ClaraVis — Client Brief & Requirements

Architectural Positioning

The AS alongside Salesforce Einstein — five domains that determine the boundary.

ClaraVis runs Salesforce as the system of record for its commercial operations. Salesforce Einstein provides capable AI within that boundary. The first question any CTO or enterprise architect asks is: why build on GCP when Einstein exists? The answer is architectural, not commercial.

Canonical Positioning Statement

Salesforce Einstein delivers intelligence within the Salesforce data model. The Autonomous Seller delivers intelligence across the enterprise — spanning the installed asset base, the ERP, the contract corpus, and the compliance obligations that no single vendor's boundary contains. Where Einstein optimises the CRM layer, the AS orchestrates the full Quote-to-Cash-to-Field-to-Compliance lifecycle, with explainability and human oversight engineered in to satisfy EU AI Act requirements that proprietary models cannot structurally meet.

ADR-002 · GCP alongside Salesforce, not instead of it

DOMAIN — 01

Physical asset intelligence — 12,000 MRI units in the field

MRI unit telemetry, DICOM service events, sensor readings, and utilisation patterns do not live in Salesforce and never will. Salesforce is not a time-series IoT platform. Predicting Remaining Useful Life on a physical medical device requires BigQuery, Vertex AI, and a Pub/Sub streaming pipeline ingesting field events at scale.

Architectural Rationale

Constraint: Einstein has no access to DICOM telemetry, sensor streams, or regional asset systems. IoT-scale time-series prediction is outside CRM platform scope.

AS response: Unified Pub/Sub ingestion pipeline → BigQuery feature store → Vertex AI RUL model. All data remains in GCP EU region.

ADR-006 · Pub/Sub event fabric · BR-03

DOMAIN — 02

EU AI Act Annex III — explainability that satisfies Article 14

Annex III requires human-reviewable SHAP explanations per inference, written to an immutable audit log before any action commits. Einstein's models are proprietary — feature attribution is not exposed to the operator. For a German medical OEM, this is a structural disqualification for high-risk AI classification, not a configuration gap.

Architectural Rationale

Constraint: Einstein does not expose SHAP values, model internals, or feature attribution. EU AI Act Art. 13–14 compliance is structurally unavailable on proprietary hosted models.

AS response: Vertex AI models with TreeExplainer/LinearExplainer SHAP pipeline. Explanation written to BigQuery audit dataset before any downstream action. Full operator transparency.

ADR-005 · XAI Layer · EU AI Act Art. 13–14

DOMAIN — 03

Revenue recognition across SAP S/4HANA and Salesforce

ASC 606 classification — lease vs sale, single vs multiple performance obligations — requires an ML model trained on ClaraVis's contract portfolio, producing a SHAP explanation, routing through a Finance Controller HITL checkpoint, then writing to SAP S/4HANA. This flow crosses three systems. No single vendor orchestrates it.

Architectural Rationale

Constraint: No single vendor — Salesforce, SAP, or Google — owns the full Salesforce→ML→HITL→SAP GL write flow. Cross-system orchestration requires a neutral layer.

AS response: RevRec AI agent orchestrates classification → SHAP → HITL checkpoint → SAP write as a single Pub/Sub-driven state machine. ASC 606 rules encoded as write-path constraints.

ADR-002 · ADR-006 · AR-08 · ASC 606

DOMAIN — 04

Full-document contract intelligence on the raw document

Clause-level risk scoring, non-standard term detection, and negotiation brief generation require reasoning across the full contract document. Gemini 1.5 Pro reads the entire contract in one pass via its one-million-token context window. Einstein's document understanding operates on Salesforce CLM metadata — not the source document.

Architectural Rationale

Constraint: Salesforce CLM stores contract metadata, not the full document. Clause-level reasoning requires the full contract text. Einstein operates on structured CRM fields, not document corpora.

AS response: GCS document ingestion → Document AI pipeline → Gemini 1.5 Pro clause classification with 1M token context window. Full document intelligence, not metadata extraction.

ADR-005 · ContractGuard · EU AI Act Annex III

DOMAIN — 05

Cross-system orchestration — the layer nobody owns

ClaraVis's enterprise spans Salesforce, SAP S/4HANA, six regional asset telemetry systems, a document management platform, and a compliance audit store. No single vendor owns all of that. The AS is the connective tissue — a coherent, explainable, human-supervised orchestration layer across every system ClaraVis operates.

