AIG-010 AI Model Registry and Versioning
Description
A model registry tracks all ML models in development and production. Each registry entry includes: model name, version identifier, framework and library versions, training dataset reference (name and version), training date, evaluation metrics at registration, current deployment status, and owning team. Model artefacts (weights, configs) are stored in version-controlled storage. Promotion from development to production requires a recorded registry entry. Retired models are marked as deprecated, not deleted.
Rationale
Model versioning is not covered at the operational level by NIST AI RMF, ISO 42001, or the EU AI Act. Without a registry, production models cannot be traced to their training data or evaluation results — a prerequisite for debugging, incident response, and audit.
Framework Mappings (3)
| EU-AI-Art.11.1 | Technical Documentation — Preparation and Maintenance | informative |
| A.4.3 | Data resources | informative |
| GOVERN 1.6 | AI System Inventory | informative |
Evidence (2)
Model registry export from MLOps platform (e.g. MLflow, Weights & Biases, SageMaker Model Registry) listing all registered models with version identifiers, training dataset references, evaluation metrics at registration, and current deployment status.
Example: MLflow Model Registry API export (JSON, dated 2026-04-20) showing 14 registered models including name, version, training dataset name/version, evaluation metrics, stage (Staging/Production/Archived), and owning team tag
Test: Query the model registry API or export the full registry. Verify: (1) every production model endpoint corresponds to a registry entry, (2) each entry contains model name, version ID, training dataset reference, evaluation metrics at registration time, current stage, and owning team, (3) no production endpoint lacks a registry entry, (4) retired models are marked Archived rather than deleted, (5) model artefact storage path is recorded and accessible.
Model promotion approval record for a recent model version, confirming that promotion from development/staging to production required a completed registry entry and named approver sign-off.
Example: Model promotion request for fraud-detector v5.2 (Jira AI-1187): registry entry verified by ML Ops lead, metrics reviewed, and Production stage transition approved by Head of ML on 2026-02-14
Test: Request promotion records for the two most recent model version promotions. Verify: (1) registry entry was created before promotion was approved, (2) training dataset reference is included in the registry entry, (3) a named approver signed off promotion, (4) the promotion event is timestamped in the registry audit log.
Questions (3)
Does your organisation maintain a model registry that tracks all ML models in development and production?
A model registry is the prerequisite for tracing production models to their training data and evaluation results — essential for incident response, audit, and debugging. Net-new control: not addressed at this operational level by NIST AI RMF, ISO 42001, or the EU AI Act.
Which of the following are recorded in your model registry for each entry?
All six fields should be present. Missing training dataset references or evaluation metrics at registration time are the most common gaps — they prevent traceability between production behaviour and training decisions.
Is a completed model registry entry required before a model can be promoted from staging to production?
A mandatory promotion gate ensures the registry accurately reflects what is running in production. Registries that are populated after deployment rather than as a gate provide much weaker auditability.