advanta

HomeModule LibrarySustaining

Module SUS-06 sigil: Sustaining pillar, Strategy layer, maturity bands 1 to 3.Deterministic sigil for Module SUS-06. The Pillar geometry encodes Sustaining (Pillar 8); the top-right marker S encodes the Strategy layer; the baseline meter encodes maturity bands 1 to 3.SSUS-06
P8· L-E· Bands FoundationalOperationalIntegratedOptimisedDefensible

· SUS-06

Technology Sunsetting Plan

The Technology Sunsetting Plan defines how Legal AI tools are retired without disruption to active matters, data lineage, or defensibility evidence. It specifies the criteria for initiating sunsetting (vendor failure, capability obsolescence, risk profile change, consolidation), the data migration and retention obligations, the user-transition timeline, and the post-sunset evidence archive. Without disciplined sunsetting, retired tools become abandoned data liabilities and orphan integrations accumulate operational risk. Methodology v2026.1.

Operational

·

Per-engagement

·

Typical engagement: 12–24 weeks end-to-end, depending on system criticality and data volume.

Methodology v2026.1

Executive Summary

SUS-06 defines a defensible, end‑to‑end methodology for retiring AI and other legal technology assets. It starts with a Metric 0 pre‑check to confirm policy coverage, AI Bill of Materials (AI BoM) registration, and absence of unresolved Class 6 Shadow AI incidents. A seven‑factor decision matrix and ROAI 4‑quadrant impact assessment determine whether a tool should be immediately retired, planned for retirement, optimised, or retained with monitoring. The module then operationalises a four‑phase sunsetting process: Assessment & Planning, Preparation & Communication, Migration & Transition, and Decommissioning & Closure. It embeds Risk Taxonomy 2026 triggers, emergency Class 6 Shadow AI retirement rules, and explicit Agentic Tier decommissioning gates for Level 4 AI tools. SUS-06 also codifies data protection, business continuity, financial, and contractual risk mitigations, and maps them to external frameworks such as GDPR, CCPA, HIPAA, SOX, FINRA, and ABA professional responsibility guidance. The module produces DPS‑grade evidence across Adoption, Sophistication, and Defensibility lenses, including AI BoM deregistration certificates, intervention logs, destruction certificates, and full audit trails. It is designed for repeatable portfolio optimisation, regulatory readiness, and professional liability protection.

Defensibility Evidence Produced

SUS-06 produces DPS evidence across all three lenses: Adoption lens (user notifications, training records, satisfaction surveys, usage analytics — 5-year retention); Sophistication lens (decision matrix scoring, ROAI 4-quadrant impact analysis, Risk Taxonomy 2026 Class Severity Profile, alternative solution analysis — 5-year retention); and Defensibility lens (executive sign-off, AI BoM Deregistration Certificate, Agentic Tier Decommissioning Gate records, intervention logs, data destruction certificates, contract termination documentation, Class 6 STR-07 reports, legal counsel opinions, client notification records — 7-year retention). The module operates at DPS Tier 3 (Defensible), requiring evidence availability within 48 hours of any regulatory or legal inquiry.

Elements:

Decision traceabilityEvidence framework

The operational problem

AI capability accumulates. New tools deploy; old tools persist past their useful life because no one is responsible for retiring them. The AI Bill of Materials shows three contract-review tools where one would suffice, two research systems with overlapping coverage, an eDiscovery platform whose vendor is no longer supporting the legacy API. Each retired tool that was never formally sunset becomes an orphan integration carrying unmonitored data, expired contracts, and unmaintained access — and the function carries the risk for tools no longer actively governed.

The institutional standard for Defensible AI requires that capability retirement is as disciplined as capability deployment. Without a documented sunsetting plan, the AI BoM grows but never shrinks; defensibility debt accumulates inside retired tools; data migration happens informally or not at all; and the function cannot evidence to the regulator that decommissioned capability has been properly closed out.

