Summary
- OpenAI's public status record shows that AI availability has moved from a novelty concern to an operational dependency question for customers that build workflows, support queues, classroom tasks, release tools, and public-service experiments around API and assistant-service behavior.
- The accountability question is not whether any cloud service can avoid every outage. It is who had practical control over model-serving capacity, status-page specificity, affected-service mapping, enterprise customer notice, fallback design, and proof that recovery was measured at the level customers actually depend on.
- Public incident records are useful evidence, but they are not complete operational proof. They establish what OpenAI reported, when updates were issued, which broad services were listed, and when recovery was declared; they do not by themselves prove customer-specific loss, queue state, model-level degradation, or the adequacy of every downstream fallback.
- A defensible AI-workflow continuity file should preserve incident chronology, service component mapping, customer-facing guidance, local telemetry, error handling, retry behavior, and post-incident controls without turning general availability percentages into proof for a specific workflow.
AI availability became an operations file
OpenAI made API and assistant status evidence an AI-workflow accountability test because the affected surface is no longer limited to a single product screen or a developer experiment. Organizations now use model APIs and assistant-style services as part of support triage, software development, document review, teaching assistance, content operations, internal search, fraud review, compliance drafting, translation, summarization, and analytic workflows. Some of these uses remain optional. Others become embedded in daily throughput. Once a workflow depends on the service, an outage is not just a degraded user experience.
It is a test of who can explain the affected function, who can route work around it, and who can prove that the restoration reached the task that failed.
The public record has to be read with that operating surface in mind. The OpenAI status page at https://status.openai.com/ gives a public entry point for service health, incident history, component status, and aggregate availability. The incident feed at https://status.openai.com/api/v2/incidents.json gives dated records with incident identifiers, update timestamps, impact levels, status changes, and short update bodies. The component feed at https://status.openai.com/api/v2/components.json gives another layer of evidence by showing which public components the provider chooses to expose as status entities. Those sources are valuable because they turn an otherwise private operations event into a dated public chronology. They are also limited because they are provider-authored, aggregate-facing, and necessarily compressed.
That compression is the first accountability problem. A customer may care about one model family, one endpoint, one region-like routing path, one authentication method, one mobile client, one enterprise workspace, one file path, or one workflow that combines API calls with a human review queue. A status page cannot carry every customer's architecture. But if the page is too broad, the customer cannot tell whether its own failure was part of the incident or a separate local problem. If the page is too narrow, the customer may miss a systemic issue because a component label does not match its business process.
The accountable middle ground is not perfect granularity. It is an evidence design that tells customers enough to separate provider-side degradation from customer-side misconfiguration while the event is still active.
The 2026 status records illustrate why that distinction matters. A July 9 record at https://status.openai.com/incidents/01KX46HHYJ0YB8VPBZTB0KZ03V described elevated errors when selecting models and included the reported message that a selected model was at capacity. That is not merely an error label. For a customer, model selection can decide which application path runs, whether a fallback model is acceptable, whether an automated response is held for human review, whether a request is retried, and whether a service-level report treats the event as capacity, authentication, application, or quality degradation. A status update that says the service recovered helps, but it does not answer how many customer workflows failed closed, failed open, retried, or silently accepted a lower-value path.
This is why the article treats status evidence as an accountability entity rather than a public-relations entity. The provider controls the public component taxonomy, the wording of updates, the timing of status changes, the decision to declare recovery, and the supporting product documentation. Customers control their own dependency inventory, observability, error handling, retry policy, user communication, and fallback workflow. The public record should make that division easier to govern.
It should not require every buyer to reverse-engineer the provider's control plane from short messages while their own users are already reporting failures.
Status evidence has to name scope without pretending to know every customer
The most important public duty in this record is specificity. Specificity does not mean the provider must disclose private infrastructure, security-sensitive topology, or customer-level details. It means the public notice should answer the questions that decide operational action. Which broad service is affected? Is the issue limited to a subset of users or features? Is the problem under investigation, identified, monitored, or resolved? Are errors elevated or is a function unavailable? Is the workaround to retry, wait, switch models, disable a feature, use another access path, or stop sending traffic?
What evidence will distinguish recovery from partial mitigation?
