How a PRR engagement runs, end to end.

Principles

• We do not propose a build until the readiness memo is written. Half the workloads we see are not ready, and we will say so.
• We work against the data you already have, not the data you wish you had. Data debt is the diagnosis, not the surprise.
• Readiness is a memo with a recommendation, not a slide deck. The output is something your board can read.

Artifacts

• Readiness memo

  A written go / no-go recommendation with the assumptions on record. Three to five pages, board-readable.

• Data inventory

  A mapped inventory of the data domains that will touch the model, with owners, refresh cadence, and known gaps.

• Risk map

  The operational, regulatory, and reputational risks the workload carries, with the named owner on your side for each.

• Gap analysis

  Where current systems sit against the named frameworks the workload will be judged against (NCUA, FFIEC, NIST AI RMF 1.0, HIPAA, FedRAMP-aligned, 42 CFR Part 2).

Who from your team

• CTO or CIO (sponsor)
• Chief data officer or equivalent
• Risk or compliance lead
• One operations leader who owns the workload outcome

Principles

• We pick one measurable outcome, not three. A pilot with three outcomes has none.
• Governance scaffolding stands up before the first commit. Model cards, change logs, and review cadences are wired in from week one, not retrofitted.
• The pilot SOW is short enough to read in one sitting and specific enough to defend in a board meeting.

Artifacts

• Scoped statement of work

  One outcome, one measurement window, one named acceptance owner. Fixed-fee where the scope permits.

• Model risk management plan

  The governance scaffolding the workload will be judged against, including validation cadence, override workflow, and challenger model strategy.

• Data-handling boundary

  A written description of which data domains enter the system, where they live, who can access them, and how they leave.

• Outcome contract

  The baseline, the target, the measurement window, and the named owner on your side and ours. Signed before the first commit.

Who from your team

• Pilot business owner (the person whose KPI will move)
• Risk or compliance lead
• Data platform owner
• Security partner (for the data-handling boundary)

Principles

• We ship the system, not the model. A model is one artifact; the production system is the model plus the inference path, the monitoring, the override workflow, the audit log, and the runbook.
• The principal who scopes the work writes the first commit. There is no handoff to junior staff after the contract signs, because there is no junior staff layer to hand off to.
• Instrumentation is wired in from day one. Completion, time-on-task, override rate, and drift are observable before the system goes to production, not after.

Artifacts

• Production system

  Deployed inside your tenant, in your region, under your IAM. We do not pool data across clients; we do not ship to a PRR-managed environment.

• Model cards and validation logs

  Per-model documentation aligned to NIST AI RMF 1.0 — purpose, intended use, performance profile, evaluation methodology, and the validation memo signed by a PRR principal.

• Runbooks

  Operational documentation written for your on-call team — restart procedures, escalation paths, override workflows, incident response runbooks.

• Change log

  Every shipped change tied to a ticket, a reviewer, a reason, and a back-out plan. The trail your examiner reads from version one through production.

Who from your team

• Engineering manager (your side)
• Security partner (for tenant access and IAM)
• Operations lead (for runbook handover)
• Risk or compliance lead (for the validation review)

Principles

• Operations and engineering share the same on-call. The engineer who shipped the change is in the channel when it pages.
• The governance evidence stays current. Model cards, validation memos, vendor risk packages, and change logs refresh on a written cadence — not when an examiner asks.
• Incidents become artifacts. Every incident produces a written post-incident review that ends up in your shared evidence folder.

Artifacts

• Monitored operations

  Service-level commitments on availability, latency, and outcome quality. Reported monthly against a written SLA.

• Incident response

  Twenty-four-hour written incident response, with a post-incident review delivered for every Sev-1 and Sev-2 within five business days.

• Living model inventory

  Every deployed model tracked with version, owner, last validation date, drift posture, and the next scheduled review.

• Refresh cadence

  Model card refresh, validation memo refresh, vendor risk package refresh — each on a written schedule your governance committee approves.

Who from your team

• Operations lead (your side, for the SLA review)
• Incident commander (for Sev-1 and Sev-2 events)
• Risk or compliance lead (for the refresh cadence)
• Engineering manager (for the on-call rotation)

Principles

• The roadmap is built from production data, not a workshop. The next increment earns its place in the queue with measurable signal, not an opinion.
• Regulatory change is a standing agenda item. Guidance moves; we read the issuances so you do not have to surface them yourself.
• We say plainly when a workload should be retired. Not every model belongs in production forever; some should be retired, not maintained.

Artifacts

• Quarterly review

  A written quarterly review with performance against outcome contract, drift posture, regulatory change summary, and the proposed next increment.

• Updated risk posture

  Risk map refresh, vendor risk re-attestation, and a written list of risks that have moved up or down since the last review.

• Prioritized roadmap

  The next two to three increments, each with a written hypothesis, a measurement plan, and a fixed-scope path.

• Retirement memos

  For workloads that should sunset, a written retirement memo with rationale, replacement plan, and data archival path.

Who from your team

• Executive sponsor (CTO or CIO)
• Pilot business owner (for the outcome read)
• Risk or compliance lead (for the risk posture update)
• Product or engineering manager (for roadmap prioritization)