SystemOverflow
LearnML Infrastructure & MLOpsModel Registry4 of 4
ML Infrastructure & MLOpsModel RegistryHard⏱️ ~3 min

Model Registry Failure Modes and Mitigation Strategies

Model code skew is the most common and dangerous failure mode. A service upgrades its feature extraction code to add new fields or change preprocessing logic, but the registry still points to an older model trained on the previous schema. Online inference either fails with type errors or, worse, silently degrades as the model receives features it has never seen. For example, a fraud detection service adds geolocation features in version 2.0 but continues loading a model trained without those features, causing accuracy to drop from 0.89 to 0.72 precision. Mitigation requires storing a model signature that includes input feature names, types, and preprocessing versions. The registry enforces compatibility checks during promotion, blocking deployment if the target service declares schema incompatibility. Binding model versions explicitly to application releases, not just to stages, provides the strongest guarantee. Stale or inconsistent pointers emerge from eventual consistency in the metadata store or cache. Two deployment systems read and promote different model versions because of replication lag, causing users to see different predictions across instances. One canary instance loads v1.24 while others remain on v1.23, making A/B test results invalid. Mitigation uses optimistic locking with version fields when promoting stages, propagating changes through events rather than polling, and making promotion operations idempotent. Short cache TTLs of 30 to 60 seconds during rollout windows help converge faster. Registry outage during deploy creates a critical dependency. Training finishes and tries to register or promote, but the registry control plane is down. Deployments stall or partially update, leaving production in an inconsistent state. Mitigation separates control plane from data plane. Serving systems continue using the last resolved model version without calling the registry on the hot path. Registration events write to a durable queue with retry logic, allowing the system to catch up when the registry recovers. Write ahead logs ensure no metadata is lost. Artifact availability and cold starts cause elevated error rates when a new model is promoted but artifacts have not replicated to all regions. Instances in a distant region start, fail to download the model within the startup timeout of 60 seconds, and crash loop. Mitigation prestages artifacts in regional caches before flipping the registry pointer, verifies checksums to catch corruption, and delays promotion until health checks confirm replicas are ready in all target regions. For critical models, a fallback mechanism serves an older cached version if download fails.
💡 Key Takeaways
Model code skew occurs when service upgrades feature schema but loads old model, causing silent accuracy degradation from 0.89 to 0.72 precision
Stale pointers from eventual consistency cause different instances to load different versions, invalidating A/B test results and user experience
Registry outage stalls deployments if control plane is on critical path, mitigation caches last resolved version and uses durable queues for events
Artifact unavailability in distant regions causes instances to crash loop when download exceeds 60 second startup timeout
Metric gaming with offline evaluation looks good due to leakage but online Key Performance Indicators (KPIs) degrade, requires statistically sound canary tests
Rollback mismanagement leaves bad model serving if instances do not reload or cache TTL is too long, need forced invalidate signal
📌 Examples
Model code skew: Fraud detection service adds merchant_category feature, model trained without it receives null values, false positive rate jumps 15%
Stale pointer: Eventual consistency lag of 5 seconds causes 20 out of 200 instances to load v1.24 while others stay on v1.23 during canary window
Artifact unavailability: New 1.5 GB model promoted but not replicated to Asia Pacific region, 50 instances fail to start within 60 second timeout
Rollback failure: Registry pointer flipped back to v1.23 but 300 second cache TTL means instances continue serving bad v1.24 for 4 more minutes
← Back to Model Registry Overview