返回 Papers
AI 扩展计划 / Playbooks

AI Reference Implementation / Pattern Library / Reuse Assurance Playbook

版本: v1.0

675AI_REFERENCE_IMPLEMENTATION_PATTERN_LIBRARY_REUSE_ASSURANCE_PLAYBOOK.md

AI Reference Implementation / Pattern Library / Reuse Assurance Playbook

版本: v1.0 日期: 2026-06-30 适用对象: Senior AI PM, AI Architect, Platform PM, Enterprise Architect, CBAP-level BA, Security, Privacy, Model Risk, Compliance, Internal Audit, Financial Retail Product and Operations Leaders

1. Purpose / Audience / Core Principle

Purpose

本 playbook 给团队一套执行方法, 用于把重复 AI solution patterns 转化为 reference implementations 和 reusable pattern library, 并把质量、安全、eval、证据、控制、偏差、生命周期和复用价值一起管理。

适用场景:

  • 多个团队重复做 RAG、policy copilot、evidence extraction、narrative draft、tool gateway 或 human review。
  • 平台团队希望提供可消费的 AI implementation skeleton, 但不希望只交付一堆 starter repos。
  • 风险、合规、安全和审计希望控制证据可复用, 但又不想让本地用例逃避责任。
  • Senior PM / BA 希望把业务流程模式、控制点和证据包沉淀成作品集级架构资产。

Core Principle

Reuse the pattern only when you can also reuse or regenerate the assurance evidence that makes the pattern safe, useful and governable in the new context.

中文表达:

AI 模式复用不是复制代码, 而是复用经过验证的架构意图、控制证据、eval baseline、threat model、observability 和生命周期纪律。

2. Source Anchors

SourceOfficial linkPlaybook 用法
NIST AI RMFhttps://www.nist.gov/itl/ai-risk-management-framework用 Govern / Map / Measure / Manage 组织 pattern risk、measurement、monitoring and management
ISO/IEC 42001https://www.iso.org/standard/81230.html用 AI management system 的 documented information、operation、performance evaluation、management review 和 improvement
ISO/IEC/IEEE 42010https://www.iso.org/standard/74393.html用 stakeholder concerns、viewpoints、architecture rationale 和 architecture description 管理 pattern architecture
CNCF Platforms White Paperhttps://tag-app-delivery.cncf.io/whitepapers/platforms/用 platform-as-product、自助消费和 paved path 思想定义平台接口
DORAhttps://dora.dev/用 lead time、change failure、restore 和 delivery flow 衡量 reference implementation 成效
OpenTelemetryhttps://opentelemetry.io/docs/用 traces、metrics、logs 设计 AI pattern observability and evidence trace

使用纪律:

  • 本 playbook 不替代企业 AI governance、model risk、security、privacy、legal、compliance 或 audit 流程。
  • 不把 pattern library 做成全量 service catalog。这里只关注 reference implementations、pattern assurance 和 reusable evidence。
  • 不把 golden paths 当作免审通道。Golden path 可以降低摩擦, 但 reference implementation 必须保留适用边界和偏差治理。

3. Executive Summary

当企业 AI 项目从 3 个变成 30 个时, 最先失控的不是模型, 而是重复实现和重复治理:

same RAG problem
same prompt boundary
same tool permission issue
same eval questions
same threat model
same evidence request
same release gate debate

本 playbook 的执行路径:

1. Identify repeated AI solution pattern
2. Write pattern card and applicability boundary
3. Build reference implementation anatomy
4. Package eval baseline, threat model and control evidence
5. Define reuse qualification and evidence inheritance rules
6. Manage variants and approved deviations
7. Instrument adoption telemetry and reuse ROI
8. Version, support, deprecate and migrate pattern assets

12 个核心资产:

