A structured framework for governing the release lifecycle of AI systems, from development through deployment, monitoring, and retirement.
Use this repository when you need the release-stage lifecycle framework for AI systems:
- release gates
- stage-specific approval criteria
- deployment readiness structure
- post-release governance expectations
Do not start here if you need a working config validator. Use release-checklist for that.
Do not start here if you need the broader organizational operating model. Use governance-playbook.
This is a practitioner framework for structuring AI release governance. It is intended for planning, review, and operating-model design. It is not a certified release process, compliance product, safety case, or substitute for formal legal, privacy, security, regulatory, or safety review.
```text
AI Release Lifecycle
│
├── 1. PRE-DEVELOPMENT
│   ├── Use case approval
│   ├── Risk classification
│   └── Data governance review
│
├── 2. DEVELOPMENT
│   ├── Model card initiation
│   ├── Bias evaluation plan
│   └── Security threat model
│
├── 3. PRE-DEPLOYMENT
│   ├── Technical validation gate
│   ├── Governance approval gate
│   ├── Legal/compliance gate
│   └── Infrastructure readiness gate
│
├── 4. DEPLOYMENT
│   ├── Staged rollout plan
│   ├── Monitoring activation
│   └── Incident response readiness
│
└── 5. POST-DEPLOYMENT
    ├── Performance monitoring
    ├── Drift detection
    ├── Periodic governance review
    └── Retirement / decommissioning
```
Technical validation gate

| Check | Requirement | Tooling |
|---|---|---|
| Model performance | Meets accuracy/F1 threshold on holdout set | pytest, MLflow |
| Bias evaluation | Disparate impact ratio reviewed across relevant subgroups | Fairlearn, AI Fairness 360 |
| Adversarial testing | Red-team report completed | Microsoft PyRIT, Giskard |
| Latency / throughput | P99 latency within configured SLA under load | Locust, k6 |
| Security scan | No unresolved critical vulnerabilities in dependencies | Snyk, Dependabot |
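One way to make the rows of this gate machine-checkable, as an added example that is not code from this repository or from release-checklist: the thresholds (F1 at least 0.85, disparate impact ratio at least 0.8, P99 at most 300 ms) and the evidence record are assumed sample values, not values the framework prescribes.

```python
# Added example, not part of this repository: the technical validation gate
# expressed as a check over collected evidence. Thresholds are assumed samples.
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Evidence:
    f1_holdout: float                 # F1 on the holdout set
    selection_rate: Dict[str, float]  # subgroup -> positive-outcome rate
    latency_ms: List[float]           # per-request latency from the load test
    critical_vulns_open: int          # unresolved critical dependency findings
    red_team_report: Optional[str]    # identifier of the completed red-team report

def p99(samples: List[float]) -> float:
    """Nearest-rank P99: the ceil(0.99 * n)-th smallest sample."""
    if not samples:
        raise ValueError("no latency samples")
    ordered = sorted(samples)
    return ordered[math.ceil(0.99 * len(ordered)) - 1]

def disparate_impact_ratio(rates: Dict[str, float]) -> float:
    """Lowest subgroup rate divided by the highest; 1.0 means parity."""
    if len(rates) < 2:
        raise ValueError("need at least two subgroups")
    return min(rates.values()) / max(rates.values())

def evaluate_technical_gate(ev: Evidence, f1_min: float = 0.85, di_min: float = 0.8,
                            p99_sla_ms: float = 300.0) -> Tuple[bool, List[str]]:
    """Every row of the gate must hold; returns (passed, list of failed rows)."""
    failures = []
    if ev.f1_holdout < f1_min:
        failures.append(f"model performance: F1 {ev.f1_holdout:.3f} below {f1_min}")
    di = disparate_impact_ratio(ev.selection_rate)
    if di < di_min:
        failures.append(f"bias evaluation: disparate impact ratio {di:.2f} below {di_min}")
    if not ev.red_team_report:
        failures.append("adversarial testing: no completed red-team report")
    lat = p99(ev.latency_ms)
    if lat > p99_sla_ms:
        failures.append(f"latency: P99 {lat:.0f} ms exceeds SLA {p99_sla_ms:.0f} ms")
    if ev.critical_vulns_open > 0:
        failures.append(f"security scan: {ev.critical_vulns_open} unresolved critical finding(s)")
    return (not failures, failures)

# Constructed evidence for one candidate release (sample data, not real results)
SAMPLE = Evidence(f1_holdout=0.91, selection_rate={"group_a": 0.40, "group_b": 0.30},
                  latency_ms=[120.0] * 95 + [250.0] * 4 + [900.0],
                  critical_vulns_open=1, red_team_report="RT-0001")
```

Calling `evaluate_technical_gate(SAMPLE)` fails the candidate on two rows (the 0.75 disparate impact ratio and the open critical finding) while the 250 ms P99 stays within the assumed SLA, which is the point of evaluating every row rather than stopping at the first failure.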
Governance approval gate

| Check | Approver | Documentation required |
|---|---|---|
| AI governance review | AI Governance Lead | Signed governance checklist |
| Risk assessment complete | Risk Officer | Risk register entry |
| Model card complete | Technical Owner | Published model card |
| Explainability report | Technical Owner | SHAP/LIME or alternative explanation report where applicable |

Legal/compliance gate

| Check | Requirement |
|---|---|
| Regulatory mapping | Applicable regulations identified and addressed |
| Privacy review | Privacy impact assessment completed where required |
| Legal sign-off | Legal counsel review for high-risk systems |
| Industry-specific review | Domain-specific obligations addressed |

Infrastructure readiness gate

| Check | Requirement |
|---|---|
| Monitoring configured | Alerts set for degradation and drift |
| Logging enabled | Inputs, outputs, and decisions logged with retention policy |
| Rollback tested | Rollback to previous version validated in staging |
| Runbook complete | On-call runbook published and reviewed |
This framework primarily operationalizes the Measure and Manage functions of the NIST AI RMF.

Full mapping: docs/nist-rmf-mapping.md
This repository is shared in a personal capacity. It is not legal advice, compliance certification, regulatory approval, safety certification, or official guidance from NIST, the EU, ISO, or any employer.
References to NIST AI RMF, release gates, risk thresholds, regulatory review, and industry-specific obligations are practitioner mappings and examples. Always verify against official sources and internal requirements before using this framework for compliance, safety, or release decisions.
| Repository | What it adds |
|---|---|
| release-checklist | Working CLI validator for YAML-based release configs |
| governance-playbook | Broader organizational operating model |
| regulated-ai | Starter repo with governance and release artifacts |
| nist-rmf-guide | Practitioner implementation guide |
Maintained by Sima Bagheri