Platform · Risk · Integration · Systems

Most Data Architects Work in 2D.
PRISM Works in Three Dimensions.

PRISM — Platform, Risk, Integration and Systems Methodology — is a five-layer deterministic framework for enterprise data architecture assessment, integration mapping, and migration planning. Developed through real engagements across government, finance, and professional services. Not adapted from a textbook.

Every system catalogued. Every integration risk-scored. Every API endpoint security-assessed. Fifty rules fire automatically. The output is an evidence-based assessment your board can act on and your delivery team can execute from.

Start a Conversation →
See the Methodology
// The Problem

Most Data Architecture Work Is Two-Dimensional.

Structure without risk.

Architects map what exists. They document integrations, draw diagrams, catalogue systems. Then a migration hits and the diagram cannot tell you what breaks, what the impact costs, or in what order to cut things over.

Connections without consequence.

It shows structure but not risk. Connections but not consequence. Current state but not migration impact. This is not a skills problem. It is a methodology problem. Adding more detail to a 2D diagram will not solve it.

The cost of getting this wrong.

A programme that commits to a sequence it cannot execute. A cutover that discovers — mid-migration — that three systems nobody documented depend on the one being retired. A financial integration that drops records silently.

// The consequence

A PRISM assessment delivered before programme planning begins is not a cost. It is the document that prevents the programme from committing to a plan that cannot be executed.

The cost of getting this wrong is not a failed sprint. It is an AI component that modifies production data without a review gate because nobody asked whether one existed. It is a financial integration that drops records silently because nobody defined what happens when it fails.

// What PRISM Actually Does

The Answer to Every Question a Diagram Cannot.

Five layers. Five pipeline zones. Fifty deterministic rules. The same input always produces the same output.

No error goes unhandled.

Every integration must define its failure disposition, escalation threshold, escalation owner, and recovery procedure. An integration without this documentation does not pass the assurance gate.

No AI output is acted upon without human authorisation.

AI generates, analyses, and recommends. Humans decide, approve, and execute. Without exception — regardless of how sophisticated the AI system is or how urgent the use case feels.

No system is trusted by default.

Zero Trust: every access request is authenticated, authorised, and continuously validated. Every integration authenticates explicitly. Every data asset is classified. Every access event is logged.

Most data architects will not go to this level of detail. Here is what PRISM produces that a standard architecture review does not:

Error handling specification for every integration — failure disposition, escalation threshold, escalation owner, and recovery procedure
AI governance assessment for every AI component — human review gate status, action scope definition, drift monitoring, evaluation strategy
Endpoint security registry — every API endpoint assessed for authentication, encryption, input validation, rate limiting, and credential handling
Blast radius analysis — what breaks downstream AND what breaks upstream, to depth three, severity-rated
Data contracts — versioned schema agreements between every producer and consumer, with SLA obligations and validation rules
Operational runbooks for high-risk integrations — failure modes, diagnostic steps, escalation path, recovery procedure
Testing specifications per integration — acceptance criteria, data validation tests, performance thresholds, rollback triggers
Accepted risk log — every gap that cannot be resolved before go-live is formally owned, documented, and reviewed on a defined schedule
// Who This Is For

You Have Been Handed a Complex Engagement. You Need a System.

A platform migration, a system replacement, a data estate nobody fully understands. You know the risk is in the architecture. You need a systematic way to find it, quantify it, and present it.

Data architects on enterprise migrations

You have been handed a programme with 40, 60, or 100 integrations — many of them undocumented, several carrying PII or financial data, and at least one that will break in a way nobody predicted. PRISM finds them all before the cutover.

Integration architects on platform replacements

You need to know exactly which integrations change, which stay, and which retire — classified by risk, documented with error handling specs, and sequenced in the right migration order. That is the integration register PRISM produces.

Technical consultants assessing data estates

Your client's architecture has AI components nobody has governed, security gaps nobody has documented, and API endpoints nobody has reviewed in years. PRISM applies 50 rules and gives you a findings report you can take to the client on day one.

Programme leads and CTOs

You need to walk into a steering committee with a quantified risk score, a priority action list, a phased migration plan, and evidence that the architecture has been systematically assessed — not a diagram someone drew on a whiteboard.

// The Methodology

Three Dimensions. One Assessment.

Where a 2D diagram shows you what you have, PRISM shows you what it means. Five layers. Five zones. Fifty rules. One complete assessment.

1

System Landscape

What exists. Every system catalogued by category and zone.

Input
Transform
Loop
Output
Interface
2

Change Impact

What moves, what breaks, what stays. 50 deterministic rules across 5 groups.

Payment credit: Change
Gateway verify: No Change
Daily file transfer: Automation
Identity callback: Change
3

Architecture Health

What is missing, what is fragile, what should be automated.

Automation gap: High
Endpoint auth gap: High
AI human-gating: High
Logging coverage: Medium
What Each Layer Produces
L1

Platform Assessment

Systems registry with every platform catalogued by category, zone, data layer, API capability, status flags, and ownership. For AI systems: governance fields covering human review gate status, action scope, evaluation strategy, and rollback capability.

L2

Risk Classification

Risk-scored integration register. Every integration receives a change type (Change, No Change, Retired, or TBD), a complexity rating, and a contribution to the overall migration risk score on a 0–100 scale weighted across complexity, PII exposure, financial risk, automation gaps, and TBD items.

L3

Integration Mapping

Complete integration register with interface specifications, data contracts, error handling documentation, and the endpoint registry. Blast radius analysis (downstream and upstream) to depth three. Compliance mapping across PCI-DSS, GDPR, SOX, HIPAA, ISO 27001, and others.

L4

Systems Analysis

Architecture health report against 50 rules: change impact (Rules 1–10), platform governance, automation and quality, AI governance, observability, migration risk, security (Rules 35–44), architecture health, and endpoint security (Rules 46–50). Every finding severity-rated with remediation guidance.

L5

Migration Planning

Phased migration sequence, testing specifications per integration, operational runbooks for high-risk integrations, RTO/RPO recovery profiles, cost and TCO summary, decision log, accepted risk log, and stakeholder-split reporting: an executive summary for the board and a full technical specification for the delivery team.

The Five Zones — refracted from a single beam
Input
Data enters the system
Web apps · payment gateways · identity providers
Transform
Processed and routed
APIs · middleware · core platforms
Loop
Intelligence feeds back
Analytics · AI/ML · monitoring
Output
Results delivered
Reports · notifications · exports
Interface
Data reaches users
Dashboards · reports · alerts
The Five Data Layers
Generation

Data is created

Source systems, events, IoT, user actions

Movement

Data is transported

Pipelines, ETL, messaging, file transfers

Operational

Data is in active use

Transactional databases, operational stores

Processing

Data is transformed

Bronze-Silver-Gold, analytics engines, ML

Consumption

Data is delivered

Reports, dashboards, downstream systems

Every system is classified by both a zone and a data layer — two independent dimensions that together define its role in the architecture.

// The Rules Engine

50 Rules Across 9 Groups.

Rule 37 fires on every PII or financial integration without encryption in transit, every time, regardless of who runs the assessment. That is the difference between an opinion-based review and a rules-based assessment.

Integration Assessment (10 rules)
Rule 1: System replacement (direct)
Rule 2: Dual replacement
Rule 3: Manual / file process detected
Rule 4: PII data
Rule 5: Financial transaction
Rule 6: Real-time with replacement
Rule 7: Multiple targets
Rule 8: External-to-external
Rule 9: Middleware retained
Rule 10: System retirement

Platform Governance (4 rules)
Rule 11: Single source of truth
Rule 12: Right-sizing
Rule 18: Medallion architecture
Rule 26: Uncosted enterprise platform

Automation & Quality (3 rules)
Rule 13: Automation gap
Rule 17: Process consolidation
Rule 22: High-volume manual process

AI Governance (6 rules)
Rule 14: AI usage audit
Rule 31: No human review gate on AI component
Rule 32: AI agent without action scope definition
Rule 33: AI component without drift monitoring
Rule 34: Runtime AI on structured integration
Rule 45: AI output evaluation strategy absent

Observability & Resilience (3 rules)
Rule 15: Feedback loop coverage
Rule 16: Logging coverage
Rule 21: Bidirectional dependency

Migration & Compliance Risk (3 rules)
Rule 19: Regulatory risk
Rule 20: Cutover sequencing risk
Rule 23: Data layer gap

Security (10 rules)
Rule 35: MFA not documented
Rule 36: Undocumented service account
Rule 37: Sensitive data without encryption in transit
Rule 38: Sensitive data without encryption at rest
Rule 39: Missing access controls documentation
Rule 40: Patch status undocumented
Rule 41: No audit trail on sensitive system
Rule 42: Backup not documented for critical system
Rule 43: Backup RTO-RPO gap
Rule 44: Data retention policy absent

Architecture Health (6 rules)
Rule 24: Data contract gap
Rule 25: Missing runbook
Rule 27: No RTO on high-risk integration
Rule 28: No RTO on critical classification
Rule 29: Error handling gap
Rule 30: Silent drop on sensitive integration

Endpoint Security (5 rules)
Rule 46: Endpoint without authentication
Rule 47: Endpoint transmitting sensitive data without encryption
Rule 48: Endpoint without input validation
Rule 49: Credential passed in query parameter
Rule 50: Endpoint not reviewed in 12 months
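To make "rules fire automatically" concrete, here is a small deterministic rules engine written for this page as an added example; it is not PRISM's own code. It implements a handful of the listed rules (29, 30, 31, 37, 46, 47 and 49) over constructed registry records. The record field names, the severity ratings, the list of credential-looking query-parameter names and the sample systems, integrations and endpoints are all assumptions made for the illustration; the rule numbers and titles are the page's. Sorting the findings is what makes the same input always produce the same output.

```python
# Added example of a deterministic rules engine in the spirit of the PRISM rule list (not PRISM's code).
# Rule numbers and titles follow the page; record fields, severities and CREDENTIAL_PARAMS are assumptions.
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

@dataclass(frozen=True)
class System:
    name: str
    category: str                              # e.g. "Core Platform", "AI Agent"
    human_review_gate: Optional[bool] = None   # AI systems only; None = not documented

@dataclass(frozen=True)
class Integration:
    source: str
    target: str
    pii: bool
    financial: bool
    encryption_in_transit: bool
    failure_disposition: Optional[str]         # "dead letter", "retry", "manual review", "drop" or None

@dataclass(frozen=True)
class Endpoint:
    system: str
    url: str
    auth: Optional[str]                        # None = no authentication documented
    sensitive: bool                            # carries PII or financial data

@dataclass(frozen=True, order=True)
class Finding:
    rule: int
    subject: str
    severity: str
    title: str

AI_CATEGORIES = {"AI Agent", "AI/ML Component"}
CREDENTIAL_PARAMS = {"api_key", "apikey", "key", "token", "access_token", "password", "secret"}  # assumed list

def is_sensitive(i: Integration) -> bool:
    return i.pii or i.financial

def credential_params(url: str) -> List[str]:
    """Query-parameter names in url that look like credentials (the Rule 49 check)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(p for p in query if p.lower() in CREDENTIAL_PARAMS)

def system_rules(s: System) -> List[Finding]:
    out = []
    # Rule 31: an undocumented gate counts as missing; a policy-only gate is recorded as False.
    if s.category in AI_CATEGORIES and not s.human_review_gate:
        out.append(Finding(31, s.name, "High", "No human review gate on AI component"))
    return out

def integration_rules(i: Integration) -> List[Finding]:
    subject, out = f"{i.source} -> {i.target}", []
    if i.failure_disposition is None:                          # Rule 29
        out.append(Finding(29, subject, "High", "Error handling gap"))
    if is_sensitive(i) and i.failure_disposition == "drop":    # Rule 30
        out.append(Finding(30, subject, "Critical", "Silent drop on sensitive integration"))
    if is_sensitive(i) and not i.encryption_in_transit:        # Rule 37
        out.append(Finding(37, subject, "Critical", "Sensitive data without encryption in transit"))
    return out

def endpoint_rules(e: Endpoint) -> List[Finding]:
    subject, out = f"{e.system} {e.url}", []
    if e.auth is None:                                         # Rule 46
        out.append(Finding(46, subject, "High", "Endpoint without authentication"))
    if e.sensitive and urlsplit(e.url).scheme != "https":      # Rule 47
        out.append(Finding(47, subject, "Critical", "Endpoint transmitting sensitive data without encryption"))
    if credential_params(e.url):                               # Rule 49
        out.append(Finding(49, subject, "High", "Credential passed in query parameter"))
    return out

RULES = {System: system_rules, Integration: integration_rules, Endpoint: endpoint_rules}

def assess(records) -> List[Finding]:
    """Fire every rule over every record; the sorted result is identical for identical input."""
    return sorted(f for r in records for f in RULES[type(r)](r))

# Constructed sample registry for the example.
SYSTEMS = [System("Payment Gateway", "External"), System("Core Platform", "Core Platform"),
           System("Analytics", "Analytics"), System("Fraud Scoring Agent", "AI Agent", human_review_gate=False)]
INTEGRATIONS = [Integration("Payment Gateway", "Core Platform", True, True, True, "dead letter"),
                Integration("Core Platform", "Analytics", True, False, False, "drop"),
                Integration("Core Platform", "Fraud Scoring Agent", False, True, True, None)]
ENDPOINTS = [Endpoint("Core Platform", "https://core.example/api/v1/payments", "OAuth2", True),
             Endpoint("Analytics", "http://analytics.example/export?api_key=PLACEHOLDER&format=csv", None, True)]

if __name__ == "__main__":
    for f in assess(SYSTEMS + INTEGRATIONS + ENDPOINTS):
        print(f"Rule {f.rule:2d} [{f.severity:8}] {f.title}: {f.subject}")
```

Running the sample yields seven findings: the PII feed to Analytics trips Rules 30 and 37, the undocumented integration into the fraud agent trips Rule 29, the agent itself trips Rule 31, and the unauthenticated plain-HTTP export endpoint with a key in its query string trips Rules 46, 47 and 49. Because each rule reads only its record's fields, two assessors running the engine over the same register get exactly the same list.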
// How It Works

Five Steps to a Complete Assessment.

Step 1 · 15 min

Intake

Client name, size, engagement type, primary objective. Five questions that frame the entire assessment.

Step 2 · 1–2 hrs

Discover

Every system in the landscape registered with its category, zone, API status, and replacement status.

Step 3 · 2–4 hrs

Map

Every integration between systems defined: method, frequency, PII, financial flags, error handling disposition, and indirect dependencies. API endpoints registered and security-assessed per system.

Step 4 · Instant

Assess

50 deterministic rules fire automatically across change impact, architecture health, AI governance, cybersecurity, and endpoint security. Every finding ranked by severity with remediation guidance.

Step 5 · Same day

Deliver

Professional PDF report with executive summary, integration assessment, migration roadmap, and supplementary sections covering AI governance and security compliance. Suitable for programme boards and executive stakeholders.

// Beyond the Assessment

Assessment is Step One. Migration Planning is Step Two.

Most consultancies stop at the assessment. PRISM produces a complete migration planning toolkit — phased roadmap, risk scoring, dependency analysis, error handling frameworks, data contracts, operational runbooks, endpoint security registry, AI governance reporting, and compliance mapping. All deterministic. All auditable.

Migration Risk Score
Score: High (out of 100)
Scale: Low · Medium · High · Critical
Complexity: 21/30
PII Risk: 12/15
Financial: 14/15
Manual: 6/10

A single number your steering committee can act on — weighted across complexity, PII exposure, financial risk, automation gaps, and architecture health.

Phased Migration Roadmap
P1 Core User Flows: 17
P2 Operational Files: 22
P3 Analytics: 9
⚠ Dependency warning: 2 Phase 1 integrations depend on systems with Phase 3 changes. Consider resequencing.

Architecture Diagram

Five-zone swim lane, current and future state side by side.

Blast Radius Analysis

Select any system; see exactly what breaks during cutover. BFS traversal, 3 levels deep, severity-rated.
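The traversal described above, as an added example written for this page rather than PRISM's own code: a breadth-first search over a constructed integration register, run downstream (who consumes from the selected system) and upstream (who feeds it), cut off at depth three. The register shape (source, target, carries-sensitive-data), the severity table and the sample systems are assumptions made for the illustration; the depth limit and the two directions are the page's.

```python
# Added example of a depth-limited blast radius BFS (not PRISM's code).
# Register shape, severity table and sample data are assumptions for the illustration.
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Impact:
    system: str
    depth: int          # hops from the selected system (1..max_depth)
    sensitive: bool     # the integration it was reached through carries PII or financial data
    severity: str

# Constructed register: (source, target, carries_sensitive_data).
INTEGRATIONS: List[Tuple[str, str, bool]] = [
    ("Identity Provider", "Core Platform", True),
    ("Payment Gateway", "Core Platform", True),
    ("Core Platform", "Settlement", True),
    ("Core Platform", "Analytics", True),
    ("Settlement", "Finance Reporting", True),
    ("Analytics", "Dashboards", False),
    ("Dashboards", "Exec Reports", False),
    ("Exec Reports", "Archive", False),      # four hops from Core Platform: outside the radius
]

def adjacency(integrations, direction: str) -> Dict[str, List[Tuple[str, bool]]]:
    """Neighbour lists; 'upstream' simply reverses every edge."""
    adj: Dict[str, List[Tuple[str, bool]]] = {}
    for src, dst, sensitive in integrations:
        a, b = (src, dst) if direction == "downstream" else (dst, src)
        adj.setdefault(a, []).append((b, sensitive))
    return adj

def rate(depth: int, sensitive: bool) -> str:
    """Assumed rating table: the nearer the hop and the more sensitive the data, the worse."""
    if depth == 1:
        return "Critical" if sensitive else "High"
    if depth == 2:
        return "High" if sensitive else "Medium"
    return "Medium" if sensitive else "Low"

def blast_radius(integrations, root: str, direction: str = "downstream", max_depth: int = 3) -> List[Impact]:
    """Every system reachable from root within max_depth hops, nearest first."""
    if direction not in ("downstream", "upstream"):
        raise ValueError(f"unknown direction {direction!r}")
    adj = adjacency(integrations, direction)
    seen = {root: 0}                   # also stops cycles from being re-expanded
    impacts: List[Impact] = []
    queue = deque([root])
    while queue:
        node = queue.popleft()
        if seen[node] >= max_depth:    # do not expand past the depth limit
            continue
        for nxt, sensitive in sorted(adj.get(node, [])):
            if nxt in seen:            # already reached by a path at least as short
                continue
            seen[nxt] = seen[node] + 1
            impacts.append(Impact(nxt, seen[nxt], sensitive, rate(seen[nxt], sensitive)))
            queue.append(nxt)
    return sorted(impacts, key=lambda i: (i.depth, i.system))

if __name__ == "__main__":
    for direction in ("downstream", "upstream"):
        print(f"{direction} of Core Platform:")
        for i in blast_radius(INTEGRATIONS, "Core Platform", direction):
            print(f"  depth {i.depth} [{i.severity}] {i.system}")
```

For the sample register, retiring Core Platform reaches Settlement and Analytics at depth one, Finance Reporting and Dashboards at depth two, and Exec Reports at depth three; Archive sits one hop further and is deliberately outside the radius. Upstream, only the two feeder systems are affected.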

RACI Matrix

Auto-generated from system ownership. Named R, A, C, I per integration.

Cutover Runbook

Sequenced by criticality with pre/post validation and rollback triggers for every integration.

Compliance Mapping

Every integration tagged by GDPR, PCI-DSS, SOX, HIPAA with exposure per framework.

Testing Checklist

Deterministic test requirements per integration. Exportable as PDF.

Error Handling Framework

Failure disposition, escalation threshold, escalation owner, and recovery procedure per integration.

Endpoint Security Registry

Every API endpoint assessed for authentication, encryption, input validation, rate limiting, and credential handling.

Governance Reporting (SUPP A + B)

SUPP A: AI governance for every AI component and autonomous agent. SUPP B: cybersecurity posture mapped to the ACSC Essential Eight.

// The Playbooks

Four Playbooks. One Consistent Standard.

The PRISM rules engine is governed by four companion playbooks. Every rule, every assessment, every finding traces back to a documented standard — not a consultant's opinion.

AI & Automation Governance Playbook

Governs every AI component, autonomous agent, and automation pipeline. Three invariants: deterministic first, AI second; every AI component has a human review gate; every AI agent defines its action scope. Six rules fire automatically against AI systems.

Human review gates · Drift monitoring · Audit logging · Rollback capability

Cybersecurity Playbook

Zero Trust foundation across eight security domains. Governs Rules 35–50: identity and authentication, data protection, patch management, logging and monitoring, backup and recovery, access controls, and the full endpoint security registry. Mapped to the ACSC Essential Eight.

Zero Trust · ACSC Essential Eight · 16 rules · 8 security domains

Integration Error Handling Playbook

One invariant: no error goes unhandled. Every integration must define its failure disposition (dead letter, retry, manual review, or drop), escalation threshold, escalation owner, and recovery procedure. Governs Rules 29 and 30.

Dead letter queues · Escalation paths · Silent drop detection · Assurance gates

Pipeline Coding Standards

Every data pipeline built to the same standard. Orchestrator-module architecture, Bronze-Silver-Gold medallion layers, deterministic transformations, and no runtime AI. Governs how recommendations translate into implementation.

Medallion architecture · Orchestrator pattern · Bronze-Silver-Gold · No runtime AI
// The 10 Golden Rules

Non-Negotiable Principles.

01

No silos. All data lives in one system.

02

Deterministic first, AI second.

03

Every component belongs to one of five zones: Input, Transform, Loop, Output, Interface.

04

Every pipeline needs at least one feedback loop.

05

Right-size the platform. Snowflake is not the answer for a small business.

06

Consolidate redundant processes. Three payment portals doing the same job is one process waiting to be built.

07

No manual processes. Everything should be automated.

08

AI is never used unsupervised at runtime. Every AI component has a human review gate.

09

No error goes unhandled. Every integration defines its failure disposition, escalation path, and recovery procedure.

10

Every data pipeline follows the Bronze, Silver, Gold medallion pattern.

// Track Record

Built From Real Engagements. Not a Textbook.

25 years designing data systems across enterprise gaming, fitness, retail, and professional services. PRISM was not adapted from a generic framework. It was built from the ground up across real client engagements.

Government Gaming

Architecture assessment and full migration planning for a government enterprise replacing a 19-year core platform. 470+ operational locations, real-time financial settlement, customer registration, identity verification, and grants management. Three-phase roadmap with compliance mapping across multiple regulatory frameworks.

32

Systems

62

Integrations

19 yrs

Platform age

Fitness Analytics

Multi-tenant analytics platform serving 205+ studios across 9 countries and 350 active users. Deterministic reporting with zero AI at runtime, full data ownership per client, and automated content generation pipelines.

205+

Studios

9

Countries

350

Active users

Marketing Services

Deterministic reporting platform used by marketing agencies across Australia. Automated data ingestion, template-driven report generation, and client-facing dashboards built on first-party analytics.

Multiple

Agencies

Automated

Reports

Zero

AI at runtime

For Enterprise Programmes

You are about to spend $5–50M replacing a platform. Do you know what you are actually replacing?

Most organisations know their headline systems. Few have a complete picture of the integrations between them — the 60 or 80 or 120 data flows that connect every system to every other system, many of which carry PII, financial data, or regulatory obligations nobody has documented.

PRISM finds them. It classifies every one of them by change impact, risk, and complexity. It identifies which integrations will break if a system changes, how far that break propagates, and in what order the migration must be sequenced to avoid cascading failures.

A PRISM assessment delivered before programme planning begins is not a cost. It is the document that prevents the programme from committing to a plan that cannot be executed.

For Mid-Market Organisations

You do not need a big consulting firm. You need the same rigour they charge for, delivered by someone who built the methodology.

Mid-market organisations face the same architectural problems as enterprise — platform consolidation, legacy replacement, data estate modernisation — but without the budget for a Big Four engagement.

PRISM was designed to be applicable at any scale. The same methodology that assessed 32 systems and 62 integrations for a government enterprise applies equally to a 15-system organisation replacing its CRM. The output is the same: a risk score, a prioritised findings report, and a migration plan you can take to your board.

The difference is you get the architect who built the methodology, not a junior who read the playbook last week.

For Recruiting Agencies

A data architect with a proprietary methodology is not the same as a contractor with experience.

Most architects working on enterprise programmes apply experience and judgement. The output quality is a function of who you placed. PRISM changes that equation. The methodology is documented, the rules are deterministic, and the output is consistent across engagements regardless of how complex the landscape is.

For your clients with platform migration programmes, digital transformation initiatives, or data estate modernisation projects, the question is not whether to do an architecture assessment. It is whether to do one that produces a diagram and some observations, or one that produces a quantified risk score, a 50-rule findings report, a compliance map, an endpoint security registry, an AI governance assessment, and a complete migration planning toolkit.

If you are placing architects on enterprise engagements where the outcome matters, PRISM is the differentiator worth knowing about.

// Questions

Frequently Asked Questions.

What exactly is PRISM?
PRISM stands for Platform, Risk, Integration and Systems Methodology. It is a five-layer deterministic framework for assessing enterprise data architectures. Layer 1 produces a complete systems registry — every platform catalogued by zone, data layer, API capability, ownership, and for AI systems, governance fields covering human review gates, action scope, evaluation strategy, and rollback capability. Layer 2 produces a risk-scored integration register — every integration classified by change type, complexity, PII exposure, and financial risk, feeding a 0–100 migration risk score. Layer 3 produces the complete integration map including data contracts, endpoint registry, upstream and downstream blast radius analysis, and compliance mapping across PCI-DSS, GDPR, SOX, HIPAA, ISO 27001, and others. Layer 4 runs 50 deterministic rules across the full architecture and produces a severity-rated findings report covering change impact, platform governance, AI governance, cybersecurity, and endpoint security. Layer 5 produces the full migration planning toolkit: phased sequencing, testing specifications, operational runbooks, RTO/RPO recovery profiles, cost summary, decision log, and stakeholder-split reporting.
Why deterministic rather than AI?
Validated in practice. Five weeks of testing AI-generated executive summaries confirmed that AI consistently failed to follow rules reliably. Deterministic templates — the same conditional logic applied to the same structured data — delivered better results at zero hallucination risk and a fraction of the cost. The same input always produces the same output. No tokens burned. No hallucination risk. No model drift. AI has a specific and valuable role: during setup, it generates candidates, templates, and pattern proposals under human supervision before anything goes to production. Structured feedback loops allow AI to propose improvements over time — but every proposed change requires human approval before it enters the system.
What kind of engagements is PRISM designed for?
Four engagement types. Migration: a platform is being replaced. PRISM maps every integration, classifies change impact, scores migration risk, identifies the cutover sequence, and produces the full planning toolkit. New Build: a system is being designed from scratch. Layer 1 focuses on future-state design and Layer 5 produces a build sequence. Optimisation: the architecture exists but has gaps. Layer 4 architecture health rules are the primary driver. Assessment Only: a full five-layer assessment in advisory mode, producing an architecture health report and recommended roadmap without committing to a delivery plan.
What about AI systems in the architecture being assessed?
PRISM has specific governance rules for every AI component in the landscape. Rule 14 detects AI Agent and AI/ML Component systems. Rules 31–34 check whether each one has a human review gate that is technically enforced (not just documented in policy), a defined action scope, audit logging enabled, and no runtime AI calls against structured data where deterministic code would be more reliable. Rule 45 checks whether each AI component has a documented evaluation strategy. The governance test is direct: if this AI produced a wrong output right now, what would happen before a human noticed? If the answer is "something would execute, send, change, or delete", the architecture has a governance gap. PRISM flags it.
What does the output look like?
Two versions generated from the same underlying data. The executive summary is non-technical: migration risk score, plain-English findings, priority action list, and the migration roadmap — no integration detail, designed for a steering committee or programme board. The technical specification is the full output: systems registry, complete integration assessment, endpoint registry with security status per endpoint, blast radius analysis, architecture health findings against 50 rules, error handling specification per integration, data contracts, operational runbooks, testing requirements, compliance impact report by regulatory framework, RACI matrix, cutover runbook with rollback triggers, and where applicable, Supplementary A (AI governance in full) and Supplementary B (cybersecurity posture mapped to the ACSC Essential Eight).
How is this different from a standard architecture review?
Most architecture reviews produce a diagram and a set of consultant observations. The quality of the output is entirely dependent on the individual doing the work — their knowledge, their attention, and what they happened to think of on the day. There is no standard. PRISM applies 50 deterministic rules to every component, integration, and API endpoint in the landscape. A financial integration without error handling documentation fails Rule 29 regardless of who runs the assessment. A PII integration without encryption in transit fails Rule 37. An AI component without a human review gate fails Rule 31. Every finding traces to a rule. Every rule traces to one of four documented playbooks. The output is structured, auditable, and repeatable.
What industries have you worked in?
Enterprise gaming and lottery, fitness and wellness, financial services, marketing and advertising technology, and professional services. PRISM was built from real engagements across these sectors — not adapted from a generic framework. The most demanding of these was a government gaming engagement with 32 systems, 62 integrations, a 19-year-old core platform, real-time financial settlement, identity verification across 470 operational locations, and regulatory compliance across multiple frameworks. The methodology was stress-tested at that level of complexity and then generalised so it applies equally to a 15-system mid-market organisation.

Ready to See Your Architecture in Three Dimensions?

Whether you are planning a migration, replacing a platform, or assessing an existing data estate, start with a conversation.

Start a Conversation →

No pitch. No pressure. Just a conversation to see if PRISM fits your engagement.