checklist
Data lineage evidence checklist
A checklist for assessing whether lineage, ownership, controls, and evidence are strong enough to support audit, AI governance, migration, and regulatory questions.
Use this checklist when a dataset, report, AI use case, migration, or regulatory process depends on data lineage. The useful question is not whether a diagram exists. The useful question is whether the organization can prove what happened.
1. Scope and criticality
- The business process, report, model, or decision supported by the data is named.
- Critical data elements are identified.
- The dataset owner and downstream consumer are clear.
- Materiality is understood: financial, regulatory, customer, operational, or reputational impact.
- The expected lineage depth is proportionate to risk.
2. Source and transformation traceability
- Original sources are listed.
- Transformation steps are documented or discoverable from executable pipelines.
- Joins, filters, aggregations, enrichment, and manual interventions are visible.
- Dataset versions or refresh times can be reconstructed.
- Known lineage gaps are recorded, not hidden.
3. Ownership and control points
- Each critical handoff has an owner.
- Quality checks are attached to control points.
- Exceptions have a triage and remediation path.
- Manual adjustments are logged with rationale.
- Control ownership does not disappear during platform migration.
4. Evidence quality
- Evidence is generated from systems where possible, not only assembled manually.
- Architecture diagrams, catalog entries, pipeline code, and access records agree.
- Evidence can be reproduced for a past reporting date or model version.
- Evidence covers data movement across platforms, regions, and vendors where relevant.
- Evidence is understandable to audit, risk, architecture, and engineering stakeholders.
5. AI and analytics consumption
- AI, BI, reporting, and downstream application consumers are visible.
- Retrieval pipelines and vector indexes are included where AI systems consume derived data.
- Access policy is preserved through downstream consumption.
- The organization can answer which model, report, or process consumed which dataset version.
- Sensitive data restrictions survive transformation and reuse.
6. Migration and modernization resilience
- Lineage remains valid during cloud migration, platform replacement, or data product refactoring.
- Decommissioning plans identify downstream dependencies before retirement.
- Parallel-run reconciliation is documented.
- Legacy and modern platforms share a common evidence model where possible.
- The organization can prove that modernization did not break critical reporting or AI controls.
7. Questions to ask
- Can we reconstruct this data path for a date in the past?
- Which controls are automated, and which are manual?
- What breaks if one platform is replaced?
- Which AI systems or reports consume this data?
- Who can explain and defend the evidence under audit pressure?
Practical scoring
Green means lineage is operationally useful and evidence can be reproduced. Amber means the major path is understood but gaps remain. Red means the organization depends on informal knowledge, static diagrams, or manual reconstruction for critical decisions.