The Autonomous Enterprise  /  Page 02  ·  2026

ClaraVis Medical Systems
Client Brief & Requirements

This is the single source of truth for what the Autonomous Enterprise is designed to achieve for ClaraVis.

TOGAF Phase A Input MoSCoW Prioritisation EU AI Act · ISO 13485 12 Stakeholders 4 Strategic Decisions
ADR-001 · ADR-002 referenced on this page

§1 Architectural Positioning

Three systems. Zero orchestration.

ClaraVis runs Salesforce, SAP S/4HANA, and four regional Ariba instances — each a capable, well-run system within its own domain. None of them were designed to reconcile with each other. The first question any CTO or enterprise architect asks is: why build on GCP when Salesforce Einstein already does AI? That question is the sharpest version of a broader one — does any single vendor in this stack solve the actual problem? The answer, for Einstein and for SAP's and Ariba's native intelligence alike, is architectural: each optimises within its own data boundary. The Autonomous Enterprise exists in the space between those boundaries — the space none of them were built to occupy.

Canonical Positioning Statement
Salesforce Einstein, SAP's embedded analytics, and Ariba's native supplier scoring each deliver intelligence within their own data model. The Autonomous Enterprise delivers intelligence across the enterprise — spanning the installed asset base, the ERP, the supplier network, the contract corpus, and the compliance obligations that no single vendor's boundary contains. Where Einstein optimises the CRM layer, the AE orchestrates the full Quote-to-Cash-to-Field-to-Compliance lifecycle across all four process pillars, with explainability and human oversight engineered in to satisfy EU AI Act requirements that no proprietary vendor model — Einstein included — is built to meet.
ADR-002 · GCP alongside Salesforce, not instead of it
DOMAIN — 01
Physical asset intelligence — 12,000 MRI units in the field
MRI unit telemetry, DICOM service events, sensor readings, and utilisation patterns do not live in Salesforce and never will. Salesforce is not a time-series IoT platform. Predicting Remaining Useful Life on a physical medical device requires BigQuery, Vertex AI, and a Pub/Sub streaming pipeline ingesting field events at scale.
AE on GCP — Einstein has no access to this data domain
DOMAIN — 02
EU AI Act Annex III — explainability that satisfies Article 14
Annex III requires human-reviewable SHAP explanations per inference, written to an immutable audit log before any action commits. Einstein's models are proprietary — feature attribution is not exposed to the operator. For a German medical OEM, this is a structural disqualification for high-risk AI classification, not a configuration gap.
AE on GCP — architectural requirement Einstein cannot satisfy
DOMAIN — 03
Revenue recognition across SAP S/4HANA and Salesforce
ASC 606 classification — lease vs sale, single vs multiple performance obligations — requires an ML model trained on ClaraVis's contract portfolio, producing a SHAP explanation, routing through a Finance Controller HITL checkpoint, then writing to SAP S/4HANA. This flow crosses three systems. No single vendor orchestrates it.
AE on GCP — cross-system orchestration outside any single vendor
DOMAIN — 04
Full-document contract intelligence on the raw document
Clause-level risk scoring, non-standard term detection, and negotiation brief generation require reasoning across the full contract document. Gemini 1.5 Pro reads the entire contract in one pass via its one-million-token context window. Einstein's document understanding operates on Salesforce CLM metadata — not the source document.
AE on GCP — document-native reasoning beyond CRM metadata
DOMAIN — 05
Cross-system orchestration — the layer nobody owns
ClaraVis's enterprise spans Salesforce, SAP S/4HANA, four regional Ariba instances, six regional asset telemetry systems, a document management platform, and a compliance audit store. No single vendor owns all of that — and critically, none of these systems were built to talk to each other. Ariba scores supplier risk within its own network; it has no visibility into SAP's financial exposure or Salesforce's contract risk. The AE is the connective tissue — a coherent, explainable, human-supervised orchestration layer across every system ClaraVis operates, across every pillar.
AE on GCP — purpose-built for cross-system enterprise scope

This argument is not unique to Quote-to-Cash. Procure-to-Pay faces its own version: Ariba scores supplier risk well within its network, but it does not read 310 supplier MSAs at clause level, and it has no mechanism to feed that contract risk into a cross-pillar financial exposure view. Supply Chain faces it too: SAP IBP forecasts demand competently, but it does not monitor 310 suppliers for geopolitical and financial distress in real time, and it cannot aggregate that risk alongside Quote-to-Cash's contract exposure and Finance Operations' treasury position. Each pillar has a sharpest-vendor-comparison of its own. The AE's claim is the same in every case: orchestration and explainability across the boundary, not a better model inside it.

As-Is — Three Systems, No Orchestration
SFDC
Salesforce
System of record
Opps · Quotes · Contracts
No integration
SAP
SAP S/4HANA
ERP system of record
Finance · Logistics
No integration
ARIBA
Ariba
4 regional instances
Sourcing · PO
No integration
×6
Asset Telemetry
6 regional systems
No common schema
Four systems. Zero orchestration. Each one a system of record for its own domain — none aware the others exist.
To-Be — One Orchestration Layer, Every System Keeps Its Role
SFDC
Salesforce
System of record
Opps · Quotes · Contracts
REST API
Developer Edition
ADR-001
AE
Autonomous Enterprise
Orchestration layer
Intelligence · XAI · HITL
BAPI / RFC
via middleware
SAP
SAP S/4HANA
ERP system of record
Finance · Logistics
Ariba Network API
middleware
ARIBA
Ariba
4 regional instances
Sourcing · PO
Pub/Sub
streaming
GCP
Google Cloud
Vertex AI · BigQuery
Asset telemetry · MLOps
One orchestration layer. Every system keeps its role as system of record. Nothing is replaced.

§2 Organisation Profile

ClaraVis Medical Systems — the anchor client.

A composite of real regulated-industry enterprise patterns. Every requirement, constraint, and architectural decision on this page is grounded in the specific operational context of a medical imaging OEM operating under EU AI Act, FDA 21 CFR 820, and ISO 13485 simultaneously.

