TOGAF ADM: Architecture Development Method
Preliminary through Phase G
This is not a textbook summary — it is a working architecture engagement record, governed end to end by the Enterprise Architecture Board.
§1 Architecture Development Method
The ADM, governed end to end. Not just walked through.
Each phase below produces a specific artifact for the ClaraVis engagement. The Enterprise Architecture Board (EAB) — chartered in Phase G, §9 — owns the gate between every phase: no Solution Train consumes a Phase D artifact as architecture runway until the EAB has certified it sufficient, and no work package enters delivery until its build-vs-buy decision is recorded. Requirements Management is continuous — every requirement from Page 02 is live throughout every phase.
Every decision this page produces becomes an input two pages downstream consume without re-deriving: Lean Portfolio Management (Page 04) funds Solution Trains against the runway certified here, and the Go-to-Market adoption argument (Page 08) cites the ADRs recorded here by number. This page is upstream of both — get the gate wrong here, and every page after it inherits the error.
The Preliminary Phase is where the EAB's authority — and the principles it enforces — are established first.
§2 Preliminary Phase
Architecture Principles — the rules the design cannot break.
Twelve principles established before any architecture work begins. These are not aspirational guidelines — they are binding constraints on every design decision that follows. Four are load-bearing enough to appear, unchanged, as the platform's headline commitments on Page 1: SHAP Before HITL, SAP Write Guard, Quarantine-Then-Review, Augment Not Replace. That repetition is deliberate — a principle that only matters at the documentation level and never surfaces where a CTO or hiring manager actually looks isn't load-bearing. The other eight govern decisions that are real but operate one layer down. Any component that violates a principle requires a formal ADR documenting the exception and its consequences.
| ID | Principle | Constraint Reference |
|---|---|---|
| P-01 | Explainability engineered in | EU AI Act Annex III · AR-01 |
| P-02 | Human oversight at the write path | EU AI Act Art. 14 · AR-02 · AR-14 |
| P-03 | Compliance as write-path constraints | BR-02 · AR-08 · AR-09 |
| P-04 | Augment, don't replace | ADR-002 · C-06 |
| P-05 | Every decision documented | AR-10 · TOGAF ADM standard |
| P-06 | Data sovereignty at infrastructure layer | GDPR · BR-10 · AR-06 · C-04 |
| P-07 | Every agent has an autonomy boundary | EU AI Act Art. 14 · AR-02 · AR-14 |
| P-08 | Invalid data is quarantined, never discarded | AR-03 · ADR-DG02 |
| P-09 | Event fabric is the integration bus | AR-11 · BR-05 |
| P-10 | Model Cards are versioned artifacts | EU AI Act Art. 11 · AR-05 |
| P-11 | Zero-trust security | ISO 27001 · AR-07 |
| P-12 | Cost allocation tagged day one | CFO requirement · C-01 |
The principles are binding. Phase A is where they first get tested against a real stakeholder's real question.
§3 Phase A — Architecture Vision
Phase A is fully elaborated on Page 02 — not duplicated here.
The full nine-stakeholder register has grown to twelve, and the As-Is/To-Be positioning argument now spans all four pillars. Both live on Page 02, at platform scope, in more depth than a TOGAF methodology page should attempt to hold. This section states what Phase A produced and points to where each artifact actually lives.
The vision is set. Phase B turns it into a value stream ClaraVis can actually run.
§4 Phase B — Business Architecture
Phase B is fully elaborated on Page 02, §4a — not duplicated here.
The To-Be value stream, the four-pillar comparison, the Time/Money/Effort incommensurability table, and the cost-of-inaction sequencing map all live there — Business Architecture at platform scope means comparing four pillars' value streams against each other, work that belongs at the requirements layer, not restated at the methodology layer.
One sentence is true across all four pillars, regardless of which one a reader opens next: every manual handoff in every pillar's value stream is replaced by an agent-mediated state transition with a defined SLA and an audit record. The capability model below is the one Phase B artifact that doesn't live anywhere else — a value stream is pillar-specific by nature, but a capability model spans all four at once.
The business architecture is defined. Phase C is where it becomes a data model every module can share.