The Technology Sunsetting Plan defines that discipline. Without it, the function carries the risk of every tool it has ever procured, including the ones it stopped using two years ago.

Legal AI OS Relevance

The Technology Sunsetting Plan sits at the intersection of Pillar P8 (Sustaining, Optimization & Lifecycle) and the Execution Layer (Layer E). It produces evidence for two Defensibility Elements:

  • DE-1 Decision traceability — the four-phase sunsetting process produces a complete decision trail from retirement initiation to closure
  • DE-3 Evidence framework — the post-sunset evidence archive is itself a framework artefact maintained per the canonical retention discipline

Anchoring across all five bands (Foundational through Defensible), the Module is required at any band where the function operates AI capability. At Band 1 it operates on the first retirement event; at Band 5 it operates as a continuous portfolio-optimisation discipline integrated with the Capability Portfolio (SUS-10) Sunset-stage classification. Methodology v2026.1.

Pillar Alignment

Pillar 8 (Sustaining, Optimization & Lifecycle) is the institutional capability that completes the AI Lifecycle. Most functions execute Concept through Operate well; few execute Sunset with discipline. The Technology Sunsetting Plan is the Pillar-8 instrument that closes the Lifecycle properly.

The Pillar 8 posture this Module advances: from tool deprecated informally; data left in vendor system; contract auto-renews to four-phase sunsetting with Decision Matrix, data migration, AI BoM Deregistration Certificate, and full audit trail.

Operating Layer Impact

The Execution Layer (Layer E) is where capability is operated; SUS-06 is the Layer-E discipline that retires capability with the same rigour as deployment. The Governance Layer (G) writes against the sunsetting plan — the Risk Register (GOV-03) closes out risk-class exposure as the capability decommissions; the Evidence Register (GOV-13) archives the capability’s row set. The Capability Portfolio (SUS-10) advances the capability through Sunset to Closure.

Without disciplined sunsetting, the Capability Portfolio’s Sunset stage becomes a holding pen rather than an executed transition.

Maturity Band Relevance

The Module strengthens the Defensibility lens of the Maturity Stack.

From Band

To Band

Defensibility-lens shift

1 — Foundational

2 — Operational

First retirement executed with documentation → AI BoM accurately reflects current capability

2 — Operational

3 — Integrated

Retirement is structured → four-phase process operational

3 — Integrated

4 — Optimised

Sunsetting cadence integrated with Capability Portfolio → Sunset candidates surfaced quarterly

4 — Optimised

5 — Defensible

Sunsetting is portfolio-optimisation discipline → continuous closure with no orphan tools

Operational Outcomes

Operating the Plan produces eleven institutional artefacts:

Artefact

Purpose

Metric 0 pre-check results and Class 6 Override determinations

The retirement-readiness gate

Weighted Decision Matrix and ROAI 4-Quadrant retirement impact analysis

The retire-vs-optimise decision substrate

Approved technology retirement business case and project plan

The closure programme

Risk register with mitigation and contingency plans

The during-sunset risk discipline

Communication packs for executives, users, clients, vendors

The stakeholder management substrate

Migration runbooks, validation reports, performance baselines

The data-and-workflow transition substrate

Agentic Tier decommissioning records (where applicable)

The Tier-4-specific closure

AI BoM Deregistration Certificate and system shutdown evidence

The institutional record of closure

Data archival and destruction certificates with chain of custody

The data-lifecycle closure

Post-retirement evaluation report and lessons-learned log

The continuous-improvement substrate

DPS Adoption / Sophistication / Defensibility evidence bundles

The DPS-grade record across all three lenses

Records retain for 5-7 years per category, aligning with the longest applicable retention canon.

Defensibility and Governance Considerations

The Module produces evidence for DE-1 (Decision traceability) and DE-3 (Evidence framework). All nine Risk Taxonomy 2026 classes appear; Class 6 (Shadow AI) operates a specific override path within the Module.

