EAAPL-MDL002 — Shadow Model Deployment

1. Executive Summary

Shadow model deployment allows an organisation to validate a new AI model under real production conditions — full traffic load, real user inputs, live context — without exposing users to the new model's outputs. Production traffic is mirrored asynchronously to the shadow model; the shadow computes a response, which is stored and compared to the production response but never served to the user. This eliminates the principal risk of model upgrades: discovering that a new model behaves differently only after users experience it. For CIOs, shadow deployment is a mandatory risk control before promoting any model upgrade in a regulated or customer-facing context. For CTOs, it provides statistically grounded promotion criteria grounded in real traffic rather than offline benchmarks. For risk officers, it is the evidentiary record that demonstrates the organisation validated model behaviour before promoting a change. The pattern is high-complexity because it requires an asynchronous traffic mirroring infrastructure, a shadow response storage layer, and a statistical comparison pipeline — none of which exist in most organisations by default. The investment is justified for any model with material business impact: customer-facing recommendation, credit decisioning, fraud detection, medical triage support, or automated content moderation.

2. Problem Statement

2.1 Business Problem

Organisations upgrade AI models periodically to improve quality, reduce cost, or address emerging risks. Conventional practice is to test on an offline dataset, then deploy to production. The offline dataset is always stale: it does not represent the current distribution of real user inputs, seasonal patterns, or adversarial inputs. Models that pass offline benchmarks fail in production. The business discovers the failure through customer complaints, revenue impact, or regulatory action.

2.2 Technical Problem

Offline evaluation cannot capture the full complexity of production traffic. Real production requests carry user-specific context, system state, upstream service responses, and time-sensitive signals that are absent from a fixed benchmark dataset. A model that performs identically to its predecessor on a benchmark dataset may perform materially differently on the long tail of real production inputs.

2.3 Symptoms

• Model upgrades cause unexpected quality regressions discovered by customer feedback, not internal monitoring.
• Post-upgrade error rates spike before detection — mean time to detection is hours, not minutes.
• There is no statistical basis for the decision to promote a new model ("it looked good in testing").
• Rollbacks are required for >30% of model promotions in the past year.
• The organisation cannot demonstrate to a regulator that it validated model behaviour before deployment.

2.4 Cost of Inaction

3. Context

3.1 When to Apply

• Before promoting any model version in a customer-facing, regulated, or high-stakes context.
• When offline benchmark datasets may not represent current production traffic distribution.
• When the new model represents a MINOR or MAJOR version change (per EAAPL-MDL001 schema).
• When rollback risk is high and the cost of a production incident exceeds shadow infrastructure cost.

3.2 When NOT to Apply

• PATCH version changes (quantisation, minor optimisation) where behaviour change is expected to be negligible — use regression testing instead.
• Models serving internal tooling with no customer or regulatory impact.
• Contexts where traffic volume is so low that statistical comparison is meaningless (< 1,000 requests/day — use canary instead).
• Stateful write-heavy models where shadow execution risks side effects (see Section 4.4).

3.3 Prerequisites

3.4 Industry Applicability

4. Architecture Overview

4.1 Traffic Mirroring Architecture

Production traffic is mirrored asynchronously to the shadow model using a request duplication layer placed at the load balancer or service mesh level. The critical design principle is that the mirroring is asynchronous and non-blocking: the production request path is unaffected by any shadow-side processing. If the shadow model is slow or fails, the production response is never delayed or affected.

The request duplicator captures the full request payload — including headers, authentication context (anonymised), timestamp, and all inference inputs — and enqueues a copy to a shadow inference queue. The shadow model consumer reads from this queue and processes requests at its own pace. Because shadow processing is decoupled from production request latency, the shadow model can be run on lower-priority compute — scheduled spot instances, off-peak batch processing — without affecting production SLOs.

