According to the AAIA™ Study Guide, the first action in response to a confirmed or suspected data exfiltration attack should be containment. Isolating impacted systems helps prevent further exploitation while allowing for a secure investigation of the breach source.

“The initial response to any AI-related data breach must prioritize containment of the threat. Immediate isolation of affected systems helps mitigate further damage and supports a controlled forensic analysis.”

While regulatory notification (D) and architectural remediation (C) are important, they follow containment. Query limitations (A) reduce future risk but do not address the current attack. Thus, B is the critical first step.