AI system lifecycle management

The initiation stage determines why an AI system needs to be developed and involves decisions that lead to the design and development stage. Initial evaluation of AI system risk and impact levels helps assign systems with rightly sized governance tasks. The decisions of the stage can be revisited during the life cycle as new information is discovered in later stages.

The design and development stage creates and delivers an AI system that is ready for verification and validation. During this stage, stakeholders should ensure the AI system fulfils its intended purpose and objectives, requirements, and other targets identified during the initiation stage. In this stage, the AI system goes through a risk management process where risks are identified, evaluated and treated in a way that leads to an acceptable residual risk level.

The verification and validation stage ensures that the AI system works according to the requirements set to it and meets objectives. Such reviews can be conducted by internal reviewers, external auditors, or both of them. The stage also includes approval, where the AI system is approved as functionally complete, at an acceptable quality level, and ready to be deployed.

The deployment stage happens when the AI system is installed, released or configured for operation in its target environment. During this stage, users are provided with the necessary capabilities and support to use the system according to its intended use and instructions. At this stage, continuous monitoring and oversight capabilities are enabled to support risk monitoring and treatment, as well as efficient incident resolution and redress.

During the operation and monitoring stage, the AI system is operating and available for use. Furthermore, the system’s normal operation is monitored, and necessary actions like updates, repair, and support are taken to ensure AI system quality. Based on insights gained from monitoring, risk treatment plans may need to be updated.

The re-evaluation stage refers to a reassessment of the AI system based on time-based triggers, or triggers learned through continuous monitoring of the system. Re-evaluation can contain an evaluation of the system’s impact, performance, as well as events identified through continuous risk monitoring. The re-evaluation typically ends in recorded re-approval of the system.

The retirement stage occurs when the AI system becomes obsolete to the extent that repairs and updates are not enough to address new requirements. This can lead to the system being decommissioned or replaced. In this stage, the system is archived in the archived systems inventory.

STANDARD

• Register system

• Determine context

• Determine intended use

• Determine risk and business impact

• Determine roles and responsibilities

STANDARD

• Determine system components

• Assign and manage suppliers

• Perform data governance

• Determine applicable policies

• Perform risk management

• Evaluate performance and safety

• Implement policy-specific requirements and controls

OPTIONAL

• Create review

• Conduct review and report findings

• Create and assign finding remediation tasks

• Implement remediation tasks

• Approve the system

STANDARD

• Configure and share transparency

• Setup human oversight and monitoring

STANDARD

• Monitor system risks and performance

• Process post-market feedback

• Implement remediation tasks

OPTIONAL

• Re-evaluate the system and report findings

• Create and assign finding remediation tasks

• Implement remediation tasks

• Re-approve the system

STANDARD

• Archive system