Enterprise Governance & Risk

Sunsetting AI Features: A Decommissioning Checklist

Launching an AI feature gets reviews, sign-offs, and a party. Retiring one gets a Friday-afternoon ticket — which is how orgs end up with live API keys for products that no longer exist.

Claude 3P 101 · Updated July 2026 · Unofficial guide

Decommissioning is the neglected end of the AI lifecycle. A feature that is "turned off" but not decommissioned leaves behind exactly the residue auditors find: credentials that still work, uploaded files nobody remembers, a registry entry frozen at "production," and no record of why the thing went away. The fix is a checklist run by the use case's Owner (see defining AI roles) and closed out in the AI registry. What follows is recommended practice, in the order that avoids the common traps.

Step 1: decide, record, announce

Retirement is a governance decision like launch was. Record who decided, when, and why — cost, low usage, replacement, risk, or a failed sunset review. Notify users with a date and a migration path if one exists. If the feature ever made or influenced decisions about people, involve legal before deleting anything: records of past behavior may need to outlive the feature, and retention obligations trump tidiness.

Step 2: cut traffic, then watch for stragglers

Disable the feature at the application layer first, then verify traffic actually stopped before revoking anything — usage reports grouped by workspace or API key will show stragglers you forgot: a scheduled job, an internal script, a second frontend. On the Claude API, usage data typically appears within minutes, so a quiet week is real evidence. Chasing down each unexpected caller now prevents mysteriously broken workflows after Step 3.

Step 3: revoke access

This is the step most often skipped, because the feature "already doesn't work." Close it anyway:

Remember that on the Claude API, keys belong to the organization and workspace, not to people — a key does not die when its creator leaves, so nothing revokes it except you.

Step 4: clean up stored data

Transient prompts and outputs age out on their own under the Claude API's default retention (deletion within 30 days), but stateful features do not clean up after themselves — by design. Anthropic's documentation is explicit that Files API files are retained until explicitly deleted and Managed Agents session transcripts persist until you delete them. So inventory and delete: uploaded files, agent sessions, skills, and batch inputs/outputs on the Anthropic side; and on your side, prompt logs, cached responses, vector indexes, and evaluation datasets containing production data. On Bedrock and Google Cloud, the cloud provider is the data processor — sweep the buckets, logs, and datasets in your own cloud environment under that platform's controls. Whatever your retention policy requires you to keep (see Step 6), move to archival storage with an expiry, and document the disposition either way.

Step 5: retire the configuration

Archive — do not silently delete — the system prompts, tool definitions, guardrail configurations, and prompt-version history. They are part of the historical record of what ran (your prompt versioning should make this trivial), and stale copies left in live config repositories have a way of being resurrected by someone who finds them and assumes they are current. Mark them clearly as retired. Remove feature flags, dashboards, and alerts so your monitoring surface reflects reality.

Step 6: close the registry entry — don't delete it

Set the registry status to retired with the date, the decision record from Step 1, and the data disposition from Step 4. A deleted entry is an undocumented gap; a retired entry is an answer. Examiners ask about systems that used to run — "we retired it on this date, here is the record" is the response you want available. Keep validation results, change logs, and incident records for the period your compliance team specifies.

Rule of thumb: decommissioning is done when three lookups return clean — no active credentials, no unaccounted stored data, and a registry entry that says retired with a date and a decision behind it.

Where to go next

Upstream of this checklist sit sunset review triggers and retention and deletion policy; the registry practices that make Step 6 trivial are in maintaining an enterprise AI registry.

Sources