Governance & compliance mechanics
FULL TRANSCRIPT
Day 42: governance and compliance mechanics. Model cards, plus lineage (Glue), plus auditability, WA Tool GenAI Lens.

Big idea, one sentence: if you can't explain which model, which data, which version, who approved it and when it ran, your GenAI system is non-compliant.

Model cards. What exactly is this model? A model card is documentation, not code. It answers: what the model is for, what it was trained on (high level), known limitations and biases, safety considerations, approved use cases, version history. In AWS exams, model cards exist to support governance, risk review, compliance audits. Exam signal: explainability, intended use, limitations, risk. Model card.

Two, lineage. Where did this output come from? Lineage means traceability across the entire pipeline: data source, transformations, embeddings, retrieval, model version, prompt version. AWS expects lineage to be machine traceable, not tribal knowledge.

Where lineage lives (exam friendly): use AWS Glue for data cataloging, dataset versioning, schema tracking, transformation history. Glue helps answer: which dataset version fed this model run?

Exam trap: if lineage is described as "documented in a wiki," ni

Auditability:
who did what and when? This is non-negotiable in regulated systems. Use AWS CloudTrail to record model invocations, prompt updates, agent tool executions, permission changes, approvals. CloudTrail answers: Who changed the prompt? Who deployed the model? When was this endpoint called? From which identity? Exam signal: audit, forensics, compliance, evidence. CloudTrail.

Number four, how these pieces fit
together. This is the exam core. Think of governance as layers, not tools. Layered governance stack: model card (intent and risk), Glue lineage (data truth), CloudTrail (action evidence), logs, traces (execution detail). No single service is enough.

Five, AWS Well-Architected Tool
GenAI Lens. AWS doesn't just give services, it gives review frameworks. The AWS Well-Architected Tool with the GenAI Lens helps teams assess governance readiness, risk management, auditability, responsible AI practices. It asks: Are models documented? Is lineage traceable? Are actions auditable? Are guardrails enforced? Exam nuance: WA Tool does not enforce, it assesses.

Number six, AWS
static plus two. Important twist here. Most days are static plus one. Governance is static plus two. Static: governance rules, audit requirements, approval processes. Plus one: system execution. Plus two: auditor, reviewer, regulator. Your system must satisfy someone who was not present at runtime. That's why documentation plus logs both matter.

Number seven, real governance questions your system must answer. If your architecture can't answer these, it fails compliance. Which model version produced this output? Which prompt version was used? Which data sources were involved? Who approved this configuration? When was it executed? Was it within approved use? AWS exams quietly test all six.

Eight, classic exam
traps. Very common. "CloudWatch logs are enough for audit." "Model cards are optional." "Lineage only matters for training." "WA Tool enforces compliance." Explainability. Better prompts. Governance. Observability. Prompt quality.

One memory story. Lock it in. The court case. Model card: expert testimony, what this model is allowed to do. Glue lineage: evidence chain, where the data came from. CloudTrail: CCTV footage, who touched what. WA Tool: pre-trial checklist, are we compliant? If any piece is missing, the case collapses.

Exam compression rules. Memorize. Explain intent: model card. Trace data: Glue lineage. Prove actions: CloudTrail. Assess readiness: WA Tool GenAI Lens. Governance equals static plus two. If an answer focuses only on runtime logs: incomplete.

What AWS is really testing. They're asking, "Could this GenAI system survive a regulatory audit 6 months later?" Not "Does it answer questions correctly?" If your answer includes documentation, lineage, audit trails, formal review, you're answering at AWS professional governance level.

Below is a
full, realistic, end-to-end governance example that maps exactly to model cards, lineage (Glue), auditability (CloudTrail), WA Tool GenAI Lens, AWS static plus two thinking.

Real example, day 42: governance and compliance mechanics. Scenario IO. A health insurance company uses a GenAI system to answer coverage questions, explain policy clauses, assist support agents, not customers directly. This system is regulated. 6 months after launch, an auditor investigates a complaint. The complaint, this is the trigger:
On March 3rd, the AI incorrectly advised that a treatment was covered. The auditor asks: one, which model answered? Two, which data was used? Three, which prompt version? Four, who approved it? Five, when was it run? Six, was it allowed to do that? Your system must answer all six.

Model card: proving
intent and limits. The GenAI team maintains a model card for the deployed model. It states: intended use: internal decision support only; not allowed: final medical or coverage decisions; known risks: ambiguity and legacy policy wording; version: V3.2 to; approval: risk and compliance team. Why this matters: the auditor immediately sees this model should not be making final decisions. This reduces liability. Exam signal: explainability, intended use, risk review. Model card.

Lineage: tracing the data path
Glue. The auditor now asks: what data did the model rely on? The company uses AWS Glue for lineage. Glue shows: source dataset policy docs 20244Q1, ingested from S3 bucket policy source prod, by ETL job policy normalize v2, embedded using Titan embed v2, indexed on 2025-02-20. Critical point: you can say the model did not see policies added after Feb 20th. That explains the error. Exam trap avoided: lineage is machine traceable, not "we think it was this data."

Auditability: who did what, when?
CloudTrail. Next auditor question: who changed anything? Using AWS CloudTrail, you show: prompt updated on Feb 18th by user policy admin. Model alias switched on Feb 25th by CI/CD role. Agent invoked on Mar 3rd at 2TC. Caller identity: support agent 783. Source IP: corporate VPN. Why CloudTrail matters: immutable, identity-aware, time-ordered. Exam signal: audit, who changed, when deployed. CloudTrail.

Execution evidence: tying it together. You now correlate CloudTrail (who, when), Glue lineage (what data), model card (what it's allowed to do). You conclude: model used approved version; data was outdated but approved; prompt stayed within allowed scope; output exceeded intended use. This is governance, not debugging.

WA Tool GenAI Lens: pre-audit readiness. Before launch, the team ran the AWS Well-Architected Tool with the GenAI Lens. The review asked: Do you maintain model cards? Is lineage traceable? Are invocations auditable? Are guardrails enforced? Recommend improvement. The risk was documented before production. Exam nuance: WA Tool does not enforce controls, it proves due diligence. Auditors love this.

AWS static plus two: this example in exam terms. Static: model cards, governance rules, approval workflows. Plus one: model execution, Mar 3rd. Plus two: auditor reviewing months later. Your system survives time scrutiny. That's the leap from static plus one to static plus two.

Why this system passes compliance: because it can answer with evidence. Question, answered by T. Which model? Model card. Which version? Model card, CloudTrail. Which data? Glue lineage. Who approved? Model card. When executed, was it allowed? Model card. Missing any one: compliance failure.

One memory story. Lock this forever. The courtroom. Model card: expert testimony, what the model is allowed to do. Glue lineage: chain of custody, where data came from. CloudTrail: CCTV footage, who touched what. WA Tool: pre-trial checklist, were best practices followed? If you can't show evidence, you lose, no matter how good the model is.

Ultra-short exam cheat sheet. Intent and risk: model cards. Data truth: Glue lineage. Actions and identity: CloudTrail. Readiness review: WA Tool GenAI Lens. Governance equals static plus two. If an answer only mentions logs: incomplete.
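
Added example (not part of the transcript and not AWS tooling): a sketch of the correlation step from the scenario, answering the six audit questions from a model card, a lineage record and audit-trail records, and listing any question that has no evidence behind it. The record shapes, field names, versions and times are constructed placeholders, not real Glue or CloudTrail output.

```python
from datetime import datetime

# Constructed sample evidence loosely modelled on the scenario; names, versions
# and times are placeholders, and the records are simplified stand-ins for
# model-card, lineage and audit-trail data, not real AWS output.
MODEL_CARD = {"version": "model-v-example", "approved_by": "risk-and-compliance",
              "not_allowed": ["final coverage decision"]}
LINEAGE = {"dataset": "policy-docs-example", "indexed_at": "2025-02-20T00:00:00+00:00"}
TRAIL = [
    {"time": "2025-02-18T10:00:00+00:00", "action": "prompt_updated",
     "identity": "policy-admin", "detail": "prompt-v-example"},
    {"time": "2025-02-25T09:00:00+00:00", "action": "model_alias_switched",
     "identity": "ci-cd-role", "detail": "model-v-example"},
    {"time": "2025-03-03T14:00:00+00:00", "action": "agent_invoked",
     "identity": "support-agent-783", "detail": "coverage question"},
]

def latest_before(trail, action, when):
    """Most recent record of `action` at or before `when`, or None."""
    hits = [e for e in trail
            if e["action"] == action and datetime.fromisoformat(e["time"]) <= when]
    return max(hits, key=lambda e: datetime.fromisoformat(e["time"]), default=None)

def audit_answers(invocation, trail, lineage, card, output_kind):
    """Answer the six audit questions from evidence; unanswered ones become gaps."""
    when = datetime.fromisoformat(invocation["time"])
    alias = latest_before(trail, "model_alias_switched", when)
    prompt = latest_before(trail, "prompt_updated", when)
    model = alias["detail"] if alias else None
    # An approval only counts if the card covers the version that actually ran.
    approved = card["approved_by"] if card and card["version"] == model else None
    answers = {
        "which_model": model,
        "which_data": f'{lineage["dataset"]} indexed {lineage["indexed_at"]}' if lineage else None,
        "which_prompt": prompt["detail"] if prompt else None,
        "who_approved": approved,
        "when_run": f'{invocation["time"]} by {invocation["identity"]}',
        "within_approved_use": output_kind not in card["not_allowed"] if card else None,
    }
    gaps = [q for q, a in answers.items() if a is None]
    return answers, gaps

answers, gaps = audit_answers(TRAIL[2], TRAIL, LINEAGE, MODEL_CARD, "final coverage decision")
print(answers, gaps)
```

A non-empty gap list is the "missing any one" case: the question exists but no record answers it.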