Overview & purpose

This policy defines the mandatory stages, controls, and documentation required for managing AI models. It ensures that development, deployment, and operation of AI systems meet ISO/IEC 42001, EU AI Act Annex IV, and UK data protection requirements.

Governance & principles

• Accountability: Each AI model has a designated Model Owner responsible for compliance and performance.
• Traceability: All artefacts (code, data, testing, changes) are version-controlled and linked to the AIMS evidence register.
• Human oversight: Oversight checkpoints required before promotion between stages.
• Explainability: Model design must include transparency and interpretability features.
• Security: Controls implemented to protect model, data, and interfaces from unauthorised access.

Lifecycle phases overview

Each model follows the structured five-phase lifecycle defined below:

1. Design & Planning
2. Development & Testing
3. Deployment & Release
4. Monitoring & Performance
5. Decommissioning & Archiving

1️⃣ Design & planning

• Define system purpose, scope, intended users, and operating context.
• Perform risk assessment (ISO 42001 §6.1) covering bias, security, safety, and ethics.
• Review compliance obligations under EU AI Act Annex III (risk classification).
• Define data requirements, quality thresholds, and lawful processing basis.
• Establish performance KPIs (accuracy, recall, fairness, robustness).
• Submit design brief to AI Governance Board for approval before proceeding.

2️⃣ Development & testing

• All code and data changes tracked in version control (Git, WorkDrive, etc.).
• Model trained and validated using approved datasets with provenance documentation.
• Perform bias, robustness, explainability, and adversarial testing.
• Validation team performs independent model verification prior to deployment.
• Store training logs, configurations, and test results in Evidence Register.

3️⃣ Deployment & release

• Release authorised by AI Change Advisory Board (AI-CAB).
• Deploy through controlled CI/CD pipelines with rollback capability.
• Ensure human-in-the-loop or override available for high-risk decisions.
• Record deployment ID, version, and configuration snapshot in AIMS evidence.
• Publish Transparency Statement and update model registry.

4️⃣ Monitoring & performance

• Continuous post-market monitoring of model outputs, drift, and bias metrics.
• Trigger re-validation or retraining when thresholds exceeded.
• Maintain logs of alerts, incidents, and CAPA links.
• Quarterly review by Oversight Officer with PMM dashboards and KPIs.
• Feed results into Management Review and Risk Register updates.

5️⃣ Decommissioning & archiving

• Retirement triggered by end-of-life, obsolescence, or compliance decision.
• Remove active endpoints, APIs, and user interfaces.
• Archive model artefacts, metadata, and documentation in secure storage.
• Retain evidence for ≥ 5 years post-retirement for audit traceability.
• Conduct final review verifying data deletion and residual risk closure.

Evidence & documentation

• Maintain Model Register listing all models, owners, versions, and statuses.
• Evidence collected at each phase — risk forms, test reports, deployment approvals.
• Each artefact tagged with unique model ID and stored in AIMS repository.
• Periodic internal audit validates documentation completeness.

Common pitfalls & mitigation

• Untracked experiments: Enforce strict version control and model registry updates.
• Drift not monitored: Integrate automated PMM dashboards with alerts.
• Weak documentation: Link lifecycle artefacts directly to AIMS evidence IDs.
• No retirement policy: Define decommissioning triggers and record retention controls.

Implementation checklist

• Lifecycle Policy approved by AO and integrated into AIMS.
• Model Register implemented and regularly updated.
• Lifecycle evidence captured for all models (design → retire).
• PMM and risk processes linked to lifecycle data.
• Quarterly governance review verifies lifecycle compliance.

© Zen AI Governance UK Ltd • Regulatory Knowledge • v1 10 Nov 2025 • This page is general guidance, not legal advice.