Organisation Facts
Legal name
ClaraVis Medical Systems GmbH
Headquarters
Munich, Bavaria, Germany
Revenue
€1.2B (FY2025)
Employees
4,200 across 12 countries
Product portfolio
MRI-7T, MRI-3T, CT-Premium, mobile MRI units
Installed base
12,000+ units across 34 countries
Sales cycle
14–20 months · 9 stakeholders per enterprise deal
Regulatory Environment
EU AI Act
Annex III high-risk — 3 ML models flagged in Q3 2025 audit
FDA 21 CFR 820
Quality System Regulation — Device History Records required
ISO 13485
Medical Devices QMS — full device lifecycle traceability
ASC 606 / IFRS 15
Revenue recognition — lease vs sale classification required
GDPR / EU DPDP
No PHI leaves EU boundary — data residency enforced
ISO 27001
Information security — zero-trust architecture required
Live
Salesforce
CRM · CPQ · CLM — System of Record
Opportunities, Accounts, Quotes, Contracts, and CPQ line items. Sales pipeline, forecasting, and contract workflow. AE integrates via REST API using Salesforce Developer Edition pattern (ADR-001).
AE reads and writes via Salesforce REST API — augments Einstein, does not replace it
Live
SAP S/4HANA
ERP — Finance · Logistics · Revenue
General ledger, revenue posting, logistics execution, and procurement. Source of truth for financial transactions. AE writes revenue recognition decisions to SAP via middleware after HITL approval.
AE writes to SAP only after Finance Controller HITL checkpoint — immutable audit record created first
EU AI Act Risk
3 ML Models in Production
Revenue Recognition · Asset Failure · Contract Risk
Built by ClaraVis data science team. All three classified as high-risk under EU AI Act Annex III. None currently produce SHAP explanations. None have documented HITL checkpoints. Flagged in Q3 2025 audit.
All three models require AE XAI and HITL retrofit before next compliance review
6 Systems
Regional Asset Telemetry
Field Service · IoT · DICOM Events
Six disconnected regional platforms receiving MRI unit telemetry — DICOM service events, error codes, utilisation data. No common schema. No unified query interface. Predictive maintenance is architecturally unavailable.
Unified Pub/Sub ingestion pipeline required — Asset IQ module addresses this domain entirely
Legacy
Document Management
Contract Storage · Compliance Records
On-premise document store for contracts, compliance certificates, and device history records. No full-text search. No clause-level intelligence. Contracts are stored but not analysed.
ContractGuard ingests raw documents via GCS — no dependency on existing DMS structure
Disconnected
Finance Reporting Stack
Revenue · Compliance · Audit
Combination of SAP FI/CO reports, Excel-based revenue schedules, and manual audit packs. Revenue recognition classification performed manually by Finance team. No ML-assisted recognition. Month-end close takes 12 days.
RevRec AI targets this domain — ASC 606 rules encoded as write-path constraints, not reporting logic
Live
Ariba — 4 Regional Instances
Sourcing · PO · Procurement Network — System of Record
Four regional Ariba instances handle sourcing, RFx, and purchase order generation across 310 suppliers in 22 countries. No ML-assisted risk scoring. No cross-instance visibility — a supplier disruption in one region is invisible to the others.
Sourcing Agent and PO Agent target this domain — straight-through match rate currently 58%, targeting 90%+
Disconnected
Supplier Master & Contract Corpus
310 Suppliers · 22 Countries — Shared Across Pillars
Supplier records and 310 active MSAs exist across Ariba and the legacy DMS with no clause-level intelligence and no continuous risk monitoring. A Tier-2 sole-source disruption currently surfaces with as little as 11 days' notice — after the fact, not in advance.
ContractIntelligence and SupplierSentinel both target this domain — complementary, not overlapping, scope
Live
SAP IBP
Demand Planning — System of Record
Statistical demand forecasting for MRI/CT systems and sub-assemblies, run independently of Salesforce pipeline signal and supplier risk data. Current forecast error: 34% MAPE.
DemandIQ targets this domain — reduces forecast error toward ≤12% MAPE by reading SAP IBP, Salesforce pipeline, and external signals together
Capability Gaps — Beyond System Disconnection

The estate above is disconnected. The following capabilities don't exist anywhere in the estate today, connected or not — six gaps that no current system addresses, regardless of integration state.

Capability GapWhat's Missing
EU AI Act Article 9 continuous risk managementNo system performs this today; three production models flagged non-compliant in the Q3 2025 audit
Supplier risk monitoringAnnual questionnaire only, no real-time signal; an 11-day-notice Tier-2 disruption is the documented consequence
Invoice reconciliation intelligence3-way match is manual today at 58% straight-through, requiring a six-person team
MDR Article 87 vigilance reportingNo automated device genealogy tracing or 72-hour SLA mechanism exists
CSRD Scope 3 Category 1/4 reportingManual quarterly process across six freight portals and 310 supplier questionnaires
Cross-pillar financial risk aggregationNo system today synthesises Quote-to-Cash, Finance Operations, and Procure-to-Pay exposure into one view

§3 Stakeholder Register

Twelve stakeholders. Twelve different conversations.

An enterprise architecture that satisfies the CTO's infrastructure requirements but cannot answer the Compliance Officer's audit question will not be adopted. Each stakeholder below has a primary concern, a specific question the AE must answer for them, and a set of modules that address their domain directly.

