# **Incident Reportability Classifier**

**Domain Title & Project Overview**

Incident Reportability Classifier

This project implements an AI-powered compliance assistant that determines whether a given incident must be reported to regulatory authorities. The system supports multi-modal prompting strategies to demonstrate how the same compliance task can be solved using different input/output modalities and prompting techniques.

The objective is binary classification:
Reportable or Not Reportable, with structured reasoning where applicable.

-------------------------------------------------------------------------------------


**Problem Statement & Domain Challenges**

Organizations face significant compliance risk when incidents are misclassified or reported late. Manual incident triage is slow, inconsistent, and prone to human error.

Core challenges:

- Ambiguous incident descriptions
- Jurisdiction-specific legal thresholds
- Time-bound reporting obligations
- Lack of standardization across teams

This project addresses these challenges using prompt-engineered LLM workflows.


-------------------------------------------------------------------------------------


**AI Models / Prompting Techniques Used**

| Template | Modality | Prompting Technique |
|---|---|---|
| Template 1 | Text → Text | Zero-Shot |
| Template 2 | Text → Audio | Chain-of-Thought (CoT) |
| Template 3 | Text → Image | Role-Based |

-------------------------------------------------------------------------------------


**Features & Capabilities Implemented**

- Incident classification (Reportable / Not Reportable)
- Multi-modal reasoning workflows
- Explicit compliance reasoning (where applicable)
- Extensible prompt templates
- Regulator-ready structured outputs

-------------------------------------------------------------------------------------


**Data Flow Architecture**

Incident Input → Prompt Template → LLM Reasoning → Decision Output

Each template uses the same incident sub-topic but varies in:

- Input/Output modality
- Prompting strategy
- Reasoning transparency

-------------------------------------------------------------------------------------


**USE CASE — TEMPLATE 1**

Use Case Description

Scenario:
A compliance analyst inputs a raw textual incident description and requires an immediate classification with no examples or prior context.

Modality: Text → Text
Prompting Technique: Zero-Shot

**Prompt Template (Markdown)**

Determine whether the following incident must be reported to regulators.

Incident Description:
{{incident_text}}

Decision Output:

Reportable or Not Reportable

```python
import os

# Import the OpenAI SDK
from openai import OpenAI

# Initialize the client; the API key is read from the environment
# rather than being hard-coded in the notebook
client = OpenAI(
    api_key=os.environ["OPENAI_API_KEY"],
    base_url="https://apidev.navigatelabsai.com/"
)

# Zero-shot request: a system role plus the filled-in prompt template
response = client.chat.completions.create(
    model="gpt-4.1-nano",
    messages=[
        {
            "role": "system",
            "content": "You are a regulatory compliance expert responsible for incident classification."
        },
        {
            "role": "user",
            "content": """
Determine whether the following incident must be reported to regulators.

Incident Description:
An internal employee accidentally accessed a customer account without authorization.

Decision Output:
Reportable or Not Reportable
"""
        }
    ]
)

print(response.choices[0].message.content)
```


Reportable


**Sample Input & Output**

Input:

An internal employee accidentally accessed a customer account without authorization.

Output:

Reportable

-------------------------------------------------------------------------------------


**USE CASE — TEMPLATE 2**

Use Case Description

Scenario:
A compliance officer wants an audible explanation of how the decision was reached for audit transparency.

Modality: PDF → Text
Prompting Technique: Chain-of-Thought (CoT)

**Prompt Template (Markdown)**

You are a compliance incident officer.

Analyze the incident step by step:
1. Identify the incident type
2. Evaluate regulatory thresholds
3. Determine reporting obligation

Then explain the reasoning verbally and conclude with:
Final Decision: Reportable or Not Reportable

Incident:
{{incident_text}}




```python
!pip install PyPDF2 openai
```

Collecting PyPDF2
  Downloading pypdf2-3.0.1-py3-none-any.whl.metadata (6.8 kB)
Downloading pypdf2-3.0.1-py3-none-any.whl (232 kB)
Installing collected packages: PyPDF2
Successfully installed PyPDF2-3.0.1


```python
from PyPDF2 import PdfReader

def extract_text_from_pdf(pdf_path):
    """Return the concatenated text of every page in the PDF."""
    reader = PdfReader(pdf_path)
    text = ""
    for page in reader.pages:
        # extract_text() can yield nothing for image-only pages
        text += page.extract_text() or ""
    return text

# Path to your compliance PDF
pdf_path = "/content/42  Guide to the GDPR  Personal data breaches and notification.pdf"

incident_text = extract_text_from_pdf(pdf_path)
print(incident_text)
```


• Data controllers and data processors are  
now subject to a general personal data breach 
notification regime.
• Data processors must report personal data 
breaches to data controllers.
• Data controllers must report personal data 
breaches to their supervisory authority and in 
some cases, affected data subjects, in each 
case following specific GDPR provisions.
• Data controllers must maintain an internal 
breach register. 
• Non-compliance can lead to an administrative fine 
up to €10,000,000 or in case of an undertaking, 
up to 2% of the total worldwide annual turnover of 
the preceding financial year, whichever is higher.
• As things stand, the specific breach notification 
regime for communications service providers, 
set out in Commission Regulation 611/2013  
on the measures applicable to the notification 
of personal data breaches under Directive 
2002/58/EC, still applies.At a glance
In line with the accountability principle 
laid down by the GDPR, data controllers 
and dat

```python
import os

# Import the OpenAI SDK
from openai import OpenAI

# Initialize the client; the API key is read from the environment
# rather than being hard-coded in the notebook
client = OpenAI(
    api_key=os.environ["OPENAI_API_KEY"],
    base_url="https://apidev.navigatelabsai.com/"
)

# Chain-of-thought request: the extracted PDF text is interpolated into the prompt
response = client.chat.completions.create(
    model="gpt-4.1-nano",
    messages=[
        {
            "role": "system",
            "content": "You are a compliance incident officer who reasons step by step."
        },
        {
            "role": "user",
            "content": f"""
Analyze the incident described in the following document step by step:

Steps:
1. Identify incident type
2. Check regulatory thresholds
3. Assess reporting obligations

Then conclude with:
Final Decision: Reportable or Not Reportable

Incident Document Text:
{incident_text}
"""
        }
    ]
)

print(response.choices[0].message.content)
```


Step 1: Identify incident type

The document describes a data breach incident involving the unauthorized access, disclosure, destruction, loss, or alteration of personal data. It emphasizes the importance of breach detection, internal procedures, and notification obligations under GDPR, indicating that the incident in question involves a security breach leading to personal data compromise. Therefore, the incident type is a **personal data breach**.

Step 2: Check regulatory thresholds

According to the GDPR, a personal data breach must be assessed for whether it results in a risk to the rights and freedoms of individuals to determine if notification is required. Key considerations include:

- Nature of the breach: Unlawful access, disclosure, destruction, or loss of personal data.
- Potential harm: Whether the breach is likely to result in a risk or harm to data subjects.
- Adequate protections: Whether appropriate technical and organizational measures (e.g., encryption) were in place 

**Sample Input & Output**

Input:

A sample pdf

Audio Output (Transcribed):

“This incident involves personal data exposure. Email addresses qualify as personal data under GDPR. Even without financial loss, exposure triggers reporting requirements.”

Final Decision:

Reportable

-------------------------------------------------------------------------------------


**USE CASE — TEMPLATE 3**

Use Case Description

Scenario:

A risk dashboard requires a visual classification indicator for executive-level review.

Modality: Text → Voice

Prompting Technique: Role-Based

**Prompt Template (Markdown)**

You are a regulatory compliance visualization expert.

Based on the incident below, generate an image that visually represents:
- Reportable incident OR
- Not Reportable incident

Use clear compliance symbolism (alerts, shields, warning icons).

Incident Description:
{{incident_text}}


```python
import os

from openai import OpenAI

# The API key is read from the environment rather than being hard-coded
client = OpenAI(
    api_key=os.environ["OPENAI_API_KEY"],
    base_url="https://apidev.navigatelabsai.com/"
)

# Role-based request: the model answers as a senior compliance officer
text_response = client.chat.completions.create(
    model="gpt-4.1-nano",
    messages=[
        {
            "role": "system",
            "content": "You are a senior compliance officer explaining decisions verbally."
        },
        {
            "role": "user",
            "content": """
Explain verbally whether the following incident must be reported.
End clearly with Final Decision.

Incident:
A third-party vendor breach exposed customer names and email addresses.
"""
        }
    ]
)

# Keep the explanation text; it is the input to the speech step
spoken_text = text_response.choices[0].message.content
print(spoken_text)
```


Certainly. In this case, the incident involved a breach by a third-party vendor that exposed customer names and email addresses. Given that customer personally identifiable information (PII) was compromised, this would typically meet the criteria for reporting under most data breach notification laws and our internal policies. The exposure of customer names and email addresses could potentially lead to privacy risks such as identity theft or targeted phishing attacks, which heighten the importance of prompt notification.

Therefore, based on the information provided and our compliance obligations, this incident must be reported to the relevant authorities and affected individuals in accordance with applicable data protection laws.

Final Decision: Yes, this incident must be reported.


```python
# Generate audio from text
audio_response = client.audio.speech.create(
    model="gpt-4o-mini-tts",
    voice="alloy",
    input=spoken_text
)

# Write the binary audio content of the response to disk
with open("incident_decision_audio.mp3", "wb") as f:
    f.write(audio_response.content)

print("Audio generated: incident_decision_audio.mp3")
```


Audio generated: incident_decision_audio.mp3


```python
from IPython.display import Audio

Audio("incident_decision_audio.mp3")
```

**Sample Input & Output**

Input:

A textual description

Output:

Voice message of outcome

-------------------------------------------------------------------------------------


**Final Summary & Reusability Notes**

This notebook shows how the same compliance task—Incident Reportability Classification—can be solved using different modalities and prompting techniques without changing the core logic. All templates produce a clear Reportable / Not Reportable decision, tailored to different users (analyst, auditor, executive).

Reusability:

- Works across regulations (GDPR, HIPAA, SOC 2, RBI) with minor prompt tweaks
- Modular, plug-and-play prompt templates
- Easy to extend with deadlines, severity, or jurisdiction rules
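
The decision step of the data flow, as an added example that is not code from the notebook: the sample outputs on this page range from a bare `Reportable` to `Final Decision: Yes, this incident must be reported.`, so this validator accepts only the two exact labels and returns an assumed third value, `Needs Review`, for anything else. The names `render`, `parse_decision`, `classify` and `NEEDS_REVIEW` are hypothetical, and the model replies are constructed so the block runs offline.

```python
import re
from typing import Callable, NamedTuple

# Zero-shot prompt from Template 1, using the page's {{incident_text}} placeholder.
TEMPLATE_1 = (
    "Determine whether the following incident must be reported to regulators.\n\n"
    "Incident Description:\n{{incident_text}}\n\n"
    "Decision Output:\nReportable or Not Reportable"
)
LABELS = {"reportable": "Reportable", "not reportable": "Not Reportable"}
NEEDS_REVIEW = "Needs Review"  # assumed third outcome: route to a human analyst
_FINAL = re.compile(r"final decision\s*:\s*(.*)", re.IGNORECASE)

class Decision(NamedTuple):
    label: str  # one of LABELS' values, or NEEDS_REVIEW
    raw: str    # unmodified model output, kept for the audit trail

def render(template: str, incident_text: str) -> str:
    """Fill the placeholder; refuse empty input or a template without the slot."""
    if "{{incident_text}}" not in template or not incident_text.strip():
        raise ValueError("template placeholder or incident text missing")
    return template.replace("{{incident_text}}", incident_text.strip())

def parse_decision(raw: str) -> Decision:
    """Accept only an exact label, bare or after the last 'Final Decision:'."""
    finals = _FINAL.findall(raw)
    candidate = finals[-1] if finals else raw
    # Drop markdown emphasis, full stops and extra whitespace before comparing.
    key = re.sub(r"[\s*_.`]+", " ", candidate).strip().lower()
    return Decision(LABELS.get(key, NEEDS_REVIEW), raw)

def classify(incident_text: str, llm: Callable[[str], str],
             template: str = TEMPLATE_1) -> Decision:
    """Incident Input -> Prompt Template -> LLM -> validated Decision Output."""
    return parse_decision(llm(render(template, incident_text)))

if __name__ == "__main__":
    # Constructed replies standing in for the model; no network call is made.
    replies = [
        "Reportable",
        "Step 1: ...\nFinal Decision: **Not Reportable**",
        "Final Decision: Yes, this incident must be reported.",
    ]
    for reply in replies:
        print(classify("A vendor breach exposed customer emails.",
                       lambda prompt, r=reply: r).label)
```

In the notebook, the `llm` argument would be a function that wraps `client.chat.completions.create` and returns `response.choices[0].message.content`.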