System Context
§3.1 C4 Level 1 · System Context
The C4 Level 1 diagram answers a single question: what does the Autonomous Finance system do, and who does it talk to?[cite: 6] The system boundary is opaque[cite: 6]. The agents, the Event Bus, the HITL manager — none of these appear here[cite: 6]. They are container-level concerns documented in C4 L2 below[cite: 6].
Four human actors sit outside the boundary: CFO, Group Controller, Treasury Manager, and AP Lead[cite: 6]. Eight external software systems surround the boundary[cite: 6]. Every arrow carries a relationship description and integration protocol[cite: 6]. Vertex AI and Cloud Pub/Sub are GCP-managed platform dependencies — they appear as external software systems at L1 because the system does not own or deploy them, it consumes them via API[cite: 6].
The BTP Integration Suite is shown as a distinct relay node between the system and SAP S/4HANA — it is not a direct RFC connection from GCP to on-premise[cite: 6].
§3.2 Inside the Boundary
C4 Level 2 opens the system box and shows the major containers — deployable/runnable units[cite: 6]. Agents are containers[cite: 6]. Cloud Pub/Sub and Vertex AI are GCP-managed platform dependencies — not internal components the system owns[cite: 6]. They appear inside the system's GCP project boundary but with a distinct visual treatment indicating they are managed services[cite: 6].
§3.3 Event & Signal Flow
Cloud Pub/Sub is a GCP-managed service[cite: 6]. Agents publish to it; they do not own it[cite: 6]. Topic names follow a structured namespace — domain.entity.event-type — reflecting the enriched, structured nature of the payloads (not raw SAP dumps)[cite: 6]. The HITL State Manager subscribes to finance.action.proposed and routes to human review or autonomous execution based on the risk classification schema[cite: 6].
| Action Type | Risk Tier | Trigger Condition | Disposition | EU AI Act Basis |
|---|---|---|---|---|
| GL journal post — IC settlement | High · HITL Required | Amount > €50k OR cross-jurisdiction OR new counterparty entity | Group Controller approval queue · 4h SLA | Annex III §5(b) — AI influencing financial decisions for legal persons[cite: 6] |
| GL journal post — IC settlement | Low · Autonomous | Amount ≤ €50k AND same-jurisdiction AND known entity AND confidence ≥ 0.92 | Direct SAP write via BTP · logged to Audit Trail | Annex III §5(b) — below materiality threshold, explainability logged[cite: 6] |
| FX hedge recommendation | High · HITL Required | Notional > €500k OR tenor > 90 days OR model confidence < 0.80 | Treasury Manager approval queue · 2h SLA | Annex III §5(b) — material financial risk to legal entity[cite: 6] |
| AP payment release routing | High · HITL Required | New supplier (first 3 invoices) OR disputed PO OR invoice > €100k | AP Lead review queue · 8h SLA | Annex III §5(b) — payment instruction with financial consequence[cite: 6] |
| AP exception classification | Low · Autonomous | Known supplier · matched PO · amount within 2% tolerance · confidence ≥ 0.90 | Auto-route to resolution queue · no SAP write · logged | Classification only — no financial action, exempted[cite: 6] |
| Model inference (all agents) | Logged · No Gate | Every inference call | SHAP attribution + confidence logged to Audit Trail · no human gate on inference itself | Art. 13 Transparency — model output explainability requirement[cite: 6] |
§3.4 Integration Pattern Register
Open Banking (PSD2) and ISO 20022 are distinct protocols with different transport formats, authentication mechanisms, and data semantics — they are listed separately[cite: 6]. SLA targets and availability tiers are specified for each integration[cite: 6]. GCP-managed services (Vertex AI, Cloud Pub/Sub) are listed with their VPC-SC and regional endpoint configuration requirements[cite: 6].