The public feed shows a pattern of short update states: investigating, identified, monitoring, and resolved. A July 11 record at https://status.openai.com/incidents/01KX7Y6ETMKP3ATQ85Z33J0EHN concerned elevated errors for a video-oriented API service and moved quickly from investigation to recovery. A June 15 to June 26 record at https://status.openai.com/incidents/01KV6NGBYE50GK3TRXHD2EMTXA concerned degraded performance for federal-authorized workspaces and API organizations. A June 15 record at https://status.openai.com/incidents/01KV67B3HB2B6JKHAMHCCYS0KZ concerned account creation or login through an OAuth path. A June 11 record at https://status.openai.com/incidents/01KTWCER83NNKE698QXNXJG11M concerned elevated 431 errors. Each record is small in public form. Together they show the variety of failure modes that AI-service customers must translate into local decisions.
That translation is not automatic. Elevated errors in a model-serving path require different customer action from an OAuth login problem. A file transfer problem requires different action from a capacity message. A federal workspace degradation requires a different notice path from a consumer-facing access issue. A customer that treats all of these as one generic "AI platform outage" will under-respond to some and over-respond to others. The practical control question is therefore not only whether OpenAI posted an incident.
It is whether customers had enough public and contractual evidence to map the provider's status language to their own dependency inventory.
The provider cannot know every customer's local workflow. A status page should not be expected to tell a hospital, city agency, university, publisher, or software company exactly what to do in every case. But the provider can maintain a component model that is stable enough for customers to map. It can keep incident pages available after resolution. It can timestamp updates. It can distinguish degraded performance from outage, errors from latency, login from generation, model capacity from file handling, and broad recovery from partial mitigation.
It can document rate limits, error codes, and production design practices so that customers have something more durable than an incident headline when they build their own continuity controls.
The rate-limit guidance at https://developers.openai.com/api/docs/guides/rate-limits, the production guidance at https://developers.openai.com/api/docs/guides/production-best-practices, and the error-code guidance at https://developers.openai.com/api/docs/guides/error-codes are therefore part of the accountability file even when they are not incident reports. They describe the vocabulary and customer-side design expectations that make a status event actionable. If customers are expected to build retries, backoff, monitoring, queueing, graceful degradation, and alerting, those expectations need to be visible before the outage. If the provider updates incident status without connecting it to these customer controls, the public record remains incomplete for operational decision-making.
Capacity is a shared control with unequal visibility
Model-serving capacity is not a simple utility. It depends on deployed compute, scheduling, routing, quota, rate limits, model selection, feature availability, abuse controls, reliability engineering, and product priorities. Customers can design around some of these conditions, but they cannot see the full provider-side state. That makes capacity a shared control with unequal visibility. OpenAI controls the capacity pool, model routing, public status language, rate-limit framework, and much of the evidence used to declare provider-side recovery.
Customers control request volume, prompt size, concurrency, fallback paths, budget limits, alert thresholds, and the decision to build a workflow that assumes the provider will be available.
The July 9 status record about model selection is an example of why this matters. The public record showed a capacity-style user error across multiple models and a short recovery window. For a casual user, that may be a temporary inconvenience. For a business process, the same message may cause a support ticket to remain unanswered, a code review tool to stop producing suggestions, a translation job to fall behind, a risk queue to miss its review target, or a classroom exercise to fail during a scheduled session. The difference lies in the downstream workflow, not in the incident title.
That is why customer evidence cannot stop at the provider's status page. A mature customer should preserve local timestamps, request IDs where available, endpoint names, model names, error codes, retry outcomes, queue depth, user-facing impact, and fallback decisions. The provider's public incident says what the provider reported. The customer's log says whether the customer's workflow was affected, whether the fallback worked, and whether the outcome was recoverable.
If those two records are not aligned, a later board review will struggle to decide whether the problem was provider capacity, customer design, or a local integration defect.
The accountability issue is not solved by shifting all responsibility to the customer. A provider that sells API access into production workflows has to make failure modes legible. Rate-limit and error-code documentation gives customers a baseline, but it does not by itself prove that a specific incident was scoped, mitigated, and resolved. Status updates should be stable enough that customers can automate status monitoring without brittle interpretation. They should avoid language that declares recovery before dependent features are practically usable.
They should preserve incident history so customers can reconcile local logs after the event.
Customers also need to avoid a false sense of resilience. A fallback model may not be a true fallback if it fails in the same provider control plane, shares the same account quota, shares the same authentication path, or produces outputs that are not acceptable for the regulated or high-risk task. A fallback provider may not be ready if data-governance review, contractual approval, prompt adaptation, and output testing have not been completed. A manual workaround may not be real if staff cannot process the same volume. For that reason, AI continuity planning has to distinguish nominal fallback from tested fallback.