4.2 Shadow Response Storage

Every shadow inference produces a response pair: the shadow model's response and the corresponding production model's response (retrieved from the production response log by matching a request correlation ID). These pairs are stored in a shadow comparison store — a document or columnar database optimised for the comparison analysis pipeline. The store retains: request ID, timestamp, request payload hash (not cleartext for privacy), production response, shadow response, and all computed quality metrics for both responses.

Retention policy for shadow response pairs: 90 days online, then purged (unless subject to regulatory retention). The shadow store must be scoped as a non-production system: real user input data subject to privacy regulations must be anonymised or pseudonymised before storage.

4.3 Comparison Analysis Pipeline

A daily analysis pipeline processes accumulated shadow/production pairs and produces a comparison report. The pipeline computes: (1) quality metrics for both models — accuracy, BLEU/ROUGE/BERTScore for generation tasks, calibration for classification; (2) latency distribution (p50, p95, p99) for shadow vs production; (3) error rate comparison; (4) cost per inference comparison; (5) safety check results (does shadow model generate any content that production model would not?); (6) disagreement rate — the proportion of requests where the two models produce materially different outputs. The report is published to the model governance dashboard and stored in the Model Register against the shadow version.

4.4 Handling Stateful Operations in Shadow

Shadow models must operate in read-only mode. They must not write to any production database, send notifications, invoke external APIs, or modify any shared state. Shadow inference is computation-only. For models that normally invoke tools or external systems, the shadow request processor must use a stubbed tool layer that records the intended tool calls without executing them. This is enforced by infrastructure — the shadow model's service account has no write permissions on production systems.

4.5 Shadow Duration Guidelines

Shadow duration is determined by model risk tier: Low-risk internal models require a minimum of 1 week with at least 10,000 shadow requests. Medium-risk customer-facing models require a minimum of 2 weeks with at least 50,000 shadow requests. High-risk regulated models (credit, medical, fraud) require a minimum of 4 weeks with at least 100,000 shadow requests and explicit sign-off from the risk function. These are minimums — shadow should continue until promotion criteria are met, regardless of calendar time.

4.6 Promotion Criteria

Promotion from shadow to production (via canary release per EAAPL-MDL003) requires all of the following: (1) shadow quality score meets or exceeds production by the margin defined at version registration; (2) shadow p99 latency within 20% of production p99; (3) shadow error rate does not exceed production error rate; (4) shadow safety check passes (zero content safety violations); (5) minimum shadow duration met; (6) comparison report reviewed and approved by model owner and, for high-risk models, AI Governance.

5. Architecture Diagram

6. Components

7. Data Flow

7.1 Primary Flow

7.2 Error Flow

8. Security Considerations

8.1 Controls Summary

8.2 OWASP LLM Top 10 Relevance

9. Governance Considerations

9.1 Responsible AI

Shadow testing must include fairness analysis in the comparison report: do the shadow model's outputs diverge from production in ways that are disproportionate across demographic subgroups? Any fairness regression detected in shadow is a blocking criterion for promotion, regardless of overall quality metrics.

9.2 Model Risk Management

Shadow deployment is the pre-production validation stage of the MRM lifecycle. The comparison report constitutes evidence for model validation. For APRA-regulated entities, the comparison report is part of the model governance record and must be retained.

9.3 Human Approval Gates

Promotion from shadow to canary is a human decision. The comparison report informs the decision but does not automate it. The model owner must explicitly approve promotion. For high-risk models, the AI Governance function countersigns. Automated promotion without human review is not permitted.

9.4 Governance Artefacts

10. Operational Considerations

10.1 SLOs

10.2 Monitoring and Logging

Key metrics to monitor continuously during shadow period: shadow queue depth (alert if > 10,000 unprocessed), shadow consumer error rate (alert if > 1%), shadow model latency p99 (informational — not blocking production), daily comparison report publication (alert if missing), stub tool layer bypass attempts (alert immediately — P1).

10.3 Incident Response

Two incident classes specific to shadow deployment: (1) Shadow production interference — if any shadow operation writes to or calls a production system, halt shadow immediately; security investigation; version quarantined until investigation complete. (2) Shadow queue saturation impacting production — theoretically impossible if mirroring is purely async; if observed, circuit-breaker drops shadow traffic; P1 incident.