§5 Phase C — Information Systems Architecture
The canonical data model — seven entities, shared across every module in every pillar. This is the one structural proof that the AE is a coherent system, not eight applications that happen to share a brand. No module reads or writes outside this schema; no pillar invents its own version of Contract, Transaction, Supplier, or HITL Event.
sfdc_contract_id · FK (customer contracts)
supplier_id · FK (supplier MSAs)
status · clauses[] · risk_score · shap_ref
hitl_event_id · FK→ ContractGuard · RevRec · Contract Agent (P2P) · ContractIntelligence (SC)
sap_doc_id · contract_id
recognition_type · ASC606
perf_obligation_tags[]
hitl_event_id · shap_ref→ RevRec AI · FinRisk
model_sku · install_date
region · hospital_id
rul_score · last_event_ts
dhr_ref · contract_id→ Asset IQ · ISO 13485
event_type · severity
sensor_payload · ts
dicom_code · region
pubsub_msg_id→ Asset IQ · GreenOps
region · country · risk_tier
financial_distress_score · concentration_flag
contract_id[] · FK · last_reviewed_ts→ Procure-to-Pay · SupplierSentinel · ContractIntelligence
input_ref · output_ref · shap_explanation_id
hitl_event_id · ts · confidence_score→ All modules · XAI Layer · triggers HITL Event
decision · reason_code · shap_presented · ts
timeout_at · escalated · immutable · Firestore→ All HITL checkpoints
Reads: Agent Action results, HITL outcomes
Reads: RevRec classification post-HITL approval
Orchestrates: all cross-system flows, across every pillar
Serves: all modules via BigQuery + Feature Store
Reads: SupplierSentinel risk score post-evaluation
§6 Phase D — Technology Architecture
The architecture runway — certified once, consumed by every Solution Train. Layer naming reconciled with Page 1.
This is the artifact Lean Portfolio Management (Page 04, §1) calls "architecture runway" without re-deriving it: the four-layer contract every module in every pillar is built against. Get this wrong here, and four Solution Trains inherit the error independently, each discovering it at a different, more expensive moment. The concept overview establishes the four-layer model and the principal services. The full technical diagram on each pillar's own page shows every named GCP service, the VPC-SC perimeter, network topology, IAM boundaries, and data flow paths.
| Layer | Principal Services | Flow to Next Layer |
|---|---|---|
| 01 · Presentation & Experience | Portfolio Site · 8 App Dashboards · HITL Approval UI · XAI Explanation Viewer · Architecture Explorer · Audit Trail Dashboard | REST / gRPC |
| 02 · Agent Orchestration | CCAI Sales Agent (ADK) · ContractGuard Agent · RevRec AI Agent (ADK) · Asset IQ Agent (ADK) · FinRisk Sentinel · Orchestrator (A2A Protocol, MCP Tool Manifest) · HITL State Machine (Firestore) | Pub/Sub · VPC-native |
| 03 · MLOps & Intelligence | Vertex AI Pipelines + Models · BigQuery Data Fabric + Audit · Pub/Sub Event Fabric · Feature Store (Vertex AI FS) · SHAP / XAI Explanation Layer · Model Registry + Cards · Drift Detection | CMEK · IAM · VPC-SC |
| 04 · Infrastructure & Governance | Terraform IaC · VPC-SC · BeyondCorp · CMEK · KMS · IAM · WIF · GKE · Cloud Run · Cloud Build CI/CD | — |
Every Solution Train in the Portfolio is required to build on the same four-layer model and the same shared services shown in the concept diagram above — GCP as the sole cloud provider, the HITL state machine and XAI/SHAP contract as non-negotiable platform standards, and a single VPC-SC perimeter per pillar rather than four independent security postures. Each pillar's specific GCP reference architecture — every named service, IAM boundary, and network topology for its own workload — is documented in full on that pillar's own Infrastructure & GCP Architecture page:
The runway is certified. Phase E is where the EAB decides what gets built once, centrally, and what each pillar builds for itself.
§7 Phase E — Opportunities & Solutions
The build-vs-buy gate, decided once. Not re-litigated per pillar.
Every work package below was tested against the same question before it entered the migration roadmap: does a GCP-managed service already solve this, or does ClaraVis's specific regulatory and architectural requirement mean it has to be built? The pattern that recurs across every row — build the orchestration and the audit trail, buy the commodity signal underneath it — is the EAB's standing rule, not a one-off judgment call made fresh for each package.
| Work Package | Decision | Owner | Horizon |
|---|---|---|---|
| WP-01 · GCP Foundation | Build — see ADR-002 | Portfolio | H1 |
| WP-02 · Data Governance | Build on TFX — see ADR-DG01 | Portfolio | H1 |
| WP-03 · HITL Framework | Build — no commercial product encodes Article 14's requirements; see Preliminary Phase P-02 | Portfolio | H1 |
| WP-04 · XAI / SHAP Layer | Buy the library, build the integration — see ADR-003 | Portfolio | H1 |
| WP-05 · Quote-to-Cash agents | Build — domain-specific agent logic, documented on Quote-to-Cash's own pages | Quote-to-Cash | H2 |
| WP-06 · GreenOps scheduling | Build the scheduler, buy the signal — see ADR-GO02 | Portfolio | H3 |
| WP-07 · Strategy Dashboard | Buy the rendering layer, build the views — see ADR-SD01 | Portfolio | H3 |
| WP-08 · Remaining Solution Trains | Build — Procure-to-Pay, Finance Operations, and Supply Chain each build their own ARTs on the Portfolio's H1 foundation, including the Ariba and SAP IBP integration patterns (see AR-13). Documented on each pillar's own pages. | Per pillar | H2–H3 |
The build-vs-buy pattern that recurs across every work package: build the orchestration and the audit trail, buy the commodity signal underneath it. No work package proposes building a substitute for a Google-managed service the Portfolio already has access to.
§8 Phase F — Migration Planning
Three horizons, one sequence — the single source of truth every other page points back to.
This is the definition LPM's PI cadence (Page 04) expands into nine Programme Increments, and the definition GTM's adoption argument (Page 08) restates through an adoption lens. Both pages reference H1/H2/H3 by name; neither redefines them. If this section changes, both of those pages' framing changes with it.
The horizons are sequenced. Phase G is where the EAB keeps every Solution Train honest against this sequence as it executes.
§9 Phase G — Implementation Governance
The EAB, chartered. Not designing — certifying.
Every certification this page has made — the runway in §6, the build-vs-buy ownership in §7, the horizon sequencing in §8 — is only as good as the body that keeps checking it's still true after the ink dries. The Enterprise Architecture Board is that body. It does not design architecture; Phases A through F already did that. It certifies that what's being built still matches what was designed, continuously, for as long as the platform runs.
Phase G is not a quarterly review cycle here — it runs continuously, and the evidence is the Governance Control Plane Dashboard →: live SLO error budgets, HITL queue depth, EU AI Act Model Registry currency, model drift, Terraform drift, and FinOps spend, across all four pillars.
The EAB watches conformance. Requirements Management watches whether the requirements themselves are still the right ones.
§10 Requirements Management
Continuous, not a phase you pass through once. Every requirement, traced.
Every BR, AR, and Constraint from Page 02 stays live across every phase above — this section is the traceability record proving each one actually landed somewhere, rather than being captured in Phase A and quietly forgotten by Phase F. Where the EAB (§9) checks whether the build still matches the design, Requirements Management checks whether the design still matches the requirement — a different failure mode, equally fatal if no one's watching for it.
| ID | Requirement | Phase | Artifact | Implementing Module |
|---|---|---|---|---|
| BR-01 | Quote-to-Cash cycle acceleration | Phase B | To-Be Value Stream (Page 02, §4a, Diag. 01) | CCAI Sales Agent · ContractGuard · RevRec AI |
| BR-02 | ASC 606 revenue recognition automation | Phase B/D | Value Stream · Transaction entity (§5) | RevRec AI · Finance HITL · SAP integration |
| BR-03 | Customer contract clause intelligence | Phase B/D | Value Stream · GCP Architecture (§6) | ContractGuard · Document AI · Gemini 1.5 Pro |
| BR-04 | CCAI Sales Agent for inbound inquiries | Phase B | To-Be Value Stream (Page 02, §4a) | CCAI Sales Agent · Salesforce Integration |
| BR-05 | Unified asset telemetry and predictive maintenance | Phase C | Device · Asset Event entities (§5) | Asset IQ · Pub/Sub Pipeline |
| BR-06 | Procure-to-Pay straight-through automation | Phase B/E | Value Stream (Page 02, Diag. 02) · WP-08 (§7) | Sourcing · Contract · PO · 3-Way Match Agents |
| BR-07 | Continuous supply chain risk and demand intelligence | Phase C/E | Supplier entity (§5) · WP-08 (§7) | DemandIQ · SupplierSentinel · ProcureGuard · InventoryOrchestrator |
| BR-08 | MDR Article 87 vigilance automation | Phase B/F | Value Stream (Diag. 02) · H2 horizon (§8) | QualityTrace |
| BR-09 | EU AI Act compliance — all models | Prelim/G | P-01 · P-02 (§2) · EAB gate (§9) | RevRec AI · Asset IQ · ContractGuard · XAI Layer (platform-wide) |
| BR-10 | Data sovereignty | Prelim/D | P-06 (§2) · Layer 04 (§6) | Layer 04 Infrastructure · VPC-SC |
| BR-11 | Executive strategy dashboard, full-platform OKR | Phase F | H3 horizon (§8) | Strategy Dashboard · BigQuery |
| ID | Requirement | Phase | Artifact | Regulatory / Reference Basis |
|---|---|---|---|---|
| AR-01 | SHAP explanation per ML inference | Prelim | P-01 principle (§2) | EU AI Act Art. 13 & 14 |
| AR-02 | HITL checkpoint as state machine node | Prelim | P-02 principle, revised (§2) | EU AI Act Art. 14 |
| AR-03 | Immutable audit trail for all agent actions | Prelim/C | P-08 principle, revised (§2) · Agent Action entity (§5) | EU AI Act Art. 12 · ISO 13485 |
| AR-04 | Salesforce as system of record | Prelim | P-04 principle (§2) | ADR-001 · ADR-002 |
| AR-05 | Model Cards for every ML model | Prelim | P-10 principle (§2) | EU AI Act Art. 11 |
| AR-06 | VPC-SC perimeter for data sovereignty | Prelim/D | P-06 principle (§2) · Layer 04 (§6) | GDPR · EU DPDP · BR-10 |
| AR-07 | CMEK encryption — key custody | Prelim | P-11 principle (§2) | ISO 27001 · GDPR |
| AR-08 | ASC 606 rules as write-path constraints | Prelim/C | P-03 principle (§2) · Transaction entity (§5) | ASC 606 · IFRS 15 · BR-02 |
| AR-09 | Device History Record atomic write | Phase C | Device entity (§5) | FDA 21 CFR 820 · ISO 13485 |
| AR-10 | ADR documentation for every decision | Prelim | P-05 principle (§2) | TOGAF ADM · adr-index.html |
| AR-11 | Pub/Sub event fabric as integration bus | Prelim | P-09 principle, corrected (§2) | Architecture Principle · BR-05 |
| AR-12 | Drift detection and retraining trigger | Phase G | EAB gate — Model Drift Monitor (§9, dashboard) | EU AI Act Art. 9 · MLOps Standard |
| AR-13 | Ariba and SAP IBP as systems of record | Prelim/C | P-04 principle (§2) · Supplier entity (§5) | ADR-002 · AR-04 (parallel pattern) |
| AR-14 | A2A mandate boundary for agent negotiation | Prelim | P-02/P-07 principle, revised (§2) | EU AI Act Art. 14 |
| ID | Constraint | Phase | Artifact | Source |
|---|---|---|---|---|
| C-01 | Zero additional software licensing cost | Prelim | P-12 principle (§2) | Portfolio Constraint |
| C-02 | Salesforce Developer Edition pattern | Prelim/A | P-12 · ADR-001 (§2/§3) | ADR-001 · C-01 |
| C-03 | SAP integration via middleware | Phase E | WP-08 build-vs-buy (§7) | C-01 · ADR-002 |
| C-04 | EU data residency — europe-west3 | Prelim/D | P-06 principle (§2) · Layer 04 (§6) | GDPR · BR-10 · AR-06 |
| C-05 | MVP-plus build standard | Phase E/F | WP scope (§7) · Horizon definitions (§8) | Portfolio Scope |
| C-06 | Existing SFDC/SAP/Ariba investments preserved | Prelim | P-04 principle (§2) | ADR-002 · BR-10 |
| C-07 | SAFe delivery governance — light touch | Phase F | H1–H3 horizons (§8) · LPM (Page 04) | SAFe Page 04 |
| C-08 | Ariba developer/sandbox pattern | Phase A | C-02 parallel pattern (§3) | C-01 · parallel pattern to C-02 |
Every requirement is traced. Every decision is governed. What gets funded next is Page 04's question to answer.
§11 Next in the Portfolio
The method is complete. Investment and adoption follow.
Every artifact this page produces — the runway (§6), the build-vs-buy ownership (§7), the horizon sequence (§8), the EAB's conformance authority (§9) — is now a settled input. Lean Portfolio Management funds against it. The Go-to-Market strategy adopts against it. Neither page re-derives what's already been decided here.