--- id: model-release-approval-fine-tuned version: 0.1.0 title: Model Release Approval — Fine-tuned Models authors: - drafts@cybergurkhas.com reviewed_by: - drafts@cybergurkhas.com last_reviewed: 2026-05-09 tags: lifecycle: pre-deployment type: approval compliance: - nist-ai-rmf - iso-42001 complexity: medium summary: > Gate for releasing a fine-tuned model to production: verify training data lineage, evaluation results, rollback plan, and owner sign-off before traffic is shifted. Use when the model weights or LoRA adapters are produced inside your organization or by a contracted trainer. estimated_duration_minutes: 90 --- ## Purpose Provide a repeatable approval path for fine-tuned models so production traffic is not routed to unreviewed weights, undocumented adapters, or unevaluated failure modes. ## When to use - You are promoting a new fine-tuned checkpoint (full or LoRA) beyond staging. - The base model is third-party or open-weights and your delta is non-trivial. - Governance requires evidence of data, evaluation, and ownership for this release class. ## Prerequisites - Model card draft exists and lists base model, training data sources, and intended use. - Offline or shadow evaluation completed with documented pass criteria. - Rollback path defined (prior checkpoint ID or feature flag). ## Steps ### 1. Confirm scope and ownership **Type:** manual **Owner:** ML platform lead **SLA:** 1 business day Verify the model card names a single accountable owner for the release and that the declared use case matches what product and security expect. Flag scope creep before deeper checks. > **[IR / editorial review]** Confirm owner titles and escalation path match your organization. ### 2. Validate training data and licensing **Type:** manual **Owner:** Data governance **SLA:** 2 business days Confirm provenance and license compatibility for every training split that influenced this checkpoint. Record dataset IDs or internal catalog references in the model card. ### 3. Attach evaluation summary **Type:** file_upload **Owner:** ML engineer **SLA:** 2 business days Upload the latest evaluation packet (safety, quality, regression). Redacted customer examples are acceptable; the file name should include checkpoint ID. ### 4. Security review for extraction and abuse **Type:** form **Owner:** Application security **SLA:** 2 business days Complete the standard AI release questionnaire: prompt injection surface, PII handling, tool use (if any), and known jailbreak tests attempted. ### 5. Release approver sign-off **Type:** approval **Owner:** Security operations leader **SLA:** 1 business day Named approver attests that steps 1–4 are satisfied and that production traffic may proceed per the rollback plan. ### 6. Notify routing / platform **Type:** webhook **Owner:** ML platform **SLA:** same day Trigger the internal change ticket or deployment workflow that records the approved checkpoint and timestamp (implementation-specific).