The provider's status page can trigger the plan, but it cannot prove the plan works.
This is the point at which the cloud-service dependency becomes visible. Customers may buy a managed AI service because it saves them from building model-serving infrastructure. That is rational. But the operational dependency does not disappear; it moves into a contract, a status page, a support path, a logging design, and a local continuity plan. Accountability is the discipline of keeping those records connected.
Public-sector and enterprise use changes the notice burden
The manifest for this article includes public-sector continuity because AI-service outages can affect more than private productivity. Public agencies, schools, universities, civic-service teams, government contractors, regulated enterprises, and federally authorized workspaces may use API and assistant services in ways that carry continuity, records, procurement, privacy, or equity consequences. Even when a use case is not life-critical, a service interruption can change deadlines, user access, staff workload, public messaging, or compliance evidence.
The June federal workspace degradation record at https://status.openai.com/incidents/01KV6NGBYE50GK3TRXHD2EMTXA matters for that reason. Its public form was short, but the category is important. A federal-authorized workspace is not just another customer segment. It is a signal that some users need evidence aligned with public-sector procurement, assurance, and continuity expectations. When a specialized environment has degraded performance for an extended period, the status record must support a different class of reader: administrators who need to decide whether to notify agencies, security teams that need to preserve logs, procurement officers who need to document vendor performance, and program owners who need to explain service disruption without disclosing sensitive internal work.
Enterprise customers face similar issues. If a support desk uses an AI assistant to draft replies, an outage may slow customers but can be managed manually. If a software-delivery pipeline uses model calls for test generation, documentation, or review, an outage may delay releases. If a research team uses API calls for time-sensitive analysis, an outage may change the evidence trail. If an education program uses the service during exams or labs, the fairness question is not only whether the provider recovered but whether students had an equal alternative. These are not all the provider's direct legal responsibility.
They are reasons why notice quality matters.
Notice quality includes timing. The status record should show when the issue was first acknowledged, when mitigation was applied, when monitoring began, and when recovery was declared. It also includes classification. A record marked minor from a provider-wide perspective can still be major for a customer whose exact workflow is affected. That does not mean the provider must label every incident by worst-case downstream effect. It means customers should not treat provider impact labels as a substitute for their own impact assessment. The public record is a starting point, not the final severity rating.
Contract terms and assurance materials also belong in the evidence file. The OpenAI trust portal at https://trust.openai.com/ gives customers a due-diligence location for security and assurance materials. The services agreement at https://openai.com/policies/services-agreement/ supplies the contractual context for obligations and limits. These sources do not replace incident evidence. They help define the relationship in which incident evidence is used. A buyer should know which obligations are contractual, which are product documentation, which are public status statements, and which are internal continuity assumptions created by the buyer's own workflow design.
The risk of confusion is high because AI services are often adopted faster than traditional enterprise platforms. Teams prototype quickly, embed outputs into existing tools, and then discover that the assistant or API has become part of a repeated workflow. If procurement, security, legal, and operations teams do not catch up, the first outage becomes the first serious dependency inventory. That is a weak form of governance.
The better approach is to identify critical AI workflows before an incident, assign owners, record fallback rules, define acceptable degradation, and subscribe to provider status updates as a control rather than a convenience.
Aggregate uptime is not customer-specific proof
The public status page presents aggregate availability metrics at a high level and notes that individual customer availability may vary by tier, model, and feature. That caveat is not a weakness; it is an important boundary. Aggregate uptime can tell a market that a service category was broadly available over a period. It cannot prove that a specific organization had usable service at a specific time for a specific model, endpoint, workflow, or account. Accountability improves when that boundary is explicit.
For a customer, the relevant question is not only "Was the provider up?" It is "Was the function we depended on available with acceptable latency, error rate, quality, and policy behavior when we needed it?" A workflow that depends on file upload, retrieval, conversation continuity, model selection, authentication, or a particular endpoint can fail even when other parts of the platform remain healthy. The June 23 incident at https://status.openai.com/incidents/01KVTDW6E1PXBTY2A9XEBT4MY4 concerned file operations. The June 19 incident at https://status.openai.com/incidents/01KVEZD06ZFM2CMDZQMQYDV9RK concerned access. The June 17 incident at https://status.openai.com/incidents/01KVB9JAB1PP9GS4A6AZ52TT5Y concerned conversation errors on mobile operating systems. The July 10 incident at https://status.openai.com/incidents/01KX6Y1QMFX4NASV5DD591AD50 concerned help and website content availability. These are not interchangeable failures.