Architectural Rationale

Constraint: No vendor provides a neutral orchestration layer across Salesforce + SAP + IoT + compliance with open explainability and EU-region data sovereignty simultaneously.

AS response: ADK multi-agent swarm on GCP. Pub/Sub event fabric as the integration bus. Every agent action auditable. Every ML decision explainable. EU AI Act satisfied structurally.

ADR-002 · Layer 02 Agent Orchestration · AR-11

SFDC

Salesforce

System of record
Opps · Quotes · Contracts

⇄

REST API
Developer Edition
ADR-001

Autonomous Seller

Orchestration layer
Intelligence · XAI · HITL

⇄

BAPI / RFC
via middleware

SAP

SAP S/4HANA

ERP system of record
Finance · Logistics

→

Pub/Sub
streaming

GCP

Google Cloud

Vertex AI · BigQuery
Asset telemetry · MLOps

Organisation Profile

ClaraVis Medical Systems — the anchor client.

A composite of real regulated-industry enterprise patterns. Every requirement, constraint, and architectural decision on this page is grounded in the specific operational context of a medical imaging OEM operating under EU AI Act, FDA 21 CFR 820, and ISO 13485 simultaneously.

Organisation Facts

Legal name

ClaraVis Medical Systems GmbH

Headquarters

Munich, Bavaria, Germany

Revenue

€1.2B (FY2025)

Employees

4,200 across 12 countries

Product portfolio

MRI-7T, MRI-3T, CT-Premium, mobile MRI units

Installed base

12,000+ units across 34 countries

Sales cycle

14–20 months · 9 stakeholders per enterprise deal

Regulatory Environment

EU AI Act

Annex III high-risk — 3 ML models flagged in Q3 2025 audit

FDA 21 CFR 820

Quality System Regulation — Device History Records required

ISO 13485

Medical Devices QMS — full device lifecycle traceability

ASC 606 / IFRS 15

Revenue recognition — lease vs sale classification required

GDPR / EU DPDP

No PHI leaves EU boundary — data residency enforced

ISO 27001

Information security — zero-trust architecture required

Live

Salesforce

CRM · CPQ · CLM — System of Record

Opportunities, Accounts, Quotes, Contracts, and CPQ line items. Sales pipeline, forecasting, and contract workflow. AS integrates via REST API using Salesforce Developer Edition pattern (ADR-001).

AS reads and writes via Salesforce REST API — augments Einstein, does not replace it

Live

SAP S/4HANA

ERP — Finance · Logistics · Revenue

General ledger, revenue posting, logistics execution, and procurement. Source of truth for financial transactions. AS writes revenue recognition decisions to SAP via middleware after HITL approval.

AS writes to SAP only after Finance Controller HITL checkpoint — immutable audit record created first

EU AI Act Risk

3 ML Models in Production

Revenue Recognition · Asset Failure · Contract Risk

Built by ClaraVis data science team. All three classified as high-risk under EU AI Act Annex III. None currently produce SHAP explanations. None have documented HITL checkpoints. Flagged in Q3 2025 audit.

All three models require AS XAI and HITL retrofit before next compliance review

6 Systems

Regional Asset Telemetry

Field Service · IoT · DICOM Events

Six disconnected regional platforms receiving MRI unit telemetry — DICOM service events, error codes, utilisation data. No common schema. No unified query interface. Predictive maintenance is architecturally unavailable.

Unified Pub/Sub ingestion pipeline required — Asset IQ module addresses this domain entirely

Legacy

Document Management

Contract Storage · Compliance Records

On-premise document store for contracts, compliance certificates, and device history records. No full-text search. No clause-level intelligence. Contracts are stored but not analysed.

ContractGuard ingests raw documents via GCS — no dependency on existing DMS structure

Disconnected

Finance Reporting Stack

Revenue · Compliance · Audit

Combination of SAP FI/CO reports, Excel-based revenue schedules, and manual audit packs. Revenue recognition classification performed manually by Finance team. No ML-assisted recognition. Month-end close takes 12 days.

