Module 6: Ship the Professional Capstone · 45 min

Deploy, Log, Monitor, and Maintain an AI Workflow

Learning goal

Turn this lesson into one checked practice output

By the end, you should be able to explain the core idea behind “Deploy, Log, Monitor, and Maintain an AI Workflow” in your own words, apply it to one small real or sample task, and identify what still needs human review.

  1. 1

    Learn

    Read the 45-minute lesson without copying an output blindly.

  2. 2

    Try

    Use a small, non-sensitive example that you can inspect line by line.

  3. 3

    Review

    Check facts, fit, and risk; save one improvement note for next time.

Direct answer

Deploying an AI workflow means placing a versioned system in an environment where authorized users can reach it, failures are contained, operations are observable, and a team can roll back or maintain it. A public URL is only one piece. A professional deployment has separated environments, server-side secrets, durable state, bounded queues, structured logs, service-level targets, alerts with owners, a runbook, and a release process tied to evaluations.

Design for change. Models, prompts, source documents, tools, policies, and traffic patterns will change independently. Record their versions so you can explain why today's output differs from yesterday's.

Draw the production path

A practical workflow often contains:

  1. Client: a mobile or desktop interface that authenticates the user and sends a request.
  2. API layer: validates input, applies rate limits, creates a request or job ID, and returns promptly.
  3. Queue: buffers work when tasks are slow or traffic spikes.
  4. Worker: executes the versioned workflow, model calls, retrieval, and tools.
  5. State store: records transitions, idempotency keys, approvals, and results.
  6. Knowledge store: contains permitted and versioned evidence.
  7. Observability: receives logs, metrics, traces, and alerts.
  8. Human review: handles approvals, low-confidence cases, and incidents.

Keep the API nodes stateless where possible so horizontal scaling does not lose a user's job. Store durable workflow state outside one process. Apply backpressure when downstream dependencies slow: limit queue concurrency and reject or delay excess work instead of launching unlimited model calls.

Separate development, staging, and production. Staging should use synthetic or sanitized data and its own credentials, limits, and indexes. Promote an immutable workflow version after checks pass; do not edit production prompts invisibly from a laptop.

Worked build: a lead-intake drafting workflow

A training company receives course enquiries through a form. The workflow validates consent and contact fields, retrieves current course facts, classifies the requested topic, drafts a response with citations, and queues it for staff review. It never invents seats, discounts, earnings, or admissions decisions.

The synchronous API can return 202 Accepted with a job ID, while a worker performs retrieval and drafting. A status endpoint returns QUEUED, RUNNING, AWAITING_REVIEW, COMPLETE, or a safe error. If the provider is temporarily unavailable, the job waits and retries within a defined budget. If the knowledge base is stale, it escalates rather than drafting.

Use structured events instead of scattered prose logs. This runnable JavaScript helper emits one JSON object per line:

function logEvent(event, fields = {}) {
  if (typeof event !== "string" || !/^[a-z]+(?:[._-][a-z]+)*$/.test(event)) {
    throw new Error("Invalid event name");
  }
  const allowed = new Set([
    "requestId", "state", "latencyMs", "toolCalls", "citationCount",
    "retryCount", "errorClass"
  ]);
  const safe = Object.fromEntries(
    Object.entries(fields).filter(([key]) => allowed.has(key))
  );

  process.stdout.write(JSON.stringify({
    ...safe,
    timestamp: new Date().toISOString(),
    event,
    service: "lead-drafter",
    workflowVersion: process.env.WORKFLOW_VERSION ?? "dev",
  }) + "\n");
}

logEvent("workflow.completed", {
  requestId: "req_demo_123",
  state: "AWAITING_REVIEW",
  latencyMs: 842,
  toolCalls: 1,
  citationCount: 2,
});

This flat allowlist is only a teaching example, not complete redaction. In production, validate the type and size of every allowed value, sanitize nested objects, restrict access, and test that secrets and personal data never appear. The reserved envelope fields are written last so caller data cannot replace the event name, timestamp, service, or workflow version. Generate opaque request IDs rather than putting email addresses or phone numbers in identifiers.

What to log and measure

For each run, record:

  • request, job, and trace IDs;
  • environment and workflow version;
  • model configuration identifier and prompt version, not secret contents;
  • source/index version and retrieved source IDs;
  • state transitions and durations;
  • tool name, sanitized argument summary, status, latency, and retry count;
  • approval event and payload version;
  • input/output token counts or provider usage fields;
  • final state, abstention reason, and error class.

Metrics aggregate behaviour: request rate, queue depth, completion and error rate, retry rate, tail latency, citation support, approval wait time, token usage, cost per completed task, and blocked safety events. Break them down by workflow version and important user path without creating unnecessary personal profiles.