The customer evidence file should therefore classify AI dependencies by function, not only by vendor. A single vendor entry in a risk register is too coarse. The register should separate API calls, assistant workspace usage, authentication, file handling, model selection, administrative tools, audit exports, user-facing interfaces, and any third-party integration that relies on the service. It should also identify whether the workflow can tolerate delay, needs manual review, can switch models, can queue safely, can fail closed, or has to be paused.
That classification protects both sides. It protects customers from blaming a provider for local design choices that made a minor degradation into a major workflow failure. It protects providers from vague claims by requiring customers to document actual impact. It also raises the quality of provider accountability by showing which status components need clearer mapping because customers repeatedly struggle to understand whether they are affected.
The same discipline should apply to recovery. A provider may declare an incident resolved when error rates return to normal at the service level. A customer may still have queued jobs, failed requests, stale results, missing files, or users who need to resubmit work. Neither record is necessarily false. They measure different things. An accountable recovery report should avoid collapsing provider recovery, customer backlog clearance, data reconciliation, and user redress into one word.
This is especially important for AI workflows because the output can be consumed later. A failed request is obvious. A delayed request is measurable. A degraded output may be harder to detect. If a fallback model produces different quality, if a retry changes context, if a user manually substitutes an answer, or if an automated workflow proceeds with incomplete data, the operational impact may appear after the status page is green. That is why AI-workflow reliability must include post-incident review, not only uptime monitoring.
Better evidence would connect provider chronology to customer action
A stronger evidence design for OpenAI and its customers would keep three layers aligned. The first layer is the provider chronology: incident identifier, affected components, first report, investigation state, mitigation state, monitoring state, resolution time, and any follow-up. The second layer is the customer telemetry: timestamps, endpoint or product function, model or feature affected, error class, retry behavior, queue size, user impact, fallback path, and final reconciliation.
The third layer is the governance record: who decided to pause work, who notified users, who changed routing, who accepted degraded service, who reviewed the incident afterward, and what control changed.
The public status sources supply part of the first layer. They do not supply the second or third. That is not a criticism by itself; no public status page can hold every customer's local logs. The accountability concern appears when organizations act as if the first layer is enough. If a board receives only a screenshot that the provider recovered, it cannot know whether internal work was lost, delayed, manually altered, or repeated. If a customer tells users that a provider outage caused a delay but cannot show the local evidence, it transfers uncertainty downstream.
If a provider declares recovery but customers continue to experience unclassified errors, the public record becomes a contested artifact rather than a shared source of truth.
Better evidence would also separate status from redress. In many AI-service incidents, the direct remedy may be operational rather than financial: retry the request, clear a queue, switch a model, re-authenticate, re-upload a file, restore a session, or re-run a workflow. Some customers may have contractual service-credit questions, but many will need practical repair.
A useful post-incident review should ask whether affected users could tell what work needed to be repeated, whether generated outputs needed review, whether automated actions were held safely, and whether support teams had scripts that matched the provider's status language.
The provider can help by publishing stable incident pages and clear component definitions. Customers can help by building status ingestion, local error classification, and workflow runbooks. Regulators and auditors can help by asking for the evidence chain rather than treating AI-service use as an undifferentiated technology choice. Procurement teams can help by requiring status history, support commitments, assurance materials, and incident-notice practices before the tool becomes operationally embedded.
The hardest part is cultural. AI services are often discussed as capabilities: what they can draft, summarize, translate, classify, reason about, or automate. Continuity planning forces a different question: what happens when the capability is unavailable, partially degraded, or uncertain? The answer cannot be a generic statement that staff can work around it. It has to be tested by workflow. If the service fails during a customer-support surge, who triages? If it fails during a public-agency deadline, who extends the window? If it fails during a release process, who decides whether to ship?
If it fails during an education session, who preserves fairness? Status evidence is useful only if it can trigger those decisions.
Local runbooks decide whether public status becomes usable evidence
The provider status page is only one half of the operational file. The other half is the customer's runbook. Without a runbook, a public incident notice becomes a signal that someone should be concerned, but it does not decide who should act, which workflow should pause, whether a retry is safe, or when users should be notified. For AI-dependent workflows, that gap can be larger than it first appears because a single service may support many internal tasks with different risk levels. A marketing draft queue, a software-test helper, a regulated-document review step, and a public-service triage tool cannot share the same failure rule.