For Tier 4 (Agentic) capability retirement, additional gates apply:

  • Agentic Tier Decommissioning Gate — autonomous-action audit trail finalised; outstanding agent state archived; downstream-dependency review completed
  • Delegation-Authority Register (GOV-14) entry archived with the decommission record
  • Materiality Calibration (GOV-16) rows archived with the capability’s row set
  • Agentic Governance Charter (GOV-08) operational closure with final post-mortem

For Class 6 (Shadow AI) detection during sunsetting:

  • Emergency Class 6 Retirement path activates — shorter timeline, broader stakeholder notification
  • AI Task Force Chair direct authorisation
  • Operating Cadence interim session within 5 business days

The editorial-independence attestation applies — the Module makes no vendor-specific recommendations.

Institutional Use Cases

Use case 1 — A 200-lawyer in-house function sunsetting a contract-extraction tool. The vendor announced end-of-support for the deployed version. The function operates SUS-06 across 16 weeks: Metric 0 pre-check confirms governance posture intact; Decision Matrix scores the tool for immediate retirement; project plan completed; users transitioned to alternate capability; data migrated to archive; AI BoM Deregistration Certificate issued; post-retirement evaluation documented; lessons fed into VEN-02 (RFP Methodology) for next-vendor selection.

Use case 2 — A 14-partner firm executing Emergency Class 6 Retirement. Champion network surfaced unapproved use of an external research-augmentation tool by two associates. AI Task Force interim session; Emergency Class 6 path activated; the tool’s data exposure quantified; users notified; client-privilege review by external counsel; data destruction certificate issued; remediation cost £40K. Lessons drove tightening of the AI Use Policy (GOV-02) and broader champion network coverage.

Use case 3 — A global energy GC office retiring a Tier-4 autonomous renewal-triage system. Agentic Tier Decommissioning Gate activates: autonomous-action audit trail spanning 14 months sealed and archived; outstanding agent state archived to long-term retention; Delegation-Authority Register (GOV-14) entry archived with the post-mortem; Materiality Calibration (GOV-16) rows archived; Agentic Governance Charter (GOV-08) closure session; replacement capability (Tier 3) deployed under fresh Delegation-Authority entry.

Recommended Stakeholders

RACI role

Stakeholders

Owner

Legal Operations Lead

Approvers

General Counsel · Head of Legal Operations · CIO / CISO

Contributors

AI Task Force · Engineering / IT · Procurement

Informed

Board · Risk and Compliance

The Legal Operations Lead operates the sunsetting plan day-to-day; the AI Task Force (per STR-07) approves at the four-phase gates; the CIO/CISO contributes to data-migration and access-revocation discipline.

Implementation Complexity

Dimension

Specification

Typical end-to-end engagement

12–24 weeks

Cross-team dependencies

IT · Risk · Procurement · Practice Groups · External Counsel (where client-data implicated)

Self-serve viability

Partial — Tier 1 / 2 retirement self-serve; Tier 3+ benefits from advisory

Advisory recommendation

Programme Design for first Tier 3+ retirement; Strategic Retainer for portfolio-scale sunsetting cadence

The Module is methodology-versioned (v2026.1); the four-phase project plan and the evidence retention tracker are versioned alongside.

Inputs

Input

Source

Current AI Use Policy (GOV-02) and Governance Framework (GOV-01)

Self

AI Bill of Materials entries and Class 6 incident records

STR-07

Tool performance, usage, cost, security/compliance metrics

Operating record

Vendor contracts, SLAs, roadmap information

Procurement

Risk Taxonomy 2026 class severity assessments

GOV-04

Data inventories, retention schedules, Data Governance Policy

DAT-02

Business process maps and user/stakeholder lists

Practice Groups

Framework — the Four-Phase Plan

Metric 0 — Pre-check

Before any retirement decision, the Metric 0 pre-check confirms:

Check

Pass criterion

AI Use Policy coverage

Capability is operated under documented policy

AI BoM registration

Capability has a current BoM entry

Class 6 incident clearance

No open Class 6 (Shadow AI) incident on the capability

Risk Register currency

GOV-03 entry for the capability is current

Evidence Register currency (Band 3+)

GOV-13 rows for the capability are populated

Failure on any check triggers remediation before retirement proceeds, except when Class 6 Override path is activated (which proceeds despite Metric 0 failure).

