The Autonomous Enterprise / Page 03

TOGAF ADM
Architecture Development Method
Phases A through F

The TOGAF 10 Architecture Development Method applied to the ClaraVis Autonomous Enterprise engagement. Every phase produces a living artifact that traces back to a requirement documented on Page 02. This is not a textbook summary — it is a working architecture engagement record.

TOGAF 10 · ADM · 12 Architecture Principles · 5 Architecture Artifacts · 6 ADRs · 3 Migration Horizons
Architecture Development Method

The ADM applied to ClaraVis.

TOGAF's Architecture Development Method provides the process framework. Each phase below produces a specific artifact for the ClaraVis engagement. Requirements Management is continuous — every requirement from Page 02 is live throughout every phase.

Prelim
Preliminary
Architecture Principles · Governance model · Tailoring decisions
Phase A
Architecture Vision
Statement of Architecture Work · Stakeholder map · Solution concept
Phase B
Business Architecture
To-Be value stream · Capability model · Business interaction map
Phase C
IS Architecture
Canonical data model · Application portfolio · Integration catalog
Phase D
Technology Architecture
GCP reference architecture · Network topology · Security zones
Phase E
Opportunities & Solutions
Gap analysis · Work package definitions · Implementation options
Phase F
Migration Planning
3-horizon roadmap · Transition architectures · Priority ranking
Phase G
Implementation Governance
Architecture contracts · Compliance reviews · Change requests
Continuous
Requirements Management
BR · AR · C from Page 02 — live throughout every phase
Preliminary Phase

Architecture Principles — the rules the design cannot break.

Twelve principles established before any architecture work begins. These are not aspirational guidelines — they are binding constraints on every design decision that follows. Any component that violates a principle requires a formal ADR documenting the exception and its consequences.

P-01
Explainability is engineered in, not added on
Every ML model is designed with its explanation contract before training begins. SHAP values are generated at inference time and written to the audit log before any downstream action executes. Post-hoc explanation is not acceptable.
ClaraVis constraint: EU AI Act Annex III · AR-01
P-02
Human oversight is a first-class state machine node
HITL checkpoints are formal states in every agent's state machine — with a defined entry condition, presentation contract, decision interface, timeout behaviour, and immutable audit record. Human oversight is designed, not assumed.
ClaraVis constraint: EU AI Act Art. 14 · AR-02
P-03
Compliance obligations are write-path constraints
Regulatory obligations — EU AI Act, FDA 21 CFR 820, ASC 606 — are encoded as constraints in the data model and enforced by the write path. Compliance is a structural property of every transaction, not a reporting posture applied retrospectively.
ClaraVis constraint: BR-02 · AR-08 · AR-09
P-04
The AE augments existing systems — it does not replace them
Salesforce and SAP remain systems of record. The AE is the orchestration and intelligence layer that operates across them. No design decision requires decommissioning or re-platforming an existing system. Integration is additive.
ClaraVis constraint: ADR-002 · C-06
P-05
Every significant architectural decision is documented
Architecture Decision Records are produced for every significant design choice — technology selection, integration pattern, data model decision. Each ADR states the decision, the alternatives considered, and the consequences. No undocumented decisions.
ClaraVis constraint: AR-10 · TOGAF ADM standard
P-06
Data sovereignty is enforced at the infrastructure layer
Data residency constraints are implemented as VPC-SC perimeter rules and Organisation Policy constraints provisioned via Terraform. They cannot be overridden by application configuration, network policy changes, or ad-hoc IAM grants.
ClaraVis constraint: GDPR · BR-06 · AR-06 · C-04
P-07
Every agent has a documented autonomy boundary
Each agent in the swarm has a formally specified set of actions it executes autonomously and a set that require human approval. The boundary is defined before implementation, expressed in the state machine specification, and enforced by the HITL checkpoint architecture.
ClaraVis constraint: EU AI Act Art. 14 · AR-02
P-08
Infrastructure is code — no manual provisioning
Every GCP resource is provisioned via Terraform. No manual console configuration is acceptable for production or demonstration environments. Infrastructure state is version-controlled, peer-reviewed, and reproducible from a single terraform apply command.
ClaraVis constraint: ISO 27001 · FDA change control
P-09
The event fabric is the integration bus
All cross-system events are published to Pub/Sub topics before downstream systems consume them. This decouples producers from consumers, enables event replay for audit purposes, and provides the foundation for the streaming ML feature pipeline. No direct system-to-system synchronous calls for data that can be event-driven.
ClaraVis constraint: AR-11 · BR-03
P-10
Model Cards are versioned artifacts, not documentation afterthoughts
Every ML model has a Model Card created before training begins and updated with actual evaluation results before promotion. Model Cards are version-controlled alongside the model in Vertex AI Model Registry and are required inputs to the HITL promotion checkpoint.
ClaraVis constraint: EU AI Act Art. 11 · AR-05
P-11
Security is zero-trust — no implicit network trust
All service-to-service authentication is via Workload Identity Federation. No service account key files. No network-based trust. BeyondCorp enforces identity verification at every access request regardless of network location. Secrets are managed exclusively through Secret Manager.
ClaraVis constraint: ISO 27001 · AR-07 · CISO requirement
P-12
Cost allocation is tagged from day one
Every GCP resource carries a module-level cost allocation label from the first terraform apply. FinOps visibility is not a Phase 2 concern — it is provisioned in the same Terraform run as the resource itself. Budget alerts are configured before any workload is deployed.
ClaraVis constraint: CFO requirement · C-01
Phase A
Architecture Vision
Output: Statement of Architecture Work
Architecture Vision Statement
To deliver a TOGAF-aligned, explainability-first enterprise AI architecture for ClaraVis that orchestrates the full Quote-to-Cash-to-Field-to-Compliance lifecycle — with human oversight engineered into every consequential decision — satisfying EU AI Act Annex III, FDA 21 CFR 820, and ISO 13485 simultaneously.
Statement of Architecture Work
Scope
All eight AE modules across the Quote-to-Cash, asset management, revenue recognition, and compliance domains. Salesforce and SAP integration in scope. PHI processing out of scope.
Architecture Sponsor
CTO (S-01) — primary sign-off. CCO (S-02) — compliance co-sponsor. CFO (S-03) — financial outcomes sponsor.
Time Constraint
EU AI Act Annex III compliance for 3 existing models required before Q2 2026 regulatory review. Hard deadline driving Horizon 1 scope.
Architecture Vision — Stakeholder Influence Map
Influence weight and concern domain for all nine ClaraVis stakeholders
Centre: Autonomous Enterprise
CTO · Architecture Vision
CCO · EU AI Act Compliance
CFO · Financial Outcomes
VP Sales · Q2C Acceleration
VP Clinical · Config Accuracy
VP Field Service · Asset Intelligence
General Counsel · Contract Intelligence
Enterprise Architect · TOGAF Phase D
CISO · Data Sovereignty
Legend: Primary sponsor · Contributing stakeholder
Phase B
Business Architecture
Output: To-Be Value Stream · Capability Model

The Business Architecture translates the Architecture Vision into a concrete model of how ClaraVis's commercial operations work after the AE is deployed. The As-Is value stream from Page 02 is the baseline. The To-Be below is the target — every manual handoff replaced by an agent-mediated state transition with a defined SLA and an audit record.

To-Be Quote-to-Cash Value Stream — AE Orchestrated
Agent-mediated state transitions · Defined SLAs · HITL checkpoints at risk thresholds · Immutable audit record at every transition
Swimlanes: SALESFORCE (SYSTEM OF RECORD) · AE AGENT LAYER (ORCHESTRATION) · HUMAN REVIEW (HITL) · SAP S/4HANA (ERP)
Flow, in diagram order:
Opportunity
CCAI Sales Agent · Auto · SLA: 2hr
Config Agent · BOM · Auto · SLA: 4hr
CPQ Quote
Contract Guard · Auto · SLA: 2hr
Legal HITL · Risk > threshold · SLA: 24hr
Contract Signed · SFDC
RevRec AI · ASC 606 · Auto
Finance HITL · All classifications · SLA: 4hr
SAP: Order + Revenue Post · Auto · Automated
Immutable audit record written to Firestore at every state transition · SHAP explanation attached to every agent decision · Full Q2C trail queryable in BigQuery
As-Is: 9 manual handoffs · No SLAs · No audit trail · Average cycle time: 47 days · End-to-end owner: nobody
To-Be: Agent-mediated transitions · Defined SLAs · Full audit trail · Cycle time target: directionally reduced · End-to-end owner: AE Orchestration Layer
Salesforce-managed
AE Agent (autonomous)
HITL checkpoint (human required)
SAP-managed
Commercial
Quote-to-Cash
Opportunity · CPQ · Contract · Order · Revenue
Operational
Asset Management
Telemetry · RUL · Anomaly · Maintenance · DHR
Financial
Revenue & Risk
ASC 606 · IFRS 15 · Anomaly detection · FinRisk
Compliance
Governance & Audit
EU AI Act · ISO 13485 · HITL · XAI · Audit trail
Phase C
Information Systems Architecture
Output: Canonical Data Model · Application Portfolio

Phase C defines what data the enterprise needs to manage and what applications manage it. The canonical data model below shows the six shared entities that underpin all eight AE modules — the proof that the AE is a coherent system, not a collection of applications.

Canonical Data Model — Shared Entities Across All 8 AE Modules
Six entities · Every AE module references at least two · The shared data fabric that makes cross-module intelligence possible
Contract: contract_id · PK · sfdc_contract_id · FK · status · clauses[] · risk_score · shap_ref · hitl_event_id · FK → ContractGuard · RevRec
Transaction: transaction_id · PK · sap_doc_id · contract_id · recognition_type · ASC606 · perf_obligation_tags[] · hitl_event_id · shap_ref → RevRec AI · FinRisk
Device: device_id · serial_num · model_sku · install_date · region · hospital_id · rul_score · last_event_ts · dhr_ref · contract_id → Asset IQ · ISO 13485
Asset Event: event_id · device_id · FK · event_type · severity · sensor_payload · ts · dicom_code · region · pubsub_msg_id → Asset IQ · GreenOps
Agent Action: action_id · agent_id · action_type · status · input_ref · output_ref · shap_explanation_id · hitl_event_id · ts · confidence_score → All modules · XAI Layer
HITL Event: hitl_id · agent_action_id · approver_id · role · decision · reason_code · shap_presented · ts · timeout_at · escalated · immutable · Firestore → All HITL checkpoints
Relationship labels: 1:N · N:1 · 1:N · triggers
Contract
Transaction
Device
Asset Event
Agent Action (central audit entity)
HITL Event (immutable)
Application Portfolio — Data Ownership by Application
Salesforce
Owns: Account, Opportunity, Quote, Contract object
Reads: Agent Action results, HITL outcomes
SAP S/4HANA
Owns: Transaction (GL), Logistics order
Reads: RevRec classification post-HITL approval
AE Agent Layer
Owns: Agent Action, HITL Event, SHAP output
Orchestrates: all cross-system flows
GCP Data Fabric
Owns: Device, Asset Event, ML features
Serves: all modules via BigQuery + Feature Store
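The HITL Event entity above and principle P-02 describe a checkpoint with an entry condition, a named approver role, timeout behaviour and an immutable record. The sketch below is an added example, not ClaraVis project code: it models that checkpoint in memory, with a hash-chained list standing in for the Firestore audit store. The escalate-on-timeout rule, the role names and the identifiers used in calls are assumptions.

```python
import hashlib
import json
from enum import Enum

GENESIS = "0" * 64
def chain_hash(prev, body):
    return hashlib.sha256((prev + body).encode()).hexdigest()

class AuditLog:
    """Append-only, hash-chained log; a stand-in for the immutable audit store."""
    def __init__(self):
        self.rows = []  # (body_json, row_hash), oldest first

    def append(self, record):
        prev = self.rows[-1][1] if self.rows else GENESIS
        body = json.dumps(record, sort_keys=True)
        self.rows.append((body, chain_hash(prev, body)))

    def verify(self):  # recompute the chain; an edited or dropped row breaks it
        prev = GENESIS
        for body, digest in self.rows:
            if chain_hash(prev, body) != digest:
                return False
            prev = digest
        return True

class State(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    REJECTED = "rejected"
    ESCALATED = "escalated"

class HitlCheckpoint:
    def __init__(self, hitl_id, agent_action_id, required_role, shap_explanation_id,
                 opened_at, sla_seconds, log):
        if not shap_explanation_id:  # entry condition: nothing to present, no review
            raise ValueError("explanation required before HITL review")
        self.hitl_id, self.agent_action_id = hitl_id, agent_action_id
        self.required_role, self.log = required_role, log
        self.timeout_at = opened_at + sla_seconds
        self.state = State.PENDING
        self._record("opened", None, None, None, opened_at)

    def _record(self, decision, approver_id, role, reason_code, ts):
        self.log.append({  # field names follow the page's HITL Event entity
            "hitl_id": self.hitl_id, "agent_action_id": self.agent_action_id,
            "approver_id": approver_id, "role": role, "decision": decision,
            "reason_code": reason_code, "shap_presented": True, "ts": ts,
            "timeout_at": self.timeout_at, "escalated": decision == "escalated"})

    def tick(self, now):
        # Assumed timeout behaviour: an expired review escalates, never auto-approves.
        if self.state is State.PENDING and now >= self.timeout_at:
            self._record("escalated", None, None, "SLA_TIMEOUT", now)
            self.state = State.ESCALATED
        return self.state

    def decide(self, approver_id, role, decision, reason_code, now):
        if self.tick(now) is not State.PENDING:
            raise RuntimeError(f"checkpoint is {self.state.value}; no decision accepted")
        if role != self.required_role:
            raise PermissionError(f"{self.required_role} required, got {role}")
        if decision not in ("approved", "rejected"):
            raise ValueError("decision must be 'approved' or 'rejected'")
        self._record(decision, approver_id, role, reason_code, now)  # audit first
        self.state = State(decision)

    def may_execute(self):  # downstream write is gated on an approved decision
        return self.state is State.APPROVED
```

The audit row is written before the state changes, so a crash between the two leaves a record without an executed action rather than an action without a record.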
Phase D

Technology Architecture — GCP Reference.

Two diagrams. The concept overview establishes the four-layer model and the principal services. The full technical diagram below it shows every named GCP service, the VPC-SC perimeter, network topology, IAM boundaries, and data flow paths. This is the diagram that makes a Google Cloud architect stop and read.

Phase D — Concept: Four-Layer Architecture Overview
Principal services per layer · Data flow direction · HITL and XAI integration points
LAYER 01 · PRESENTATION & EXPERIENCE: Portfolio Site; 8 App Dashboards; HITL Approval UI; XAI Explanation Viewer; Architecture Explorer; Audit Trail Dashboard
Connector to Layer 02: REST / gRPC
LAYER 02 · AGENT ORCHESTRATION: CCAI Sales Agent (ADK); Contract Guard Agent; RevRec AI Agent (ADK); Asset IQ Agent (ADK); FinRisk Sentinel; Orchestrator; A2A Protocol; MCP Tool Manifest; HITL State Machine (Firestore)
Connector to Layer 03: Pub/Sub · VPC-native
LAYER 03 · DATA & ML PLATFORM: Vertex AI (Pipelines + Models); BigQuery (Data Fabric + Audit); Pub/Sub (Event Fabric); Feature Store (Vertex AI FS); SHAP / XAI (Explanation Layer); Model Registry + Cards (Vertex AI · Drift Detection)
Connector to Layer 04: CMEK · IAM · VPC-SC
LAYER 04 · INFRASTRUCTURE & GOVERNANCE: Terraform IaC; VPC-SC; BeyondCorp; CMEK · KMS; IAM · WIF; GKE · Cloud Run; Cloud Build CI/CD
VPC-SC PERIMETER · europe-west3 · ClaraVis data boundary
Layer 01 — Presentation
Layer 02 — Agent Orchestration
Layer 03 — Data & ML Platform
Layer 04 — Infrastructure
VPC-SC perimeter
Phase D — Full Technical: GCP Reference Architecture for ClaraVis
Every named GCP service · IAM boundaries · Network topology · Salesforce and SAP integration points · Data residency enforcement
GCP PROJECT: claravis-ae-prod · REGION: europe-west3 (Frankfurt)
VPC-SC PERIMETER · No data egress outside europe-west3 · CMEK enforced on all storage
SHARED VPC: claravis-ae-vpc · Subnets: ae-agents-subnet / ae-data-subnet / ae-infra-subnet

SUBNET: ae-agents · Cloud Run services
CCAI Sales Agent: Cloud Run · ADK · SA: ccai-sa@
ContractGuard: Cloud Run · ADK · SA: cg-sa@
RevRec AI Agent: Cloud Run · ADK · SA: revrec-sa@
Asset IQ Agent: Cloud Run · ADK · SA: assetiq-sa@
Orchestrator: A2A · MCP · ADK · SA: orch-sa@
Gemini 1.5 Pro: Vertex AI API · 1M token context

SUBNET: ae-data-ml · Managed services
BigQuery: Data fabric · Audit · CMEK · eu-west3 · Datasets: audit,feat,ml
Cloud Pub/Sub: Event fabric · Topics: asset-events · q2c-events · hitl-events
Vertex AI Pipelines: Train · Eval · Deploy · Model Registry · Drift monitoring
Firestore: Agent state · HITL · Immutable audit store · CMEK · eu-west3
Vertex AI FS: Feature Store · Online + offline · Feature lineage
Document AI + GCS: Contract ingestion · Document AI Form Parser · CMEK bucket

SUBNET: ae-infra · Identity · Security · Observability
IAM + Workload Identity Federation: No SA key files · WIF
Secret Manager: All secrets · No env vars · SFDC OAuth tokens
Cloud KMS (CMEK): ClaraVis key custody · Rotation: 90 days
Cloud Armor: WAF · DDoS · OWASP rules · Apigee gateway
Cloud Monitoring: SLO tracking · Alerts · Security Cmd Center
Cloud Build CI/CD · Artifact Registry · GKE Autopilot (batch ML) · Cloud Run (stateless agents) · Terraform state: GCS backend
Every resource tagged: module · env · cost-centre · CMEK-key · data-classification

SALESFORCE (External): Developer Edition · REST API · OAuth 2.0 · Secret Manager token · ADR-001 · System of Record
SAP S/4HANA (External): BAPI/RFC via middleware · BTP Event Mesh (design) · Mock: BigQuery table (demo) · ERP · Finance · Logistics
6 REGIONAL ASSET SYSTEMS: DICOM service events → Pub/Sub ingestion agent → unified schema · BigQuery · EMEA-N · EMEA-S · APAC-E/W · AME-N/S
DOCUMENT STORE: On-premise contracts → GCS upload → Document AI → Gemini 1.5 analysis · ContractGuard source
VPC-internal
Agent services (Cloud Run)
Data & ML (managed)
AI services (Vertex AI)
Infrastructure & security
VPC-SC boundary
External integration
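Principles P-06, P-08, P-11 and P-12 can also be checked at review time, before `terraform apply`, by inspecting the plan that `terraform show -json` emits. The check below is an added example, not part of the ClaraVis Terraform code and not a replacement for the VPC-SC and Organisation Policy enforcement the page describes. The resource addresses are constructed, only two storage resource types are covered, and the label keys are the page's tag set lower-cased because GCP label keys must be lowercase.

```python
REQUIRED_REGION = "europe-west3"
# The page's tag set, lower-cased because GCP label keys must be lowercase.
REQUIRED_LABELS = {"module", "env", "cost-centre", "cmek-key", "data-classification"}
# Per resource type: (nested block, attribute) holding the customer-managed key.
CMEK_ATTR = {
    "google_storage_bucket": ("encryption", "default_kms_key_name"),
    "google_bigquery_dataset": ("default_encryption_configuration", "kms_key_name"),
}

def _blocks(container, name):
    value = (container or {}).get(name)
    return value if isinstance(value, list) else []

def check_plan(plan):
    """Return (address, principle, message) for each violation in a plan JSON."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        after = change.get("after")
        if after is None:  # resource is being destroyed
            continue
        addr, rtype = rc["address"], rc["type"]
        if rtype == "google_service_account_key":
            findings.append((addr, "P-11", "service account key file requested"))
        if rtype not in CMEK_ATTR:
            continue
        location = (after.get("location") or "unset").lower()  # buckets report upper case
        if location != REQUIRED_REGION:
            findings.append((addr, "P-06", f"location {location}, expected {REQUIRED_REGION}"))
        block, attr = CMEK_ATTR[rtype]
        # A key created in the same apply is unknown at plan time: it is absent from
        # "after" and flagged true in "after_unknown", so accept either.
        candidates = _blocks(after, block) + _blocks(change.get("after_unknown"), block)
        if not any(b.get(attr) for b in candidates):
            findings.append((addr, "P-06", "no CMEK key configured"))
        missing = REQUIRED_LABELS - set(after.get("labels") or {})
        if missing:
            findings.append((addr, "P-12", "missing labels: " + ", ".join(sorted(missing))))
    return findings

_LABELS = {k: "x" for k in REQUIRED_LABELS}
# Constructed sample in the shape of `terraform show -json` output.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "google_bigquery_dataset.audit", "type": "google_bigquery_dataset",
     "change": {"after": {"location": "europe-west3", "labels": _LABELS,
                          "default_encryption_configuration": [{}]},
                "after_unknown": {"default_encryption_configuration": [{"kms_key_name": True}]}}},
    {"address": "google_storage_bucket.contracts", "type": "google_storage_bucket",
     "change": {"after": {"location": "US", "labels": {"env": "demo"}, "encryption": []}}},
    {"address": "google_service_account_key.revrec", "type": "google_service_account_key",
     "change": {"after": {"service_account_id": "revrec-sa"}}},
]}
```

Run as a required CI step on the plan artifact, a non-empty result from `check_plan` blocks the merge, which gives the peer review in P-08 a machine-checked floor.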
Phases E & F
Opportunities, Solutions & Migration Planning
Output: Gap Analysis · 3-Horizon Roadmap
Gap Analysis — Current vs Target State
| Capability Area | Current State (As-Is) | Target State (To-Be) | Horizon |
|---|---|---|---|
| ML Explainability | 3 production models — no SHAP, no explanation contract, EU AI Act non-compliant | Every inference produces SHAP values written to audit log before downstream action. Model Cards versioned in Vertex AI Registry. | H1 |
| HITL Architecture | Ad-hoc email/Slack approvals. No formal state machine, no timeout, no audit record of human decision. | HITL is a first-class state machine node in every agent. Named approver, presentation contract, decision interface, immutable Firestore record. | H1 |
| Asset Telemetry | 6 disconnected regional systems, no common schema, no cross-regional query capability. | Unified Pub/Sub ingestion pipeline, validated common schema, BigQuery dataset for fleet analytics, RUL model in production. | H1 |
| Revenue Recognition | Manual ASC 606 classification by Finance team. 12-day month-end close. No ML-assisted recognition. | RevRec AI classifies each transaction with SHAP explanation, routes through Finance Controller HITL, posts to SAP automatically post-approval. | H2 |
| Contract Intelligence | Contracts stored in on-premise DMS, not analysed. Legal review triggered manually, no precedent reference. | ContractGuard reads full contract via Gemini 1.5 Pro, scores every clause, routes non-standard terms to Legal HITL with precedents and draft counter-position. | H2 |
| Q2C Orchestration | 9 manual handoffs, no SLA, no end-to-end owner, no audit trail, 47-day average cycle. | Agent-mediated state machine with defined SLAs, immutable audit record at every transition, automated SAP write post-HITL approval. | H2 |
| Executive Visibility | C-suite data requires manual pulls from Salesforce, SAP, and 6 regional systems. No unified view. | Strategy Dashboard unifies pipeline, fleet status, revenue posture, and compliance status in a single real-time BigQuery-backed view. | H3 |
| Sales Agent | All inbound inquiries require immediate AE involvement. 3–5 day time-to-qualified-AE. | CCAI Sales Agent handles first 11 turns autonomously. Escalation to AE is a designed state transition with a full briefing document prepared by the agent. | H3 |
Migration Roadmap — Three Horizons
Horizon 1
Months 1–3
Foundation & Compliance
GCP project provisioning — Terraform, VPC-SC, IAM, CMEK
BigQuery data fabric + Pub/Sub event bus
HITL framework — state machine + Firestore audit store
XAI layer — SHAP integration on all 3 existing models
Model Cards for 3 existing production models
Salesforce Developer Edition integration (ADR-001)
Unified asset telemetry ingestion pipeline
Horizon 2
Months 4–8
Core Module Deployment
ContractGuard — clause scoring + Legal HITL
RevRec AI — ASC 606 classification + Finance HITL
Asset IQ — RUL model + anomaly detection
FinRisk Sentinel — real-time anomaly monitoring
Vertex AI Pipelines — MLOps for all new models
Drift detection + automated retraining triggers
App dashboards for deployed modules
Horizon 3
Months 9–18
Full AE Suite & Optimisation
CCAI Sales Agent — full ADK deployment
GreenOps Platform — carbon-aware scheduling
Strategy Dashboard — C-suite unified view
Data Governance module
Cross-module optimisation — shared feature pipelines
SAP integration productionisation (BTP)
EU AI Act full compliance certification readiness
Requirements Management

Every requirement traced to a phase and artifact.

Requirements Management is continuous throughout the ADM. The matrix below shows how every requirement from Page 02 is satisfied by a specific phase, artifact, and module. No requirement is unaddressed. No phase produces an artifact that cannot be traced back to a requirement.

| Req ID | Requirement (summary) | ADM Phase | Artifact | AE Module / Component |
|---|---|---|---|---|
| BR-01 | Q2C cycle orchestration with SLAs | Phase B | To-Be Value Stream | CCAI Agent · ContractGuard · RevRec AI · Orchestrator |
| BR-02 | EU AI Act compliance — 3 models | Phase D | XAI Layer · HITL Framework | RevRec AI · Asset IQ · ContractGuard · Vertex AI |
| BR-03 | Unified asset telemetry + predictive maintenance | Phase C/D | Data Model · GCP Architecture | Asset IQ · Pub/Sub · BigQuery · Vertex AI |
| BR-04 | ASC 606 revenue recognition automation | Phase B/D | Value Stream · Data Model | RevRec AI · Finance HITL · SAP integration |
| BR-05 | Contract clause intelligence + risk scoring | Phase B/D | Value Stream · GCP Arch. | ContractGuard · Document AI · Gemini 1.5 Pro |
| BR-06 | Data sovereignty — no data leaves EU | Phase D | GCP Reference Arch. | VPC-SC · CMEK · Organisation Policy · Terraform |
| AR-01 | SHAP explanation per ML inference | Phase D | XAI Layer design | SHAP layer · BigQuery audit · all ML modules |
| AR-02 | HITL as formal state machine node | Prelim + D | P-02 principle · HITL spec | Firestore state machine · all agent modules |
| AR-03 | Immutable audit trail for all agent actions | Phase C/D | Data Model · Firestore | Agent Action entity · Firestore · BigQuery |
| AR-04 | Salesforce as system of record | Prelim | ADR-001 · ADR-002 | SFDC REST API · Developer Edition |
| AR-06 | VPC-SC for data sovereignty | Phase D | GCP Reference Arch. | VPC-SC · Terraform Organisation Policy |
| AR-08 | ASC 606 as write-path constraints | Phase C | Data Model · Transaction entity | RevRec AI · Transaction entity · BigQuery |
| C-01 | Zero additional licensing cost | Prelim | P-12 · ADR-001 | Free tier · SFDC Dev Edition · GCP credits |
| C-04 | EU data residency — europe-west3 | Phase D | GCP Reference Arch. | Terraform region var · Org Policy constraint |
| C-05 | MVP-plus build standard | Phase E/F | Migration horizons | H1–H3 scope definition · demo pathways |
Architecture Decision Records

Six decisions. Every alternative documented.

ADR-001 and ADR-002 were established in Phase A. ADR-003 through ADR-006 are produced in Phase D. Every ADR states the decision, the alternatives considered, and the consequences — the pattern Google and major engineering organisations use to make architecture reasoning persistent.

ADR-001
Salesforce Developer Edition — REST API integration
Selected over BigQuery Data Transfer, CSV export, and Google Sheets mock. Live API makes Q2C domain depth observable in demos. Developer Edition is free and permanent.
Accepted · Phase A
ADR-002
GCP alongside Salesforce — augmentation, not replacement
AE addresses five domains outside Einstein's boundary. Salesforce remains system of record. Integration is additive. No decommissioning of existing investments.
Accepted · Phase A
ADR-003
Cloud Run over GKE for stateless agent services
Stateless agent invocations (ContractGuard, RevRec AI) deploy to Cloud Run. Only batch ML workloads use GKE Autopilot. Cloud Run scales to zero, reducing costs and operational complexity for demo-phase workloads.
Accepted · Phase D
ADR-004
Firestore for agent state and HITL audit — not Spanner
Firestore selected over Spanner for agent state machine and HITL audit store. Spanner's global distribution is not required for a single-region EU deployment. Firestore's document model maps naturally to agent state and HITL event schemas. Cost at demo scale is negligible.
Accepted · Phase D
ADR-005
SHAP over LIME for the XAI explanation layer
SHAP provides consistent, theoretically grounded feature attribution across tree-based and neural models. LIME's local approximations introduce instability on repeated calls — unacceptable for an immutable audit record. SHAP values are deterministic given a fixed model and input.
Accepted · Phase D
ADR-006
Pub/Sub as the integration event bus — not direct API calls
All cross-system events publish to Pub/Sub before consumption. Direct synchronous Salesforce-to-SAP calls create tight coupling and make event replay for audit purposes impossible. Pub/Sub decouples producers from consumers, enables at-least-once delivery guarantees, and provides the event stream for the streaming ML feature pipeline.
Accepted · Phase D
Next in the Portfolio
Architecture defined.
Delivery model follows.

The TOGAF ADM has produced the architecture. Page 04 shows how it gets delivered — the SAFe Solution Train structure, the Agile Release Train mapping for each module domain, and how cross-cutting enablers (security, data governance, HITL) are coordinated across all ARTs.
