During a RCA, you find a specific error message associated with that incident. You deliver a new alert with some documentation about what it catches and what to do. You even generate automatically a ticket when it is raised.
Time passes.
There's a subtle change if the error message. You have another production incident but your alert hasn't fired.
The complexity comes from this: how do you know that an alert is still valid without creating an incident on purpose ?