S-01 · Executive Sponsor
Chief Technology Officer
Technology & Innovation
Primary Concern
Architectural coherence across a multi-vendor enterprise stack. Whether the AE creates new technical debt or resolves existing fragmentation.
Question the AE must answer
How does this sit alongside Salesforce and SAP without creating a third system of record?
All Modules ADR-002 Layer Architecture
S-02 · Risk & Compliance
Chief Compliance Officer
Legal & Regulatory Affairs
Primary Concern
EU AI Act Annex III exposure across all nine compliance frameworks the Compliance Command Centre tracks — not isolated to one pillar. Whether the production ML models across Quote-to-Cash, Procure-to-Pay, and Supply Chain can be brought into compliance before the next regulatory review without re-architecting from scratch.
Question the AE must answer
Show me the audit trail for a revenue recognition decision made last Tuesday. Every feature weight that drove it — and show me the same for a supplier risk score or a vigilance report.
RevRec AI ContractGuard SupplierSentinel QualityTrace XAI Layer HITL Compliance Command Centre
S-03 · Financial Governance
Chief Financial Officer
Finance & Treasury
Primary Concern
The €40M annual warranty over-reserve, the 12-day month-end close, and the €95M inventory carrying cost — three pillars, one P&L. Each is a symptom of missing intelligence in a different domain.
Question the AE must answer
How does this reduce the warranty reserve and accelerate revenue close — with evidence, not projections?
RevRec AI Asset IQ FinRisk Sentinel InventoryOrchestrator
S-04 · Sales Leadership
VP Sales & Commercial
Global Sales Organisation
Primary Concern
The 47-day CPQ cycle. By the time a quote reaches a hospital, the clinical team has already evaluated a competitor. Speed is a competitive differentiator in this market.
Question the AE must answer
Which steps in the quote process can the agent handle autonomously, and what exactly does it hand to a human and when?
CCAI Sales Agent ContractGuard HITL Spec
S-05 · Clinical Operations
VP Clinical & Applications
Clinical Engineering
Primary Concern
Configuration accuracy. An MRI unit configured incorrectly for a hospital's clinical workflow requires expensive field remediation. The CPQ process must validate clinical requirements before quoting.
Question the AE must answer
Does the agent understand clinical configuration requirements, or does it just pass through SKU selections?
CCAI Sales Agent Asset IQ
S-06 · Field Operations
VP Field Service & Operations
Global Service Operations
Primary Concern
Unplanned downtime. A failed MRI unit in a hospital creates immediate patient care disruption and a costly emergency dispatch. The 3.2× cost differential between reactive and predictive maintenance is the field operations budget problem.
Question the AE must answer
How far in advance can the asset model predict a failure, and how confident is that prediction?
Asset IQ RUL Model Anomaly Detection
S-07 · Legal & Contracts
General Counsel
Legal Affairs
Primary Concern
Non-standard contract terms passing through any process without legal review — not just customer-facing sales contracts. 310 active supplier MSAs carry the same liability cap, indemnification, and governing law risk as customer contracts, at greater volume.
Question the AE must answer
What is the agent's confidence threshold for escalating a clause to Legal, and can I see the precedents it used — for a customer contract or a supplier MSA?
ContractGuard Contract Agent (P2P) ContractIntelligence HITL Checkpoint Clause Scoring
S-08 · IT Architecture
Enterprise Architect
IT & Digital Transformation
Primary Concern
Integration complexity. Whether the AE adds surface area to an already complex integration landscape or reduces it by providing a single orchestration layer across existing systems.
Question the AE must answer
Show me the TOGAF Phase D diagram — for all four pillars. Where are the integration points across Salesforce, SAP, Ariba, and the asset telemetry fabric, and what are the failure modes?
TOGAF Phase D All ADRs Layer 03 Infra 4 Solution Trains
S-09 · Information Security
Chief Information Security Officer
Security & Risk
Primary Concern
Data sovereignty. No patient data, device configuration data, or commercially sensitive contract data leaves the EU boundary. Every access is authenticated, every action is logged, every log is tamper-evident.
Question the AE must answer
What is the data residency guarantee, and how is it enforced at the infrastructure layer — not just configured?
VPC-SC CMEK BeyondCorp Layer 03
S-10 · Procurement Leadership
VP Procurement
Procurement & Sourcing
Primary Concern
310 active suppliers across 22 countries running through four disconnected regional Ariba instances at 58% straight-through match — manual reconciliation absorbs a six-person team. This is the transactional lifecycle: sourcing a supplier, negotiating and signing the contract, raising the PO, matching it to the invoice. Continuous supplier risk monitoring once a contract is live belongs to VP Supply Chain Operations — my mandate ends at the PO and the payment, not at ongoing surveillance of who I've already onboarded.
Question the AE must answer
Which sourcing and reconciliation decisions can the agent handle autonomously, and at what value threshold does it hand off to a Category Manager or AP Manager?
Sourcing Agent Contract Agent PO Agent 3-Way Match Agent HITL
S-11 · Supply Chain Leadership
VP Supply Chain Operations
Global Operations
Primary Concern
€95M in annual inventory carrying cost and €32M in stockout exposure, most visibly when a Tier-2 sole-source supplier goes dark with 11 days' notice and no early-warning system exists to absorb the shock. This is the continuous lifecycle: once a supplier is onboarded and contracted, I own watching them — financial distress, geopolitical exposure, concentration risk — and I own what happens to inventory and demand planning when something goes wrong. Procurement's transactional sourcing-to-pay process is VP Procurement's mandate; mine starts the moment a contract is signed and never stops.
Question the AE must answer
How far in advance can the platform see a supplier disruption coming, and how does that signal reach inventory planning before it becomes a stockout?
DemandIQ SupplierSentinel InventoryOrchestrator ProcureGuard
S-12 · Quality & Regulatory Affairs
Quality Director
Regulatory Affairs & Vigilance
Primary Concern
MDR Article 87 vigilance reporting carries a 72-hour SLA from NCR to filed report. Today, device genealogy tracing across S/4HANA and ISO 13485 records is manual — the SLA is met through overtime, not through the system being capable of it.
Question the AE must answer
Show me a vigilance report the agent drafted, end to end — and show me exactly where it stopped and waited for my sign-off.
QualityTrace HITL MDR Article 87 FDA 21 CFR 820

§4a Value Stream Analysis

The current state — mapped precisely.

The TOGAF ADM Phase B input. Understanding where process latency and architectural debt accumulate in the current state is the prerequisite for designing the To-Be architecture. Quote-to-Cash gets the full diagnostic treatment below — the same depth each pillar's own pages give their own value stream. The three diagrams that follow hold all four pillars at once, at the altitude a portfolio decision actually needs: what they look like side by side, where the pain shows up in money, time, and effort, and how that pain was sequenced into an investment order.