RevRec AI targets this domain — ASC 606 rules encoded as write-path constraints, not reporting logic

Stakeholder Register

Nine stakeholders. Nine different conversations.

An enterprise architecture that satisfies the CTO's infrastructure requirements but cannot answer the Compliance Officer's audit question will not be adopted. Each stakeholder below has a primary concern, a specific question the AS must answer for them, and a set of modules that address their domain directly.

S-01 · Executive Sponsor

Chief Technology Officer

Technology & Innovation

Primary Concern

Architectural coherence across a multi-vendor enterprise stack. Whether the AS creates new technical debt or resolves existing fragmentation.

Question the AS must answer

How does this sit alongside Salesforce and SAP without creating a third system of record?

All Modules ADR-002 Layer Architecture

S-02 · Risk & Compliance

Chief Compliance Officer

Legal & Regulatory Affairs

Primary Concern

EU AI Act Annex III exposure. Whether the three production ML models can be brought into compliance before the next regulatory review without re-architecting from scratch.

Question the AS must answer

Show me the audit trail for a revenue recognition decision made last Tuesday. Every feature weight that drove it.

RevRec AI ContractGuard XAI Layer HITL

S-03 · Financial Governance

Chief Financial Officer

Finance & Treasury

Primary Concern

The €40M annual warranty over-reserve and the 12-day month-end close. Both are symptoms of missing intelligence in the asset and revenue layers.

Question the AS must answer

How does this reduce the warranty reserve and accelerate revenue close — with evidence, not projections?

RevRec AI Asset IQ FinRisk Sentinel

S-04 · Sales Leadership

VP Sales & Commercial

Global Sales Organisation

Primary Concern

The 47-day CPQ cycle. By the time a quote reaches a hospital, the clinical team has already evaluated a competitor. Speed is a competitive differentiator in this market.

Question the AS must answer

Which steps in the quote process can the agent handle autonomously, and what exactly does it hand to a human and when?

CCAI Sales Agent ContractGuard HITL Spec

S-05 · Clinical Operations

VP Clinical & Applications

Clinical Engineering

Primary Concern

Configuration accuracy. An MRI unit configured incorrectly for a hospital's clinical workflow requires expensive field remediation. The CPQ process must validate clinical requirements before quoting.

Question the AS must answer

Does the agent understand clinical configuration requirements, or does it just pass through SKU selections?

CCAI Sales Agent Asset IQ

S-06 · Field Operations

VP Field Service & Operations

Global Service Operations

Primary Concern

Unplanned downtime. A failed MRI unit in a hospital creates immediate patient care disruption and a costly emergency dispatch. The 3.2× cost differential between reactive and predictive maintenance is the field operations budget problem.

Question the AS must answer

How far in advance can the asset model predict a failure, and how confident is that prediction?

Asset IQ RUL Model Anomaly Detection

S-07 · Legal & Contracts

General Counsel

Legal Affairs

Primary Concern

Non-standard contract terms passing through the sales process without legal review. Liability caps, indemnification clauses, and governing law provisions carry material financial risk if not flagged before countersigning.

Question the AS must answer

What is the agent's confidence threshold for escalating a clause to Legal, and can I see the precedents it used?

ContractGuard HITL Checkpoint Clause Scoring

S-08 · IT Architecture

Enterprise Architect

IT & Digital Transformation

Primary Concern

Integration complexity. Whether the AS adds surface area to an already complex integration landscape or reduces it by providing a single orchestration layer across existing systems.

Question the AS must answer

Show me the TOGAF Phase D diagram. Where are the integration points, and what are the failure modes?

TOGAF Phase D All ADRs Layer 04 Infra

S-09 · Information Security

Chief Information Security Officer

Security & Risk

Primary Concern

Data sovereignty. No patient data, device configuration data, or commercially sensitive contract data leaves the EU boundary. Every access is authenticated, every action is logged, every log is tamper-evident.

Question the AS must answer

What is the data residency guarantee, and how is it enforced at the infrastructure layer — not just configured?

