Data Governance: The Platform Foundation
Every Feature Has a Lineage
one canonical schema · zero per-region adapters
14,892 records processed · 247 quarantined
stateless, event-driven Cloud Run
Data Governance is deployed in Horizon 1 — before any ML model, before any HITL checkpoint, before any inference in any process pillar. It validates every record entering the data fabric of The Autonomous Enterprise Platform, tags every feature with a traceable lineage, and quarantines anything that fails. Without it, the SHAP explanations that satisfy EU AI Act Article 11 have no verified provenance. All process pillars — Quote-to-Cash, Procure-to-Pay, Finance Operations, Supply Chain — are blocked until this module is live.
The module uses TFX's deterministic validation engine and BigQuery lineage tables — no ML inference. Every record passes through three gates: schema conformance, quality scoring, and lineage tagging. Records that fail schema validation are never silently discarded; they move to a QUARANTINED state and wait for a data steward decision. This is the only human decision point in the module — schema triage, not financial or safety judgment.
§1 System Context
Data Governance sits at the boundary between raw regional data sources and the Autonomous Enterprise Platform's data fabric. Everything entering the Feature Store, BigQuery financial stream, and contract event stream — from any process pillar — passes through Data Governance first. All pillars are blocked until this module is live.
§2 Canonical Schema
The 6-region canonical schema v2.0 is the contract between every regional data source and the AE data fabric. All suites are blocked until this schema is validated and live. Schema changes must be registered before deployment — unregistered changes trigger quarantine automatically.
| Field | Type | Constraint | Version | Notes |
|---|---|---|---|---|
entity_id | STRING | Required | v1.0 | Unique asset identifier · format: {REGION}-{TYPE}-{SEQ} |
event_id | STRING | Required | v1.0 | Pub/Sub message ID · used as lineage_ref anchor |
event_timestamp | TIMESTAMP | Required | v1.0 | UTC · ISO-8601 · type mismatch triggers quarantine |
source_region | STRING | Required | v1.0 | ENUM: EMEA-North · EMEA-West · APAC-East · APAC-South · AMER-East · AMER-West |
asset_type | STRING | Required | v1.0 | ENUM: MRI-7T · CT-Premium · MRI-3T · Ultrasound-Elite |
bearing_vibration_hz | FLOAT | Required | v1.0 | Range: 0–500 · anomaly threshold: fleet_mean ± 3σ |
bearing_temp_c | FLOAT | Required | v1.0 | Range: -10–150°C · null triggers quality score deduction |
bearing_temp_optical_c | FLOAT | Optional | v2.1 | New canonical field · maps from optical_sensor_temp_c (APAC-East firmware v4.2.1) |
power_draw_kw | FLOAT | Required | v1.0 | Range: 0–50kW · feeds GreenOps carbon model |
firmware_version | STRING | Required | v1.0 | Semver · tracks schema drift to firmware release correlation |
free_text_notes | STRING | Optional DLP Scan | v1.0 | Engineer field notes · DLP API scanned inline before TFX · PII detection routes to DLP Hold, not schema quarantine |
schema_version | STRING | Required | v1.0 | Written by DG agent post-validation · used as lineage_ref component |
quality_score | FLOAT | Required | v1.0 | Written by DG quality scorer · 0–1 · threshold 0.85 for Feature Store · 0.60 for BigQuery |
lineage_ref | STRING | Required | v1.0 | Composite: event_id + schema_version + ingest_ts · EU AI Act Art. 11 anchor |
free_text_notes (an optional field, present in ~12% of records at ClaraVis volume) is submitted to the Cloud DLP Content API. Structured numeric fields are not inspected — DLP has no value on FLOAT/TIMESTAMP fields. At 15,000 msg/day × 12% = ~1,800 DLP API calls/day → ~54,000/month. Cloud DLP free tier: 1 unit = 1 API call for content under 500KB. Monthly DLP cost: 54,000 calls × $0.003/unit ≈ $162/month. Full revised cost model: Cloud Run ~€0.14 + BigQuery ~€2 + Cloud DLP ~$162 ≈ $165/month total. Batch validation was not considered — see ADR-DG02. DLP cost scales linearly with free-text field prevalence; an operator flag suppresses the DLP scan when the notes field is absent.§3 Architecture — Validation Pipeline
Data Governance uses TFX's deterministic validation engine and BigQuery lineage tables — no ML inference. Every record passes through schema conformance, quality scoring, and lineage tagging before reaching the Feature Store. Records that fail schema validation go to quarantine immediately. Records that pass schema but score below 0.60 quality also quarantine.