Diagram 01 — As-Is Quote-to-Cash Value Stream
Nine organisational handoffs · Average cycle time: 47 days · Zero end-to-end owner
StepOwnerActionLayerDelay
1SalesforceOpportunity created (SFDC)Salesforce layer
2ManualConfig Request to App. EngineeringManual handoff~3 days
3OpsBOM Validation (App. Engineering)Operations / Legal~5 days
4SalesforceCPQ Quote built in SalesforceSalesforce layer~4 days
5LegalLegal Review — no audit trailOperations / Legal~7 days
6SalesforceContract Signed — Salesforce CLMSalesforce layer~5 days
7ManualOrder in SAP — manual entry ERPSAP layer~8 days
No SLA on handoffs
Steps 2–5 have no defined completion SLA. Delays accumulate invisibly.
No end-to-end owner
9 handoffs, 9 teams. Nobody has visibility of the full pipeline state.
Manual SAP entry
Order data re-keyed from Salesforce into SAP. Error rate: ~4%.
47
days average
total cycle time
AE To-Be: Agent-mediated state machine replaces steps 2–5 · Defined SLA per transition · Immutable audit record at every handoff · SAP write automated post-HITL approval.
Salesforce-managed
Manual handoff (delay point)
SAP-managed
No audit trail
Diagram 02 — Portfolio Value Streams at a Glance
Four pillars · Four discrete transaction lifecycles · Each with its own deadline or duration

Quote-to-Cash's value stream above is the deep dive. The other three pillars have value streams of their own — each compressed here to its representative transaction: the one with a clear start, a clear end, and a named human checkpoint, comparable in kind to Quote-to-Cash's 47-day journey.

PillarRepresentative Value StreamMetric
QTCOpportunity → Configure/Quote → Legal/Contract → Order Entry (SAP)47 days · 9 handoffs
P2PSourcing/RFx → Contract/Award → PO Generation → Invoice Match58% straight-through · 6-person manual team
Supply ChainNCR Raised → Device Genealogy Trace → Quality Director HITL → Vigilance Report Filed72-hour SLA · manual, no automated tracing today
Finance OpsTransaction Classification → Finance Controller HITL → SAP Posting → Month-End Close12 days · manual ASC 606 classification
Every pillar's representative value stream contains a named human checkpoint — Legal, AP Manager, Quality Director, Finance Controller — the same HITL principle expressed four different ways. Full step-by-step detail for each pillar's own value stream lives on that pillar's own pages.
Diagram 03 — Time, Money, Effort: Four Incommensurable Pressures
Four pillars · Four different parts of the P&L · Four different owners who may never compare notes

These four numbers do not compete for the same budget line, and they should not be forced onto one chart as if they did. A 47-day CPQ cycle is a Sales Operations problem. A €95M carrying cost is a Supply Chain Finance problem. A six-person reconciliation team is a Procurement headcount problem. A 12-day close is a Controller's problem. Each stakeholder in §3 owns one of these and may never see the other three in the same room — which is exactly the fragmentation a platform-level architecture has to address structurally, not just acknowledge.

DimensionQuote-to-CashProcure-to-PaySupply ChainFinance Operations
Time47-day cycle, 9 handoffs12-day close
Money€95M carrying cost · €32M stockout exposure
Effort6-person manual reconciliation team · 42% non-straight-throughManual ASC 606 classification, no ML-assisted recognition
Some of these incentives can even pull against each other — VP Procurement reducing supplier count to cut transaction overhead can increase VP Supply Chain's concentration risk; Sales accelerating the CPQ cycle can outrun Legal's contract review capacity. A platform that surfaces all four simultaneously is what makes those trade-offs visible before they become incidents, rather than after.
Diagram 04 — Sequencing the Portfolio: Cost of Inaction vs. Integration Risk
Four pillars plotted · One deliberate adoption order · Hardest pillar sequenced last, not least

Given that these incentives conflict, this is how they were sequenced and reconciled. Two factors decide adoption order, consistent with the Go-to-Market Strategy (Page 08): the documented cost of leaving a pillar untouched, and the integration risk of building it given ClaraVis's existing systems.

Portfolio Sequencing — Cost of Inaction vs Integration Risk COST OF INACTION → INTEGRATION RISK → 1st QTC Quote-to-Cash 2nd Fin Ops Finance Operations 3rd P2P Procure-to-Pay 4th Supply Chain Largest Solution Train 7 ARTs · hardest quadrant, not least urgent LOW COST · LOW RISK HIGH COST · LOW RISK LOW COST · HIGH RISK HIGH COST · HIGH RISK
Supply Chain is not sequenced last because it matters least — €95M in carrying cost says otherwise. It is sequenced last because it sits in the hardest quadrant: high cost of inaction and high integration risk simultaneously, the most dependent on the Portfolio's GreenOps and Data Governance enablers reaching maturity first. It inherits a proven platform rather than absorbing the platform's early instability.

§4b System Landscape

Every system ClaraVis runs — and where the orchestration layer is missing.

Where §4a showed process and pressure, this section shows the systems themselves — the complete current-state inventory and exactly where the integration gap sits between them.

Diagram 05 — As-Is System Landscape
Nine disconnected domains · Three EU AI Act-exposed models · No cross-system orchestration layer across any of the four pillars
Salesforce
CRM · CPQ · CLM
Opportunities · Quotes
Contracts · Accounts
Einstein (CRM scope only)
3 ML Models in Production
EU AI Act Annex III — High Risk
Revenue Recognition Model
No SHAP · No HITL · Audit flagged
Asset Failure Prediction Model
No SHAP · No HITL · Audit flagged
Contract Risk Scoring Model
No SHAP · No HITL · Audit flagged
6 Regional Asset Telemetry Systems
No common schema · No unified query · Disconnected
EMEA North · EMEA South
APAC East · APAC West
Americas North · Americas South
⊘ No cross-regional data sharing
SAP S/4HANA
ERP · Finance · Logistics
GL · Revenue Posting
Logistics Execution
⇡ Manual re-key from SFDC
Document Management
On-premise · No full-text search
Contracts stored, not analysed
Finance Reporting Stack
SAP FI/CO + Excel revenue schedules
Month-end close: 12 days
ASC 606 classification: manual
No ML-assisted recognition
Supplier Master & Contract Corpus
310 MSAs · 22 Countries · Split Across Systems
Supplier records — Ariba (4 regional instances)
Contracts — legacy DMS, unanalysed
⊘ No clause-level intelligence — 310 MSAs unscored
⊘ No continuous risk monitoring — annual questionnaire only
Ariba — 4 Regional Instances
Sourcing · PO · Procurement Network
310 Suppliers · 22 Countries
RFx · Purchase Orders
⊘ No visibility into SAP exposure or SFDC contract risk
SAP IBP
Demand Planning
Statistical forecasting only
34% MAPE
⊘ Runs independent of SFDC pipeline and supplier risk signal
Architectural gap: No orchestration layer connects Salesforce · SAP · Ariba · Asset Systems · ML Models into a coherent, auditable, human-supervised enterprise flow — across any of the four process pillars.
Salesforce ecosystem
SAP ecosystem
Ariba ecosystem
EU AI Act exposure
Disconnected / no integration

§5 Requirements Catalogue

What ClaraVis requires — documented and prioritised, pillar by pillar.