AssetOutput
Pattern cardproblem, context, solution, applicability, non-applicability
Reference implementationrunnable skeleton with prompt/RAG/tool/eval/telemetry hooks
Architecture descriptionstakeholder concerns, views, decisions and rationale
Reuse qualification checklistdetermines whether a use case can inherit the pattern
Evidence packinherited evidence, local evidence and release decision support
Control mappingcontrols linked to implementation checks and evidence
Eval baselinegolden, high-risk, regression, no-answer and red-team suites
Threat modelreusable risks plus local extension points
Variant modelallowed configuration and approved structural variants
Deviation processrisk-owned exception with expiry and compensating controls
Adoption telemetryqualified reuse, evidence inheritance, lead time, defect and support metrics
Lifecycle planowner, version, support state, deprecation and migration

4. Operating Model

4.1 Roles

RoleAccountabilities
Pattern Ownerowns pattern card, applicability, maturity, roadmap and deprecation
Reference Implementation Ownerowns runnable skeleton, package, tests and integration guide
Design Authorityapproves pattern admission, mandatory controls, variants and deviations
Platform PMmanages developer experience, consumption flow, support and ROI
AI Architectowns architecture description, decisions, quality attributes and control hooks
BA / Process Ownerowns workflow fit, business rules, artifacts, exception paths and local qualification
EvalOps Ownerowns eval baseline, thresholds, regression memory and reviewer calibration
Security / Privacyowns threat model, data boundary, access, logging and abuse tests
Risk / Compliance / Model Riskchallenges control evidence, residual risk and release conditions
Internal Auditreviews evidence lineage, deviation expiry and operating effectiveness
Use Case Teamconsumes the pattern and remains accountable for local evidence

4.2 RACI

ActivityPattern OwnerPlatform PMAI ArchitectBASecurity/PrivacyRisk/Model RiskUse Case Team
Identify candidate patternA/RRRRCCC
Approve pattern admissionCCA/RCCCI
Build reference implementationCA/RRCCCR
Define eval baselineCCCCCA/RR
Define threat modelCCRCA/RCC
Run reuse qualificationCCRA/RCCR
Approve deviationCCRCCA/RR
Monitor reuse ROIRA/RCCCCC
Deprecate patternA/RRRCCCI

5. Execution Roadmap

Phase 1: Pattern Discovery

StepActionEvidence
1Collect repeated AI use cases across portfoliouse case inventory
2Cluster by problem shape, not org chartpattern candidate list
3Identify repeated controls and failure modesdefect and review log
4Estimate reuse potential and riskpattern investment brief
5Select first patterns for reference implementationdesign authority decision

Selection criteria:

CriterionStrong candidate
Repetitionat least three current or near-term use cases
Riskmeaningful customer, regulatory, privacy or operational risk
Assurance effortrepeated eval, threat model, evidence or release review burden
Platform leveragecommon connectors, telemetry, gateway or evaluation assets
Business valuefaster delivery or better quality materially improves portfolio

Phase 2: Pattern Card

Create a pattern card before building code.

FieldRequired content
Pattern nameshort stable name, such as customer-facing-rag
Business problemrepeated problem in business language
Contextusers, workflow, data, risk tier and operating constraints
Forcesspeed, accuracy, control, explainability, cost, adoption and audit tension
Solution structurecomponents and responsibilities
Applicabilitywhere the pattern fits
Non-applicabilitywhere use is prohibited or requires separate design
Mandatory controlseval, security, privacy, human review, telemetry and evidence
Variantsapproved configurable differences
Maturity levelobserved, documented, template, reference, assured, managed
Ownerpattern and implementation owners

Phase 3: Reference Implementation Build

Minimum package:

Package areaContents
Runtime skeletonservice/app skeleton, config schema, sample workflow integration
Prompt packsystem boundary, task prompt, refusal, escalation and source requirement
RAG packsource registry, ACL filter, chunking and citation contract
Tool gatewaytool registry, auth context, side-effect declaration, approval and audit
Eval harnesstest runner, sample suites, rubric, thresholds, report format
ObservabilityOpenTelemetry trace fields, metrics, logs, dashboard spec
Evidence binderstandard folder/index structure for release and control evidence
Integration guidehow to adopt, configure, test and produce local evidence

