AI Feature Governance Shipping Checklist (2026) Use this to ship an LLM/RAG/agent feature that survives enterprise procurement and incident review. 1) Define the AI capability as a bounded system - Name the exact user value (e.g., “summarize ticket thread,” “draft reply,” “create Jira issue”). - List disallowed outcomes in plain language (e.g., “never email external recipients without approval,” “never retrieve docs outside user access”). - Decide whether the model is allowed to be creative or must be extractive. 2) Data map (write it down) - Inputs: what fields can enter prompts (UI text, files, CRM notes, code, logs)? - Retrieval: what sources exist (Confluence, Google Drive, Slack, internal DB)? - Outputs: where can the model write (comments, emails, tickets, code PRs)? - Retention: what you store (prompts, traces, retrieved snippets) and for how long. 3) Permissioned retrieval (RAG) - Retrieval must enforce the same ACLs/tenant boundaries as the underlying system. - Authorization happens before search. - Return minimized snippets with citations (doc IDs/links) rather than full documents. - Log each retrieved artifact ID per request for audit. 4) Tool/agent safety cages - Permission cage: agent inherits the user’s privileges; no hidden service-account escalation. - Scope cage: restrict tools by workspace/project/entity type and time window. - Confirmation cage: human approval UI for irreversible, expensive, or external actions. 5) Observability buyers will accept - Generate a trace ID for every AI request. - Record: model used, retrieval queries/filters, retrieved doc IDs, tool calls, approvals, final output. - Provide an admin view + export mechanism (at least CSV/JSON) for audits. 6) Admin controls (make them first-class) - Per-feature toggle (disable retrieval, disable tools, disable external actions). - Per-source allowlist (which drives/spaces/projects can be accessed). - Retention controls aligned with your policy (including “no prompt storage” if feasible). - Kill switch that disables tool execution server-side (not just hides UI buttons). 7) Vendor and model strategy - Maintain a model registry (approved models/providers per capability). - Route by task risk: low-risk drafting vs high-risk decision support. - Ensure you can swap providers without rewriting the product surface. 8) Pre-ship tests (minimum) - Red-team prompt injection against tool use and retrieval boundaries. - Cross-tenant leakage tests (intentional misuse of filters/metadata). - “Hallucination impact” tests: verify required citations for factual answers. - Approval flow tests: confirm no irreversible action can bypass confirmation. If you can’t produce artifacts for items 2, 3, 5, and 6, you don’t have an AI feature. You have a demo.