Decision Matrix

The seven-factor weighted Decision Matrix scores retire-vs-optimise:

Factor

Weight

Score 1–4

Vendor viability

0.18

1=failing; 4=durable

Capability obsolescence

0.15

1=current; 4=obsolete

Risk profile change

0.15

1=stable; 4=elevated

Cost efficiency

0.12

1=efficient; 4=cost-inefficient

User adoption

0.12

1=high; 4=abandoned

Strategic alignment

0.14

1=core; 4=non-strategic

Integration complexity

0.14

1=integrated; 4=isolated

Weighted score ≥ 2.8 = immediate retire; 2.2–2.8 = planned retire; 1.8–2.2 = optimise; < 1.8 = retain with monitoring.

Phase 1 — Assessment and Planning (Weeks 1–4)

Activity

Output

Metric 0 pre-check executed

Pass / Fail + remediation plan

Decision Matrix scored

Retire-tier classification

ROAI 4-Quadrant retirement impact analysis

Quantified cost of retirement vs cost of retention

Stakeholder map drafted

Internal + external stakeholder list

Risk register populated for the retirement

Pre-mitigation risk profile

Retirement business case approved at AI Task Force

Phase-1 gate decision

Phase 2 — Preparation and Communication (Weeks 4–10)

Activity

Output

Communication packs drafted (executives, users, clients, vendor)

Distribution-ready packs

Vendor notification per contract terms

Notice issued; vendor confirmation logged

Data migration plan drafted

Data scope; target system; retention compliance

User-transition plan drafted

Alternate capability; training; cut-over timeline

Class 6 risk-review completed

Confirmation no Shadow AI usage prior to retirement

Phase 3 — Migration and Transition (Weeks 8–18)

Activity

Output

Data migration executed

Migration runbook executed; validation report

User cut-over executed

Users transitioned; access to retiring capability revoked

Performance-baseline check on the alternate capability

Baseline established for ROAI continuity

Active-matter transition validated

All active engagements transitioned without data loss

Vendor contract termination process initiated

Termination notice per contract; commercial close-out

Phase 4 — Decommissioning and Closure (Weeks 18–24)

Activity

Output

System shutdown executed

Shutdown confirmation from vendor

Data archival completed

Archive with chain-of-custody record

Data destruction executed where required

Destruction certificate per data-class retention

AI BoM Deregistration Certificate issued

Capability removed from BoM

Evidence Register (GOV-13) rows archived

Archive entries with retention-clock continuation

Delegation-Authority entry (GOV-14) archived (Tier 3+ only)

Archive entry

Materiality Calibration rows (GOV-16) archived (Tier 3+ only)

Archive entries

Post-retirement evaluation report

Lessons learned for next sunsetting cycle

DPS evidence bundles closed

Adoption / Sophistication / Defensibility lens packs

Class 6 Emergency Retirement path

When Shadow AI is detected during sunsetting or as a triggering event:

Activity

Cadence

AI Task Force interim session

Within 5 business days

AI Task Force Chair authorises Emergency Path

Same session

Data-exposure assessment

Within 10 business days

Client-privilege review (where applicable)

Within 20 business days

Data destruction or quarantine

Within 30 business days

Class 6 incident closure record

Filed in GOV-03 + GOV-13

Lessons fed back into GOV-02 (AI Use Policy)

At next Cadence quarterly

Agentic Tier Decommissioning Gates

For Tier 4 (Autonomous agent) capability retirement, additional gates between Phases 3 and 4:

Gate

Pass criterion

Autonomous-action audit trail sealed

Final audit record signed and archived

Outstanding agent state archived

No live state in production

Downstream-dependency review

No active dependencies on the autonomous capability

GOV-08 Charter closure

Standing Agentic Governance session closed with post-mortem

Worked Example

A 200-lawyer in-house function sunsets a legacy contract-extraction tool.