§4 Record State Machine
A record that fails validation is never silently discarded — it moves to QUARANTINED, where it waits for a data steward decision. If reinstated, it re-enters the VALIDATING state with the approved mapping rule applied. If discarded, an audit tombstone is written to ae_governance.discard_log.
§5 Data Steward Interface
The data steward interface is operationally different from every other HITL in any process pillar. No time pressure (P2, not P0), no financial consequence to the individual decision, no dual-reviewer requirement. The steward's job is schema triage: understand the violation, confirm the mapping rule, reinstate or discard.
event_timestamp · Expected: TIMESTAMP · Arriving: STRING ("2026-03-15T14:22:11Z")Suggested fix:
PARSE_TIMESTAMP('%Y-%m-%dT%H:%M:%SZ', event_timestamp) AS event_timestampoptical_sensor_temp_c (FLOAT) · not in canonical schema v2.0Source: APAC-East firmware v4.2.1 added optical bore temperature sensor
Suggested:
optical_sensor_temp_c → bearing_temp_optical_c (new canonical field v2.1)1. PARSE_TIMESTAMP('%Y-%m-%dT%H:%M:%SZ', event_timestamp) AS event_timestamp
2. optical_sensor_temp_c → stored as bearing_temp_optical_c (new canonical field)
3. bearing_vibration_hz → NULL · imputed via fleet median at inference
Approving reinstates all 847 records and updates ae_schemas to v2.1.
§6 Architecture Decision Records
Three Data Governance decisions, every alternative documented.
Custom JSON schema validation (Python jsonschema or Pydantic) was the initial design. It was replaced with TFX ExampleValidator for four reasons. (1) TFX is stateful — it learns statistics from observed data and can flag distributional drift, not just structural violations. A temperature reading within the valid range but 10 standard deviations above fleet mean would pass JSON schema validation and fail TFX's anomaly detection. (2) TFX integrates natively with Vertex AI Pipelines — the same schema definitions used in offline training are enforced at serving time, eliminating train-serve skew. (3) TFX's Schema artifact is versionable in the ML Metadata store — schema evolution is tracked automatically. (4) TFX Validate data quality expectations are living documentation satisfying EU AI Act Article 11's training data requirement. Custom JSON schema has none of these properties.
The simpler design — reject schema-violating records at the Pub/Sub subscriber, log the error, and discard — was rejected for two reasons. (1) Data loss is irreversible in a real-time sensor system. A regional system sending 847 records per batch cannot easily re-send data from 4 hours ago. Quarantine preserves the raw record in BigQuery, allowing reprocessing once the schema mapping is confirmed; reject-on-arrival means the data is permanently gone. (2) Schema violations often indicate a legitimate upstream system update, not corrupted data. The APAC-East firmware update is the canonical example — the data is valid, only the schema registration is missing. Reject-on-arrival silently discards valid, irreplaceable telemetry. Quarantine-then-review surfaces the issue to a human who can determine whether the data is recoverable.
ADR-AQ02 was documented in the Asset IQ module as the schema standardisation decision. It is cross-referenced here because Data Governance is the component that makes ADR-AQ02 enforceable at runtime. The unified Pub/Sub canonical schema is not a convention that source systems are expected to follow — it is a gate that every record must pass. Without Data Governance, ADR-AQ02 is a design aspiration; with Data Governance, it is a hard technical constraint. Any regional system that updates its schema without registering the change will have its records quarantined until a steward reviews them. This creates a virtuous feedback loop — schema violations are visible, immediate, and operationally costly (P2 alert), incentivising regional teams to register schema changes before deploying.
Two PII handling approaches were evaluated. (1) Reject-on-PII-detection: discard records containing PII in free_text_notes. Rejected because field engineer notes are operationally valuable — they often contain maintenance observations that inform the RUL model's context features, and silent discard removes recoverable signal. (2) DLP Hold with redact-then-reinstate: quarantine the raw record, alert the data steward with the specific detected entity types (e.g. PERSON_NAME, EMAIL_ADDRESS), and require an explicit redaction action before reinstatement. The steward does not see a "reinstate as-is" option for DLP holds — only "redact detected fields + reinstate" or "discard".
