Deployment Readiness Checklist

Checklist DEPLOY

Purpose

A pre-deployment checklist ensuring all security, performance, and governance requirements are met before go-live.

Related Controls

ISO A.5, NIST MG-1

1. System Information

Identify the system being deployed and key metadata.

System Name: [SYSTEM NAME]

Version: [VERSION]

Deployment Date: [DATE]

Target Environment: Staging / Production

Deployment Lead: [NAME], [ROLE TITLE]

Risk Tier: Low / Medium / High

Change Request ID: [CR-NNN]

2. Pre-Deployment Checks

All items must be checked before deployment can proceed. Any unchecked critical item blocks deployment.

Security

  • [ ] Threat model completed and signed off
  • [ ] Security testing passed (SAST, DAST, AI-specific)
  • [ ] No critical or high vulnerabilities open
  • [ ] API keys and credentials stored in secrets management (not in code)
  • [ ] Network security controls verified (firewall rules, WAF, rate limiting)
  • [ ] Data encryption configured (in transit and at rest)

AI-Specific

  • [ ] Model card completed and reviewed
  • [ ] Prompt security testing completed (injection, jailbreak, extraction)
  • [ ] Output filtering and validation implemented
  • [ ] Agent permissions documented and follow least privilege
  • [ ] Iteration limits and timeouts configured
  • [ ] Fallback behavior tested (model unavailability, error states)

Performance

  • [ ] Load testing completed — meets SLA targets
  • [ ] Latency benchmarks recorded (p50, p95, p99)
  • [ ] Resource utilization within capacity (CPU, memory, GPU)
  • [ ] Auto-scaling configured and tested (if applicable)

Operational

  • [ ] Monitoring dashboards configured
  • [ ] Alerting rules set for key metrics
  • [ ] Logging configured (application, security, audit)
  • [ ] Runbooks created for common operational tasks
  • [ ] On-call rotation assigned and notified

Governance

  • [ ] All required review gates passed (G1-G4)
  • [ ] Rollback plan documented and tested
  • [ ] Incident response plan updated for this system
  • [ ] Compliance requirements documented and verified

3. Approval Matrix

Define required approvals based on risk tier.

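Risk Tier | Required Approvers                                      | Name | Approved | Date
----------|---------------------------------------------------------|------|----------|-----
Low       | System Owner + Engineering Lead                         |      | Yes / No |
Medium    | System Owner + Engineering Lead + Security              |      | Yes / No |
High      | System Owner + Engineering Lead + Security + CISO + Legal |      | Yes / No |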

Deployment Decision: GO / NO-GO

Decision By: [NAME], [ROLE TITLE]

Decision Date: [DATE]

4. Post-Deployment Validation

Checks to perform immediately after deployment to confirm the system is healthy.

Immediate (First 30 Minutes)

  • [ ] Application starts successfully
  • [ ] Health check endpoints responding
  • [ ] Key functionality verified via smoke tests
  • [ ] No error rate spike in monitoring
  • [ ] Logging and metrics flowing to dashboards

First 24 Hours

  • [ ] Error rate within baseline tolerance (< [X]%)
  • [ ] Latency within SLA targets
  • [ ] No security alerts triggered
  • [ ] User feedback channel monitored
  • [ ] AI output quality spot-checked (minimum [X] samples)

First Week

  • [ ] Performance trends stable
  • [ ] No model drift detected
  • [ ] Customer/user satisfaction metrics reviewed
  • [ ] Deployment retrospective scheduled

5. Retrospective Notes

Capture lessons learned from this deployment for continuous improvement.

What went well:

  1. [NOTE]
  2. [NOTE]

What could be improved:

  1. [NOTE]
  2. [NOTE]

Action items for next deployment:

  1. [ACTION — OWNER — DEADLINE]
  2. [ACTION — OWNER — DEADLINE]

Deployment Duration: [START TIME] to [END TIME]

Rollback Used: Yes / No — If yes, reason: [REASON]
