§1 Why Now
The architectural conditions for enterprise AI at scale are now in place.
Four things had to be true simultaneously for an autonomous quote-to-cash system to be architecturally viable: the regulatory framework had to be clear enough to design against, the tooling had to be mature enough to build production systems with, and the data infrastructure had to be fast enough to act on in real time.
In 2024–25, all four converged. The Autonomous Quote-to-Cash is a response to that convergence — a complete architectural design that takes each of the four enabling factors below and expresses it as a concrete engineering decision.
Factor — 01
Regulatory Clarity Arrived
The EU AI Act entered enforcement in August 2024. High-risk AI systems — including anything that touches medical devices, credit, or employment — now require explainability, human oversight, and documented architecture by law. Compliance is no longer optional, and it's no longer vague. This is the forcing function that turns "nice to have" XAI into a contractual necessity.
EU AI Act · Aug 2024
Factor — 02
LLMs Reached Enterprise Grade
Gemini 1.5 Pro's 1M token context window means an LLM can now read an entire contract portfolio, a full Q2C history, or a decade of asset maintenance logs in a single pass — and reason across them. This isn't incremental. It collapses the boundary between structured enterprise data and unstructured documents that has blocked enterprise AI adoption for fifteen years.
Context Window · 2024
Factor — 03
Agentic Tooling Matured
Google's Agent Development Kit (ADK), the Model Context Protocol (MCP), and the Agent-to-Agent (A2A) communication protocol gave the industry its first production-grade framework for multi-agent systems. For the first time, you can design a swarm of specialist agents with formal state machines, tool contracts, and audit trails — without building the orchestration layer from scratch.
ADK / MCP / A2A · 2025
Factor — 04
Enterprise Data Fabric Is Ready
BigQuery, Vertex AI Feature Store, Pub/Sub, and Firestore now compose into a real-time enterprise data fabric that didn't exist in its current form three years ago. The gap between an event in the field — a sensor anomaly on an MRI unit, a contract clause triggering a price adjustment — and an AI-driven response has collapsed from days to seconds.
GCP Data Platform · 2024–25
§2 The Anchor Problem
Anchor Client · Medical Imaging OEM
ClaraVis Medical Systems
Munich, Germany · €1.2B Revenue · 4,200 Employees
MRI & CT Imaging Portfolio · Installed Base: 12,000+ Units · 34 Countries
€40M
Annual warranty over-reserve
3.2×
Reactive vs predictive maint. cost
Every MRI configuration requires sequential handoffs between Sales, Applications Engineering, Legal, Service, Finance, Revenue Recognition, Logistics, and Post-Sales. Each handoff is a human, an email, and a 3–5 day delay. The system wasn't designed — it accumulated. Nobody owns the end-to-end, so nobody can fix it.
Target with AS: CPQ cycle under 9 days. Revenue close reduced by 31 days.
ClaraVis's existing data science team built three predictive models — revenue recognition, asset failure prediction, and contract risk scoring — all of which are classified as high-risk under EU AI Act Annex III. None of them currently produce a human-reviewable explanation. None have a documented human oversight checkpoint. A compliance audit in Q3 2025 flagged all three.
The AS satisfies Article 14 by making human oversight a state machine node. Every high-risk inference routes through a named approver — with a SHAP explanation and confidence score presented — before any write operation commits.
Installed MRI units send DICOM service events, error codes, and utilisation data to 6 different regional systems with no common schema. Predictive maintenance is impossible. Field service is reactive. The €40M warranty reserve exists because nobody can predict failures — so finance provisions for the worst case every quarter.
Unified asset event pipeline → RUL prediction model → 40% reduction in unplanned downtime.
§3 Design Philosophy
Four principles. Non-negotiable in a regulated context.
These aren't best-practice guidelines. In the EU AI Act and FDA regulatory environment, they are architectural constraints. Every component of the AS must satisfy all four.