Every requirement below is traceable to a stakeholder concern, a regulatory obligation, or a business pain point identified in the preceding sections. Prioritised using MoSCoW — Must Have requirements are architectural constraints on the AE design. Grouped by pillar where a requirement is pillar-specific, and by Platform/Crown where it applies structurally across all four.

11
Business Requirements
Commercial outcomes ClaraVis requires the AE to achieve, grouped by pillar: Quote-to-Cash, Procure-to-Pay, Supply Chain, and Platform/Crown.
14
Architecture Requirements
Structural properties the AE must have — explainability, HITL, compliance, integration. Non-negotiable by design, and largely pillar-agnostic.
8
Constraints
Fixed boundaries — budget, existing systems, regulatory, and integration. The design works within these, not around them.
Business Requirements
Architecture Requirements
Constraints
Quote-to-Cash
IDRequirementDescriptionMoSCoWAE Module
BR-01
Quote-to-Cash cycle accelerationThe end-to-end Q2C cycle — from Opportunity creation to revenue posting in SAP — must be orchestrated with defined SLAs per transition and an immutable audit record at every handoff. The current 47-day average is the primary commercial pain point for VP Sales.MustCCAI Sales Agent · ContractGuard · RevRec AI
BR-02
ASC 606 revenue recognition automationLease vs sale classification and performance obligation identification must be handled by an ML model trained on ClaraVis's contract portfolio, with every classification producing a SHAP explanation and routing through a Finance Controller HITL checkpoint before posting to SAP.MustRevRec AI · SAP Integration
BR-03
Customer contract clause intelligence and risk scoringEvery inbound customer contract must be analysed at clause level — liability caps, indemnification, governing law, IP ownership — with non-standard terms flagged to Legal with a risk score, precedent references, and a draft counter-position before any countersigning event.MustContractGuard
BR-04
CCAI Sales Agent for inbound MRI inquiriesAn intelligent sales agent must handle the first stages of an inbound MRI inquiry autonomously — qualification, clinical configuration fit, pricing estimate — and escalate to a Senior AE with a full briefing document when commercial terms are required. Autonomy boundary specified in HITL spec.ShouldCCAI Sales Agent · Salesforce Integration
BR-05
Unified asset telemetry and predictive maintenanceThe six regional asset telemetry systems must feed a single streaming pipeline enabling fleet-level RUL prediction and unit-level anomaly detection. The warranty reserve over-provision is a direct consequence of the inability to model failure probability at scale.MustAsset IQ · Pub/Sub Pipeline
Procure-to-Pay
IDRequirementDescriptionMoSCoWAE Module
BR-06
Procure-to-Pay straight-through automationThe full source-to-pay lifecycle — sourcing, contract award, PO generation, and invoice reconciliation — must be orchestrated end-to-end with defined risk classifications and named human checkpoints at each stage. ClaraVis runs 310 active suppliers across 22 countries through four regional Ariba instances at a 58% straight-through match rate today, requiring a six-person manual reconciliation team to close the gap. This is the Procure-to-Pay equivalent of BR-01's Q2C acceleration mandate.MustSourcing Agent · Contract Agent · PO Agent · 3-Way Match Agent
Supply Chain
IDRequirementDescriptionMoSCoWAE Module
BR-07
Continuous supply chain risk and demand intelligenceSupplier financial distress, geopolitical exposure, and sub-tier concentration risk must be monitored continuously rather than via an annual questionnaire — the current process gave zero advance warning when a Tier-2 sole-source supplier went dark with 11 days' notice. Demand forecasting must improve from a 34% MAPE baseline toward ≤12% by reading SAP IBP, Salesforce pipeline, and external signals together. Related telemetry signal: see BR-05 (Asset IQ), which feeds inventory and field-service planning from a different system boundary within Quote-to-Cash.MustDemandIQ · SupplierSentinel · ProcureGuard · InventoryOrchestrator
BR-08
MDR Article 87 vigilance automationNon-conformance reports must trace full device genealogy across S/4HANA and ISO 13485 records and produce a draft vigilance report within the regulator-mandated 72-hour SLA. This is currently a manual process with no automated genealogy tracing, met through overtime rather than systemic capability. Every report routes through Quality Director HITL before filing.MustQualityTrace
Platform / Crown
IDRequirementDescriptionMoSCoWAE Module
BR-09
EU AI Act compliance across all production and forthcoming modelsAll three existing ML models — revenue recognition, asset failure, contract risk — must be brought into EU AI Act Annex III compliance, requiring SHAP explanations, documented HITL checkpoints, and a versioned risk management system before the next compliance review. This obligation is not unique to the three current models: every model reaching production in Procure-to-Pay (Contract Agent, 3-Way Match) and Supply Chain (DemandIQ, SupplierSentinel, ProcureGuard, ContractIntelligence, InventoryOrchestrator, QualityTrace) carries the same Annex III classification and the same continuous risk-management obligation under Article 9 from the moment it goes live.MustRevRec AI · Asset IQ · ContractGuard · XAI Layer (platform-wide, applies to all current and future models)
BR-10
Data sovereignty — no data leaves EU boundaryAll PII, PHI, device configuration data, and commercially sensitive contract data must remain within the EU GCP region boundary. This is a hard constraint from the CISO and a GDPR requirement. Enforcement must be architectural — VPC-SC — not policy-based.MustLayer 03 Infrastructure · VPC-SC
BR-11
Executive strategy dashboard with full-platform OKR visibilityC-suite requires a unified view of portfolio performance — pipeline health, asset fleet status, revenue recognition posture, compliance status — in a single dashboard. Current state requires pulling from Salesforce, SAP, Ariba, and six regional systems manually. Procure-to-Pay and Supply Chain panels are on the Strategy Dashboard's own roadmap as those pillars reach the same data-fabric contract Quote-to-Cash already satisfies — this requirement is platform-wide in intent, current in delivery for Quote-to-Cash only.ShouldStrategy Dashboard · BigQuery
Platform / Crown
IDRequirementDescriptionMoSCoWRegulatory Basis
AR-01
SHAP explanation per ML inferenceEvery ML model inference that informs a business decision must produce a SHAP explanation identifying the top contributing features, their directional effect, and the model confidence score. The explanation must be written to the audit log before any downstream action executes.MustEU AI Act Art. 13 & 14
AR-02
HITL checkpoint as formal state machine nodeEvery high-risk decision must route through a named human approver via a formal HITL state — with defined entry condition, presentation contract, decision interface (approve/reject/escalate), timeout behaviour, and immutable audit record. HITL is a first-class architectural component, not a process note.MustEU AI Act Art. 14
AR-03
Immutable audit trail for all agent actionsEvery agent action — tool call, state transition, HITL event, model inference — must be written to an immutable audit store (Firestore) before the action is considered complete. The audit record must be queryable but not modifiable. Deletion requires a separate access-controlled process with its own audit trail.MustEU AI Act Art. 12 · ISO 13485
AR-05
Model Cards for every ML modelEvery model in production must have a Model Card documenting intended use, training data summary, evaluation metrics, known limitations, bias analysis, and the HITL checkpoint specification. Model Cards are versioned alongside the model in Vertex AI Model Registry and reviewed as part of the promotion gate.MustEU AI Act Art. 11 · Google Model Cards
