Who Should Sign Off a New AI Tool Before It Goes Live?

by

in

,

Deployment sign-off is the checkpoint before a new AI tool moves from trial or pilot into regular business use. Its purpose is simple: nothing goes live without someone accountable confirming the risk assessment is complete, the conditions are workable, and the right people know it exists.

Why have a separate sign-off step at all?

A risk assessment on its own doesn’t stop a tool being used before anyone’s actually looked at the result. Sign-off is the point where the assessment’s findings are converted into a decision, and that decision is recorded against a named person. Without it, tools tend to drift into regular use gradually – a trial extends, more people start relying on it, and there was never a moment where anyone formally said yes.

Who should have sign-off authority?

This should scale with risk. Low-risk tools (internal drafting, no personal data, easily reversible) can often be approved by a team lead or department head. Higher-risk tools – anything touching personal data at scale, feeding into decisions about individuals, or replacing a previously human judgement call – should go to someone senior enough to be accountable for the organisation’s overall risk position, typically whoever holds ultimate responsibility for data protection or compliance.

What should the sign-off actually check?

  • Has a risk assessment (and DPIA, if applicable) actually been completed, not just started
  • Are the assessment’s conditions realistic – will staff actually follow them day to day
  • Is there a named owner for the tool once it’s live
  • Has the tool been added to the system register
  • Is there a review date, rather than an open-ended approval

What happens after sign-off?

Sign-off isn’t a one-off event. The approval should specify when the tool gets reviewed again, and what would trigger an earlier review – a change in how it’s used, a vendor change, or an incident. Treating sign-off as the end of the process, rather than the start of ongoing oversight, is one of the more common gaps in otherwise well-designed governance frameworks.

If you’d like help designing a deployment sign-off process for your organisation, see our AI Governance advisory services.