I
Principle — 01
Explainability engineered in — from model design to audit trail
XAI is not a dashboard you add after the model ships. Every ML model in this system is designed with its explanation contract upfront — before a single line of training code is written. The explanation must be human-readable, must identify the top features driving each decision, and must be written to the audit log before any downstream action is taken. SHAP values are generated at inference time, not retrospectively. Model Cards document intended use, known limitations, and bias analysis — and they are versioned alongside the model in the registry.
In practice: When the revenue recognition model classifies a ClaraVis MRI transaction as a lease vs a sale, the Finance Controller sees: the top 5 contract features that drove the classification, the confidence score, and a one-click override with mandatory reason code before the entry posts to the GL.
II
Principle — 02
Human oversight is a first-class state machine node, specified before implementation
EU AI Act Article 14 defines meaningful human oversight as a designed mechanism — a specific point in the decision flow where a named human reviews the agent's reasoning, the SHAP explanation, the confidence score, and chooses to approve, reject, or escalate. In this architecture, every HITL checkpoint is a formal state in the agent's state machine, with a defined entry condition, a presentation contract, a decision interface, a timeout behaviour, and an immutable audit record written before the agent proceeds.
In practice: The Contract Guard agent autonomously extracts and classifies 200+ clause types. When it flags a liability cap as non-standard, it pauses, surfaces the clause with its risk score and similar past precedents, and waits for a Legal reviewer to approve before any counter-proposal is drafted.
III
Principle — 03
Compliance obligations encoded as write-path constraints, satisfied continuously
Most enterprise compliance tools are forensic — they tell you what happened after the fact. This architecture makes compliance a live property of every transaction. ASC 606 revenue recognition rules, EU AI Act Article 13 transparency requirements, and ISO 13485 device record requirements are encoded as immutable constraints in the data model and enforced by the write path — not checked by a monthly report. Every event is tagged with the regulatory obligation it satisfies at the time of writing. The compliance audit trail is a by-product of normal operations, not a separate process.
In practice: Every ClaraVis MRI device shipment event writes simultaneously to the asset register, the revenue recognition pipeline, and the ISO 13485 device history record — in one atomic transaction with a single regulatory tag set.
IV
Principle — 04
Augment the enterprise — never replace its judgment
The agent swarm does not run the enterprise. It runs the work the enterprise shouldn't be spending human time on: extracting data, transforming it, routing it, flagging anomalies, generating options, and preparing decisions for human review. Every module has a defined autonomy boundary — a set of actions below a risk threshold it can execute without asking, and a set above the threshold where it prepares the best possible brief for a human and waits. Replacing human judgment in a medical device company is not the goal. Making it faster, better-informed, and fully documented is.
In practice: The CCAI Sales Agent handles the first 11 turns of an inbound MRI inquiry — qualification, product fit, configuration options, pricing estimate — fully autonomously. Turn 12, where deal-specific commercial terms are discussed, automatically escalates to a Senior Account Executive with a full briefing document the agent prepared.
§4 The Architecture
Four layers. One coherent contract.
Each layer has a single responsibility and a clean interface to the layer above and below it. XAI outputs and HITL checkpoints flow upward from the MLOps layer to the Experience layer. Governance and audit constraints flow downward from policy into the Infrastructure layer. Nothing bypasses a layer. Nothing is ad-hoc.
This is a concept overview. The full technical design — GCP reference architecture, Terraform IaC, ADK agent topology, and Vertex AI pipeline specs — is developed in Phase 2 (TOGAF D) and Phase 6 of the design process.
The four-layer model is deliberately borrowed from classic enterprise architecture thinking — but updated for the agentic era. Layer 1 is what users see and interact with, including the HITL approval surfaces. Layer 2 is where agent intelligence lives: the orchestration swarm, the event bus, and the A2A protocol. Layer 3 is where ML lives: the models, the XAI pipeline, the feature store, and drift detection. Layer 4 is where trust is enforced: zero-trust networking, encrypted storage, IAM, immutable audit logs, and the IaC that makes all of it reproducible and auditable.