VPC-SC CMEK BeyondCorp Layer 04 Infra

RACI Matrix — Modules × Stakeholders

R Responsible — does the work

A Accountable — approves / owns outcome

C Consulted — provides input

I Informed — kept updated

AS Module	S-01 CTO	S-02 CCO	S-03 CFO	S-04 VP Sales	S-05 VP Clinical	S-06 VP Field	S-07 Gen. Counsel	S-08 Ent. Arch.	S-09 CISO
CCAI Sales Agent	I	C	I	A	C	I	I	R	C
ContractGuard	I	A	C	C	I	I	A	R	C
RevRec AI	I	A	A	I	I	I	C	R	C
Asset IQ	C	C	A	I	C	A	I	R	C

As-Is & To-Be Architecture

The current state — mapped precisely.

The TOGAF ADM Phase B input. Understanding where process latency and architectural debt accumulate in the current state is the prerequisite for designing the To-Be architecture. The As-Is diagrams below establish the baseline. The To-Be value stream shows how the AS closes the gap.

Diagram 01 — As-Is Quote-to-Cash Value Stream

Nine organisational handoffs · Average cycle time: 47 days · Zero end-to-end owner

Salesforce-managed

Manual handoff (delay point)

SAP-managed

No audit trail

Diagram 01B — To-Be Quote-to-Cash Value Stream · AS Agent-Mediated

AS agent orchestration collapses steps 2–5 · Defined SLA per transition · HITL checkpoint at Legal · Target: ≤ 9 days

Salesforce-managed

AS agent-orchestrated

SAP-managed

HITL checkpoint

Diagram 02 — As-Is System Landscape

Six disconnected domains · Three EU AI Act-exposed models · No cross-system orchestration layer

Salesforce ecosystem

SAP ecosystem

EU AI Act exposure

Disconnected / no integration

Requirements Catalogue

What ClaraVis requires — documented and prioritised.

Every requirement below is traceable to a stakeholder concern, a regulatory obligation, or a business pain point identified in the preceding sections. The Raised By column links each requirement to the stakeholder register above. Prioritised using MoSCoW — Must Have requirements are architectural constraints on the AS design.

Business Requirements

Commercial outcomes ClaraVis requires the AS to achieve. Owned by VP Sales, CFO, and VP Field Service.

Architecture Requirements

Structural properties the AS must have — explainability, HITL, compliance, integration. Non-negotiable by design.

Constraints

Fixed boundaries — budget, existing systems, regulatory, and integration. The design works within these, not around them.

Business Requirements

Architecture Requirements

Constraints

ID	Requirement	Description	MoSCoW	AS Module	Raised By
BR-01	Quote-to-Cash cycle acceleration	The end-to-end Q2C cycle — from Opportunity creation to revenue posting in SAP — must be orchestrated with defined SLAs per transition and an immutable audit record at every handoff. The current 47-day average is the primary commercial pain point for VP Sales.	Must	CCAI Sales Agent · ContractGuard · RevRec AI	S-04 · S-03
BR-02	EU AI Act compliance for 3 production models	All three existing ML models — revenue recognition, asset failure, contract risk — must be brought into EU AI Act Annex III compliance. This requires SHAP explanations per inference, documented HITL checkpoints, and a versioned risk management system before the next compliance review.	Must	RevRec AI · Asset IQ · ContractGuard · XAI Layer	S-02 · S-01
BR-03	Unified asset telemetry and predictive maintenance	The six regional asset telemetry systems must feed a single streaming pipeline enabling fleet-level RUL prediction and unit-level anomaly detection. The warranty reserve over-provision is a direct consequence of the inability to model failure probability at scale.	Must	Asset IQ · Pub/Sub Pipeline	S-06 · S-03
BR-04	ASC 606 revenue recognition automation	Lease vs sale classification and performance obligation identification must be handled by an ML model trained on ClaraVis's contract portfolio, with every classification producing a SHAP explanation and routing through a Finance Controller HITL checkpoint before posting to SAP.	Must	RevRec AI · SAP Integration	S-03 · S-02
BR-05	Contract clause intelligence and risk scoring	Every inbound contract must be analysed at clause level — liability caps, indemnification, governing law, IP ownership — with non-standard terms flagged to Legal with a risk score, precedent references, and a draft counter-position before any countersigning event.	Must	ContractGuard	S-07 · S-04
BR-06	Data sovereignty — no data leaves EU boundary	All PII, PHI, device configuration data, and commercially sensitive contract data must remain within the EU GCP region boundary. This is a hard constraint from the CISO and a GDPR requirement. Enforcement must be architectural — VPC-SC — not policy-based.	Must	Layer 04 Infrastructure · VPC-SC	S-09 · S-02
BR-07	CCAI Sales Agent for inbound MRI inquiries	An intelligent sales agent must handle the first stages of an inbound MRI inquiry autonomously — qualification, clinical configuration fit, pricing estimate — and escalate to a Senior AE with a full briefing document when commercial terms are required. Autonomy boundary specified in HITL spec.	Should	CCAI Sales Agent · Salesforce Integration	S-04 · S-05

