evidence preservation, and remediation support. Unclear contractual obligations may create gaps in incident response capabilities.
Recommended actions for the next 14 days
- Validate 24-hour OMB notification procedures including contact information and acknowledgment processes.
- Test affected individual notification capabilities including communication templates and distribution mechanisms.
- Brief CAIO governance boards on incident review procedures and remediation approval processes.
- Conduct incident response simulations to validate detection, classification, and escalation capabilities.
- Review evidence preservation procedures and confirm documentation standards are understood.
- Verify contact matrices and backup arrangements for key incident response roles.
- Review contracts and agreements to confirm vendor incident response obligations.
- Integrate incident metrics into March governance board packets demonstrating readiness.
Bottom line
The M-24-10 incident reporting requirements establish accountability mechanisms that transform how agencies approach AI system operations. The 24-hour notification timeline demands capabilities that many agencies may not have developed for traditional IT incidents, requiring specific investment in AI-focused monitoring and response.
Agencies should view incident reporting requirements as opportunities to improve AI system operations more broadly. The discipline required for rapid incident detection and classification improves overall operational visibility. Evidence preservation practices support continuous improvement by enabling systematic analysis of incident patterns and root causes.
It is recommended that agencies complete readiness validation before the March 28 deadline rather than assuming existing incident response capabilities are sufficient. The specific requirements of M-24-10 may reveal gaps in procedures, training, or technical capabilities that require remediation. Early identification of gaps enables correction before compliance obligations become enforceable.
Further reading
- OMB Memorandum M-24-10 — Executive Office of the President
- OMB Fact Sheet — Governmentwide Policy to Advance Safe, Secure, and Responsible AI — Office of Management and Budget
- ISO/IEC 42001:2023 — Artificial Intelligence Management System — International Organization for Standardization