
AI governance migration checklist for IT leaders

04 February 2026

Most AI governance migrations fail because they are treated as purely technical exercises, such as moving an API key or a model endpoint from one cloud to another.

If you migrate unmanaged AI usage without fixing the underlying access model, you aren’t migrating; you are just moving risk. For IT leaders, a successful migration is the only opportunity to refactor "shadow AI" into enforceable, governed workflows without freezing developer velocity.

This checklist provides a framework for bringing existing AI usage under structured control while maintaining delivery momentum.

Phase 1: Surface the shadow AI reality

Before moving a single service, you must bridge the gap between your official policy and actual developer behavior.

  • Inventory shadow AI usage: Identify unsanctioned use of third-party LLM providers or unmanaged "vibe-coding" assistants within the dev team.
  • Map data touchpoints: Which AI workflows interact with regulated data (GDPR, PCI, or proprietary IP)?
  • Identify implicit access: Locate agents or scripts currently running with broad, "all-access" tokens rather than scoped service accounts.
  • Baseline spend: Audit the current fragmented costs of AI API usage across disparate team accounts.

Phase 2: Refactor governance (decide what to move vs. what to block)

The goal of migration is to fix what no longer scales. Some patterns should never be carried forward.

  • Standardize identity: Replace personal developer tokens with platform-level service accounts.
  • Define environment scopes: Ensure AI agents are blocked from production data during testing phases.
  • Codify the guardrails: Move from "paper policies" to machine-readable rules.
    • The Upsun advantage: Use declarative, Git-driven configuration (upsun.yaml) to make platform rules explicit and reviewable via PR.
  • Establish "pause" criteria: Identify high-risk workflows (for example, autonomous agents with write-access to production databases) that must be refactored before they are permitted to migrate.

Phase 3: The migration execution (validating boundaries)

This is where you move the workflow. The focus here is on automated boundary enforcement.

  • Validate in staging/development environments: Deploy the migrated AI workflow into an isolated environment that clones production logic but stays air-gapped from live users.
    • The Upsun advantage: Use production-perfect preview environments to test how AI agents behave under new security constraints without touching production.
  • Enforce via pipeline: Ensure compliance checks, such as WAF rules and audit logging, are triggered automatically during the deployment.
  • Test "failure modes": Intentionally trigger a governance violation (for example, an agent trying to access an unauthorized API) to confirm the platform blocks the action.
  • Audit trail confirmation: Verify that the migration process itself is documented in the Git history, showing who changed which governance control and why.

Phase 4: Operationalizing continuity (the "done" state)

A migration is only "complete" when governance becomes an inheritable capability of the platform, not a manual review task.

  • Enable inheritance: Do new AI projects automatically inherit the security posture of the platform?
  • Shift to monitoring: Transition from "blocking everything" to proactive observability.
  • Auditor readiness: Can you generate a report of all AI environment changes over the last 30 days without manual data entry?
    • The Upsun advantage: The centralized console in Upsun provides a single source of truth for every environment, deployment, and access change across your entire AI portfolio.

Why platforms matter during governance migration

Governance migrations are significantly harder when environments and configurations vary by team. When every project has a bespoke deployment path, introducing a new security control requires a bespoke project.

Upsun makes governance migrations tractable by standardizing the foundation.

By using a platform that treats infrastructure as code and environments as disposable clones, IT leaders can introduce controls once and apply them broadly. This shifts governance from a "policing" function to a "platform" function.

How Upsun supports your migration roadmap

  • Instant staging/development environments: Stop guessing if a security policy will break the app. Test it on a clone of your entire production stack first.
  • GitOps workflow: Every change to your AI governance is a pull request. It is reviewable, reversible, and auditable.
  • Multi-cloud portability: Standardize your governance once and deploy it across AWS, Azure, IBM Cloud, or GCP without rewriting your security model.

What to do next

If AI tools and agents are already embedded in your organization, your migration has already begun. You just haven't governed it yet.

Start by running the phase 1 audit above. Once you understand the gap between your current usage and your required security posture, you can determine if your current platform is an accelerator or a bottleneck.