AR-06
VPC-SC perimeter for data sovereigntyAll data processing must occur within a VPC-SC perimeter configured to prevent data exfiltration outside the EU GCP region. The perimeter is enforced at the infrastructure layer via Terraform — it is not a network policy that can be overridden by application configuration.MustGDPR · EU DPDP · BR-10
AR-07
CMEK encryption — ClaraVis key custodyAll data at rest and in transit must be encrypted using Customer-Managed Encryption Keys via Cloud KMS. ClaraVis retains key custody — Google cannot access encrypted data without ClaraVis key authorisation. Key rotation policy: 90 days.MustISO 27001 · GDPR
AR-10
ADR documentation for every significant decisionEvery significant architectural decision must be documented as an Architecture Decision Record with status, context, decision, alternatives considered, and consequences. ADRs are version-controlled in the repository and linked from the relevant module page. This portfolio currently has ADR-001 and ADR-002 active.MustTOGAF ADM · Portfolio Standard
AR-11
Pub/Sub event fabric as the integration busAll cross-system events — asset telemetry, Salesforce opportunity updates, SAP posting confirmations, Ariba sourcing events — must be published to a Pub/Sub topic before downstream systems consume them. This decouples producers from consumers, enables replay for audit purposes, and provides the foundation for the streaming ML feature pipeline.ShouldArchitecture Principle · BR-05
AR-12
Drift detection and automated retraining triggerEvery model in production must have a Vertex AI monitoring job configured to detect data drift and concept drift against a baseline. Drift beyond a defined threshold must trigger an alert, generate a retraining recommendation, and route to the ML Engineer HITL checkpoint before any automated retraining executes.ShouldEU AI Act Art. 9 · MLOps Standard
Quote-to-Cash
IDRequirementDescriptionMoSCoWRegulatory Basis
AR-04
Salesforce as system of record — AE augmentsThe AE reads from and writes back to Salesforce via Developer Edition REST API. Salesforce remains the source of truth for commercial data. The AE does not maintain a parallel CRM. Any data written to Salesforce by the AE is tagged with the agent action ID that produced it (ADR-001, ADR-002).MustADR-001 · ADR-002
AR-08
ASC 606 rules as write-path constraintsRevenue recognition classification rules must be encoded as write-path constraints in the data model — applied at transaction time, before any posting. Recognition logic is not a reporting layer applied after the fact. Every transaction is tagged with the performance obligation it satisfies at the time of writing.MustASC 606 · IFRS 15 · BR-02
AR-09
Device History Record atomic writeEvery MRI device shipment event must write simultaneously to the Salesforce Order, the SAP logistics record, and the ISO 13485 Device History Record — in a single atomic transaction. Partial writes are not acceptable. The DHR must be created before the shipment is considered confirmed.MustFDA 21 CFR 820 · ISO 13485
Procure-to-Pay & Supply Chain
IDRequirementDescriptionMoSCoWRegulatory Basis
AR-13
Ariba and SAP IBP as systems of record — AE augmentsThe AE reads from and writes back to Ariba and SAP IBP via the same augment-not-replace principle established for Salesforce (AR-04). Ariba remains the source of truth for sourcing, RFx, and purchase order data; SAP IBP remains the source of truth for demand planning. The AE does not maintain a parallel procurement or planning system. Any data written by the AE to either system is tagged with the agent action ID that produced it, consistent with AR-04's pattern.MustADR-002 · AR-04 (parallel pattern)
Supply Chain
IDRequirementDescriptionMoSCoWRegulatory Basis
AR-14
A2A protocol mandate boundary for autonomous agent negotiationWhere agents negotiate directly with counterparty agents over the A2A protocol — ContractIntelligence and ProcureGuard's supplier negotiation capability — the autonomy boundary must be explicit and enforced at the protocol layer, not the application layer. Agents may negotiate standard delivery, payment, and warranty terms autonomously. Any deviation in jurisdiction, liability cap, IP, or indemnification terms must halt the negotiation and route to Legal HITL before any commitment is made. Counterparty authentication uses mutual Workload Identity Federation and signed Agent Cards — an unverified counterparty agent cannot enter a negotiation at all, regardless of term content.MustEU AI Act Art. 14 (parallel to AR-02, applied to agent-to-agent rather than human-facing HITL)
IDConstraintDescription & Impact on DesignMoSCoWSource
C-01
Zero additional software licensing costThe AE portfolio is a demonstration system built on free-tier and open-source components. No paid API subscriptions, no commercial data connectors, no licensed dataset providers. Salesforce Developer Edition and the Ariba developer/sandbox account (free, permanent) are the only external dependencies. All GCP services will operate within the free tier or GCP credits until the build phase begins.MustPortfolio Constraint
C-02
Salesforce Developer Edition as integration patternSalesforce integration uses Developer Edition REST API only — no Enterprise or Unlimited Edition features, no paid connectors, no ISV AppExchange dependencies. The integration pattern must be demonstrable on a free Developer Edition org with sample data. Schema is Salesforce standard objects only (ADR-001).MustADR-001 · C-01
C-03
SAP integration via middleware abstractionDirect SAP API integration is not implemented in the portfolio demo (SAP license cost). The AE design shows the integration architecture — BAPI/RFC via middleware, or BTP event mesh — and the demo uses a BigQuery table seeded with SAP-schema data to represent the ERP layer. The architecture is correct; the live integration is deferred to the client engagement phase.MustC-01 · ADR-002
C-08
Ariba developer/sandbox as integration patternAriba integration uses a live developer/sandbox account — Ariba remains the system of record for sourcing, RFx, and purchase order data, demonstrated against this consistent with the Salesforce Developer Edition pattern (C-02). No paid Ariba Network subscription tier, no production supplier data. Schema is Ariba standard objects only.MustC-01 · parallel pattern to C-02
C-04
EU data residency — GCP europe-west3 (Frankfurt)All GCP resources must be provisioned in europe-west3 (Frankfurt) or europe-west4 (Netherlands) only. No multi-region configurations that include non-EU endpoints. This is enforced via Terraform variable and Organisation Policy constraint — not configurable at the application layer.MustGDPR · BR-10 · AR-06
C-05
MVP-plus build standardEach module is built to demonstrate one complete end-to-end flow — sufficient to impress a hiring manager or enterprise architect in a live demo. Production hardening (multi-region failover, 99.99% SLA engineering, load testing) is out of scope for the portfolio phase. Architecture is designed for production; the implementation is scoped for demonstration.MustPortfolio Scope
C-06
Existing Salesforce, SAP, and Ariba investments preservedThe AE does not replace Salesforce, SAP, or Ariba. All three systems remain in place and the AE augments them. Any design decision that requires replacing any of the three is out of scope. The AE is the orchestration and intelligence layer — the systems of record stay (ADR-002).MustADR-002 · BR-10
C-07
SAFe delivery governance — light touchThe AE modules map to Agile Release Trains consistent with SAFe 6.0 principles. Full Program Board and PI Planning artifacts are documented at the architectural level (Page 04) but are not operationally executed for the portfolio build. The SAFe mapping demonstrates delivery governance understanding; it is not a live programme management process.CouldSAFe Page 04