ID	Requirement	Description	MoSCoW	Regulatory Basis	Raised By
AR-01	SHAP explanation per ML inference	Every ML model inference that informs a business decision must produce a SHAP explanation identifying the top contributing features, their directional effect, and the model confidence score. The explanation must be written to the audit log before any downstream action executes.	Must	EU AI Act Art. 13 & 14	S-02 · S-08
AR-02	HITL checkpoint as formal state machine node	Every high-risk decision must route through a named human approver via a formal HITL state — with defined entry condition, presentation contract, decision interface (approve/reject/escalate), timeout behaviour, and immutable audit record. HITL is a first-class architectural component, not a process note.	Must	EU AI Act Art. 14	S-02 · S-03 · S-07
AR-03	Immutable audit trail for all agent actions	Every agent action — tool call, state transition, HITL event, model inference — must be written to an immutable audit store (Firestore) before the action is considered complete. The audit record must be queryable but not modifiable. Deletion requires a separate access-controlled process with its own audit trail.	Must	EU AI Act Art. 12 · ISO 13485	S-02 · S-09
AR-04	Salesforce as system of record — AS augments	The AS reads from and writes back to Salesforce via Developer Edition REST API. Salesforce remains the source of truth for commercial data. The AS does not maintain a parallel CRM. Any data written to Salesforce by the AS is tagged with the agent action ID that produced it (ADR-001, ADR-002).	Must	ADR-001 · ADR-002	S-01 · S-08
AR-05	Model Cards for every ML model	Every model in production must have a Model Card documenting intended use, training data summary, evaluation metrics, known limitations, bias analysis, and the HITL checkpoint specification. Model Cards are versioned alongside the model in Vertex AI Model Registry and reviewed as part of the promotion gate.	Must	EU AI Act Art. 11 · Google Model Cards	S-02 · S-08
AR-06	VPC-SC perimeter for data sovereignty	All data processing must occur within a VPC-SC perimeter configured to prevent data exfiltration outside the EU GCP region. The perimeter is enforced at the infrastructure layer via Terraform — it is not a network policy that can be overridden by application configuration.	Must	GDPR · EU DPDP · BR-06	S-09 · S-02
AR-07	CMEK encryption — ClaraVis key custody	All data at rest and in transit must be encrypted using Customer-Managed Encryption Keys via Cloud KMS. ClaraVis retains key custody — Google cannot access encrypted data without ClaraVis key authorisation. Key rotation policy: 90 days.	Must	ISO 27001 · GDPR	S-09 · S-03
AR-08	ASC 606 rules as write-path constraints	Revenue recognition classification rules must be encoded as write-path constraints in the data model — applied at transaction time, before any posting. Recognition logic is not a reporting layer applied after the fact. Every transaction is tagged with the performance obligation it satisfies at the time of writing.	Must	ASC 606 · IFRS 15 · BR-04	S-03 · S-02
AR-09	Device History Record atomic write	Every MRI device shipment event must write simultaneously to the Salesforce Order, the SAP logistics record, and the ISO 13485 Device History Record — in a single atomic transaction. Partial writes are not acceptable. The DHR must be created before the shipment is considered confirmed.	Must	FDA 21 CFR 820 · ISO 13485	S-01 · S-08
AR-10	ADR documentation for every significant decision	Every significant architectural decision must be documented as an Architecture Decision Record with status, context, decision, alternatives considered, and consequences. ADRs are version-controlled in the repository and linked from the relevant module page.	Must	TOGAF ADM · Portfolio Standard	S-08 · S-01
AR-11	Pub/Sub event fabric as the integration bus	All cross-system events — asset telemetry, Salesforce opportunity updates, SAP posting confirmations — must be published to a Pub/Sub topic before downstream systems consume them. This decouples producers from consumers, enables replay for audit purposes, and provides the foundation for the streaming ML feature pipeline.	Should	Architecture Principle · BR-03	S-08 · S-01
AR-12	Drift detection and automated retraining trigger	Every model in production must have a Vertex AI monitoring job configured to detect data drift and concept drift against a baseline. Drift beyond a defined threshold must trigger an alert, generate a retraining recommendation, and route to the ML Engineer HITL checkpoint before any automated retraining executes.	Should	EU AI Act Art. 9 · MLOps Standard	S-08 · S-02