The insight is that in a regulated enterprise, trust cannot be a property of the application — it must be a property of the infrastructure. If the infrastructure doesn't enforce it, any application can violate it. Layer 4 makes compliance physically un-bypassable.
4.1 What this means for your leadership team
The architecture speaks to every seat at the table.
CFO
CXO — 01
Chief Financial Officer
Every ML decision touching revenue recognition or warranty provisioning has a named approver, a confidence score, and an immutable audit record before any GL entry posts. ASC 606 rules are encoded as write-path constraints — not checked by a monthly close process.
What changes: Your Q2C audit trail is a structural by-product of operations. No remediation. No separate compliance run.
CCO
CXO — 02
Chief Compliance Officer
EU AI Act Article 14 human oversight is a state machine node, not a policy document. Every high-risk inference routes through a named approver with a SHAP explanation before any write operation commits. Your auditor reads the operational log — nothing is reconstructed after the fact.
What changes: Compliance is a live property of every transaction. The audit is already done.
CRO
CXO — 03
Chief Revenue Officer
The agent handles the first 11 turns of every inbound deal — qualification, configuration, pricing estimate — fully autonomously. Your senior reps enter at commercial terms, fully briefed. CPQ cycle target: under 9 days. Revenue close reduced by 31 days.
What changes: Your best people stop doing triage. They close deals.
4.2 Zero black-box decisions — how it works
Every ASC 606 revenue recognition inference takes this exact path — no exceptions, no shortcuts.
§5 What the Architecture Delivers
Six things the architecture delivers — by design.
Every architecture decision in this portfolio is production-grade. Every design artifact traces to a real enterprise requirement. The ClaraVis scenario is a representative composite of patterns from real regulated-industry AI deployments.
Each capability below is a structural property of the design — an outcome of the architectural decisions made across the six phases, expressed in component specifications, and enforced by the infrastructure.
A formally specified multi-agent system
Agent topology defined using Google ADK. Each agent carries a state machine specification, a tool manifest, a confidence threshold, a documented autonomy boundary, and a circuit-breaker configuration. Every component traces to a named GCP service or ADK construct.
An executable architecture
Every component in every layer maps to a named GCP service, a Terraform resource, or an ADK agent definition. Architecture Decision Records document each significant choice alongside the alternatives considered. The architecture is buildable directly from its design artifacts.
Compliance as a structural property
EU AI Act, FDA 21 CFR 820, and ASC 606 obligations are encoded as write-path constraints. A compliance audit reads the operational log — there is no separate compliance database and no remediation process. Compliance is continuous and automatic.
Full enterprise scope on a common data fabric
Sales, contracting, asset management, revenue recognition, risk monitoring, and infrastructure governance — eight modules sharing a common Pub/Sub event fabric, a common Vertex AI Feature Store, a common XAI contract, and a common HITL specification.
Domain-specific ML patterns
ASC 606 hybrid recognition rules encoded as classification logic. CQRS event sourcing for immutable audit trails. Two-tier predictive maintenance — RUL prediction at fleet level, anomaly detection at unit level. SHAP explanation contract per model, specified before training begins.
Documented tradeoffs at every decision point
Every Architecture Decision Record states what was selected, what was considered, and the technical reasoning: Firestore over Spanner for agent state, Cloud Run over GKE for stateless modules, SHAP over LIME for the XAI layer. The reasoning is the design.
§6 Regulatory Grounding
Compliance is not a layer. It is the foundation.
Each regulation below imposes specific architectural constraints — not just documentation requirements. The design satisfies them structurally, not through post-hoc reporting.
§7 The Design
The design starts here.
The following pages take every principle above and express it as concrete architecture artifacts — buyer requirements, TOGAF phases, agent topology, ML pipeline design, and infrastructure code. Each page is independently readable. Together, they form a complete AI Solutions Architecture portfolio.