Documentation, Communication and Decommissioning
Document every decision with model cards, counterfactual explanations and remediation owners; communicate by audience; and retire systems via ten governance checkpoints with records aligned to ISO 42001.
Document every decision, tell each audience what they need, and retire systems as carefully as you launched them.
Documentation toolkit.
- Model cards / fact sheets → standardised information on the model and its function and output → including model version and the dataset used
- Counterfactual explanations → detail what new or different input would change the output of the AI process
- Adverse impact remediation → document what level of impact requires remediation and who addresses it
- Deployment method → record the platform → cloud, onsite or hybrid → and whether current infrastructure supports it. Record all decisions, regulatory or not, using standard templates → audits will demand the paper trail
| For regulators | For consumers |
|---|---|
| Compliance and disclosure obligations · explainability · risks and mitigation processes · data and risk classifications | Transparency as to the functionality of AI · what data will be used and how |
Decommissioning governance → ten checkpoints:
- Residual risk management → formal shutdown procedures → archived models or retained training data still pose risks
- Data disposal & retention → securely dispose of or anonymise training, validation and inference data → never retain beyond the intended purpose
- Model archiving → models kept for audits or legal defence → encryption, access control, a justification for retention, privacy-preserving archiving
- Documentation → records of justifications, stakeholders, residual risks, audit logs → aligned with ISO 42001
- Communications → notify stakeholders of retirement → external notifications for high-risk or regulated use cases
- Knowledge retention → capture lessons learned, performance issues, governance challenges → institutional memory
- Security risks → endpoints, APIs and artifacts taken offline and validated as nonexploitable
- Downstream dependencies → map and monitor reliant applications → failovers or redirect logic to minimise disruption
- Third-party AI → contract exit clauses → data return or deletion, liability waivers, post-deployment audits
- Governance checklist → an AI Decommission Checklist → data, models, infrastructure, documentation, risk sign-off, post-mortem reviews
Module 6's seven takeaways → (1) define objectives clearly (classification, regression or recommendation; set KPIs); (2) engage stakeholders early (agree goal, success parameters, risk ownership); (3) implement the six risk strategies in order; (4) evaluate data quality (garbage in, garbage out plus the five V's); (5) adopt 3LOD with effective challenge; (6) test and validate continuously with resources proportional to risk; (7) document everything. Mnemonic bank → Use Smart Methods, Handle Big Projects (6 risk strategies) · Do → Watch → Check (3LOD) · Volume · Velocity · Variety · Veracity · Value (5 V's) · Invert · Extract · Poison · Evade (AI-specific security threats).