ID	Constraint	Description & Impact on Design	MoSCoW	Source	Raised By
C-01	Zero additional software licensing cost	The AS portfolio is a demonstration system built on free-tier and open-source components. No paid API subscriptions, no commercial data connectors, no licensed dataset providers. Salesforce Developer Edition (free, permanent) is the only external dependency. All GCP services will operate within the free tier or GCP credits until the build phase begins.	Must	Portfolio Constraint	Portfolio
C-02	Salesforce Developer Edition as integration pattern	Salesforce integration uses Developer Edition REST API only — no Enterprise or Unlimited Edition features, no paid connectors, no ISV AppExchange dependencies. The integration pattern must be demonstrable on a free Developer Edition org with sample data. Schema is Salesforce standard objects only (ADR-001).	Must	ADR-001 · C-01	S-08 · C-01
C-03	SAP integration via middleware abstraction	Direct SAP API integration is not implemented in the portfolio demo (SAP license cost). The AS design shows the integration architecture — BAPI/RFC via middleware, or BTP event mesh — and the demo uses a BigQuery table seeded with SAP-schema data to represent the ERP layer. The architecture is correct; the live integration is deferred to the client engagement phase.	Must	C-01 · ADR-002	S-08 · C-01
C-04	EU data residency — GCP europe-west3 (Frankfurt)	All GCP resources must be provisioned in europe-west3 (Frankfurt) or europe-west4 (Netherlands) only. No multi-region configurations that include non-EU endpoints. This is enforced via Terraform variable and Organisation Policy constraint — not configurable at the application layer.	Must	GDPR · BR-06 · AR-06	S-09 · S-02
C-05	MVP-plus build standard	Each module is built to demonstrate one complete end-to-end flow — sufficient to impress a hiring manager or enterprise architect in a live demo. Production hardening (multi-region failover, 99.99% SLA engineering, load testing) is out of scope for the portfolio phase. Architecture is designed for production; the implementation is scoped for demonstration.	Must	Portfolio Scope	Portfolio
C-06	Existing Salesforce and SAP investments preserved	The AS does not replace Salesforce or SAP. Both systems remain in place and the AS augments them. Any design decision that requires replacing either system is out of scope. The AS is the orchestration and intelligence layer — the systems of record stay (ADR-002).	Must	ADR-002 · BR-06	S-01 · S-03
C-07	SAFe delivery governance — light touch	The AS modules map to Agile Release Trains consistent with SAFe 6.0 principles. Full Program Board and PI Planning artifacts are documented at the architectural level (Page 04) but are not operationally executed for the portfolio build. The SAFe mapping demonstrates delivery governance understanding; it is not a live programme management process.	Could	SAFe Page 04	S-08 · S-01

AI Readiness Assessment

Where ClaraVis stands today — five dimensions.

The AI Readiness Assessment is the input to the TOGAF Architecture Vision. It defines the starting position across five dimensions and frames the gap the AS is designed to close. Scored 1–5. Findings are actionable, not evaluative.

Data Maturity

4/ 5

Salesforce and SAP maintain high-quality structured data. The gap is the six regional asset systems — no common schema, no unified API. BigQuery is not yet deployed. Data fabric is partially in place.

Action: Unified Pub/Sub ingestion pipeline + BigQuery data fabric as AS Day 1 infrastructure.