A useful runbook should begin with dependency classification. It should list each production or repeated workflow that uses OpenAI services, the product function or API path involved, the owner, the expected business outcome, the acceptable delay, the data sensitivity, the allowed fallback, and the person authorized to change behavior during an incident. That list should be short enough to maintain and specific enough to act on. "Uses AI" is not an operational dependency. "Customer-support summarization calls the API during ticket intake and must fail closed to human review after two retry attempts" is closer to evidence.
The second part is incident matching. A customer should be able to map a provider incident to local controls within minutes. If a status record concerns authentication, the runbook should identify sign-in dependent workflows and administrative access paths. If a status record concerns file operations, it should identify workflows that upload, retrieve, or transform files. If a record concerns elevated errors or capacity, it should identify which queues can absorb delay and which user-facing paths need immediate messaging. If a record concerns a specialized workspace, the runbook should identify workspace owners and compliance contacts.
This mapping should not be invented during the incident.
The third part is evidence capture. AI-service incidents can be transient. If local telemetry is not preserved, the organization may later know only that users complained and the provider page turned yellow. That is too weak for an accountability file. The runbook should preserve timestamps, endpoint or function labels, error classes, request counts, retry counts, queue depth, user-facing messages, manual overrides, and recovery time for each affected workflow. It should also preserve negative evidence: workflows checked and not affected, controls that did not trigger, and fallback paths that were not needed.
Negative evidence matters because it prevents later reviews from expanding a provider incident into an unsupported claim about all AI work.
The fourth part is communication discipline. Customers should not quote provider status language directly to every affected audience if the local impact is narrower or broader. A public status notice may say that errors were elevated. A customer's message should say what users can do, which local functions are affected, whether work is saved, whether users should retry, whether staff are processing requests manually, and when the next local update will arrive. The provider controls the public incident text. The customer controls its own relationship with users, employees, students, citizens, or clients.
Accountability depends on not confusing those two voices.
That discipline is particularly important when AI output is part of a human decision. If an assistant-service workflow is unavailable, staff may revert to manual processing. If it is degraded, staff may rely on lower-confidence output. If it is delayed, staff may rush review after recovery. Each alternative has a different risk. The runbook should specify whether a workflow fails closed, fails to manual review, queues for later processing, switches to a lower-tier path, or stops until the provider record is resolved and local testing confirms recovery. A fallback that no one has authority to invoke is not a fallback.
Fallback has to be tested against common-mode failure
The easiest continuity story is that a customer can switch to another model, another endpoint, another vendor, or manual work. The harder question is whether that fallback survives the same failure that caused the disruption. A second model inside the same provider account may share the same authentication path, quota policy, service component, billing status, network dependency, administrative workspace, or organizational rate limit. A different endpoint may still depend on the same identity provider or customer integration. A manual process may still depend on files, prompts, or context stored in the unavailable service.
A different vendor may not be legally approved to process the same data.
This is why common-mode analysis belongs in the AI-workflow reliability file. The customer should identify which dependencies are shared across primary and fallback paths. Shared account identity is a common mode. Shared network egress is a common mode. Shared secrets management is a common mode. Shared data-preparation code is a common mode. Shared staff knowledge is a common mode. Shared legal approval is a common mode. A fallback plan that looks diverse at the model layer can still fail at the operational layer.
Testing should be realistic. It is not enough to prove that a developer can call a second endpoint from a laptop. The organization should rehearse the business process: receive the request, route it through fallback, preserve audit evidence, review output quality, notify users if needed, reconcile any delayed work, and return to the primary path without losing state. The test should include degraded-provider scenarios, not only total outage. Partial degradation is harder because the service may still answer some requests, and teams may disagree about whether to continue. A clear threshold prevents informal decisions from becoming the control.
The provider's production and error documentation can support that design by giving customers stable error categories, rate-limit expectations, and resilience advice. But customer testing is still required. If the provider says a mitigation is being monitored, the customer must know what local metric will confirm recovery. If the provider says all impacted services have recovered, the customer must know whether queued jobs should be replayed, whether failed tasks should be resubmitted, and whether users should be told that normal processing has resumed. Provider recovery is a necessary signal; local recovery is an evidence claim.
Boards should therefore ask for fallback proof, not fallback promises. Which AI workflows were tested under provider unavailability? Which were tested under elevated errors? Which were tested under authentication failure? Which were tested under file-operation failure? Which were tested under capacity limits? Which tests showed unacceptable output quality or unacceptable manual workload? Which workflows have no fallback and therefore need an explicit risk acceptance? These questions are not hostile to AI adoption. They are what make adoption operationally honest.