§6 AI Readiness Assessment

Where ClaraVis stands today — five dimensions.

The AI Readiness Assessment is the input to the TOGAF Architecture Vision. It defines the starting position across five dimensions and frames the gap the AE is designed to close. Scored 1–5. Findings are actionable, not evaluative.

Data Maturity
4/ 5
Salesforce and SAP maintain high-quality structured data. The gap is the six regional asset systems — no common schema, no unified API. BigQuery is not yet deployed. Data fabric is partially in place.
Action: Unified Pub/Sub ingestion pipeline + BigQuery data fabric as AE Day 1 infrastructure.
ML Infrastructure
2/ 5
Three models in production, all built without MLOps tooling. No Vertex AI Pipelines. No Model Registry. No drift detection. No automated retraining. Models are static artefacts, not managed assets.
Action: Vertex AI Pipelines + Model Registry + monitoring jobs — mandatory before next model promotion.
HITL Capability
1/ 5
No formal HITL architecture exists. Human review happens informally via email and Slack. No structured approval interface, no timeout behaviour, no audit record of the human decision. EU AI Act Art. 14 is currently unsatisfied.
Action: HITL state machine design is Phase 1 of AE build. Blocks all other module development.
Regulatory Posture
2/ 5
ISO 13485 and FDA 21 CFR 820 compliance is established for device manufacturing. AI-specific obligations under EU AI Act Annex III are not yet addressed. Q3 2025 audit flagged all three production ML models as non-compliant.
Action: XAI layer + HITL spec + Model Cards + risk management documentation — all required for compliance.
Org Change Readiness
3/ 5
CTO and VP Sales are active sponsors. Finance and Legal are cautious but engaged following the compliance audit. Field Service is enthusiastic about predictive maintenance. The compliance team requires visible HITL before endorsing any AI deployment.
Action: HITL visibility is the organisational unlock. Demonstrate it first, expand second.

§7 Strategic Decisions Enabled

Not a catalogue of capabilities — a record of decisions no single pillar could support alone.

A portfolio is not a catalogue of capabilities — each pillar's own pages already do that job, in full depth. A portfolio is the evidence base for decisions that no single pillar could support alone. The four decisions below are not things the AE does; they are things ClaraVis's leadership can now decide, where the evidence to decide them previously didn't exist in one place, or didn't exist at all.

SD-01 · Owner: CFO · S-03
Can the CFO see total enterprise financial exposure in one sitting?
Before: Quote-to-Cash's contract risk, Finance Operations' treasury exposure, and Procure-to-Pay's commitment exposure live in three systems that have never been read together. A CFO preparing for a board meeting reconstructs this manually, pillar by pillar, with no guarantee the numbers are from the same moment in time.

Now: FinRisk Sentinel's governance-level scope synthesises all three into a single cross-domain risk posture, refreshed on a cadence appropriate for board-level reporting — not real-time, not reconstructed, continuously current. The CFO opens one view instead of requesting three.
Evidence: FinRisk Sentinel (M-04), governance-level aggregation across Quote-to-Cash, Finance Operations, Procure-to-Pay
SD-02 · Owner: CCO · S-02
Can the Board get one answer to "are we EU AI Act compliant" — not four?
Before: Each pillar owner can attest their own models are compliant. No one is positioned to see whether the seams between pillars — a model whose HITL checkpoint quietly stopped firing, a framework interaction no single pillar owner would think to check — create exposure that no individual attestation would catch.

Now: Compliance Command Centre holds all nine regulatory frameworks in one posture view across all four pillars, refreshed every 15 minutes, and is built to surface an amber flag honestly rather than round it up to green. The Board gets one number, not four reassurances.
Evidence: Compliance Command Centre (M-09) — nine frameworks, four pillars, one posture, with the live EU AI Act Article 9 amber flag as proof the dashboard reports the truth rather than a managed narrative
SD-03 · Owner: CTO · S-01
Can leadership decide which pillar gets funded next using one evidence base — not four competing pitches?
Before: Quote-to-Cash, Procure-to-Pay, Supply Chain, and Finance Operations each have a compelling case for investment, expressed in incommensurable terms — days, euros, headcount. Without a common evidence base, sequencing becomes whoever pitches loudest, not whoever the architecture says should go first.

