Write your High-Stakes Clearance and ship a defensible product · The Builder's Stack

Testing & evidence

In December 2023, the Federal Trade Commission banned Rite Aid from using facial recognition for five years. The order did not find the technology illegal in general. It found that the company had deployed the system without reasonable safeguards, testing, or oversight, and the ban filled the space where those should have been.

The same order also describes the way back. Before the technology can return, the company has to build a full governance program. The order is as much about earning permission as it is about punishment, and that program is what lets the technology come back lawfully.

You have spent this part building the pieces of that program. This closing chapter assembles them into one document that shows your product is defensible, starting with the people who have to approve it.

Governance is a loop, not a binder

The word program makes people picture a binder that sits on a shelf once it is signed.

A working governance program is a loop, not a document: you build the product, someone challenges it, someone verifies it, and every change runs back through that same cycle.

The standard structure for that loop is the three lines of defense, the model most regulated firms organize around. In plain words, it works like this.

The first line builds and owns the risk. That is you. The product team picks the model, writes the prompts, sets the thresholds, and owns the harm when something ships wrong.
The second line challenges the first independently. Risk and compliance review what you built without reporting to you, and their job is to say yes or no with written reasons.
The third line verifies that the whole arrangement works. Internal audit checks that the gates log, the reviews happen, and the sign-offs exist.

Your job as the PM is to make the first line so easy to read that the second line can say yes quickly. The reviewers are not what slows shipping down; a first line they cannot follow is. Your legal and compliance teams are the authority on where the lines sit.

Governance is how regulated teams ship fast, not what stops them

If governance sounds like the opposite of shipping, the record disagrees. The FDA's public list of AI-enabled medical devices cleared for clinical use has passed a thousand clearances. In insurance, the NAIC's model bulletin, adopted in 2023 and taken up by many states since, expects every insurer to keep a written AI governance program as a baseline. The teams shipping inside those rules did not avoid governance; they made it routine, with templated evidence, standing review slots, and change rules agreed in advance, so each launch reuses the setup the last one built.

Decide what re-triggers review before the first urgent fix

The thing that catches almost every team is change management, meaning the rules for what happens when an already-approved system changes. A new model version obviously re-opens review. A prompt change counts as a model change too, because what reviewers approved was the product's behavior, not the specific model weights behind it. A corpus update changes what the product can draw on, and a threshold change moves who gets flagged. Sort the changes you can see coming into tiers.

Changes that re-run the suite are the routine tier: a scheduled corpus refresh from an approved source ships once the full eval suite passes and the run is logged.
Changes that need second-line sign-off are the behavior-shaping tier: a prompt revision, a threshold move, or a new tool permission re-runs the suite and then waits for risk or compliance approval.
Changes that re-open the launch review are the top tier: a new model version or a new capability goes back through the whole gate map as if it were new.

Write these tiers down before the first urgent fix, because the middle of an incident is the most expensive place to invent your change policy.

Design the kill switch and the shutdown plan while things are calm

A defensible product is one you can turn off, where everyone involved already knows how. Write the answers down now, while nobody needs them yet.

Decide who can pull it, and how fast. Name roles, not individuals. The on-call engineer and the second line both hold the authority, and you learn how long it really takes to go from decision to off by running a drill, not by guessing.
Decide what the product does while it is off. Choose the fallback state in advance: requests queue to people, a static flow takes over, or the product declines with an honest message. If no one designed the off state, flipping the switch just causes an outage instead of a fallback.
Decide how it is eventually shut down for good. Products retire, but their records cannot retire with them: evals, logs, fairness results, and sign-offs have to outlive the system for as long as your retention rules require, because audits and disputes can land years later.

Assemble the High-Stakes Clearance

The part's artifact gathers it all. The High-Stakes Clearance is one fillable document that holds the envelope (what the product may do, must refuse, and hands to a person), the model dossier (the model, its version, and the testing behind the choice), the corpus and its entitlements (what the product reads, and who may see which documents), the gate map (where people review before the product acts), the fairness results, the evidence plan (what is logged and how long it is kept), and the sign-offs: who built it, who challenged it, who approved it, and what re-triggers review. Every section maps to a drill in this part, so you fill it from work you have already done.

It ties together the artifacts you already built. The Quality Bar from Stand up your eval and make it the bar defines what a good output is. The Agent Charter from Write the Agent Charter and ship with authority you chose sets the limits on what the product may do on its own. The Clearance sits above both and shows the whole product is defensible, with the decision and the name next to it. The fillable PDF lives with the rest in References & artifacts.

Try it now

Fill the Clearance for your own product. This is the capstone drill of the part, so allow thirty minutes and bring the outputs of your earlier drills.

Pull the Clearance and your drill outputs together. Open the fillable document and gather what the earlier drills produced: the envelope, the gate notes, the fairness numbers, the evidence list.

Fill every section from work that exists. Paste real results with their dates: the eval run as it scored, the gate map as built, the fairness slice as measured. Write what ran, not what is planned.

Mark each section evidence-backed or aspirational. Evidence-backed means you could produce the artifact within an hour of being asked, and aspirational means the section describes a plan. The honest label is useful; the unmarked aspiration is the theater the guardrail warns about.

Collect one signature that is not your own. Ask a teammate, a counsel, or a risk partner to read it and sign. Their questions are a preview of what the second line will ask, and wherever they hesitate before signing is the section they do not yet believe.

Treat the aspirational sections as the pre-launch backlog. Each one becomes a work item with an owner and a date, and the Clearance is finished when the word aspirational no longer appears.

Chapter Summary

Governance is not a binder you sign once. It is a loop where you build the product, someone challenges it, someone verifies it, and every change runs back through that cycle.
That loop has a standard structure, the three lines of defense: your team owns the risk, a second line challenges your work without reporting to you, and internal audit checks that the gates, reviews, and sign-offs really happened.
Make your work easy enough to read that the second line can say yes quickly. The reviewers are not what slows shipping down, an unclear first line is.
Heavily regulated products ship all the time. They do it by making governance routine, with templated evidence, standing review slots, and change rules agreed in advance.
Decide ahead of time what re-triggers review, and sort changes into tiers: some just re-run the eval suite, some also need second-line sign-off, and a new model or capability goes back through the full launch review.
Write those change rules down before the first urgent fix, because the middle of an incident is the worst time to invent your change policy.
Design the kill switch while things are calm: who can pull it and how fast, what the product does while it is off, and how its records outlive it for audits and disputes years later.
The High-Stakes Clearance is one fillable document that ties your earlier artifacts together and shows the whole product is defensible: what it may do, on what evidence, who challenged it, and whose name is on it.
Mark every section evidence-backed or aspirational, and treat the aspirational ones as your pre-launch backlog. A signed Clearance over controls that do not run is worse than none.
The standing rules stay condensed in the Playbook, and from here the work is keeping the loop turning.

Sources

Federal Trade Commission (2023). Stipulated order in the Rite Aid facial recognition matter.
U.S. Food and Drug Administration (ongoing). Public list of AI-enabled medical devices.
National Association of Insurance Commissioners (2023). Model Bulletin on the Use of Artificial Intelligence Systems by Insurers.
The Institute of Internal Auditors (2020). The Three Lines Model.

Marks this chapter complete on your course map. Reaching the end does this for you.