10.4 Disaster Recovery

10.5 Capacity Planning

Shadow infrastructure processes the same volume as production but asynchronously. Size shadow compute at 30–50% of production inference capacity (queue provides elasticity). Shadow response store grows at: (average response size) × (daily request volume) × (retention days). For a service with 100,000 requests/day at 2KB average response size and 90-day retention: ~18 GB. Plan at 5× for safety margins and comparison metadata.

11. Cost Considerations

11.1 Cost Drivers

11.2 Scaling Risks

Shadow inference compute scales linearly with production traffic. A traffic spike doubles shadow compute cost. Mitigation: shadow consumer operates with a configurable maximum throughput; excess shadow requests are shed (shadow completeness reduces, but production is unaffected). Monitor shadow completeness: if < 80%, extend shadow duration.

11.3 Optimisations

• Use spot/preemptible instances for shadow inference (shadow is delay-tolerant).
• Process shadow requests in micro-batches for GPU efficiency (batch size 8–32 depending on model).
• Use columnar compression on shadow response store (response text compresses 5–10×).
• Skip shadow for PATCH version changes; run only comparison analysis on a sampled offline subset.

11.4 Indicative Cost Range

12. Trade-Off Analysis

12.1 Shadow vs Alternative Validation Approaches

12.2 Architectural Tensions

13. Failure Modes

13.1 Cascading Failure Scenarios

If the shadow queue grows unbounded (consumer failure during high-traffic period), the queue infrastructure may exhaust storage. If queue infrastructure is shared with production messaging systems, this can cascade into production messaging failures. Mitigation: shadow queue is isolated from all production messaging infrastructure; maximum queue depth is bounded; when maximum is reached, new shadow messages are dropped (production unaffected).

14. Regulatory Considerations

15. Reference Implementations

15.1 AWS

• Traffic Mirroring: AWS Application Load Balancer traffic mirroring; or Envoy proxy deployed on ECS/EKS with mirror filter.
• Shadow Queue: Amazon SQS FIFO queue with shadow inference Lambda consumer.
• Shadow Inference: SageMaker Endpoint (separate endpoint per shadow version); spot instance backed.
• Shadow Store: Amazon DynamoDB (response pairs); S3 for bulk comparison data.
• Comparison Pipeline: AWS Glue job (daily); results to S3 + QuickSight dashboard.

15.2 Azure

• Traffic Mirroring: Azure API Management with request duplication policy; or Azure Service Mesh (Istio on AKS).
• Shadow Queue: Azure Service Bus Premium (isolation from production).
• Shadow Inference: Azure Machine Learning managed endpoint (shadow version); spot-backed compute cluster.
• Shadow Store: Azure Cosmos DB (response pairs); Azure Blob for comparison data.
• Comparison Pipeline: Azure Synapse Analytics (daily pipeline); Power BI dashboard.

15.3 GCP

• Traffic Mirroring: Cloud Load Balancing with request mirroring; or Istio on GKE.
• Shadow Queue: Cloud Pub/Sub (dedicated topic for shadow).
• Shadow Inference: Vertex AI Endpoint (shadow version); preemptible GPU nodes.
• Shadow Store: BigQuery (response pairs, columnar for analysis efficiency).
• Comparison Pipeline: BigQuery ML + Dataflow; Looker dashboard.

15.4 On-Premises / Hybrid

• Traffic Mirroring: Nginx mirroring directive; Envoy proxy sidecar in Kubernetes.
• Shadow Queue: Apache Kafka (dedicated topic, separate consumer group).
• Shadow Inference: Kubernetes Job on dedicated GPU node pool (lower-priority node affinity).
• Shadow Store: PostgreSQL + TimescaleDB; columnar compression for response pairs.
• Comparison Pipeline: Apache Spark on-cluster; Grafana dashboard.

16. Related Patterns

17. Maturity Assessment

Overall Maturity: Proven

18. Revision History