Now: The portfolio holds all four pillars' cost-of-inaction and integration-risk profiles on one framework (§4a), making the trade-off — and the cases where pillars' incentives genuinely conflict — visible before the funding decision is made, not after it's regretted.
Evidence: §4a Diagrams 02–04 (value stream comparison, incommensurable pressures, cost-of-inaction × integration-risk sequencing) · ADR-016 (phased adoption, Page 08)
SD-04 · Owner: CCO · S-02
Can ClaraVis prove its compliance posture has been a sustained practice, not a pre-audit scramble?
Before: A compliance review is typically prepared for — documentation assembled retroactively, audit trails reconstructed under deadline pressure, in the weeks before the regulator arrives.

Now: Because Data Governance, the HITL framework, and the XAI layer are Horizon 1 foundation — not Horizon 3 features — by the time of any review, the audit trail has months of immutable, continuously-accumulated records across every pillar that has gone live, not a hastily-assembled file. Leadership can show a regulator a practice, not a performance.
Evidence: Data Governance (M-08, sole H1 module) · GreenOps/Strategy Dashboard sequencing precedent · Page 08 Risk 03 (Regulatory Approval Timeline) and its Horizon 1 mitigation

§8 Success Criteria

How ClaraVis will know the AE is succeeding — at the level Lean Portfolio Management funds it.

Success criteria at the portfolio level answer a different question than success criteria at the module level. A module either works or it doesn't — that detail lives on each pillar's own pages. At the portfolio level, the question is whether the three Strategic Themes that Lean Portfolio Management funds (Page 04) are actually delivering the outcome they were funded for. Each criterion below is owned by the same Epic Owner named in the Theme's funding record, observable at the system level, and reviewed at the Portfolio Sync — not a one-time before/after snapshot.

Theme 01 · Cycle Time Compression — Epic Owner: VP Sales Operations
Quote-to-Cash and Finance Operations cycles are observably compressing, not compressed once
The Quote-to-Cash cycle time is tracked as a rolling metric in the Strategy Dashboard, not a one-time baseline — the 47-day figure is a starting point with a falling trend line, reviewed at every Portfolio Sync, not a number quoted once and never revisited
Finance Operations' month-end close shows the same falling-trend treatment — the 12-day baseline must be observably compressing as RevRec AI's automated classification absorbs a growing share of transactions, with the manual share reported alongside the automated share, not hidden once it's no longer 100%
Every state transition in both cycles — Q2C handoffs and the close process — has a defined SLA with automatic escalation on breach, and breach frequency is itself a tracked metric, not just the existence of the SLA
If the trend line flattens or reverses for two consecutive Portfolio Syncs, that is itself a reportable finding to the Epic Owner — the Theme's funding is contingent on the trend continuing, not on having compressed once
Theme 02 · Regulatory Readiness — Epic Owner: Chief Compliance Officer
EU AI Act Annex III posture is auditable on demand, across all four pillars
Every ML inference above a defined risk threshold, across all four pillars — not only the three models currently in production — produces a SHAP explanation written to the audit log before the downstream action executes
Every high-risk decision, in any pillar, routes through a named human approver via a formal HITL state — no exceptions, no bypasses, and the Compliance Command Centre's HITL audit coverage section reports this as a coverage percentage, not a policy statement
A compliance audit query returns a complete, unbroken decision trail for any inference made in the last 24 months, from the BigQuery audit log directly — not a reconstructed report assembled for the request
The Compliance Command Centre's posture dashboard is permitted to show amber or red — a Theme that only ever reports green is not succeeding, it's hiding. The existing live amber flag on FinRisk's Article 9 monitoring is evidence the Theme is reporting honestly, not evidence it has failed
Theme 03 · Supply Chain Resilience — Epic Owner: VP Supply Chain
Carrying cost, stockout exposure, and disruption warning time are all measurably improving
Annual inventory carrying cost and stockout exposure are both tracked as rolling figures against the €95M and €32M baselines, with a falling trend reviewed at each Portfolio Sync — the same discipline as Theme 01's cycle-time tracking, applied to cost instead of time
SupplierSentinel's advance-warning window is the Theme's sharpest test: the next sole-source Tier-2 disruption must surface with materially more notice than the 11 days the platform was built to outpace — measured the next time it actually happens, not simulated
DemandIQ's forecast error is tracked against the 34%-toward-≤12%-MAPE target on the same rolling basis, with the gap to target reported, not just the direction of travel
QualityTrace's 72-hour vigilance SLA has a measured on-time filing rate, not just an architectural claim that the SLA can be met — a Theme that has the capability but no measured compliance rate has not demonstrated resilience, only designed for it
Platform Infrastructure — Steward: Enterprise Architect · S-08
Cross-cutting infrastructure properties hold across every pillar, with no single Theme owner
VPC-SC perimeter is provisioned via Terraform — the data residency constraint is in infrastructure code, not network policy — and this is verified by configuration audit, not by absence of an incident
CMEK keys are provisioned and owned by ClaraVis's own Cloud KMS project across every pillar's data, with Google holding no decryption access at any point
Every module page links to the ADRs that govern its design decisions — no component exists without a traceable decision record — and the ADR index is reviewed for currency at the same cadence as the Portfolio Sync, not left to go stale between major revisions
All GCP resources, across all four pillars, are deployed to europe-west3 or europe-west4 only, enforced by Organisation Policy constraint at the Terraform root — not configurable at the application layer in any pillar
ADR-001 · Salesforce Integration Pattern
Salesforce Developer Edition — REST API
Selected over BigQuery Data Transfer, CSV export, and Google Sheets mock patterns. Salesforce Q2C domain depth is the portfolio's primary differentiator — a live API integration makes that depth observable and demonstrable, not merely claimed.
Status: Accepted
ADR-002 · GCP alongside Salesforce
Augmentation, not replacement
The AE addresses five domains outside Salesforce Einstein's boundary: physical asset intelligence, EU AI Act Annex III explainability, cross-system revenue recognition, full-document contract intelligence, and cross-system orchestration. Salesforce remains the system of record.
Status: Accepted

§9 Next in the Portfolio

Requirements captured. Architecture follows.

This document is the input to TOGAF Phase A — Architecture Vision. Every diagram, decision record, and architecture component in the pages that follow traces back to a requirement, constraint, or stakeholder concern documented here.