Shipping an AI product is not the end. It is the beginning of an ongoing responsibility to govern its behavior, ensure compliance, and measure its impact. These final phases before the postmortem complete the lifecycle.
Phase 8: Governance and Trust Plan (Week 11)
31.5.1 Policy Development
Establish clear policies for AI behavior beginning with an acceptable use policy that defines what the AI should and should not do, a data handling policy that specifies how user data is used, stored, and deleted, an escalation policy for when to involve humans in AI decisions, a feedback policy explaining how user feedback influences AI behavior, and an update policy covering how and when AI models are updated.
Running Example - FraudFinder: The FraudFinder team developed policies requiring human review for any transaction flagged above a $10,000 threshold. The AI could decline transactions under $100 automatically but had to involve a human for larger amounts.
Policy name: [Name]
Scope: [Who/what it applies to]
Requirements: [What must be done]
Exceptions: [When to deviate]
Owner: [Who is accountable]
Review frequency: [When it will be revisited]
31.5.2 Compliance Checklist
Depending on your industry and region, you may need to comply with various regulations. The EU AI Act applies in the European Union and requires risk classification, transparency measures, and human oversight for AI systems. GDPR also applies in the EU and mandates data protection, consent mechanisms, and the right to explanation for automated decisions. CCPA governs California in the USA and focuses on consumer data rights and privacy notices. HIPAA applies to healthcare in the USA and requires healthcare data protection. ISO 42001 is an international standard for AI management system certification. NIST AI RMF provides an AI risk management framework for organizations in the USA. Identify which regulations apply to your product based on your industry and user base.
Conduct a compliance self-assessment by first identifying applicable regulations based on your industry and user base, then documenting how your AI system meets each requirement. Identify gaps and create remediation plans to address them. Obtain legal review for high-risk compliance areas and schedule regular compliance reviews to maintain ongoing adherence.
31.5.3 Audit Trail Setup
AI systems must maintain comprehensive audit trails that serve multiple purposes. Input logging records what queries were made after sanitizing personally identifiable information to protect user privacy while maintaining debugging capability. Output logging captures what responses were given to track AI behavior over time. Decision logging aims to capture why the AI made specific choices, which helps with debugging and accountability. Human overrides track when humans changed AI decisions, providing insight into where AI and human judgment differ. System changes document when models, prompts, or configurations changed, creating a traceable history of the system's evolution.
Do not log raw user queries containing PII. Sanitize or hash identifying information before logging. This protects users and reduces your compliance burden.
31.5.4 Accountability Definition
Define who is accountable for AI outcomes by assigning specific roles to ensure clear ownership. The AI Product Owner holds accountability for product decisions and outcomes, including whether the product delivers value and meets user needs. The AI Engineer is accountable for technical implementation, ensuring the system is built correctly and reliably. The Compliance Lead is accountable for regulatory compliance, making sure the product meets all applicable laws and regulations. The On-call Engineer is accountable for production incidents, responding to outages and issues when they occur.
AI Decision: [What AI decides]
Human Review: [Required for which cases]
R (Responsible): [Who does the work]
A (Accountable): [Who is answerable]
C (Consulted): [Who provides input]
I (Informed): [Who is notified]
Phase 9: Metrics Dashboard (Weeks 11-12)
31.5.5 Key Metrics Selection
Select metrics that matter for your AI product across five categories. Quality metrics include eval scores, user satisfaction, and task completion, answering whether the AI is doing its job well. Reliability metrics track uptime, error rate, and latency at the fiftieth, ninety-fifth, and ninety-ninth percentiles, answering whether the system is available and fast. Adoption metrics measure daily active users, monthly active users, and feature activation, answering whether users are actually using the product. Business metrics include cost per query, revenue impact, and Net Promoter Score, answering whether the product is delivering value to the organization. Safety metrics track escalation rate, override rate, and complaint rate, answering whether the AI is causing harm or creating problems for users.
Running Example - FraudFinder: The FraudFinder team tracked fraud detection rate (did we catch the fraud?), false positive rate (did we block legitimate transactions?), and analyst review time (how much manual work remains?).
31.5.6 Dashboard Design
Build a dashboard that different stakeholders can use, with an executive view showing high-level metrics, trends, and anomalies. The product manager view displays quality metrics, user feedback, and feature adoption. The engineering view shows system metrics, error rates, and latency distributions. The compliance view provides audit logs, policy adherence, and risk indicators.
When implementing a dashboard, start with the three most important metrics for each stakeholder to avoid overwhelming them with data. Use a tool that supports real-time updates such as Grafana or Datadog so the team can see current status at a glance. Create a single source of truth that everyone trusts by ensuring data consistency across all views. Include context by showing baselines, targets, and historical trends so metrics have meaning beyond raw numbers. Finally, establish a practice of reviewing the dashboard in weekly team syncs to keep everyone aligned on product performance.
31.5.7 Alert Thresholds
Configure alerts that surface problems before they become incidents. Static thresholds define clear boundaries like error rate exceeding five percent or latency at the ninety-fifth percentile exceeding two seconds. Dynamic thresholds use anomaly detection based on historical patterns to identify unusual behavior that deviates from normal. Trend alerts catch gradual degradation that unfolds over days rather than appearing suddenly. Business metric alerts notify you when conversion rates drop or unusual user behavior patterns emerge. Configure each alert type based on what matters most for your specific product and user experience.
"Alert on outcomes, not activities. Every alert should require a decision or action. If you do not know what to do when an alert fires, it is not a good alert."
31.5.8 Review Cadence
Establish a regular review schedule at multiple cadences to ensure appropriate oversight at each level. Daily reviews consist of a system health check performed by the on-call engineer to catch immediate issues. Weekly reviews cover metrics review and AI quality trends with product and engineering teams to track progress against goals. Monthly reviews examine business impact and compliance status with leadership and compliance teams to ensure the product remains aligned with organizational priorities and regulatory requirements. Quarterly reviews involve strategy review and model evaluation by the executive team to assess long-term direction and performance.
Completing phases eight through ten requires that AI governance policies have been documented, compliance requirements have been identified and addressed, audit trail logging has been implemented, accountability has been defined with RACI, a metrics dashboard has been built and is accessible, alert thresholds have been configured, a review cadence has been established, and dashboards are reviewed in weekly syncs.