Complete this checklist when deploying any CAB-approved AI tool into the production environment. One checklist per tool deployment. Required items must be completed before go-live.
Tool / Service Name
Vendor
CAB Change Reference
Deployed By
Target Go-Live Date
Actual Go-Live Date
Required (REQ) items must be completed before go-live. Recommended (REC) items should be completed within 5 business days of go-live. Optional (OPT) items are best practice but not gated.
01 Pre-Deployment -- Before Go-Live
□
CAB approval confirmed -- change request signed by all four representatives
Do not proceed without full CAB sign-off. Reference the change request ID above.
REQ
□
AI Vendor Assessment on file and approved
Confirm SOC 2 report, DPA, training opt-out status, and data residency are all documented.
REQ
□
Data Processing Agreement (DPA) executed with vendor
Must be signed before any data enters the tool. File copy in vendor records.
REQ
□
Training data opt-out confirmed -- vendor not using inputs to train models
Check vendor settings or enterprise agreement. Document the setting and where it is configured.
REQ
□
SSO / Entra ID integration configured
All user access must flow through the organisation's identity provider. No local accounts for production use.
REQ
□
MFA enforced for all users of this tool
Verify MFA is required at login, not just available. Confirm via identity provider policy.
REQ
□
Role-based access controls configured -- users provisioned with least-privilege roles
No one gets admin access unless explicitly required. Document role assignments.
REQ
□
Test environment validated -- POC or UAT results reviewed and accepted
Reference the test results attached to the CAB change request. Do not skip to production without test sign-off.
REQ
□
Rollback plan documented and tested -- team knows exactly how to reverse the deployment
Rollback steps should be written down and accessible offline in case something goes wrong during deployment.
REQ
□
AI Tool Documentation Template completed and ready to publish
Users need documentation before they can use the tool safely. Complete the template before go-live.
REC
□
Maintenance window scheduled if required
For tools replacing existing workflows, schedule the cutover during a low-impact window.
OPT
02 During Deployment -- Go-Live Day
□
Deployment executed per implementation steps in the change request
Follow the documented steps in order. Do not improvise. If something unexpected occurs, pause and assess before continuing.
REQ
□
Initial access test completed -- at least one pilot user confirmed access and basic functionality
Do not declare go-live until at least one real user has successfully logged in and confirmed the tool works as expected.
REQ
□
SSO login confirmed working for pilot user -- not falling back to local credentials
REQ
□
Deployment log started -- recording timestamps, actions taken, and any issues encountered
Even a simple running notes document counts. This becomes your audit trail and helps with post-incident review if needed.
REC
Deployment Notes
03 Post-Deployment -- Within 5 Days
□
Monitoring and alerting confirmed active -- errors and unexpected behaviour will trigger notifications
Verify the monitoring endpoint, alert thresholds, and who receives notifications. Required for SOC 2 CC7.2.
REQ
□
All intended users provisioned and access confirmed
No shadow access -- every user is documented with their assigned role.
REQ
□
AI Tool Documentation published and link shared with users
Users need the documentation to use the tool safely. Publish before or on go-live day -- not weeks later.
REQ
□
Staff briefing completed -- affected team notified of the new tool, its purpose, and any usage restrictions
REC
□
Tool added to the approved AI tools registry with deployment date and owner
The registry is the master list of approved AI tools in the environment. Keep it current.
REC
□
AI Controls Mapping updated to include this tool and its use case
Required for SOC 2 audit trail. Add the new use case row to the Controls Mapping document.
REC
□
7-day stability check scheduled -- review logs and user feedback one week post go-live
OPT
04 Handoff & Close -- Deployment Complete
□
Change request marked complete and filed -- signed copy archived
REQ
□
Ongoing owner assigned -- someone is responsible for this tool's health, access reviews, and vendor relationship
Without a named owner, tools drift. Assign one person accountable for this tool going forward.
REQ
□
Next access review date set -- quarterly review of who has access and whether they still need it