Dependency maps show how the AI system relates to its external dependencies: the data sources it consumes, the APIs it calls, the infrastructure services it relies upon, and the downstream systems that consume its outputs. For microservice architectures, the dependency map also captures internal service-to-service relationships.

The dependency map classifies each dependency by criticality (would the system fail if this dependency became unavailable?), data sensitivity (does personal data flow to or from this dependency?), and change risk (how frequently does this dependency change, and what is the notification mechanism?). This classification informs the risk assessment and the disaster recovery planning described above.

Both declared dependencies (captured in a service catalogue such as Backstage) and observed dependencies (discovered through distributed tracing with Jaeger, Zipkin, or cloud-native tracing services) should be documented. The discrepancy between declared and observed dependencies is itself a finding that warrants investigation. The dependency map is regenerated periodically, aligned with the risk review cadence, and compared against the previous version to detect undocumented changes.

Key outputs

• Dependency map with criticality, data sensitivity, and change risk classifications
• Service catalogue entries (Backstage or equivalent)
• Distributed tracing validation of declared dependencies
• Module 3 AISDP evidence