AI Development Standards
Development lifecycle standards, DevSecOps practices, documentation requirements, code review, prompt review, model validation, and release management.
AI Project Lifecycle
The AI Project Lifecycle defines the end-to-end process for identifying, developing, deploying, and retiring AI systems within the organisation. All AI projects must follow this lifecycle to ensure consistent governance, quality, and risk management.
Phase 1: Initiation
- Business case development with clear AI use case definition and expected benefits.
- Initial feasibility assessment including technical, ethical, and regulatory viability.
- AI Project Charter creation with defined scope, objectives, stakeholders, and budget.
- Appointment of AI Project Sponsor and AI Project Manager.
- Submission to AI Steering Committee for concept approval.
Phase 2: Planning
- Detailed requirements gathering including functional, non-functional, and compliance requirements.
- AI Risk Assessment completion per Volume 3.
- Data governance plan development per Volume 4.
- Security architecture design per Volume 5.
- Procurement strategy for models, APIs, compute, and professional services.
- Resource allocation and team composition confirmation.
Phase 3: Development
- Model selection or custom development following the Secure Development Lifecycle (SDLC).
- Data preparation, feature engineering, and dataset validation.
- Iterative model training with documented hyperparameters and configurations.
- Continuous integration of code, prompts, and model artifacts.
- Peer review of code, prompts, and training configurations.
Phase 4: Validation
- Comprehensive testing including unit tests, integration tests, bias tests, and adversarial tests.
- Model performance validation against defined success metrics and baselines.
- Security testing including prompt injection, data leakage, and model extraction attempts.
- Human review and approval of model outputs for high-risk use cases.
- Documentation completion including model cards, data sheets, and system architecture.
Phase 5: Deployment
- Production environment hardening and access control implementation.
- Gradual rollout via canary deployment or A/B testing methodology.
- Monitoring dashboards and alerting configured per Volume 8.
- User training and operational handover to AI Operations team.
- Executive sign-off for full production release.
Phase 6: Operations & Retirement
- Continuous monitoring of performance, drift, and security indicators.
- Periodic model retraining and performance review.
- Change management for model updates, retraining, or configuration changes.
- Formal retirement process when the system is decommissioned, including data archival and model deletion.
- Post-implementation review and lessons learned documentation.
| Phase | Key Deliverable | Approver | Timeline |
|---|---|---|---|
| Initiation | AI Project Charter | AI Steering Committee | 2-4 weeks |
| Planning | AI Risk Assessment & Project Plan | CIO / CRO | 4-8 weeks |
| Development | Trained Model & Code Repository | AI Technical Lead | 8-16 weeks |
| Validation | Validation Report & Model Card | AI Ethics Board | 4-6 weeks |
| Deployment | Production Release Approval | Executive Sponsor | 2-4 weeks |
| Operations | Monthly Performance Report | AI Operations Manager | Ongoing |
Secure Development Lifecycle
The Secure Development Lifecycle (SDLC) for AI extends traditional software security practices to address AI-specific risks including model vulnerabilities, data poisoning, prompt injection, and supply chain attacks.
Security Requirements
- All AI projects must complete a threat model during the design phase.
- Security requirements must be documented and traceable to specific AI risks.
- Adversarial testing must be included in test plans for all production AI systems.
- Third-party models and APIs must undergo vendor security assessment before use.
Secure Coding Practices
- Input validation and sanitisation for all user-provided prompts and data.
- Output encoding to prevent injection attacks via AI-generated content.
- Least-privilege access for model inference APIs and training pipelines.
- Secrets management — no API keys or credentials in code repositories.
- Dependency scanning for ML frameworks, libraries, and container images.
Code Review Requirements
| Review Type | Scope | Reviewer | Frequency |
|---|---|---|---|
| Peer Review | All code commits | Senior Developer | Every commit |
| Security Review | Authentication, API, data handling | Security Architect | Weekly |
| Prompt Review | All system prompts and templates | AI Ethics Officer | Every change |
| Model Review | Training code, configs, hyperparameters | ML Engineer | Pre-release |
| Architecture Review | System design, integrations | Enterprise Architect | Milestone |
Documentation Standards
Comprehensive documentation ensures AI systems are maintainable, auditable, and transferable. All AI projects must produce the following documentation deliverables.
Required Documentation
Model Card Template
Model Cards must follow the CSA Model Card Template (Template T-008) and include: model identifier, version, creation date, intended use, training dataset summary, performance benchmarks, ethical considerations, known limitations, and approval signatures.