Phase

Weeks

Activity

Output

1

1–4

Metric 0 pass; Decision Matrix 3.2 (immediate retire); ROAI analysis; AI Task Force approval

Phase-1 gate passed

2

4–10

Communications drafted; vendor notification issued; data migration plan to replacement system; user-transition plan

Phase-2 gate passed

3

8–18

1,400 contract extractions migrated; 47 users transitioned; alternate-capability baseline established; active matters validated

Phase-3 gate passed

4

18–24

System shutdown; data archived; AI BoM Deregistration Certificate issued; GOV-13 rows archived; post-retirement report

Closure complete

DPS evidence bundles produced across Adoption (user transition records), Sophistication (Decision Matrix scoring), and Defensibility (deregistration certificate + audit trail).

Common Failure Modes

Failure mode

Detection signal

Recovery

Tool deprecated informally; AI BoM not updated

BoM shows capability live; users have transitioned

Retroactive sunsetting cycle; close out properly

Data migration skipped

Active matters lose data lineage

Halt retirement; recover data; restart Phase 3

Vendor contract not terminated formally

Tool continues to auto-renew while not in use

Procurement standing review

Class 6 incident missed during Metric 0

Shadow AI usage discovered post-shutdown

Emergency Class 6 path retroactively

Agentic state archived but downstream dependencies unaddressed

Downstream capability fails post-retirement

Halt Phase 4; resolve dependencies; restart

Post-retirement evaluation skipped

No lessons captured; same failure modes recur

Standing Cadence agenda item

Evidence retention configuration drifts

Archived records below retention threshold

IT standing check on retention compliance

Edge Cases

The Module does not apply when:

  • The function operates no AI capability — no retirement to execute
  • The function is replacing the capability with an equivalent vendor (lift-and-shift) — the Module operates abbreviated (Phases 1 + 4 only) with data migration in parallel
  • The capability has critical regulatory dependencies that prevent decommissioning — Module produces an Operate-stage continuation plan instead
  • The function is at Band 0 retiring before standing up governance — the Module produces a Class 6-handling retirement under STR-07 emergency activation
  • The vendor has gone insolvent and data is at risk — Module operates emergency Phase 4 with regulator-notification protocol if client data is exposed

Operational Signals

sus-06.sunset-decisions-logged

Defensibility Posture Statement

Sunset decisions made with full rationale — DE-1 Decision traceability record.

Quarterly

sus-06.data-migration-completeness

Annual Legal AI OS Index

Data migration completed before retirement feeds the Annual Legal AI OS Index.

per-engagement

sus-06.orphan-integration-count

Console

Active integrations to retired tools for Console intelligence substrate.

On change

Recommended Stakeholders

Owner

  • Head of Legal Operations

Approvers

  • General Counsel
  • Head of Legal Operations
  • CIO / CISO

Contributors

  • AI Task Force
  • Engineering / IT
  • Procurement

Informed

  • Board
  • Risk & Compliance

Inputs · Outputs

Inputs

  • · Current AI Use Policy (GOV-02) and AI Governance Framework (GOV-03)
  • · AI Bill of Materials entries and STR-07 Class 6 incident records
  • · Tool performance, usage, cost, and security/compliance metrics
  • · Vendor contracts, SLAs, and roadmap information
  • · Risk Taxonomy 2026 class severity assessments
  • · Data inventories, retention schedules, and DAT-02 Data Governance Policy
  • · Business process maps and user/stakeholder lists

