WORKFLOW MOAT SPRINT (Template) Goal: Define one workflow you can own end-to-end (intake → context → draft → approval → execution → audit) in a way procurement and operators can accept. 1) Workflow Name: - Example: “Support ticket → engineering bug report” 2) Business Owner (role/title): - Who is accountable for outcomes? (Not a department—name the role.) 3) Current System-of-Record: - Pick ONE primary system where the workflow must end up (e.g., Jira, ServiceNow, Salesforce, Zendesk). 4) Trigger (Intake): - What starts the workflow? (New ticket, inbound email, Slack mention, form submission.) 5) Required Context Sources (list 3–6): - Include where truth lives (e.g., Zendesk ticket, GitHub repo, Datadog logs, Confluence runbook, Salesforce account notes). - For each: note permission model (per-user, per-team, global). 6) Actions the AI can take (write verbs, not features): - Draft: - Create: - Update: - Notify: - Classify: 7) Actions the AI must NEVER take without approval: - Examples: send external email, close ticket, deploy change, approve refund, change access permissions. 8) Approval Gates: - For each restricted action, define: - Approver role - Approval UI (diff view, checklist, or explicit confirm) - Timeout / escalation path 9) Audit Events (minimum set): Create an event list you will log as structured records: - context_retrieved (source, document id, permission check result) - draft_generated (type, target system) - approval_requested (action, approver role) - approval_decision (approved/rejected, by whom) - tool_called (system, endpoint/action) - write_succeeded / write_failed (external id, error class) - rollback_executed (what was reverted) 10) Rollback Plan: - What does “undo” mean for each write action? - If rollback is impossible, what compensating action is required? 11) First Production Scope (keep it small): - Exact allowed actions: - Exact disallowed actions: - Which teams/users get access: 12) Security/IT Readiness Checklist: - SSO requirement: yes/no - SCIM requirement: yes/no - Data retention policy: what is stored and for how long? - Export needs: audit logs export format Output: You should be able to hand this document to an engineering lead AND a security reviewer and get concrete feedback, not vague objections.