Are we ready for Production?

Introduction

Before moving from Pilot to Production, the company needs a pre-production governance stance. This is the point where the business has to decide what promises it is prepared to make, who is allowed to make changes, who can accept risk, and what evidence must exist before the production environment is created.

This is not about creating bureaucracy for its own sake. It is about preventing a Pilot environment from becoming Production by accident.

Production is a different level of commitment. By this point the company is no longer just proving that the product can work. It is making an operational promise to customers, investors and itself.

The exact architecture will depend on cost, customer promises, data requirements and the maturity of the product, but the principle is that production should be designed to survive meaningful failure.

Why this stage matters

Production is the point where the business starts making real promises. The product does not need to be perfect, but the company must understand what it is promising, what it can recover from, what risks it has accepted and how it will communicate when something goes wrong.

This gate exists because Production is not just a hosting environment. It is a business commitment covering security, data protection, contracts, support, monitoring, operations and cost.

The decision

The product is ready for Production when the company can make customer promises and operate the system with evidence, tested recovery paths and accepted risks.

Assurance

Production assurance is the point where the company checks that its data, AI and customer-isolation positions can support real customer promises. The review does not need to make the product perfect, but it should make the remaining risks visible and owned.

This control exists because Production changes the external expectation. Customers may ask how data is protected, where it is processed, whether AI is used, how tenants are isolated and whether the company has independently reviewed its position.

Security

Before Production, security needs independent challenge. A penetration test or equivalent targeted assessment gives the company a clearer view of exposed risk before customers depend on the service.

The important point is not that every finding must be fixed before launch. The important point is that findings are known, owned, remediated where necessary and explicitly accepted where the business chooses to carry risk.

Commercial trust

Production readiness includes the ability to sell honestly. The company should be able to give customers a coherent view of privacy, security, support, incident handling, subprocessors, billing and resilience without inventing answers during procurement.

The trust pack is the customer-safe expression of the operating model. It should match reality, avoid sensitive internal detail and make clear what the company can and cannot promise.

Operations

Production operations are the live-service habits that make customer promises credible. Monitoring, alerting, support, incident ownership and communication paths need to exist before the first real customer incident.

The team can stay pragmatic, especially while it is small, but it must be clear who responds, who coordinates, how customers are informed and how the company learns after something goes wrong.

Resilience and cost

Production pays for promises. The company does not need the most expensive resilience model on day one, but it does need to prove that the promised recovery position works and that the cost increase is a conscious business decision.

Early Production can tolerate more downtime if customers understand the support and recovery model. The key is to make the trade-off explicit: what can fail, how recovery works, how long it might take and what would trigger the next resilience investment.

Related guidance

Summary

The company should be able to make customer promises with evidence, tested recovery paths, known risks and a trust position that matches reality.