Outputs

  • · Metric 0 pre-check results and Class 6 Override determinations
  • · Weighted decision matrix and ROAI 4-quadrant retirement impact analysis
  • · Approved technology retirement business case and project plan
  • · Risk register with mitigation and contingency plans
  • · Communication packs for executives, users, clients, and vendors
  • · Migration runbooks, validation reports, and performance baselines
  • · Agentic Tier decommissioning records (where applicable)
  • · AI BoM Deregistration Certificate and system shutdown evidence
  • · Data archival and destruction certificates with chain of custody
  • · Post-retirement evaluation report and lessons learned log
  • · DPS Adoption, Sophistication, and Defensibility evidence bundles

Framework Crosswalk

NIST AI Risk Management Framework

NIST

Aligns retirement risk assessment, Class 6 Shadow AI handling, and lifecycle controls with NIST AI RMF functions Govern, Map, Measure, and Manage.

EU General Data Protection Regulation (GDPR)

European Union

Maps data migration, archival, and deletion steps to GDPR principles, data subject rights, DPIA, and breach notification obligations during technology retirement.

California Consumer Privacy Act (CCPA)

State of California

Supports CCPA-aligned consumer notification, access, and deletion processes when decommissioning systems holding personal data.

HIPAA Security and Privacy Rules

U.S. Department of Health and Human Services

Provides structure for retiring systems containing PHI, including BAAs, audit trails, and secure destruction of protected health information.

ABA Model Rules of Professional Conduct

American Bar Association

Operationalises duties of competence, confidentiality, supervision, and communication when changing or retiring legal technology used in client matters.

Operational Artefacts

  • SUS-06 Decision Matrix & ROAI Calculator

    xlsx · v2026.1

    Gated
  • SUS-06 Four-Phase Sunsetting Project Plan

    docx · v2026.1

    Gated
  • SUS-06 Exit & Decommissioning Checklist

    checklist · v2026.1

    Gated
  • SUS-06 DPS Evidence Retention Tracker

    xlsx · v2026.1

    Gated

Diagnostic Relevance

Running the Technology Sunsetting Plan strengthens the Defensibility lens — expected Band progression: Operational → Integrated.

Confidence: medium

Key Takeaways

  • Standardise Metric 0 pre-checks before any technology retirement decision.

  • Use a weighted seven-criteria matrix plus ROAI quadrants to decide retire vs optimise.

  • Trigger emergency Class 6 Shadow AI retirement when ungoverned AI use is detected.

  • Run the four-phase sunsetting process to minimise disruption and protect clients.

  • Apply Agentic Tier decommissioning gates for Level 4 AI tools before shutdown.

  • Embed data protection, business continuity, and contractual risk mitigations.

  • Retain DPS-grade evidence for 5–7 years to support defensibility and audits.

Run this Module

Operational artefacts available to Practitioner Membership members. Methodology v2026.1.

View Membership

Targeting

Audience

General CounselLegal OperationsIT SecurityRisk & ComplianceData Protection OfficerProcurementAI Governance Lead

Strengthens

Defensibility lens

Module Details

Format
Module
Difficulty
Operational
Pillar
P8
Owner
Head of Legal Operations
Access
Practitioner Membership

Maturity Bands

FoundationalOperationalIntegratedOptimisedDefensible

Where this Module lives

The Sunsetting Plan closes the lifecycle that Vendor Evaluation (VEN-01) opens. It consumes risk signals from the Register (GOV-03) and audit findings (SUS-05), executes the retirement, and produces DE-1 (Decision traceability) records into the DPS. Without it, AI BoM entries persist past their useful life and the firm carries hidden risk for tools no longer actively governed.

Advisory

When this Module sits inside a Programme.

Modules are operated in-house by GC and Legal Operations teams. When the capability transformation is multi-Pillar — or when the regulator timeline tightens — Advanta operates the canonical Module sequence as a Programme.