Phase 4: Assurance Package

Assurance assetMinimum standard
Eval baselinegolden, high-risk, regression, no-answer and adversarial samples
Threat modelprompt injection, data exfiltration, unauthorized retrieval, tool abuse
Control mappingeach mandatory control maps to implementation check and evidence
Privacy classificationprompt, retrieval, logs, traces and evidence retention classes
Security testsACL, injection, secret/log scan, tool permission and abuse checks
Human review modelreviewer role, queue, sampling, override reason and escalation
Release gatepass/fail evidence, exception path and rollback condition

Phase 5: Pilot Adoption

StepAction
1Select one low-to-medium complexity use case inside pattern scope
2Run reuse qualification with BA, architect, risk and platform
3Configure skeleton and add local data/source/workflow bindings
4Add local eval samples and local threat model extensions
5Produce inherited plus local evidence pack
6Release under controlled pilot
7Measure lead time, defects, deviations, adoption and support burden

Phase 6: Scale and Lifecycle

ActionOutput
Promote pattern maturity after successful reusematurity update
Add incidents and defects to regression suiteshared learning
Publish version notes and migration guideconsumer update
Review deviations quarterlyexpiry and closure
Deprecate weak patternsno-new-use decision
Retire unsupported assetsmigration complete evidence

6. Pattern Taxonomy

Use this taxonomy as a starting map, not a fixed enterprise standard.

Pattern familyTypical use casesMandatory assurance focus
Customer-facing RAGservice chatbot, fee policy Q&A, dispute status explanationsource authority, citation, handoff, complaint and vulnerable customer escalation
Internal policy copilotbranch policy search, contact-center SOP assistantrole-based retrieval, policy version, answer boundary
Evidence extractionKYC document extraction, dispute packet extraction, complaint fact extractionsource span, schema validation, confidence band, human validation
Investigation workbenchAML, fraud, dispute, complaint, collectionsevidence graph, analyst accountability, high-risk escalation
Narrative draftingregulatory narrative, case note, customer letter draftgrounded draft, maker-checker, approval, source trace
Tool gatewayaccount lookup, case update, workflow task creationleast privilege, approval, idempotency, audit, rollback
Human review workflowQA sampling, exception review, escalation queuereviewer capacity, override taxonomy, defect feedback
Eval and regressionshared RAG eval, extraction eval, agent action evalgolden set, high-risk slice, regression memory, threshold
Observability and evidencerelease trace, cost, latency, quality, adoptiontrace schema, metric contract, evidence lineage

7. Reference Implementation Anatomy Checklist

AreaCompletion standard
Pattern identitypattern id, owner, maturity, support level and approved scope
Architecture viewscontext, component, data flow, control, deployment and runtime views
Runnable skeletoncan run in a controlled environment with sample data
Configuration modeltyped config for model route, source profile, tools, thresholds and telemetry
Prompt/RAG/tool skeletonincludes boundaries, ACL, citations, approvals and audit events
Eval baselineincluded in package and runnable by adopting team
Threat modelcommon threats plus local extension guide
Control mappingmandatory controls mapped to evidence objects
Telemetryrequired traces, metrics, logs and privacy classes
Evidence binderclear folder/index with inherited and local evidence
Deviation processhow to request, approve, expire and monitor deviations
Lifecycle metadataversion, compatibility, deprecation and migration rules

8. Reuse Qualification Checklist

Run this before a use case adopts a reference implementation.

QuestionGreenAmberRed
Workflow fitSame workflow shape and decision boundarySimilar workflow with local exceptionsDifferent decision rights or final decision automation
User populationSame role type and training assumptionsNew role with similar controlsExternal customer or untrained role not covered
Risk tierInside approved pattern tierSlightly higher risk with added controlsMaterially higher risk than pattern scope
Data classSame or lower sensitivityNew sensitive fields with privacy reviewRestricted data not allowed by skeleton
Source authorityApproved owner, freshness and ACL existSource cleanup requiredNo source owner or freshness path
Tool actionRead-only or draft-only as baselineNew low-risk write action with controlsIrreversible customer-impacting action
Eval coverageBaseline covers major casesLocal samples requiredBaseline misses core risk cases
Human oversightReview queue and override reasons readyCapacity constrained but manageableNo credible oversight path
TelemetryRequired events can be emittedPartial telemetry with remediation dateKey evidence fields impossible
Support modelTeam can operate pattern versionExtra support requiredUnsupported fork planned

Decision rule:

  • Green majority with no red: proceed with standard adoption.
  • Any amber: document local controls and evidence.
  • Any red: stop adoption or request formal deviation with design authority and risk owner.

