v2.4.0

Phase 3 designs the system architecture informed by the risk assessment, selects the model approach, and establishes the data governance framework. The Statement of Business Intent is drafted and approved. Model selection uses the compliance criteria (documentability, testability, auditability, bias detectability, maintainability, determinism), evaluating the full spectrum from heuristic systems to LLMs. Model origin risk, copyright risk, and nation-alignment risk are assessed.

The layered architecture is designed with per-layer compensating controls. The data governance framework is established, including dataset documentation, data lineage infrastructure, fairness assessment methodology, and special category data handling. Version control strategy, CI/CD pipeline design, and infrastructure-as-code approach are defined. The cybersecurity threat model is developed using STRIDE/PASTA.

The insurance review is conducted during this phase, when the risk profile is sufficiently defined. Phase 3 produces the Statement of Business Intent, model selection rationale, system architecture document with dependency maps, data governance plan, version control and CI/CD design, and cybersecurity threat model. Architecture review by the Technical SME, Legal and Regulatory Advisor, and AI Governance Lead confirms the design satisfies the risk mitigation plan.

Key outputs

  • Statement of Business Intent, model selection rationale, architecture document
  • Data governance plan, CI/CD design, cybersecurity threat model
  • Insurance review completed
  • Gate: architecture review sign-off