AI governance
AI-specific lifecycle artefacts auditors expect — impact assessments, risk assessments, system inventory, TEVV, post-deployment monitoring.
This section covers the AI-specific lifecycle artefacts that ISO 42001, the EU AI Act, NIST AI RMF, and AIUC-1 expect. Each artefact has a template the platform maintains and an audit trail that captures changes.
The lifecycle
An AI system in Scrydon (a workflow, an automation, an agent) moves through a defined lifecycle:
Pilot → Beta → Production → Maintained → Deprecated → Decommissioned

Each stage triggers artefacts. The platform records the artefact in the workflow's metadata and produces an audit event on each transition.
Required artefacts
| Artefact | When | Owner |
|---|---|---|
| Purpose statement | Pilot | Workflow owner |
| Impact assessment | Pilot → Beta | Workflow owner + stakeholder rep |
| Risk assessment | Pilot → Beta | Workflow owner + AI risk owner |
| System inventory entry | Beta | Auto-generated |
| TEVV record | Beta → Production | QA / validator |
| Decisions log | Throughout | Continuous |
| Post-deployment monitoring profile | Production | Workflow owner |
| Continuous improvement record | Maintained | Continuous |
| Decommissioning record | Decommissioned | Workflow owner + auditor |
Templates
Purpose statement
- What the system does.
- Who uses it.
- What problem it solves.
- What it explicitly does not do.
Impact assessment
- Affected stakeholders (employees, customers, regulators, partners).
- Direct vs. indirect impact.
- Severity (low, moderate, high, severe).
- Reversibility (reversible, partly reversible, irreversible).
- Mitigations.
Risk assessment
- Risk catalogue (hallucination, bias, prompt injection, data leakage, model drift, …).
- Likelihood × impact scoring.
- Treatment per risk (mitigate, accept, transfer, avoid).
- Residual risk + sign-off.
System inventory entry
Auto-populated from workflow metadata:
- ID, owner, classification, deployment stage.
- Integrations used (model providers, data sources).
- Knowledge bases referenced.
- Managed tables read / written.
- Decisions log link.
TEVV record
Test, Evaluate, Verify, Validate:
- Test cases run.
- Evaluator scores (accuracy, robustness, fairness).
- Coverage of edge cases.
- Sign-off by validator.
Decisions log
A running log of design decisions: model choices, prompt changes, integration choices, threshold changes. Each entry includes:
- Date.
- Decision.
- Rationale.
- Alternatives considered.
- Approver.
Post-deployment monitoring profile
- Metrics tracked (latency, error rate, evaluator score distribution, cost).
- Thresholds and alerts.
- Review cadence.
Continuous improvement record
Quarterly capture of:
- Issues observed.
- Improvements implemented.
- Improvements deferred (with rationale).
Decommissioning record
- Reason for decommissioning.
- Data disposition.
- Stakeholder notification.
- Final audit-log entry.
Where these live
Artefacts live on the workflow / automation entity in the platform. They're editable from the workflow detail page and visible to anyone with the right grant.
Every artefact creation, edit, and approval emits an audit event. See Audit logging.
Vanta automation
Some artefacts are picked up automatically by Vanta (system inventory, TEVV records, audit events). Others are manual evidence that lives in the platform but isn't auto-synced. The framework pages note which controls Vanta picks up.