8.5 Monitoring, Feedback, Drift, and Incident Response

Launch is the start of responsible operation

AI systems can degrade after launch even when they passed initial testing. Customer behavior changes. Product policies change. Source documents become stale. A foundation model version changes. A fraud pattern adapts. Users learn how to phrase prompts that bypass weak controls. A seasonal event shifts data distribution. Responsible AI therefore needs monitoring and incident response, not just a launch checklist.

Monitoring should be tied to the approved risk register. If the main risk is biased predictions, monitor bias and segment-level outcomes. If the main risk is hallucinated policy advice, monitor unsupported answers, citation quality, retrieval misses, and user disputes. If the main risk is PII leakage, monitor sensitive data detections, log access, and prompt patterns. If the main risk is unsafe tool action, monitor action calls, denied attempts, confirmations, and rollback rates.

Amazon SageMaker Model Monitor can monitor data quality and model quality for SageMaker AI models in production, and it can support bias drift and feature attribution drift through Clarify-related monitoring. The usual pattern is to capture inference data, create a baseline, define a monitoring schedule, inspect reports, and use CloudWatch alerts for violations. A practitioner does not need to build the code, but should recognize that monitoring needs a baseline and a response plan.

Generative AI monitoring is broader than classic model accuracy. A Bedrock RAG assistant might need telemetry for prompt length, response length, latency, token cost, retrieved document IDs, citation presence, refusal rate, guardrail interventions, user feedback, and escalation outcomes. A Bedrock Agent might need traces for action selection, parameter collection, tool calls, downstream errors, confirmations, and human handoffs. Without this evidence, teams cannot tell whether a bad answer came from the model, prompt, retrieval corpus, permissions, or action design.

Monitoring also has privacy implications. Model invocation logs, prompt traces, reviewer notes, and feedback can contain sensitive information. Teams should decide what to log, how to redact or mask, how long to retain it, and who can access it. It is weak governance to collect every prompt forever without a purpose. It is also weak governance to collect no evidence for a high-risk system. The right balance depends on risk, policy, and audit needs.

Feedback loops should be deliberate. Users need a simple way to mark an answer incorrect, unsafe, incomplete, or helpful. Reviewers should record why they changed an output. Product owners should review trends rather than individual anecdotes only. Feedback should feed into prompt updates, source corrections, guardrail tuning, reviewer training, model evaluation, or feature rollback. Feedback that sits in a dashboard nobody owns is not a control.

AI incident response workflow:

1. Detect: identify the signal, such as unsafe answer, PII exposure, biased outcome, hallucination, or unauthorized action.
2. Triage: classify severity based on affected users, sensitivity, harm, recurrence, and legal or customer impact.
3. Contain: disable a prompt, tighten a guardrail, remove a data source, pause an agent action, or route all outputs to review.
4. Preserve evidence: save relevant logs, prompts, outputs, source documents, model IDs, guardrail versions, and reviewer actions according to policy.
5. Communicate: notify owners, support teams, legal or compliance, and affected users where required.
6. Remediate: fix prompts, data, permissions, guardrails, model choice, review workflow, or business process.
7. Validate: retest normal, edge, and misuse cases before restoring automation.
8. Learn: update the risk register, runbook, monitoring thresholds, and training.

Scenario: a RAG assistant starts citing outdated policy after a document migration. Monitoring shows rising user corrections and retrieval from old S3 prefixes. The incident response should remove stale documents, re-ingest the knowledge base, verify metadata filters, notify support teams, and review why source ownership failed. The answer is not simply choosing a larger model.

Scenario: a SageMaker AI fraud model begins flagging a new customer segment at a higher rate after a market campaign. The team should compare current data to the baseline, inspect model quality and bias drift, review whether the campaign changed the input distribution, and route affected decisions to analysts while investigating. Monitoring connects data drift to fairness and business process risk.

Scenario: a Bedrock Agent submits duplicate service requests because users refresh the page during slow responses. The incident is partly AI and partly application design. The fix may require idempotency keys, clearer confirmation, better timeout handling, and trace review. Responsible AI incident response includes downstream systems, not only model prompts.

CloudTrail and CloudWatch are important supporting services. CloudTrail can help answer who invoked or changed AWS resources, depending on the service and configuration. CloudWatch can collect metrics, logs, and alarms for application behavior, SageMaker monitoring jobs, and operational thresholds. AWS Config, Audit Manager, and other governance services may support broader evidence collection, but monitoring still needs business-specific signals.

For AWS Skill Builder practice, read AI scenarios as operations stories. Ask what baseline exists, what signal detects drift, who receives the alarm, what gets paused, what evidence is kept, and what must be retested. A responsible system is one the organization can operate when behavior changes.