9. Evidence Pack

9.1 Evidence Binder Structure

SectionContents
01-pattern-cardpattern definition, applicability, non-applicability, owner
02-architectureviews, ADRs, component responsibilities, data and control flow
03-reference-implementationpackage version, configuration, test results, integration guide
04-reuse-qualificationfit checklist, decision, local assumptions
05-evalinherited suites, local samples, run results, reviewer notes
06-threat-modelcommon threats, local extensions, mitigations
07-security-privacyACL tests, DLP/logging review, data class and retention
08-control-mappingcontrol claims, evidence objects, owners
09-telemetrytrace schema, metrics, dashboard and event completeness
10-deviationsdeviation records, compensating controls, expiry
11-releasegate decision, approvals, rollback and monitoring plan
12-lifecycleversion, support state, migration and deprecation notes

9.2 Inherited vs Local Evidence Matrix

Evidence objectInheritLocalize
Pattern rationaleYesAdd business outcome and workflow
Architecture skeletonYesAdd actual systems and data stores
Prompt boundaryPartialAdd use-case terminology and forbidden advice
RAG source controlsPartialAdd actual source owners and freshness
Tool gateway controlsPartialAdd local tool permissions and action risk
Eval rubricYesAdd local samples and thresholds if risk differs
Threat modelYesAdd channel, data and abuse cases
Privacy classPartialConfirm real data class and retention
Release gateYesAdd local approvals and residual risk
ObservabilityYesAdd outcome metrics and dashboard thresholds

10. Control Mapping Worksheet

Control questionImplementation hookEvidence
Who owns the pattern and approves changes?pattern registry and owner fieldregistry record
Where is the pattern applicable?pattern card and reuse qualificationapproved checklist
How are architecture concerns documented?architecture views and ADRsarchitecture description
How is output quality measured?eval harness and reviewer rubriceval report
How is unsafe or unsupported output controlled?refusal rules, escalation, critical failure gatesafety eval and gate memo
How is prompt injection tested?adversarial eval suitered-team report
How is unauthorized retrieval prevented?ACL filter and entitlement testsaccess test result
How are tool actions controlled?tool contract, approval, idempotency, audittool gateway test
How is sensitive logging minimized?telemetry privacy class and DLP scanlog sample review
How is human oversight proven?review queue, override reason, QA samplereview metrics
How is runtime drift monitored?OTel metrics and dashboardruntime report
How are deviations managed?deviation workflow with expirydeviation record
How is continual improvement shown?regression updates and version notesrelease notes and backlog

11. Variant and Deviation Management

11.1 Variant Types

VariantAllowed without deviation when
Source variantsource registry follows same owner, freshness, ACL and citation contract
Workflow label variantworkflow stages map to required telemetry fields
Model route variantroute is approved for same data class and eval parity passes
Language varianteval and reviewer coverage exists for that language
Risk-tier variantstays within approved pattern scope

11.2 Deviation Triggers

Formal deviation is required when:

  • Internal-only pattern becomes customer-facing.
  • Read-only tool becomes write or execute action.
  • New data class enters prompt, retrieval or logs.
  • Required eval suite is skipped or threshold is relaxed.
  • Required trace fields cannot be emitted.
  • Human review is reduced below baseline.
  • Source freshness or ownership cannot be proven.

