Model Card & Change Log Template

Mercury Security | 2025

Introduction

Model cards and change logs provide transparency into how AI systems are designed, deployed, and updated. A model card describes the system’s purpose, data, and performance, while the change log tracks updates over time. Together, these artifacts demonstrate lifecycle accountability, which is emphasized in the EU AI Act, GDPR, NIST AI RMF, and ISO/IEC 42001 (European Union, 2016; European Union, 2024; NIST, 2023; ISO, 2023).

How to Use This Template

  • Create one model card per AI system.
  • Update the change log whenever a significant modification occurs (e.g., new dataset, model retraining, guardrail adjustment).
  • Maintain both documents as part of the audit evidence pack.

Model Card Template

System Name: ___________________________________
Version: _______________________________________
Deployment Date: ________________________________
System Owner: ___________________________________

Purpose and Scope

Describe the intended purpose of the AI system and its boundaries. Include both intended use and out-of-scope use cases.

Training and Data Sources

Document training data origins, preprocessing, and data governance considerations. Note whether PII was included and if it was redacted or anonymized.

Performance Metrics

List measurable outcomes (e.g., accuracy, refusal rate, bias test results). Include confidence intervals where available.

Risks and Limitations

Identify known limitations, potential biases, or cases where the system may fail.

Human Oversight

Describe escalation paths and human-in-the-loop controls.

Regulatory Mapping

Note applicable frameworks (e.g., GDPR, AI Act Article 13 transparency, NIST AI RMF).

Change Log Template

Date

System Version

Change Description

Reason for Change

Approved By

Rollback Available

2025-08-15

v1.1

Added refusal for medical Qs

Regulatory alignment

V. Bakos

Yes

2025-09-01

v1.2

Retrained with EU data corpus

Improve localization

R. Smith

Yes

Review and Sign-Off

Model Owner Signature: ___________________________
Governance Lead Signature: _______________________
Date: _______________________

References

European Union. (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation). Official Journal of the European Union. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32016R0679

European Union. (2024). Regulation (EU) 2024/1689 of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (AI Act). Official Journal of the European Union. https://eur-lex.europa.eu

ISO. (2023). ISO/IEC 42001:2023 Information technology — Artificial intelligence — Management system. International Organization for Standardization.

National Institute of Standards and Technology. (2023). AI Risk Management Framework (NIST AI RMF 1.0). Gaithersburg, MD: NIST.

linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram