The Autonomous Enterprise  /  Page 03  ·  2026

TOGAF ADM: Architecture Development Method
Preliminary through Phase G

This is not a textbook summary — it is a working architecture engagement record, governed end to end by the Enterprise Architecture Board.

TOGAF 10 · ADM 12 Architecture Principles 7 Canonical Entities EAB · Phase G 3 Migration Horizons

§1 Architecture Development Method

The ADM, governed end to end. Not just walked through.

Each phase below produces a specific artifact for the ClaraVis engagement. The Enterprise Architecture Board (EAB) — chartered in Phase G, §9 — owns the gate between every phase: no Solution Train consumes a Phase D artifact as architecture runway until the EAB has certified it sufficient, and no work package enters delivery until its build-vs-buy decision is recorded. Requirements Management is continuous — every requirement from Page 02 is live throughout every phase.

Every decision this page produces becomes an input two pages downstream consume without re-deriving: Lean Portfolio Management (Page 04) funds Solution Trains against the runway certified here, and the Go-to-Market adoption argument (Page 08) cites the ADRs recorded here by number. This page is upstream of both — get the gate wrong here, and every page after it inherits the error.

Figure 1
The nine-phase ADM cycle, with Requirements Management as a continuous cross-cutting phase
Prelim
Preliminary
Architecture Principles · Governance model · Tailoring decisions
Phase A
Architecture Vision
Statement of Architecture Work · Stakeholder map · Solution concept
Phase B
Business Architecture
To-Be value stream · Capability model · Business interaction map
Phase C
IS Architecture
Canonical data model · Application portfolio · Integration catalog
Phase D
Technology Architecture
GCP reference architecture · Network topology · Security zones
Phase E
Opportunities & Solutions
Gap analysis · Work package definitions · Implementation options
Phase F
Migration Planning
3-horizon roadmap · Transition architectures · Priority ranking
Phase G
Implementation Governance
Architecture contracts · Compliance reviews · Change requests
Continuous
Requirements Management
BR · AR · C from Page 02 — live throughout every phase
Figure 2
What the EAB checks at each gate before the next phase is allowed to begin
Preliminary
Principles ratified before any design begins
Phase A
Vision and stakeholder map accepted (Page 02)
Phase B
Business architecture traceable to a requirement (Page 02)
Phase C
Canonical data model has no orphan entities
Phase D
Technology runway certified sufficient for all four pillars
Phase E
Every work package has a recorded build-vs-buy decision
Phase F
Horizon sequencing matches cost-of-inaction / integration-risk evidence (Page 02, §4a)
Phase G
Continuous — live on the Governance Control Plane Dashboard
Req. Mgmt
Every BR / AR / C still traces to an active phase output

The Preliminary Phase is where the EAB's authority — and the principles it enforces — are established first.

§2 Preliminary Phase

Architecture Principles — the rules the design cannot break.

Twelve principles established before any architecture work begins. These are not aspirational guidelines — they are binding constraints on every design decision that follows. Four are load-bearing enough to appear, unchanged, as the platform's headline commitments on Page 1: SHAP Before HITL, SAP Write Guard, Quarantine-Then-Review, Augment Not Replace. That repetition is deliberate — a principle that only matters at the documentation level and never surfaces where a CTO or hiring manager actually looks isn't load-bearing. The other eight govern decisions that are real but operate one layer down. Any component that violates a principle requires a formal ADR documenting the exception and its consequences.

Platform Headline · Page 1
P-01
Explainability is engineered in, not added on
Every ML model is designed with its explanation contract before training begins. SHAP values are generated at inference time and written to the audit log before any downstream action executes. Post-hoc explanation is not acceptable. This is the platform's "SHAP Before HITL" commitment.
ClaraVis constraint: EU AI Act Annex III · AR-01
Platform Headline · Page 1
P-02
Human oversight is enforced at the write path, not the policy layer
HITL checkpoints are formal states in every agent's state machine — with a defined entry condition, presentation contract, decision interface, timeout behaviour, and immutable audit record. Where an agent action is irreversible, the write function itself requires a committed HITL approval ID as a parameter — the platform's SAP Write Guard pattern. Human oversight is structurally unbypassable, not configured.
ClaraVis constraint: EU AI Act Art. 14 · AR-02 · AR-14
P-03
Compliance obligations are write-path constraints
Regulatory obligations — EU AI Act, FDA 21 CFR 820, ASC 606 — are encoded as constraints in the data model and enforced by the write path. Compliance is a structural property of every transaction, not a reporting posture applied retrospectively.
ClaraVis constraint: BR-02 · AR-08 · AR-09
Platform Headline · Page 1
P-04
The AE augments existing systems — it does not replace them
Salesforce, SAP, and Ariba remain systems of record. The AE is the orchestration and intelligence layer that operates across them. No design decision requires decommissioning or re-platforming an existing system. Integration is additive. This is the platform's "Augment, Not Replace" commitment.
ClaraVis constraint: ADR-002 · C-06
P-05
Every significant architectural decision is documented
Architecture Decision Records are produced for every significant design choice — technology selection, integration pattern, data model decision. Each ADR states the decision, the alternatives considered, and the consequences. No undocumented decisions.
ClaraVis constraint: AR-10 · TOGAF ADM standard
P-06
Data sovereignty is enforced at the infrastructure layer
Data residency constraints are implemented as VPC-SC perimeter rules and Organisation Policy constraints provisioned via Terraform. They cannot be overridden by application configuration, network policy changes, or ad-hoc IAM grants.
ClaraVis constraint: GDPR · BR-10 · AR-06 · C-04
P-07
Every agent has a documented autonomy boundary
Each agent in the swarm has a formally specified set of actions it executes autonomously and a set that require human approval. The boundary is defined before implementation, expressed in the state machine specification, and enforced by the HITL checkpoint architecture. This extends to agent-to-agent negotiation: standard terms are autonomous, but jurisdiction, liability, and IP deviations halt and route to Legal HITL.
ClaraVis constraint: EU AI Act Art. 14 · AR-02 · AR-14
Platform Headline · Page 1
P-08
Invalid data is quarantined, never discarded
A record that fails schema or quality validation is held with full provenance, not dropped silently. Every pillar's ingestion pipeline writes failures to a quarantine store and notifies a human steward — reinstatement or permanent discard is a human decision, never an automatic one. Data loss in a field-sensor or financial-event stream is operationally irreversible; silent discard is not an acceptable failure mode anywhere in the platform. This is the platform's "Quarantine-Then-Review" commitment.
ClaraVis constraint: AR-03 · Data Governance (M-08) ADR-DG02
P-09
The event fabric is the integration bus
All cross-system events are published to Pub/Sub topics before downstream systems consume them. This decouples producers from consumers, enables event replay for audit purposes, and provides the foundation for the streaming ML feature pipeline. No direct system-to-system synchronous calls for data that can be event-driven.
ClaraVis constraint: AR-11 · BR-05
P-10
Model Cards are versioned artifacts, not documentation afterthoughts
Every ML model has a Model Card created before training begins and updated with actual evaluation results before promotion. Model Cards are version-controlled alongside the model in Vertex AI Model Registry and are required inputs to the HITL promotion checkpoint.
ClaraVis constraint: EU AI Act Art. 11 · AR-05
P-11
Security is zero-trust — no implicit network trust
All service-to-service authentication is via Workload Identity Federation. No service account key files. No network-based trust. BeyondCorp enforces identity verification at every access request regardless of network location. Secrets are managed exclusively through Secret Manager.
ClaraVis constraint: ISO 27001 · AR-07 · CISO requirement
P-12
Cost allocation is tagged from day one
Every GCP resource carries a module-level cost allocation label from the first terraform apply. FinOps visibility is not a Phase 2 concern — it is provisioned in the same Terraform run as the resource itself. Budget alerts are configured before any workload is deployed.
ClaraVis constraint: CFO requirement · C-01
Figure 3
Principles-to-constraint traceability — every principle's binding reference, at a glance
IDPrincipleConstraint Reference
P-01Explainability engineered inEU AI Act Annex III · AR-01
P-02Human oversight at the write pathEU AI Act Art. 14 · AR-02 · AR-14
P-03Compliance as write-path constraintsBR-02 · AR-08 · AR-09
P-04Augment, don't replaceADR-002 · C-06
P-05Every decision documentedAR-10 · TOGAF ADM standard
P-06Data sovereignty at infrastructure layerGDPR · BR-10 · AR-06 · C-04
P-07Every agent has an autonomy boundaryEU AI Act Art. 14 · AR-02 · AR-14
P-08Invalid data is quarantined, never discardedAR-03 · ADR-DG02
P-09Event fabric is the integration busAR-11 · BR-05
P-10Model Cards are versioned artifactsEU AI Act Art. 11 · AR-05
P-11Zero-trust securityISO 27001 · AR-07
P-12Cost allocation tagged day oneCFO requirement · C-01
AR-06 is reinforced by both P-06 and P-11 — data sovereignty and zero-trust security are independently enforced, not the same control wearing two names.

The principles are binding. Phase A is where they first get tested against a real stakeholder's real question.

§3 Phase A — Architecture Vision

Phase A is fully elaborated on Page 02 — not duplicated here.

The full nine-stakeholder register has grown to twelve, and the As-Is/To-Be positioning argument now spans all four pillars. Both live on Page 02, at platform scope, in more depth than a TOGAF methodology page should attempt to hold. This section states what Phase A produced and points to where each artifact actually lives.

Phase A
Architecture Vision
Output: Statement of Architecture Work
Architecture Vision Statement
To deliver a TOGAF-aligned, explainability-first enterprise AI architecture for ClaraVis that orchestrates the full Quote-to-Cash-to-Field-to-Compliance lifecycle — with human oversight engineered into every consequential decision — satisfying EU AI Act Annex III, FDA 21 CFR 820, and ISO 13485 simultaneously.
Statement of Architecture Work
Scope
All four Solution Trains — Quote-to-Cash, Procure-to-Pay, Finance Operations, Supply Chain. Salesforce, SAP, and Ariba integration in scope. PHI processing out of scope.
Architecture Sponsor
CTO (S-01) — primary sign-off. CCO (S-02) — compliance co-sponsor. CFO (S-03) — financial outcomes sponsor.
Time Constraint
EU AI Act Annex III compliance for 3 existing production models required before Q2 2026 regulatory review. Hard deadline driving Horizon 1 scope.
Figure 4
Where each Phase A output actually lives
Vision Statement
Stays on this page — short enough not to duplicate

The vision is set. Phase B turns it into a value stream ClaraVis can actually run.

§4 Phase B — Business Architecture

Phase B is fully elaborated on Page 02, §4a — not duplicated here.

The To-Be value stream, the four-pillar comparison, the Time/Money/Effort incommensurability table, and the cost-of-inaction sequencing map all live there — Business Architecture at platform scope means comparing four pillars' value streams against each other, work that belongs at the requirements layer, not restated at the methodology layer.

Phase B
Business Architecture
Output: Capability Model

One sentence is true across all four pillars, regardless of which one a reader opens next: every manual handoff in every pillar's value stream is replaced by an agent-mediated state transition with a defined SLA and an audit record. The capability model below is the one Phase B artifact that doesn't live anywhere else — a value stream is pillar-specific by nature, but a capability model spans all four at once.

Commercial
Quote-to-Cash
Opportunity · CPQ · Contract · Order · Revenue
Operational
Asset Management
Telemetry · RUL · Anomaly · Maintenance · DHR
Financial
Revenue & Risk
ASC 606 · IFRS 15 · Anomaly detection · FinRisk
Compliance
Governance & Audit
EU AI Act · ISO 13485 · HITL · XAI · Audit trail
Figure 5
Where each Phase B value-stream output actually lives
To-Be Quote-to-Cash Value Stream
Four-Pillar Value Stream Comparison
Cost-of-Inaction Sequencing

The business architecture is defined. Phase C is where it becomes a data model every module can share.

§5 Phase C — Information Systems Architecture

Phase C
Information Systems Architecture
Output: Canonical Data Model · Application Portfolio

The canonical data model — seven entities, shared across every module in every pillar. This is the one structural proof that the AE is a coherent system, not eight applications that happen to share a brand. No module reads or writes outside this schema; no pillar invents its own version of Contract, Transaction, Supplier, or HITL Event.

Canonical Data Model — Seven Shared Entities Across All Four Pillars
Every module references at least two · Supplier added to reflect Procure-to-Pay and Supply Chain's shared corpus · Contract revised to dual-origin
Contract (dual-origin)
contract_id · PK
sfdc_contract_id · FK (customer contracts)
supplier_id · FK (supplier MSAs)
status · clauses[] · risk_score · shap_ref
hitl_event_id · FK→ ContractGuard · RevRec · Contract Agent (P2P) · ContractIntelligence (SC)
Transaction
transaction_id · PK
sap_doc_id · contract_id
recognition_type · ASC606
perf_obligation_tags[]
hitl_event_id · shap_ref→ RevRec AI · FinRisk
Device
device_id · serial_num
model_sku · install_date
region · hospital_id
rul_score · last_event_ts
dhr_ref · contract_id→ Asset IQ · ISO 13485
Asset Event
event_id · device_id · FK
event_type · severity
sensor_payload · ts
dicom_code · region
pubsub_msg_id→ Asset IQ · GreenOps
Supplier (new)
supplier_id · PK · ariba_supplier_id · FK
region · country · risk_tier
financial_distress_score · concentration_flag
contract_id[] · FK · last_reviewed_ts→ Procure-to-Pay · SupplierSentinel · ContractIntelligence
Agent Action (central audit entity)
action_id · agent_id · action_type · status
input_ref · output_ref · shap_explanation_id
hitl_event_id · ts · confidence_score→ All modules · XAI Layer · triggers HITL Event
HITL Event (immutable)
hitl_id · agent_action_id · approver_id · role
decision · reason_code · shap_presented · ts
timeout_at · escalated · immutable · Firestore→ All HITL checkpoints
Contract
Transaction
Device
Asset Event
Supplier / Agent Action
HITL Event (immutable)
FK relationships: Supplier → Contract (one supplier, many MSAs) · Supplier → Agent Action (every SupplierSentinel/ProcureGuard evaluation is itself an Agent Action) · Contract → Agent Action · Transaction → Agent Action · Device → Asset Event · Agent Action → HITL Event.
Application Portfolio — Data Ownership by Application
Salesforce
Owns: Account, Opportunity, Quote, Contract object
Reads: Agent Action results, HITL outcomes
SAP S/4HANA
Owns: Transaction (GL), Logistics order
Reads: RevRec classification post-HITL approval
AE Agent Layer
Owns: Agent Action, HITL Event, SHAP output
Orchestrates: all cross-system flows, across every pillar
GCP Data Fabric
Owns: Device, Asset Event, Supplier ML features
Serves: all modules via BigQuery + Feature Store
Ariba
Owns: Supplier record, sourcing/PO data
Reads: SupplierSentinel risk score post-evaluation

§6 Phase D — Technology Architecture

The architecture runway — certified once, consumed by every Solution Train. Layer naming reconciled with Page 1.

This is the artifact Lean Portfolio Management (Page 04, §1) calls "architecture runway" without re-deriving it: the four-layer contract every module in every pillar is built against. Get this wrong here, and four Solution Trains inherit the error independently, each discovering it at a different, more expensive moment. The concept overview establishes the four-layer model and the principal services. The full technical diagram on each pillar's own page shows every named GCP service, the VPC-SC perimeter, network topology, IAM boundaries, and data flow paths.

Phase D — Concept: Four-Layer Architecture Overview
Principal services per layer · Data flow direction · HITL and XAI integration points
LayerPrincipal ServicesFlow to Next Layer
01 · Presentation & ExperiencePortfolio Site · 8 App Dashboards · HITL Approval UI · XAI Explanation Viewer · Architecture Explorer · Audit Trail DashboardREST / gRPC
02 · Agent OrchestrationCCAI Sales Agent (ADK) · ContractGuard Agent · RevRec AI Agent (ADK) · Asset IQ Agent (ADK) · FinRisk Sentinel · Orchestrator (A2A Protocol, MCP Tool Manifest) · HITL State Machine (Firestore)Pub/Sub · VPC-native
03 · MLOps & IntelligenceVertex AI Pipelines + Models · BigQuery Data Fabric + Audit · Pub/Sub Event Fabric · Feature Store (Vertex AI FS) · SHAP / XAI Explanation Layer · Model Registry + Cards · Drift DetectionCMEK · IAM · VPC-SC
04 · Infrastructure & GovernanceTerraform IaC · VPC-SC · BeyondCorp · CMEK · KMS · IAM · WIF · GKE · Cloud Run · Cloud Build CI/CD
VPC-SC PERIMETER · europe-west3 · ClaraVis data boundary — Layers 02 through 04 sit entirely within the perimeter.
Layer 01 — Presentation
Layer 02 — Agent Orchestration
Layer 03 — MLOps & Intelligence
Layer 04 — Infrastructure
Phase D — Technology Standards Across the Portfolio
What every pillar shares, by mandate — not what any one pillar builds

Every Solution Train in the Portfolio is required to build on the same four-layer model and the same shared services shown in the concept diagram above — GCP as the sole cloud provider, the HITL state machine and XAI/SHAP contract as non-negotiable platform standards, and a single VPC-SC perimeter per pillar rather than four independent security postures. Each pillar's specific GCP reference architecture — every named service, IAM boundary, and network topology for its own workload — is documented in full on that pillar's own Infrastructure & GCP Architecture page:

The runway is certified. Phase E is where the EAB decides what gets built once, centrally, and what each pillar builds for itself.

§7 Phase E — Opportunities & Solutions

The build-vs-buy gate, decided once. Not re-litigated per pillar.

Every work package below was tested against the same question before it entered the migration roadmap: does a GCP-managed service already solve this, or does ClaraVis's specific regulatory and architectural requirement mean it has to be built? The pattern that recurs across every row — build the orchestration and the audit trail, buy the commodity signal underneath it — is the EAB's standing rule, not a one-off judgment call made fresh for each package.

Figure 6
The build-vs-buy decision rule, applied consistently across every work package
Does a GCP-managed service satisfy this need?
YES, fully
BUY
YES, partially
BUY the signal, BUILD the integration / audit layer
NO equivalent at the required granularity
BUILD
Example of each path: GreenOps buys the Carbon Footprint API outright. SHAP buys the library, builds the BigQuery-before-HITL ordering. The HITL Framework and the VPC-SC + CMEK combination are built — no commercial product encodes ClaraVis's specific Article 14 requirement.
Work PackageDecisionOwnerHorizon
WP-01 · GCP FoundationBuild — see ADR-002PortfolioH1
WP-02 · Data GovernanceBuild on TFX — see ADR-DG01PortfolioH1
WP-03 · HITL FrameworkBuild — no commercial product encodes Article 14's requirements; see Preliminary Phase P-02PortfolioH1
WP-04 · XAI / SHAP LayerBuy the library, build the integration — see ADR-003PortfolioH1
WP-05 · Quote-to-Cash agentsBuild — domain-specific agent logic, documented on Quote-to-Cash's own pagesQuote-to-CashH2
WP-06 · GreenOps schedulingBuild the scheduler, buy the signal — see ADR-GO02PortfolioH3
WP-07 · Strategy DashboardBuy the rendering layer, build the views — see ADR-SD01PortfolioH3
WP-08 · Remaining Solution TrainsBuild — Procure-to-Pay, Finance Operations, and Supply Chain each build their own ARTs on the Portfolio's H1 foundation, including the Ariba and SAP IBP integration patterns (see AR-13). Documented on each pillar's own pages.Per pillarH2–H3

The build-vs-buy pattern that recurs across every work package: build the orchestration and the audit trail, buy the commodity signal underneath it. No work package proposes building a substitute for a Google-managed service the Portfolio already has access to.

§8 Phase F — Migration Planning

Three horizons, one sequence — the single source of truth every other page points back to.

This is the definition LPM's PI cadence (Page 04) expands into nine Programme Increments, and the definition GTM's adoption argument (Page 08) restates through an adoption lens. Both pages reference H1/H2/H3 by name; neither redefines them. If this section changes, both of those pages' framing changes with it.

Horizon 1
Months 1–3
Foundation & Compliance
GCP infrastructure — Terraform, VPC-SC, IAM, CMEK (WP-01)
Data Governance — schema validation, lineage, quarantine (WP-02)
HITL Framework — state machine + Firestore audit store (WP-03)
XAI layer — SHAP integrated on all 3 existing production ML models (WP-04)
Canonical data model — Supplier entity live, Ariba and SAP IBP integration patterns established (AR-13)
Why H1 first: ClaraVis has a Q2 2026 EU AI Act Annex III compliance deadline on three existing production models. None of the four Solution Trains can ship a compliant feature until the Portfolio's HITL and XAI enablers exist — this is the forcing function for the entire sequence.
Horizon 2
Months 4–8
Core Solution Trains
Quote-to-Cash — ContractGuard, RevRec AI live in production (WP-05)
Finance Operations — Intercompany, Treasury, AP Exception live
FinRisk Sentinel — pillar-level and governance-level scopes live
Procure-to-Pay — core ARTs begin build on the H1 foundation (WP-08)
Why H2 follows H1: Every H2 feature is built on infrastructure and enablers that have already been proven in production during H1 — not a new system absorbing new risk simultaneously with new compliance obligations.
Horizon 3
Months 9–18
Full Portfolio & Optimisation
Quote-to-Cash Sales Agent ART — full ADK deployment (WP-05)
GreenOps — carbon-aware scheduling, CSRD reporting live (WP-06)
Strategy Dashboard — unified C-suite view across all 4 Solution Trains (WP-07)
Supply Chain — full 7-ART Solution Train live (WP-08)
End state: All four Solution Trains operational, full audit trail, EU AI Act compliance posture demonstrable on demand, and every architecture decision documented in the ADR index.
PI Cadence
The PI-by-PI sequencing of this roadmap — which Solution Train builds in which Programme Increment — is the Lean Portfolio Management view on Page 04. This page defines what the three horizons contain; Page 04 governs how the Portfolio funds and sequences the work across PI-1 through PI-9.
Figure 7
Horizon boundaries only — the PI-by-PI content roster is Page 04's, not restated here
PI-1
PI-2
PI-3
PI-4
PI-5
PI-6
PI-7
PI-8
PI-9

The horizons are sequenced. Phase G is where the EAB keeps every Solution Train honest against this sequence as it executes.

§9 Phase G — Implementation Governance

The EAB, chartered. Not designing — certifying.

Every certification this page has made — the runway in §6, the build-vs-buy ownership in §7, the horizon sequencing in §8 — is only as good as the body that keeps checking it's still true after the ink dries. The Enterprise Architecture Board is that body. It does not design architecture; Phases A through F already did that. It certifies that what's being built still matches what was designed, continuously, for as long as the platform runs.

Phase G
Implementation Governance
Output: EAB Charter · Conformance Gate
EAB Charter
Composition
Enterprise Architect (chair, S-08) plus one architecture representative per Solution Train. Not the Epic Owners from Lean Portfolio Management — they own business outcomes, not conformance. Not the CTO alone — Phase A's vision sponsor is a different function from ongoing checking.
What it certifies
Runway sufficiency before a Solution Train draws on it (§6) · build-vs-buy ownership before a work package enters delivery (§7) · cross-pillar conformance — no Solution Train's HITL state machine or integration pattern drifts from the certified standard · horizon forward-compatibility, re-verified at each boundary.
Figure 8
The conformance gate every shipped feature passes through
Solution Train ships a feature
EAB conformance gate
Pass — live status on Governance Control Plane Dashboard
Fail — returned with the specific principle or ADR violated, logged as a Phase G finding
EAB in Operation

Phase G is not a quarterly review cycle here — it runs continuously, and the evidence is the Governance Control Plane Dashboard →: live SLO error budgets, HITL queue depth, EU AI Act Model Registry currency, model drift, Terraform drift, and FinOps spend, across all four pillars.

Reading the dashboard honestly
The dashboard currently shows one finding open — Supplier Risk XGBoost's Annex III review is due. That's Phase G working as designed: a finding surfaced before it becomes an incident, not evidence the platform is non-compliant.

The EAB watches conformance. Requirements Management watches whether the requirements themselves are still the right ones.

§10 Requirements Management

Continuous, not a phase you pass through once. Every requirement, traced.

Every BR, AR, and Constraint from Page 02 stays live across every phase above — this section is the traceability record proving each one actually landed somewhere, rather than being captured in Phase A and quietly forgotten by Phase F. Where the EAB (§9) checks whether the build still matches the design, Requirements Management checks whether the design still matches the requirement — a different failure mode, equally fatal if no one's watching for it.

Business Requirements — 11 of 11 traced
IDRequirementPhaseArtifactImplementing Module
BR-01Quote-to-Cash cycle accelerationPhase BTo-Be Value Stream (Page 02, §4a, Diag. 01)CCAI Sales Agent · ContractGuard · RevRec AI
BR-02ASC 606 revenue recognition automationPhase B/DValue Stream · Transaction entity (§5)RevRec AI · Finance HITL · SAP integration
BR-03Customer contract clause intelligencePhase B/DValue Stream · GCP Architecture (§6)ContractGuard · Document AI · Gemini 1.5 Pro
BR-04CCAI Sales Agent for inbound inquiriesPhase BTo-Be Value Stream (Page 02, §4a)CCAI Sales Agent · Salesforce Integration
BR-05Unified asset telemetry and predictive maintenancePhase CDevice · Asset Event entities (§5)Asset IQ · Pub/Sub Pipeline
BR-06Procure-to-Pay straight-through automationPhase B/EValue Stream (Page 02, Diag. 02) · WP-08 (§7)Sourcing · Contract · PO · 3-Way Match Agents
BR-07Continuous supply chain risk and demand intelligencePhase C/ESupplier entity (§5) · WP-08 (§7)DemandIQ · SupplierSentinel · ProcureGuard · InventoryOrchestrator
BR-08MDR Article 87 vigilance automationPhase B/FValue Stream (Diag. 02) · H2 horizon (§8)QualityTrace
BR-09EU AI Act compliance — all modelsPrelim/GP-01 · P-02 (§2) · EAB gate (§9)RevRec AI · Asset IQ · ContractGuard · XAI Layer (platform-wide)
BR-10Data sovereigntyPrelim/DP-06 (§2) · Layer 04 (§6)Layer 04 Infrastructure · VPC-SC
BR-11Executive strategy dashboard, full-platform OKRPhase FH3 horizon (§8)Strategy Dashboard · BigQuery
Architecture Requirements — 14 of 14 traced
IDRequirementPhaseArtifactRegulatory / Reference Basis
AR-01SHAP explanation per ML inferencePrelimP-01 principle (§2)EU AI Act Art. 13 & 14
AR-02HITL checkpoint as state machine nodePrelimP-02 principle, revised (§2)EU AI Act Art. 14
AR-03Immutable audit trail for all agent actionsPrelim/CP-08 principle, revised (§2) · Agent Action entity (§5)EU AI Act Art. 12 · ISO 13485
AR-04Salesforce as system of recordPrelimP-04 principle (§2)ADR-001 · ADR-002
AR-05Model Cards for every ML modelPrelimP-10 principle (§2)EU AI Act Art. 11
AR-06VPC-SC perimeter for data sovereigntyPrelim/DP-06 principle (§2) · Layer 04 (§6)GDPR · EU DPDP · BR-10
AR-07CMEK encryption — key custodyPrelimP-11 principle (§2)ISO 27001 · GDPR
AR-08ASC 606 rules as write-path constraintsPrelim/CP-03 principle (§2) · Transaction entity (§5)ASC 606 · IFRS 15 · BR-02
AR-09Device History Record atomic writePhase CDevice entity (§5)FDA 21 CFR 820 · ISO 13485
AR-10ADR documentation for every decisionPrelimP-05 principle (§2)TOGAF ADM · adr-index.html
AR-11Pub/Sub event fabric as integration busPrelimP-09 principle, corrected (§2)Architecture Principle · BR-05
AR-12Drift detection and retraining triggerPhase GEAB gate — Model Drift Monitor (§9, dashboard)EU AI Act Art. 9 · MLOps Standard
AR-13Ariba and SAP IBP as systems of recordPrelim/CP-04 principle (§2) · Supplier entity (§5)ADR-002 · AR-04 (parallel pattern)
AR-14A2A mandate boundary for agent negotiationPrelimP-02/P-07 principle, revised (§2)EU AI Act Art. 14
Constraints — 8 of 8 traced
IDConstraintPhaseArtifactSource
C-01Zero additional software licensing costPrelimP-12 principle (§2)Portfolio Constraint
C-02Salesforce Developer Edition patternPrelim/AP-12 · ADR-001 (§2/§3)ADR-001 · C-01
C-03SAP integration via middlewarePhase EWP-08 build-vs-buy (§7)C-01 · ADR-002
C-04EU data residency — europe-west3Prelim/DP-06 principle (§2) · Layer 04 (§6)GDPR · BR-10 · AR-06
C-05MVP-plus build standardPhase E/FWP scope (§7) · Horizon definitions (§8)Portfolio Scope
C-06Existing SFDC/SAP/Ariba investments preservedPrelimP-04 principle (§2)ADR-002 · BR-10
C-07SAFe delivery governance — light touchPhase FH1–H3 horizons (§8) · LPM (Page 04)SAFe Page 04
C-08Ariba developer/sandbox patternPhase AC-02 parallel pattern (§3)C-01 · parallel pattern to C-02

Every requirement is traced. Every decision is governed. What gets funded next is Page 04's question to answer.

§11 Next in the Portfolio

The method is complete. Investment and adoption follow.

Every artifact this page produces — the runway (§6), the build-vs-buy ownership (§7), the horizon sequence (§8), the EAB's conformance authority (§9) — is now a settled input. Lean Portfolio Management funds against it. The Go-to-Market strategy adopts against it. Neither page re-derives what's already been decided here.