11.3 Deviation Record

FieldContent
Deviation IDstable id tied to pattern and use case
Pattern versionadopted reference implementation version
Requirement changedbaseline rule being changed
Business reasonconcrete reason standard path does not fit
Risk impactcustomer, regulatory, privacy, security and operational impact
Compensating controlreplacement or risk-reduction measure
Evidenceeval, test, review, monitoring and approval evidence
Ownerresidual risk owner and implementation owner
Expirydate or trigger for renewal or closure
Decisionapproved, rejected, or approved with restrictions

12. Lifecycle and Versioning

12.1 Version Policy

ChangeVersion impact
Documentation clarificationpatch
New sample or non-breaking eval additionpatch
New optional configurationminor
New supported variantminor
Changed prompt boundary or telemetry schemaminor or major, based on compatibility
Changed control requirementmajor
Tool action risk changemajor
Deprecated source or unsupported model routemajor with migration

12.2 Lifecycle States

StateEntry criteriaConsumer action
Candidatepattern identified and owner assigneddiscovery only
Betaskeleton runs and initial evidence existscontrolled pilot
Approveddesign authority approves evidence and scopestandard adoption
Restrictedissue or limitation narrows useadopt only with approval
Deprecatedreplacement exists or risk changedno new adoption, migrate
Retiredsupport ended and consumers migratedremove from production path

12.3 Quarterly Review Agenda

Agenda itemDecision
Reuse telemetrycontinue investing, redesign or deprecate
Defects and incidentsadd regression, patch skeleton or restrict scope
Deviationsclose, renew with stronger control, or reject
Eval driftupdate sample sets, thresholds and reviewer rubric
Security/privacy changesupdate threat model and logging controls
Platform supportimprove docs, packaging, APIs or dashboard
Consumer migrationset migration dates and support plan

13. Adoption Telemetry and Reuse ROI

13.1 Telemetry Contract

MetricDefinition
pattern_adoption_starteduse case began qualification for a pattern
pattern_adoption_approvedreuse qualification approved
implementation_configuredskeleton configured for local workflow
inherited_evidence_linkedinherited evidence attached to local evidence pack
local_eval_completedlocal eval run completed
deviation_openeddeviation requested
deviation_closeddeviation closed or expired
production_release_completedpattern-based release entered controlled production
pattern_defect_reporteddefect linked to pattern version
regression_addeddefect or incident converted into shared regression case

13.2 ROI Metrics

CategoryMetrics
Speedintake-to-pilot lead time, integration days, release evidence cycle time
Qualityeval pass rate, critical defect rate, post-release defect escape
Riskopen deviations, expired deviations, control evidence completeness
Reusequalified reuse count, evidence inheritance rate, variant count
Costsupport tickets, maintenance cost, avoided duplicate build effort
Delivery healthDORA-style lead time, change failure and restore signals for pattern consumers
Lifecycledeprecated consumer count, migration completion, unsupported fork count

13.3 Dashboard Sections

SectionWidgets
Pattern inventorymaturity, owner, version, support state
Adoption funneldiscovered, qualified, configured, pilot, production
Evidence healthmissing evidence, stale evidence, inherited/local split
Deviationsopen, expired, by pattern and risk tier
Qualityeval pass, regression failures, critical defects
Security/privacyinjection test status, ACL failure, logging issue
Runtimecost, latency, error rate, trace completeness
ROIlead time avoided, defect reduction, support burden

14. Platform / Team Interface

14.1 Consumption Flow

Use case intake
  -> pattern match
  -> reuse qualification
  -> skeleton configuration
  -> local evidence generation
  -> deviation review if needed
  -> controlled release
  -> telemetry and lifecycle tracking

14.2 Interface Contract

InterfacePlatform providesUse case team provides
Pattern registryapproved patterns, versions, owners, scopesselected pattern and business case
Implementation packagecode skeleton, config schema, test harnesslocal configuration and integration
Eval harnessreusable suites and runnerlocal samples and reviewer sign-off
Threat modelcommon risks and mitigationslocal data/channel/tool extensions
Evidence binderstructure and inherited evidencelocal evidence and approvals
Telemetryrequired schema and dashboard baseemitted events and outcome joins
Supportdocumentation, office hours, issue triageadoption feedback and defect reports
Lifecycleversion notes, migration guides, deprecationmigration execution and exception closure

15. Financial Retail Execution Examples

15.1 Customer-Facing RAG

Work itemExecution
Pattern fitAuthenticated customer service Q&A with approved sources
Reference assetssource registry, citation verifier, refusal and handoff prompt, trace schema
Eval baselinefees, dispute status, account servicing, ambiguous customer requests
Local evidencesource owners, channel policy, complaint escalation, QA sampling
Deviation triggeranswer becomes final adverse decision or regulated advice

15.2 Internal Policy Copilot

Work itemExecution
Pattern fitEmployee policy lookup inside branch or contact-center workflow
Reference assetsrole-based retrieval, SOP version trace, policy answer rubric
Eval baselinepolicy conflict, outdated source, escalation boundary
Local evidencebusiness unit policy sources and training assumptions
Deviation triggeroutput is inserted into customer communication without review

15.3 AML Investigation Workbench

Work itemExecution
Pattern fitAnalyst-owned investigation support and narrative preparation
Reference assetsevidence timeline, case summary, narrative draft, QA sampling
Eval baselinemissed evidence, unsupported escalation, high-risk alert
Local evidencealert types, reviewer capacity, SAR-related data boundary
Deviation triggerAI proposes final closure or suspicious activity conclusion

15.4 KYC Evidence Extraction

Work itemExecution
Pattern fitExtract structured evidence from onboarding documents
Reference assetsdocument classifier, extraction schema, source span, confidence band
Eval baselinebeneficial ownership, missing document, expiry, high-risk country
Local evidenceproduct entity types, manual validation workflow
Deviation triggerextraction drives straight-through approval without human validation

15.5 Dispute Evidence Assistant

Work itemExecution
Pattern fitBuild evidence timeline and draft dispute packet
Reference assetsevent timeline, rule retrieval, draft packet, maker-checker
Eval baselinereason code, provisional credit, recurring charge, merchant evidence
Local evidencenetwork rules, customer letter approval, operations QA
Deviation triggerautomatic chargeback submission or customer denial letter

15.6 Regulatory Reporting Narrative Draft

Work itemExecution
Pattern fitDraft narrative from approved metrics and lineage
Reference assetsmetric contract, source trace, maker-checker, attestation boundary
Eval baselinevariance explanation, restatement, late adjustment, unsupported cause
Local evidencereport owner, data lineage, reviewer sign-off
Deviation triggerexternal filing text generated without authorized review

16. Anti-Patterns

Anti-patternConsequenceReplacement
Code repository labeled as reference implementationTeams inherit implementation but not controlsPackage skeleton with eval, threat model, controls and evidence
Pattern card without runnable assetTeams still rebuild differentlyAdd minimal reference implementation and test harness
Assurance after adoptionControls are retrofitted and weakBuild assurance package before pilot adoption
Reuse without qualificationPattern applied outside its assumptionsRun fit checklist and red-stop on high-risk mismatch
Silent forksPlatform cannot support or audit consumersRequire versioned adoption record
Deviation by conversationRisk acceptance is untraceableDeviation record with owner, evidence and expiry
Eval copied without local samplesLocal failures hiddenInherit rubric, add local high-risk cases
Threat model copied blindlyNew channel or tool risk missedLocal threat model extension
Evidence pack as static archiveEvidence becomes staleLink evidence to versions, releases and quarterly review
Reuse value measured by asset countLibrary looks large but does not improve outcomesMeasure qualified reuse, lead time, defects and control health

17. Interview Answers

Q1: How would you turn repeated AI use cases into reusable reference implementations?

I would start by clustering repeated use cases by problem shape, such as customer-facing RAG, internal policy copilot, evidence extraction, investigation workbench or narrative drafting. For each high-value pattern I would create a pattern card, runnable reference implementation, eval baseline, threat model, control mapping, telemetry contract and evidence binder. Then I would define reuse qualification, variant rules, deviation process and lifecycle ownership. The goal is to reuse assurance, not just code.

Q2: What makes a reference implementation trustworthy in a regulated financial environment?

It needs explicit applicability boundaries, architecture rationale, quality and safety evals, threat model, privacy and security controls, human review design, observability, release evidence and lifecycle management. It also needs a clear rule for what evidence can be inherited and what must be regenerated locally. Without that, the reference implementation may speed delivery while hiding risk.