ML Infrastructure

2/ 5

Three models in production, all built without MLOps tooling. No Vertex AI Pipelines. No Model Registry. No drift detection. No automated retraining. Models are static artefacts, not managed assets.

Action: Vertex AI Pipelines + Model Registry + monitoring jobs — mandatory before next model promotion.

HITL Capability

1/ 5

No formal HITL architecture exists. Human review happens informally via email and Slack. No structured approval interface, no timeout behaviour, no audit record of the human decision. EU AI Act Art. 14 is currently unsatisfied.

Action: HITL state machine design is Phase 1 of AS build. Blocks all other module development.

Regulatory Posture

2/ 5

ISO 13485 and FDA 21 CFR 820 compliance is established for device manufacturing. AI-specific obligations under EU AI Act Annex III are not yet addressed. Q3 2025 audit flagged all three production ML models as non-compliant.

Action: XAI layer + HITL spec + Model Cards + risk management documentation — all required for compliance.

Org Change Readiness

3/ 5

CTO and VP Sales are active sponsors. Finance and Legal are cautious but engaged following the compliance audit. Field Service is enthusiastic about predictive maintenance. The compliance team requires visible HITL before endorsing any AI deployment.

Action: HITL visibility is the organisational unlock. Demonstrate it first, expand second.

Scoring methodology: Dimensions and scoring rubric aligned to the Google Cloud AI Adoption Framework (five capability dimensions: Data & Infrastructure, ML Capability, MLOps Maturity, Governance & Compliance, and Organisational Readiness) and the Gartner AI Readiness Assessment model. Scale 1–5, where 1 = no capability and 5 = fully mature. Scores derived from structured discovery interviews conducted against each dimension's capability indicators with ClaraVis stakeholders S-01 through S-09.

Sources: Google Cloud AI Adoption Framework (cloud.google.com/adoption-framework) · Gartner AI Readiness Model (2024) · ClaraVis Q3 2025 internal compliance audit findings

Use Case Catalogue

Four flagship use cases — one per module.

Each use case is a specific, demonstrable capability the AS delivers for ClaraVis. Every card includes the EU AI Act risk classification and the specific architectural constraint the AS satisfies to meet it.

UC-01

CCAI Sales Agent

Autonomous MRI inquiry qualification and CPQ initiation

Inbound hospital inquiries require 3–5 days to reach a qualified Account Executive. The agent qualifies, configures, and prices autonomously through the first 11 conversation turns before escalating.

VP Sales · S-04

EU AI Act — Limited Risk

Architectural constraint satisfiedHITL-01 escalation state — agent pauses at commercial terms. Turn 11 transition logged to Firestore before AE notification sent. EU AI Act Art. 52 transparency disclosure at session start.

UC-02

ContractGuard

Clause-level risk scoring with Legal HITL escalation

Non-standard liability caps pass through the sales process without Legal review. ContractGuard reads the full contract, scores every clause, and routes non-standard terms to Legal with precedents and a draft counter-position.

General Counsel · S-07

EU AI Act — High Risk

Architectural constraint satisfiedHITL-02: all clauses above risk threshold route to Legal HITL. SHAP explanation written to audit log before counter-proposal drafted. 24hr SLA enforced by state machine. EU AI Act Annex III · Art. 14.

UC-03

RevRec AI

ASC 606 lease/sale classification with Finance Controller approval

Revenue recognition classification is manual, takes 4 days per transaction, and is flagged as non-compliant. RevRec AI classifies each transaction, generates a SHAP explanation, and routes to Finance Controller before posting.

CFO · S-03

EU AI Act — High Risk

Architectural constraint satisfiedHITL-04: no GL write without approved HITL record in Firestore. SHAP top-5 features computed at inference time via TreeExplainer. ASC 606 performance obligation tag written at transaction time. EU AI Act Annex III · Art. 13–14.

UC-04

Asset IQ

Fleet-level RUL prediction and maintenance scheduling

12,000 units across 6 disconnected regional systems. No unified failure probability model. Asset IQ unifies telemetry, predicts Remaining Useful Life at fleet level, and triggers predictive maintenance work orders before failure.

VP Field Service · S-06

EU AI Act — High Risk

Architectural constraint satisfiedHITL-06: work orders below confidence threshold route to FSM HITL — no autonomous work order creation below threshold. SHAP sensor attribution per alert. Unified Pub/Sub schema validated before BigQuery write. EU AI Act Annex III · Art. 14.