| System | Deployment | Protocol | Data In | Data Out | Latency | SLA / Availability |
|---|---|---|---|---|---|---|
| SAP BTP Integration Suite | SAP Cloud (relay) | REST/OData → RFC translation | IC delta events, GL entries, entity master data | Approved journal posts forwarded to S/4HANA via RFC | Near Real-Time | 99.9% · SAP SLA[cite: 6] |
| SAP S/4HANA | On-premise | RFC (via BTP relay) | GL/IC entries, open item lists, entity master | Journal posts, IC settlement confirmations, TP doc writes | Near Real-Time | Customer-managed · ≥99.5%[cite: 6] |
| Banking APIs ×4 (PSD2) | Cloud SaaS (banks) | PSD2 Open Banking · REST/JSON · OAuth 2.0 | Real-time account balances, retail transaction feeds, account metadata | None — read-only | Real-Time | 99.5% · PSD2 mandated[cite: 6] |
| Banking APIs ×4 (SWIFT) | SWIFT Network | ISO 20022 XML · SWIFT gpi · MX messages | Intraday liquidity position, cross-border payment confirmations, MT→MX migrated messages | None — read-only (payment initiation out of scope L1) | 15-30 min batch | 99.9% · SWIFT SLA[cite: 6] |
| FX Rate Feeds (ECB + BoC) | Public API | REST pull (scheduled) · JSON/XML | EUR/CHF/USD spot rates, forward curves, historical series | None — read-only | 15-min Poll | Public · no SLA · retry logic req'd[cite: 6] |
| Supplier Invoice Ingestion | Hybrid (email + EDI) | Email IMAP · EDIFACT D.96A · Document AI API | Structured invoice fields: supplier, PO ref, line items, amounts, currency, due date, exception flags | None — intake only; AP posting via SAP | Async / Event-driven | Best-effort · dead-letter queue[cite: 6] |
| Vertex AI Prediction (GCP) | GCP europe-west3 (managed) | gRPC · regional private endpoint · VPC-SC enforced | Feature vectors: IC mismatch signals, cash position vectors, invoice exception embeddings | Inference scores, confidence intervals, SHAP attribution values | Real-Time <200ms | 99.95% · GCP SLA · VPC-private[cite: 6] |
| Cloud Pub/Sub (GCP) | GCP europe-west3 (managed) | Pub/Sub API · push + pull · VPC-SC enforced | Agent action proposals, HITL decisions, audit events, feature deltas | Routed messages to subscribers (HITL, Audit Trail, Feature Store Adapter) | Real-Time | 99.95% · GCP SLA[cite: 6] |
| AE Data Governance (M-08) | AE Platform (GCP) | Feature Store API · synchronous gate | Feature definitions, lineage metadata for validation | Validated feature versions approved for Feature Store write; DQ score | Pre-batch gate | 99.9% · AE Platform SLA[cite: 6] |
| AE GreenOps (M-06) | AE Platform (GCP) | Scheduler API · carbon-aware (Grid Carbon API) | Retraining job manifests, carbon intensity signals | Carbon-optimised batch schedule; green execution windows; Scope 3 emissions tags per run | Batch / Scheduled | Best-effort · carbon-aware[cite: 6] |
| AE Strategy Dashboard (M-07) | AE Platform (GCP) | Pub/Sub push · ae.kpi.finance.updated topic | None — write-only | KPI feed: close duration (days), cash forecast accuracy (%), AP exception rate, IC mismatch count, hedge P&L attribution | Near Real-Time | 99.9% · AE Platform SLA[cite: 6] |
§3.5 Compliance Architecture
Compliance constraints are expressed architecturally — not as policy overlays[cite: 6]. Each framework maps to a specific structural decision[cite: 6]. CSRD is cited at the correct category level for a manufacturing group (not Category 15, which applies to financial institutions' financed emissions)[cite: 6]. GDPR is cited at the correct articles with accurate scope[cite: 6]. SOX/SEC recordkeeping compliance is expressed through jurisdiction-aware routing visible in the architecture[cite: 6].
jurisdiction: US envelope tag[cite: 6]. The routing layer applies US-specific retention (7 years per SOX §802 and SEC 17a-4 requirements), access controls aligned to SOX's internal-controls accountability principle, and ensures the Federal Reserve FX feed data path is tagged as a US-jurisdiction data flow[cite: 6]. This is visible in the Pub/Sub event envelope — not enforced only at the policy layer[cite: 6].