AI Development Standards

Development lifecycle standards, DevSecOps practices, documentation requirements, code review, prompt review, model validation, and release management.

AI Project Lifecycle

The AI Project Lifecycle defines the end-to-end process for identifying, developing, deploying, and retiring AI systems within the organisation. All AI projects must follow this lifecycle to ensure consistent governance, quality, and risk management.

Phase 1: Initiation

  1. Business case development with clear AI use case definition and expected benefits.
  2. Initial feasibility assessment including technical, ethical, and regulatory viability.
  3. AI Project Charter creation with defined scope, objectives, stakeholders, and budget.
  4. Appointment of AI Project Sponsor and AI Project Manager.
  5. Submission to AI Steering Committee for concept approval.

Phase 2: Planning

  1. Detailed requirements gathering including functional, non-functional, and compliance requirements.
  2. AI Risk Assessment completion per Volume 3.
  3. Data governance plan development per Volume 4.
  4. Security architecture design per Volume 5.
  5. Procurement strategy for models, APIs, compute, and professional services.
  6. Resource allocation and team composition confirmation.

Phase 3: Development

  1. Model selection or custom development following Secure Development Lifecycle (SDLC).
  2. Data preparation, feature engineering, and dataset validation.
  3. Iterative model training with documented hyperparameters and configurations.
  4. Continuous integration of code, prompts, and model artifacts.
  5. Peer review of code, prompts, and training configurations.

Phase 4: Validation

  1. Comprehensive testing including unit tests, integration tests, bias tests, and adversarial tests.
  2. Model performance validation against defined success metrics and baselines.
  3. Security testing including prompt injection, data leakage, and model extraction attempts.
  4. Human review and approval of model outputs for high-risk use cases.
  5. Documentation completion including model cards, data sheets, and system architecture.

Phase 5: Deployment

  1. Production environment hardening and access control implementation.
  2. Gradual rollout via canary deployment or A/B testing methodology.
  3. Monitoring dashboards and alerting configured per Volume 8.
  4. User training and operational handover to AI Operations team.
  5. Executive sign-off for full production release.

Phase 6: Operations & Retirement

  1. Continuous monitoring of performance, drift, and security indicators.
  2. Periodic model retraining and performance review.
  3. Change management for model updates, retraining, or configuration changes.
  4. Formal retirement process when system is decommissioned, including data archival and model deletion.
  5. Post-implementation review and lessons learned documentation.

| Phase | Key Deliverable | Approver | Timeline |
|---|---|---|---|
| Initiation | AI Project Charter | AI Steering Committee | 2-4 weeks |
| Planning | AI Risk Assessment & Project Plan | CIO / CRO | 4-8 weeks |
| Development | Trained Model & Code Repository | AI Technical Lead | 8-16 weeks |
| Validation | Validation Report & Model Card | AI Ethics Board | 4-6 weeks |
| Deployment | Production Release Approval | Executive Sponsor | 2-4 weeks |
| Operations | Monthly Performance Report | AI Operations Manager | Ongoing |

Secure Development Lifecycle

The Secure Development Lifecycle (SDLC) for AI extends traditional software security practices to address AI-specific risks including model vulnerabilities, data poisoning, prompt injection, and supply chain attacks.

Security Requirements

  • All AI projects must complete a threat model during the design phase.
  • Security requirements must be documented and traceable to specific AI risks.
  • Adversarial testing must be included in test plans for all production AI systems.
  • Third-party models and APIs must undergo vendor security assessment before use.

Secure Coding Practices

  • Input validation and sanitisation for all user-provided prompts and data.
  • Output encoding to prevent injection attacks via AI-generated content.
  • Least-privilege access for model inference APIs and training pipelines.
  • Secrets management — no API keys or credentials in code repositories.
  • Dependency scanning for ML frameworks, libraries, and container images.

Code Review Requirements

| Review Type | Scope | Reviewer | Frequency |
|---|---|---|---|
| Peer Review | All code commits | Senior Developer | Every commit |
| Security Review | Authentication, API, data handling | Security Architect | Weekly |
| Prompt Review | All system prompts and templates | AI Ethics Officer | Every change |
| Model Review | Training code, configs, hyperparameters | ML Engineer | Pre-release |
| Architecture Review | System design, integrations | Enterprise Architect | Milestone |

Documentation Standards

Comprehensive documentation ensures AI systems are maintainable, auditable, and transferable. All AI projects must produce the following documentation deliverables.

Required Documentation

  • AI Project Charter — scope, objectives, stakeholders, budget, timeline
  • AI Risk Assessment — identified risks, controls, residual risk ratings
  • Data Governance Plan — data sources, classification, lineage, quality metrics
  • Model Card — model purpose, architecture, training data, performance metrics, limitations
  • System Architecture Diagram — components, data flows, integrations, security boundaries
  • Prompt Registry — all system prompts, versions, approval history
  • API Documentation — endpoints, authentication, rate limits, error codes
  • User Guide — intended use, constraints, known failure modes, escalation procedures
  • Operations Runbook — deployment procedures, monitoring, incident response steps
  • Retirement Plan — data archival, model deletion, compliance requirements

Model Card Template

Model Cards must follow the CSA Model Card Template (Template T-008) and include: model identifier, version, creation date, intended use, training dataset summary, performance benchmarks, ethical considerations, known limitations, and approval signatures.