Full Use Case Catalogue

The full catalogue — covering every use case the AS addresses for ClaraVis across all 4 modules, with complete stakeholder mapping, regulatory classification, and MoSCoW priority — is maintained as a living backlog in the repository.

Success Criteria

How ClaraVis will know the AS is working.

Observable architectural outcomes — not percentage projections. Each criterion is measurable at the system level and traceable to a specific requirement. These are the acceptance criteria the AS must satisfy before any module is considered production-ready.

EU AI Act Compliance

Every high-risk inference is explainable and human-supervised

Every ML inference above a defined risk threshold produces a SHAP explanation written to the audit log before the downstream action executes

Every high-risk decision routes through a named human approver via a formal HITL state — no exceptions, no bypasses

Every model in production has a versioned Model Card in Vertex AI Model Registry, reviewed and approved before promotion

A compliance audit query returns a complete, unbroken decision trail for any inference made in the last 24 months — from the BigQuery audit log, not a reconstructed report

Quote-to-Cash Orchestration

Every Q2C handoff has a defined SLA and an immutable record

Every state transition in the Q2C flow has a defined SLA — the agent tracks elapsed time and escalates automatically on breach

Every handoff produces an immutable audit record in Firestore before the next state is entered

The CCAI Sales Agent handles the qualification and configuration stages autonomously — the escalation to a human AE is a designed state transition, observable in the state machine log

Salesforce Opportunity stage and SAP order status are synchronised via the AS event bus — no manual re-keying between systems

Asset Intelligence

Fleet telemetry is unified and RUL prediction is active

All six regional asset telemetry systems feed a single Pub/Sub topic with a validated common schema — no regional system writes to its own isolated store after Day 1 of the AS data fabric

The RUL model produces a prediction confidence score for every active unit — predictions below a defined confidence threshold trigger a human review alert, not an automated action

Every predictive maintenance work order created by the AS has a SHAP explanation identifying the sensor features that drove the prediction

Revenue Recognition

ASC 606 classification is automated, explained, and approved

Every transaction is classified by the RevRec AI model — lease, sale, or multi-element arrangement — with SHAP feature attribution generated at inference time

Every classification routes through the Finance Controller HITL checkpoint before posting to SAP — no journal entry posts without an approved HITL record

ASC 606 performance obligation tags are written at transaction time — not applied retrospectively at month-end

Data Sovereignty

No data leaves the EU boundary — enforced at the infrastructure layer

VPC-SC perimeter is provisioned via Terraform — the data residency constraint is in infrastructure code, not network policy

CMEK keys are provisioned and owned by the ClaraVis Cloud KMS project — Google has no access to encrypted data

All GCP resources are deployed to europe-west3 or europe-west4 — enforced by Organisation Policy constraint applied at the Terraform root

Architecture Decision Records

Every significant design choice is documented and traceable

Every module page links to the ADRs that govern its design decisions — no component exists without a traceable decision record

Every ADR states the alternatives considered and the reasoning for the choice made — not just the decision

The ADR index is maintained as a living document — updated when decisions change, with the change reason recorded

ADR-001 · Salesforce Integration Pattern

Salesforce Developer Edition — REST API

Selected over BigQuery Data Transfer, CSV export, and Google Sheets mock patterns. Salesforce Q2C domain depth is the portfolio's primary differentiator — a live API integration makes that depth observable and demonstrable, not merely claimed. Alternatives considered: Salesforce SOAP API (deprecated for new integrations), Heroku Connect (paid tier), MuleSoft (out of budget, C-01).

Status: Accepted

ADR-002 · GCP alongside Salesforce

Augmentation, not replacement

The AS addresses five domains outside Salesforce Einstein's boundary: physical asset intelligence, EU AI Act Annex III explainability, cross-system revenue recognition, full-document contract intelligence, and cross-system orchestration. Salesforce remains the system of record. Alternatives considered: full Salesforce Einstein expansion (structurally unable to satisfy EU AI Act Annex III — see Domain 02), SAP BTP as orchestration layer (no ML explainability capability at required depth).

Status: Accepted