This distinction is critical: schema quarantine reinstatement is a mapping approval; DLP reinstatement without redaction would write raw PII to the Feature Store, violating GDPR data minimisation (Art. 5(1)(c)). The DLP Hold state is therefore architecturally distinct from the QUARANTINED state — different steward UI, different approval action, different audit log entry (ae_governance.dlp_remediation_log vs ae_governance.discard_log). Cloud DLP is scoped to free_text_notes only; structured numeric/timestamp fields are not inspected. Cost: ~$162/month at ClaraVis volume — see §2.1.
§7 Stakeholder Rebuttals
Six objections raised during the platform foundation review. Each rebuttal is grounded in architectural evidence, not opinion.
lineage_ref field in the SHAP record → the Feature Store feature group entry with the lineage tag → the DG validation log entry confirming schema version and quality score → the original Pub/Sub message ID and source system. This is not a description of provenance — it is a queryable audit chain. The TFX validation log entry, quality score, and schema version are all written to ae_governance.validation_log at validation time. The Feature Store offline store records used for model training carry the same lineage tags, so the training dataset's provenance is fully documented.ae_quarantine dataset has four principals: the DG agent SA (write — inserts quarantine records), the data steward role (read — reviews violations), the DG admin SA (read-write — reinstatement processing), and the audit SA (read-only — 7-year audit access). No developer SA has access. Quarantine records are retained for 90 days after resolution (reinstatement or discard), then deleted by BigQuery table expiry. Unresolved records are retained indefinitely until a steward decision is made. VPC-SC applies to ae_quarantine as to all ae_ datasets.§8 Operational Dashboard
The Data Governance Ops Dashboard is the primary operational interface for the platform on-call engineer. It shows pipeline throughput per region, active quarantine queue depth, SLO burn rate, and DLQ status. All data is live-updated — every record processed, quarantined, or DLQ'd is visible within five seconds of the event.
| Batch ID | Region | Type | Records | Age | Status |
|---|---|---|---|---|---|
asst_ae_0315 | APAC-East | Schema | 847 | 2h 14m | Pending |
asst_ew_0088 | EMEA-West | DLP Hold | 6 | 0h 31m | Pending |
asst_as_0201 | APAC-South | Schema | 17 | 5h 02m | Resolved |
asst_ae_0288 | APAC-East | Schema | 112 | 1d 03h | Discarded |
§9 Validation Trace — Three Paths
Every record goes somewhere. Nothing is silently lost. Below are the three representative traces through the validation pipeline: a clean record reaching the Feature Store, a schema violation routing to quarantine, and a DLP trigger routing to a PII hold.
| Stage | Clean Record · Feature Store | Schema Violation · Quarantine | DLP Trigger · PII Hold |
|---|---|---|---|
| Pub/Sub message received | ✓ asst_en_0001 · EMEA-North | ✓ asst_ae_0315 · APAC-East | ✓ asst_ew_0088 · EMEA-West |
| DLP API scan | Skipped (no free_text_notes) | Skipped (no free_text_notes) | ⚠ PII detected (PERSON_NAME) |
| TFX ExampleValidator · schema check | ✓ Pass · schema v2.0 | ✗ Fail · type mismatch + new field | ✓ Pass · schema v2.0 |
| Quality scorer | ✓ 0.94 | — (blocked at schema gate) | — (held pending redaction) |
| Lineage tagger | ✓ Tagged · lineage_ref written | — | — |
| Outcome | ✓ Feature Store write | QUARANTINED · steward alert (P2) | DLP HOLD · redact-then-reinstate |
ae_schemas to v2.1. In the DLP trace, the steward sees only "redact + reinstate" or "discard" — never "reinstate as-is" — per ADR-DG03.§10 Adjacent Modules
This is where the platform begins. Data Governance is the H1 prerequisite. Deployment order: M-08 (H1 · PI-1) → M-06 GreenOps (H3 · PI-7) → M-07 Strategy Dashboard (H3 · PI-8). No suite can operate on the AE Platform until the 6-region canonical schema is validated and the Feature Store lineage pipeline is live.