The public status record becomes stronger when customers build this local evidence layer. A provider incident can then be joined to internal telemetry and decisions. The organization can say which workflows were affected, which fallback worked, what evidence supports recovery, and what control changed. Without that layer, the same incident becomes a vague story about a vendor outage. That vagueness is the accountability failure this case warns against.
External standards can help keep that review from becoming too narrow. The NIST AI Risk Management Framework at https://www.nist.gov/itl/ai-risk-management-framework is useful because it treats AI risk as a governed system of measurement, management, and accountability rather than as a one-time model choice. The NIST Cybersecurity Framework at https://www.nist.gov/cyberframework is useful because it gives recovery, response, governance, identification, and protection vocabulary that can be applied to AI-service dependency without pretending that an AI outage is the same as a breach. These standards do not decide what happened inside OpenAI during any listed incident. They give customers and auditors a public language for asking whether AI workflows were identified, monitored, protected, recovered, and improved.
Reader evidence file
This article uses the following public sources as the evidence file for OpenAI API and assistant-service outage records, status chronology, customer workflow dependency, and AI service continuity accountability. Provider-authored status pages are treated as evidence of what the provider publicly reported. Documentation pages are treated as current product and customer-design context, not as proof of any private root-cause record. Assurance and contract pages are used for relationship context, not as independent incident findings.
- Public source used for the evidence file: https://status.openai.com/
- Public source used for the evidence file: https://status.openai.com/api/v2/incidents.json
- Public source used for the evidence file: https://status.openai.com/api/v2/components.json
- Public source used for the evidence file: https://status.openai.com/incidents/01KX46HHYJ0YB8VPBZTB0KZ03V
- Public source used for the evidence file: https://status.openai.com/incidents/01KX7Y6ETMKP3ATQ85Z33J0EHN
- Public source used for the evidence file: https://status.openai.com/incidents/01KV6NGBYE50GK3TRXHD2EMTXA
- Public source used for the evidence file: https://status.openai.com/incidents/01KV67B3HB2B6JKHAMHCCYS0KZ
- Public source used for the evidence file: https://status.openai.com/incidents/01KTWCER83NNKE698QXNXJG11M
- Public source used for the evidence file: https://status.openai.com/incidents/01KVTDW6E1PXBTY2A9XEBT4MY4
- Public source used for the evidence file: https://status.openai.com/incidents/01KVEZD06ZFM2CMDZQMQYDV9RK
- Public source used for the evidence file: https://status.openai.com/incidents/01KVB9JAB1PP9GS4A6AZ52TT5Y
- Public source used for the evidence file: https://status.openai.com/incidents/01KX6Y1QMFX4NASV5DD591AD50
- Public source used for the evidence file: https://status.openai.com/incidents/01KXDBYJ7BWBE2NRDAQTKPM5WK
- Public source used for the evidence file: https://developers.openai.com/api/docs/guides/rate-limits
- Public source used for the evidence file: https://developers.openai.com/api/docs/guides/production-best-practices
- Public source used for the evidence file: https://developers.openai.com/api/docs/guides/error-codes
- Public source used for the evidence file: https://trust.openai.com/
- Public source used for the evidence file: https://openai.com/policies/services-agreement/
- Public source used for the evidence file: https://www.nist.gov/itl/ai-risk-management-framework
- Public source used for the evidence file: https://www.nist.gov/cyberframework
Board review questions
A board or risk committee should not ask only whether OpenAI had an outage. It should ask how the organization used OpenAI services, which workflows depended on API or assistant-service availability, which owner subscribed to status updates, which local metrics confirmed impact, which fallback was tested, and which work had to be retried, paused, or reviewed after recovery. The answer should be dated and auditable.
The review should also preserve source boundaries. The status page can prove public notice chronology. The customer's logs can prove local impact. Product documentation can show expected customer-side controls. Contract and assurance materials can frame the relationship. None of those records should be made to do the work of the others. That separation is the difference between a useful accountability file and a general vendor-risk story.
For this specific case, the governing question remains: who had practical control over model-serving capacity, dependency transparency, status-page specificity, enterprise customer notice, workflow fallback design, and proof that AI-service outages were measured as operational dependency rather than novelty failure? A complete answer should name provider controls, customer controls, evidence gaps, affected audiences, and the repair evidence that would change a future decision.

