Free resource: Spreadsheet

AI Go-Live Security Checklist

The production readiness review for an AI system in plain checklist form. 20 specific checks across four lifecycle stages — pre-pilot, restricted pilot, production readiness, production. Each check carries pass criteria, evidence required, and a status column for pass/fail/conditional outcomes.

20 checks
4 lifecycle stages
7 control categories
9 columns


Excel format (.xlsx). Opens in Excel, Google Sheets, or any spreadsheet tool. You'll also receive new blog posts when they publish.


Who it's for

Security architects, AI governance leads, CISOs, and DPOs preparing an AI system for production — or reviewing one that is already live.

Use it at the production readiness gate — after pilot, before broader deployment. The completed checklist is the production readiness evidence in the Drel clearance disposition.

How to use it

  1. Work through each lifecycle stage in order: Pre-pilot → Restricted Pilot → Production Readiness → Production.
  2. Mark each check: Pass / Fail / Conditional.
  3. For Conditional outcomes, document the named conditions and owner.
  4. Treat any Fail at a gate as a deployment blocker until resolved.
  5. Treat Conditional as a documented residual risk with an owner and target date.
  6. Attach the completed checklist to the clearance disposition as production readiness evidence.

What's in the file

Twenty checks distributed across four lifecycle stages. Each row carries: stage, control category, check description, pass criteria, evidence required, status (Pass/Fail/Conditional), conditions if Conditional, owner, notes.

Lifecycle stage         Coverage
Pre-pilot               Architecture, threat model, data flow, data minimisation (4 checks)
Restricted Pilot        Auth, authorisation, logging, monitoring, incident response (5 checks)
Production Readiness    Production prompts, tool scope, retention, authorisation, log retention, monitoring, tabletop, triggers (8 checks)
Production              Quarterly review, on-call, trigger monitoring (3 checks)

From checklist to go-live decision

Spreadsheets are the starting point

This checklist is the manual version of what Drel automates. Drel runs the same lifecycle gates as a guided AI security review — mapping controls to evidence gaps, generating a risk disposition, and producing a review-ready dossier your AI Committee can actually approve or reject.

Frequently asked questions

Is this for going from zero to production, or for production updates?
Primarily for going from pilot to production. The pre-pilot and restricted pilot stages serve as a record that prerequisites were met before the production readiness review. For production updates (model changes, new tools), use the re-assessment trigger process from your disposition memo.
What's the difference between Pass, Fail, and Conditional?
Pass: the check is met and evidenced. Fail: the check is not met — this is a deployment blocker until resolved. Conditional: the check is met with documented conditions that the AI Committee accepts as residual risk — name the conditions and the acceptor.
How is this different from a generic SDLC checklist?
The AI-specific lifecycle stages (pre-pilot, restricted pilot) reflect how AI systems are actually rolled out more closely than generic SDLC phases do. The AI-specific checks (prompt design, tool surface, model version, audit log trace IDs, AI incident response) cover concerns that a generic SDLC checklist misses.
Does Pass at all checks mean the system is compliant?
No. Pass at all checks means the system is production-ready from a security review perspective. Regulatory compliance (ISO 42001, EU AI Act) is a separate determination that requires legal and compliance review beyond what this checklist covers.
Can I customise the checks?
Yes. The spreadsheet is a starting point. Add system-specific checks, remove rows that don't apply (mark them N/A with a one-line rationale rather than deleting), and adjust the stage assignments to match your organisation's lifecycle terminology.
Who owns the production readiness review?
Typically the AI Governance Officer or the security architect, with sign-off from the AI Committee. The Owner column on each row names accountability for that specific check.