Define service-level objectives that reflect the product. Example: “99% of accepted jobs reach a final or review state within five minutes over 30 days” is more useful than “server up 99%.” Add quality objectives such as citation support or correct abstention, checked through sampled reviews and automated evals.

Alerts need a response

Alert only when someone can act. Each alert should name severity, threshold, owner, first diagnostic query, containment action, and escalation path. Useful alerts include:

  • queue age exceeds the target;
  • error or retry rate jumps after a deployment;
  • completion cost rises sharply;
  • citation coverage falls after re-indexing;
  • authorization blocks or prompt-injection detections spike;
  • no successful synthetic check has run recently;
  • spend or rate-limit thresholds approach a configured boundary.

Provide a kill switch that disables risky tools or new requests while preserving evidence for investigation. For a read-only assistant, degraded mode might return approved static contact information. For a write workflow, fail closed rather than executing without validation.

Release, rollback, and maintenance

Use a deployment checklist:

  1. Automated unit, integration, retrieval, and eval suites pass.
  2. Threat-model controls and secret scanning pass.
  3. Database and index migrations have rollback or forward-recovery plans.
  4. Staging smoke tests use realistic synthetic inputs.
  5. A canary or small traffic slice receives the new workflow version.
  6. Operators compare quality, failure, latency, and cost metrics.
  7. Promotion or rollback is explicit and recorded.

Keep prompts and schemas under version control. Pin dependency versions, monitor deprecations, and schedule source-freshness reviews. Rotate credentials and remove former team access. Test restores from backup. Review alerts and dead-letter jobs. Update the runbook after every incident; otherwise the same failure remains tribal knowledge.

OpenAI's production guidance recommends securing API keys outside code, separating staging and production projects, planning for rate limits, and monitoring usage. Current deployment and error guides should be consulted at implementation time because limits and platform details can change.

Failure cases to rehearse

  • The provider returns rate limits during a marketing spike.
  • A deployment changes output schema while an old worker still runs.
  • The API times out but a queued job continues, so the client submits twice.
  • Retrieval indexing lags behind a newly approved policy.
  • Logs contain full enquiry text and phone numbers.
  • A model or tool dependency becomes unavailable.
  • A queue grows for hours without an alert on job age.
  • A prompt change improves style but harms citation support.
  • Rollback restores application code but not the matching source index or schema.
  • One region or network route fails while a simple uptime probe remains green.

🇵🇰 Pakistan Angle

Test deployment behaviour on mobile data, slower devices, intermittent connectivity, and power interruptions—not only office broadband. Let users safely resume with a job ID rather than resubmitting. Keep pages and status payloads small. Queue long work and show an honest state instead of a spinner that disappears when the phone reconnects.

Budget in current provider units and translate into a reviewed PKR planning range without hard-coding exchange rates into lesson claims. Use Pakistan Standard Time for operator schedules while storing machine timestamps in UTC. If hosting location, cross-border data transfer, or sector rules matter, involve qualified security and legal professionals; a generic cloud checklist is not compliance. Create a manual continuation path for critical workflows when power or internet is unavailable.

Hands-on deliverable

Prepare and demonstrate a deployment operations pack:

  • an architecture diagram covering client, API, queue, worker, state, knowledge, and review;
  • environment separation and secret-management notes;
  • a versioned release checklist with staging, canary, promotion, and rollback;
  • a structured event schema and sanitized example trace;
  • a dashboard with reliability, quality, safety, latency, and cost panels;
  • three actionable alerts with thresholds, owners, and runbook links;
  • a runbook for rate limits, provider outage, stale index, and runaway cost;
  • a maintenance calendar for sources, dependencies, access, backups, and evals.

Completion rubric

  • Workflow state survives restarts and can be resumed without duplicate actions.
  • Development, staging, and production have separate credentials and controls.
  • Logs identify versions and state transitions without secrets or unnecessary personal data.
  • Metrics cover task quality and cost as well as infrastructure uptime.
  • Every alert has an owner and containment action.
  • Release gates include evals, security checks, canary observation, and rollback.
  • The runbook covers dependency, queue, index, rate-limit, and cost failures.
  • Mobile reconnect and local operating constraints have been tested.

Key takeaway: Shipping means making the workflow controllable after launch: version it, observe it, limit it, rehearse failures, and give operators a safe way to recover.

Sources

Self-check

Before you mark Lesson 6.1 complete

  • Can I explain “Deploy, Log, Monitor, and Maintain an AI Workflow” without reading the lesson back word for word?
  • Did I complete the lesson’s practice step on a real or clearly labelled sample task?
  • Did I check the result for invented facts, private data, unsafe actions, and mismatch with the brief?