DAY 056 / Model Cards / Documentation

Automated Documentation: The Dynamic Model Card

Model Cards
Documentation
CI/CD
Compliance
Reproducibility

Abstract

"Documentation Drift" is the silent compliance killer. It occurs when the PDF report describing a model (v1.0) remains static while the production system auto-updates to v3.2. In regulated environments, a mismatch between documented behavior and actual behavior is not just a bug; it is a falsified record. As of August 2026, the EU AI Act mandates that high-risk AI systems maintain current, accurate technical documentation—making dynamic model documentation a legal requirement, not a best practice. This post replaces the manual "write-up" with Dynamic Model Cards—immutable artifacts generated programmatically by the CI/CD pipeline. By fusing human-authored context (Intended Use) with machine-generated facts (Accuracy, Fairness Scores), we create a "living" document that is guaranteed to match the deployed binary, serving as a single source of truth for auditors, executives, and engineers.

1. Why This Topic Matters

In traditional software, if the docs are outdated, a developer gets annoyed. In AI Engineering, if the docs are outdated:

  1. Audits Fail: You cannot prove the model currently serving loans was tested for bias against the latest protected groups.
  2. Incidents Escalate: On-call engineers cannot determine if a failure is due to a known limitation (e.g., "Does not work for low-light images") because that limitation was discovered after the initial PDF was written.
  3. Shadow AI: Stakeholders rely on tribal knowledge rather than the system record.

The shift: Treat documentation as a Build Artifact, not a post-launch administrative chore. If the documentation fails to generate, the deployment fails. Under the EU AI Act (Article 13 – Transparency, and Article 11 – Technical Documentation), this is now a legal obligation for high-risk systems: documentation must be kept up to date and accurate throughout the system's lifecycle.

2. Core Concepts & Mental Models

The Model Card

Proposed by Mitchell et al. (2019), a Model Card is the standard specification for AI reporting. It answers:

  • What does it do? (Inputs/Outputs)
  • How was it built? (Algorithm, Data versions)
  • Where should it be used? (Intended Use, Out-of-scope Use)
  • How well does it perform? (Metrics, Fairness audits)

The "Hybrid Source" Model

We cannot auto-generate everything.

  • Static Context (Human): "This model is designed for... It should not be used for..." (Stored in model_card.yaml).
  • Dynamic Facts (Machine): "Accuracy: 94%. Trained on: 2026-02-25. Data Hash: a1b2c3." (Extracted from the Pipeline).

3. Theoretical Foundations

Docs-as-Code

Documentation follows the same lifecycle as software:

  1. Version Control: The model_card.yaml lives in the Git repo.
  2. Testing: The generation script verifies that all required fields (e.g., "Ethical Considerations") are present.
  3. Release: The final Markdown file is versioned and stored alongside the model weights (e.g., in MLflow or S3).

4. Production-Grade Implementation

We implement a Documentation Compiler step in the CI pipeline.

Architecture:

  1. Training Step: Dumps metrics.json (Accuracy, F1, Fairness Disparity).
  2. Context Step: Reads static_context.yaml (Author, License, Intended Use).
  3. Compiler: Merges JSON + YAML into a Markdown template (card_template.md.j2).
  4. Gatekeeper: Checks if Fairness Score < Threshold. If yes, add a "WARNING" banner or block deployment.

5. Hands-On Project / Exercise

Goal: Create a CI script that generates a Model Card for the bias-mitigated model from Day 55.

Constraint: The build must fail if the card is missing the "Limitations" section or if the model's accuracy is below 80%.

Step 1: The Static Context (model_card.yaml)

This file lives in the repo and is updated by humans only when the product scope changes.

model_details:
  name: "Credit Default Risk Predictor"
  version: "2.1.0"
  owners:
    - "Dr. Sarah Chen (Engineering)"
    - "Alex Rodriguez (Product)"
  license: "Proprietary"

intended_use:
  primary_uses:
    - "Assessing creditworthiness for unsecured personal loans < $50k."
  out_of_scope:
    - "Mortgage underwriting."
    - "Employment screening."

considerations:
  limitations: "Performance degrades on applicants with < 2 years of credit history."
  ethical_risks: "Potential disparate impact on younger demographics (mitigated via re-weighting)."

Step 2: The Dynamic Metrics (metrics.json)

This file is output by the training script (Day 55).

{
  "run_id": "exp-20260225-xyz",
  "train_date": "2026-02-25T14:30:00Z",
  "global_accuracy": 0.89,
  "fairness_disparity_ratio": 1.12,
  "data_version_hash": "sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
}

Step 3: The Generator Script (generate_card.py)

# pip install pyyaml jinja2
import yaml
import json
import sys
from datetime import datetime
from jinja2 import Template

# --- 1. Load Inputs ---
try:
    with open("model_card.yaml", "r") as f:
        static_data = yaml.safe_load(f)

    with open("metrics.json", "r") as f:
        dynamic_data = json.load(f)
except FileNotFoundError as e:
    print(f"Error: Missing input artifacts. {e}")
    sys.exit(1)

# --- 2. Validation Gate ---
# Enforce Governance: card cannot ship without a Limitations description.
if not static_data.get("considerations", {}).get("limitations"):
    print("BLOCKING BUILD: 'Limitations' section is empty in model_card.yaml.")
    sys.exit(1)

# Enforce Quality: card cannot ship if model accuracy is below SLA.
if dynamic_data["global_accuracy"] < 0.80:
    print(f"BLOCKING BUILD: Accuracy {dynamic_data['global_accuracy']} is below SLA (0.80).")
    sys.exit(1)

# --- 3. The Template (Markdown) ---
template_str = """
# Model Card: {{ static.model_details.name }}

## Model Details
- **Version:** {{ static.model_details.version }}
- **Date:** {{ dynamic.train_date }}
- **Run ID:** `{{ dynamic.run_id }}`
- **Data Hash:** `{{ dynamic.data_version_hash }}`

## Intended Use
{{ static.intended_use.primary_uses | join(', ') }}

## Performance Metrics
| Metric | Value |
|--------|-------|
| Global Accuracy | **{{ "%.2f"|format(dynamic.global_accuracy) }}** |
| Fairness Disparity | **{{ "%.2f"|format(dynamic.fairness_disparity_ratio) }}** |

## Limitations & Risks
> {{ static.considerations.limitations }}

*Automated Generation via CI/CD Pipeline on {{ now }}*
"""

# --- 4. Render & Save ---
template = Template(template_str)
output = template.render(
    static=static_data,
    dynamic=dynamic_data,
    now=datetime.now().strftime("%Y-%m-%d %H:%M")
)

with open("MODEL_CARD.md", "w") as f:
    f.write(output)

print("SUCCESS: Model Card generated at MODEL_CARD.md")

Step 4: The CI Step (GitHub Actions)

# .github/workflows/deploy_model.yml
steps:
  - name: Train Model
    run: python train.py --output metrics.json

  - name: Generate Documentation
    run: python generate_card.py

  - name: Upload Artifact
    uses: actions/upload-artifact@v4
    with:
      name: model-documentation
      path: MODEL_CARD.md

  - name: Deploy
    if: success()
    run: ./deploy_to_prod.sh

6. Ethical, Security & Safety Considerations

The "False Confidence" of Automation

Automated docs can become a "check-the-box" exercise. If the intended_use field is copy-pasted from an old version and says "Safe for Medical Use" when the new model is actually "Experimental," the automation has propagated a lie.

  • Mitigation: Require a Human Review of model_card.yaml changes in every Pull Request (CODEOWNERS file).

Security: Metadata Leaks

Do not log raw data samples or PII in the card. Use hashes (data_version_hash) and aggregated statistics only.

7. Business & Strategic Implications

  1. Audit Defense: When a regulator asks, "What was running on March 12th?", you don't scramble. You pull the MODEL_CARD.md associated with that release tag. It contains the exact hash, metrics, and known limitations at that time.
  2. Vendor Transparency: If you sell AI (B2B), providing a rigorous Model Card with every API update builds immense trust with enterprise buyers who have their own compliance requirements.
  3. Onboarding: New engineers can read the card to understand the system's boundaries without reading 5,000 lines of training code.
  4. EU AI Act Compliance: For high-risk systems, EU AI Act Articles 11 and 13 require current, accurate technical documentation and transparency information. Dynamic Model Cards are the engineering implementation of these requirements—automated generation ensures documentation never lags a deployment. Non-compliant organizations face fines of up to €30M or 6% of global annual turnover.

8. Common Pitfalls & Misconceptions

  • Pitfall: PDFs.

    • Reality: PDFs are where information goes to die. Use Markdown/HTML that renders natively in your Git repo or internal developer portal (Backstage).

  • Pitfall: Omitting the "Not For" section.

    • Reality: Defining "Out of Scope" uses is more important for safety than defining "Intended Uses." (e.g., "Do not use for children under 13").

  • Pitfall: Detached Metrics.

    • Reality: Reporting "Accuracy: 90%" is useless without the test set definition. The card must link to the Evaluation Dataset ID.

9. Prerequisites & Next Steps

Prerequisites:

  • A training script that outputs JSON metrics.
  • A CI/CD runner (GitHub Actions, Jenkins).

Next Steps:

  1. Integrate: Add the generate_card.py script to your pipeline.
  2. Publish: Push the Markdown file to a static site generator (e.g., MkDocs) so stakeholders can view it via a URL.
  3. Expand: Add visualization plots (Confusion Matrix) to the generated Markdown by saving PNGs and linking them.

A Model Card documents what a model does. The next challenge is proving what a model created. Day 57: Content Provenance & Watermarking (C2PA) extends the audit trail from the model itself to every artifact it generates, using cryptographic signatures and invisible pixel-level watermarks to survive the "screenshot-and-share" attack.

10. Further Reading & Resources

  • Paper: "Model Cards for Model Reporting" (Margaret Mitchell et al., 2019) – The original specification; now the de-facto standard.
  • Tool: Google Model Card Toolkit – More complex, Protobuf-based alternative for structured generation.
  • Regulation: EU AI Act Articles 11 (Technical Documentation) and 13 (Transparency) – These articles make current, accurate model documentation a legal requirement for high-risk AI systems from August 2026.
  • Standard: ISO/IEC 42001 (AI Management Systems) – Requires documented system specifications and supports the dynamic card approach.
  • Concept: A visual example of a completed, rigorous Model Card.