Q3: How do you avoid over-standardizing AI patterns?

I separate mandatory controls from configurable variants. The pattern should standardize the things that reduce repeated risk: telemetry, eval harness, source authority, tool gateway controls, evidence structure and deviation process. It should allow local workflow, source, language, case type and business outcome differences where they do not break assumptions. When assumptions change, use deviation or a new pattern.

Q4: How would you explain reusable control evidence to audit?

Reusable control evidence means the common implementation and control tests have already been documented, versioned and reviewed. A local use case can inherit those specific evidence objects, such as prompt injection test design or telemetry schema, but it still must prove local source authority, data class, workflow fit, eval samples, approvals and residual risk. The evidence binder shows inherited versus local evidence and the pattern version.

Q5: How do you measure whether a pattern library is working?

I would measure qualified reuse, lead time reduction, evidence inheritance rate, deviation rate, post-release defect escape, support burden, regression reuse, deprecation compliance and delivery health. A good library reduces repeated work and repeated risk. A bad library has many documents, few qualified adopters, many silent forks and stale evidence.

Q6: What is the risk of using a golden path as a substitute for architecture review?

A golden path helps teams move quickly through a recommended delivery route, but it does not automatically prove that a use case fits the risk, data, workflow and control assumptions. For low-risk cases, golden path plus standard evidence may be enough. For high-risk financial retail AI, architecture review still needs reuse qualification, local evidence and deviation review where assumptions change.

18. Portfolio Exercise

Assignment

Create a reference implementation and pattern assurance pack for two financial retail AI patterns:

OptionSuggested scope
Customer-facing RAGpolicy answer, citation, handoff and complaint escalation
Internal policy copilotemployee SOP search and workflow guidance
AML investigation workbenchevidence timeline, case summary and narrative draft
KYC evidence extractiondocument extraction and validation workflow
Dispute evidence assistantevidence packet and rule-grounded draft
Regulatory reporting narrative draftdata-lineage-grounded narrative and maker-checker

Deliverables

DeliverableCompletion standard
Pattern cardsproblem, context, forces, applicability and non-applicability
Reference implementation anatomyskeleton, prompt/RAG/tool/eval/telemetry/evidence components
Architecture descriptionviews and architecture decisions using stakeholder concerns
Reuse qualification checklistgreen/amber/red fit assessment
Evidence packinherited vs local evidence matrix
Control mappinggovernance, security, privacy, eval, human review and monitoring
Eval baselinegolden, high-risk, regression, no-answer and adversarial suites
Threat modelreusable threats plus local extension
Deviation exampleone approved deviation with compensating control and expiry
Lifecycle planversion policy, support state and deprecation trigger
Adoption telemetryreuse funnel, evidence health, defect and ROI dashboard
Executive memorecommend which pattern to scale first and why

Scoring Rubric

DimensionStrong answer
Architecture rigorClear distinction between pattern, template, golden path and reference implementation
Assurance rigorEval, threat model, control mapping and evidence are first-class
Reuse judgmentQualification prevents blind copying
Financial retail realismExamples reflect customer impact, AML/KYC/dispute/reporting controls
Platform thinkingClear interface between platform and use case teams
Lifecycle disciplineVersioning, deviations, deprecation and migration are explicit
Portfolio valueROI connects speed, quality, risk and support effort

19. Quality Bar

A reference implementation pattern is ready for senior review only if:

  • It has a named owner, maturity level, version and support state.
  • It has a pattern card with applicability and non-applicability.
  • It includes a runnable skeleton, not only documents.
  • It packages prompt/RAG/tool gateway assumptions explicitly.
  • It has eval baseline, threat model, control mapping and evidence binder.
  • It defines what evidence can be inherited and what must be local.
  • It has reuse qualification and red-stop conditions.
  • It supports variant management and approved deviations with expiry.
  • It emits telemetry for adoption, evidence health, quality, cost, latency and defects.
  • It has lifecycle rules for versioning, deprecation and migration.

Final principle:

Do not scale AI by copying demos. Scale AI by turning repeated patterns into governed reference implementations with reusable evidence and explicit local accountability.