A release review should produce an accountable decision, not only a completed checklist. The decision record should show what was reviewed, which evidence was current, what remains uncertain, and who accepted any residual risk or conditions.
Use a small, explicit decision vocabulary.
| Outcome | Meaning |
|---|---|
| Release | Required hard gates pass, evidence is sufficient for the stated scope, and no conditions remain. |
| Release with conditions | No unresolved blocker remains, but named conditions limit scope, timing, population, authority, monitoring, or follow-up work. |
| Hold | Evidence, controls, or remediation are not sufficient for the current release decision. |
| Do not release | A critical failure, prohibited condition, or unacceptable residual risk prevents release under the reviewed design. |
| Defer decision | The decision owner intentionally postpones judgment until specified evidence or an external dependency becomes available. |
Do not use “approved” without the approved scope, version, environment, and conditions.
Keep these concepts separate:
A report should not call the same item both a blocker and an accepted release condition.
For each material gate or finding, record:
| Field | Purpose |
|---|---|
| Control / question | What release proposition is being tested? |
| System scope | Model, prompt, data, tools, permissions, environment, and population covered |
| Evidence | Report, test, review, run, or artifact used |
| Provenance | Author, system, version, date, and source location |
| Freshness | How long the evidence remains relevant and what changes invalidate it |
| Method | How the result was produced and reviewed |
| Result | pass, fail, partial, not tested, or not applicable with rationale |
| Limitation | Coverage, uncertainty, evaluator, or dependency limits |
| Owner | Person accountable for the control or remediation |
| Disposition | blocker, required action, condition, exception, residual risk, or observation |
Evidence should be traceable to the reviewed system version. A current report about an earlier prompt, model, dataset, permission set, or architecture may not support the current decision.
An exception record should include:
Exceptions should expire. Repeated renewal is evidence that the standard, architecture, or operating model needs review.
A release condition must be enforceable and testable.
Weak condition:
Monitor closely after launch.
Stronger condition:
Limit the pilot to 100 authenticated internal users, keep all tools read-only, alert the service owner on any unauthorized tool attempt, and disable the pilot if two critical retrieval-boundary failures occur before the 30-day review.
A condition should state scope, owner, measurement, trigger, and action.
Record:
Risk acceptance is a decision, not a checkbox delegated to the author of the report.
# Release decision: [system / version / scope]
**Decision owner:**
**Decision date:**
**Outcome:** release | release with conditions | hold | do not release | defer
**Reviewed scope:** model, prompt, data, tools, permissions, environment, population
**Evidence cutoff:**
## Decision rationale
[Why the evidence supports this outcome.]
## Hard gates
| Gate | Result | Evidence | Limitations | Owner |
|---|---|---|---|---|
## Findings and disposition
| ID | Finding | Severity | Disposition | Owner | Due / expiry |
|---|---|---|---|---|---|
## Conditions and exceptions
| ID | Constraint / deviation | Scope | Monitoring / stop trigger | Approver | Expiry |
|---|---|---|---|---|---|
## Residual risks accepted
| Risk | Evidence and uncertainty | Scope | Accepting owner | Review trigger |
|---|---|---|---|---|
## Changes that invalidate this decision
- model, prompt, retrieval, data, tool, permission, infrastructure, user-population, or policy changes as applicable
## Follow-through
- release or hold action owner:
- evidence-retention location:
- next review:
- incident and rollback owner:
Before signing: