Answer — AI Governance
What can an AI governance record show after an incident?
After an AI-related incident, a governance record can show what the tool did, when, what it could access, and what it touched — replayed from entries made as events happened. That contemporaneous history is what Law 25’s incident register and notification duties assume you can produce.
Why the record matters after an incident
Law 25 makes a municipality keep a register of confidentiality incidents, and — when an incident presents a risk of serious harm — notify the Commission d’accès à l’information (CAI) and the people concerned, with diligence (public-sector Act A-2.1, ss. 63.8–63.11; the register is s. 63.11). When AI is involved, the practical question underneath every one of those duties becomes narrow and concrete: what did the tool do, when, and with what access?
Answering it in the days after an incident is either straightforward or nearly impossible — and which one depends entirely on what you were keeping before it happened.
What a kept record can show
A record built for this is designed to answer the incident timeline, not to be assembled in a panic:
- The trigger — what set the AI agent in motion, and when.
- The action — what it actually did, step by step.
- What it touched — which files or data it could reach, and which it modified. By default that is metadata and signals: we can see that a tool modified a file at 2:00 PM and who owns it — never what is inside.
- The fix — the gap you found and the change you made, entered into the record as it happened.
Because the history is append-only and independently held, each of those points is a contemporaneous entry you replay, not a memory you defend.
Replayed, not reconstructed
This is the whole distinction. A record you replay is drawn from entries written at the time; paperwork reconstructed after the fact — assembled in the week before a review — carries only your word that it reflects what really happened. Regulators and auditors know the difference, and Law 25 assumes the first kind. A tamper-proof immutable history meets that expectation by construction.
Filing the incident itself
The incident-register entry is itself a governance act. Filed on Agentica’s rails, it is entered into the record — dated, hash-sealed, sitting in the same independently held history as the machine signals it describes. So the register the CAI can ask to see, and the timeline behind it, live in one place.
Agentica, an AI Governance company in Montréal, keeps that record continuously: every AI agent in your business environment, mapped and recorded in a tamper-proof history under independent custody — read-only, metadata and signals by default.
Agentica provides AI-governance evidence and risk intelligence. It does not constitute legal advice or compliance certification.