Technology Enterprise Software & IT Data Platforms & Analytics

Data Governance

Platform decisions with deep integration complexity, organizational change, and long-term data stakes.

Collibra Alation Informatica IBM
Inside this journey
  1. Pre-Discovery

    Align the room on outcomes, decision process, and constraints before deeper discovery.

    1. Stakeholder Alignment

      Confirm decision roles (CDO, GC, CTO), exam timeline, and 60-day POC success criteria.

      Alignment Questions

      Quick Introductions — Who’s Driving This Effort?

      • Who is the primary sponsor or owner for this initiative? Options: Chief Data Officer (CDO), General Counsel (GC), Chief Technology Officer (CTO), Head of Compliance, CISO, Other
      • Who else is at the table (names, titles, and role in decision-making)?
      • What is the target decision timeline for selecting a platform? Options: Immediately / 30 days, 30–60 days, 60–90 days, 3–6 months, Undetermined
      • What recent event or trigger brought this to the top of the agenda? Options: Regulatory exam finding, Failed internal audit, Data breach / incident, New regulation, Executive request, Other
      • Briefly describe the regulator’s ask or the internal finding in one or two sentences.

      Are We Still Relying on Fragile Inventories?

      • When an examiner asks for a complete inventory of systems holding customer personal information, what do you typically have to produce—and what do you wish you had instead?
      • How is your current inventory maintained today? Options: Spreadsheets / manual lists, CMDB, Point-tool inventories (ad hoc), Partially automated crawler, No single inventory
      • When was the inventory last updated in a way you’d trust for an exam? Options: Within 7 days, Within 30 days, 1–3 months, 3–6 months, Longer / unknown
      • What are the top three system types where you suspect coverage is weakest (e.g., analytics, third-party SaaS, archival storage)?
      • Tell us about a specific time when inventory gaps caused a regulatory or operational problem — what happened and what was the impact?

      What’s Broken About Lineage Right Now?

      • If an auditor asked you to show column-level lineage for a customer personal data element, where would you expect to hit the biggest roadblock? Options: Unregistered pipelines, Code-based transformations (Python/Scala), Third-party SaaS exports, Event/streaming data, Lack of metadata (schemas)
      • Which data platforms must we be able to trace across for the POC? Options: Oracle / DBMS, Snowflake, Databricks, Redshift, S3 / Blob Storage, Kafka / streaming, Third-party SaaS (Salesforce, Zendesk), Other
      • How do you currently capture or represent transformations (ETL jobs, SQL, notebooks, data pipelines)? Options: Automated lineage in a tool, Manual documentation, Job-level logs only, No systematic capture, Other
      • Typically, how long does it take your team to trace the flow of a single sensitive column from source to report? Options: < 1 day, 1–3 days, 1–2 weeks, Multiple weeks, Unknown
      • Describe a recent investigation where missing lineage extended remediation work or triggered risk escalation.

      Where Should Automation Immediately Reduce Risk?

      • If you could have one manual task replaced by automation in the next 60 days, which would have the greatest regulatory impact? Options: Automated asset discovery, Column-level lineage mapping, Evidence packaging for deletion/retention, Policy enforcement across copies, Other
      • Which data domain should be the POC focus to demonstrate maximum regulatory value? Options: Customer personal information (PII), Payment/account data, Loan origination, Claims data, Employee data, Other
      • What percentage of your production systems must be discoverable in the POC for you to consider it meaningful? Options: 10–20%, 20–40%, 40–60%, 60–80%, 80–100%
      • Which sensitivity / classification tags are essential for discovery to capture (select all that apply)? Options: PII/Personal Data, Financial Account, SSN/National ID, Payment Card Data, Health-related, Subject to retention law, Other
      • What objections or cultural friction do you expect from teams about crawling production systems?

      Can We Safely Crawl Production — What’s Non-Negotiable?

      • What single operational requirement would make you immediately refuse a production crawl? Options: No read-only access granted, Any change to pipelines, Inability to pause/rollback, Lack of encryption in transit, Other
      • Which access patterns are acceptable for connectors in your environment? Options: Read-only DB replicas, Audit/observer accounts, Service account with scoped permissions, Network jump host, Other
      • Do you require a dry-run, throttling, or sampling approach before full crawls? Options: Dry-run first, Throttled crawling, Sampling only, Full crawl allowed immediately, Undecided
      • What rollback or stop controls must be available before the CTO will sign off? Options: Immediate kill switch, Auto-throttle on latency spike, Connector-level pause, Detailed run logs, Other
      • List the network/security owners and their preferred contact method and SLA for approvals.

      What Will ‘Examiner-Ready Evidence’ Actually Look Like?

      • If the GC were asked to present proof that deletion requests were honored across systems, what artifact would satisfy them? Options: Time-stamped deletion logs, End-to-end lineage with timestamps, Automated compliance report (PDF), Signed attestation with evidence bundle, Other
      • Which elements must the evidence include for legal acceptance? Options: Immutable timestamps, System identifiers/asset IDs, User/process that executed action, Hashes or checksums, Chain-of-custody notes
      • How granular does enforcement evidence need to be (system-level, table-level, column-level, instance-level)? Options: System-level, Table-level, Column-level, Instance/record-level
      • What format and delivery cadence does the examiner expect for POC evidence? Options: One-time evidence bundle, Daily snapshots, Weekly report + artifacts, On-request export
      • Share an example of evidence you’ve previously delivered (what worked, what fell short).

      Who Signs Off on Success — Metrics and People?

      • If you had to pick the three most important acceptance criteria for the 60-day POC, what would they be? Options: Catalog coverage (assets discovered), Column-level lineage depth, Verified enforcement actions, Non-disruptive integration, Examiner-ready evidence packaging
      • For each selected criterion above, what is the numeric or qualitative target you’d accept?
      • Who will provide the formal acceptance sign-off at the end of the POC? Options: CDO, GC, CTO, Head of Compliance, Cross-functional committee
      • If a criterion is not met, what remediation or extension options are acceptable? Options: 30-day extension, Targeted re-run of specific connectors, Additional engineering support, No extension — deal off
      • Describe your escalation path if the POC reveals a major compliance gap.

      Integration Deal-Breakers — What Must Never Change?

      • What integration requirement would cause the CTO to veto the platform immediately? Options: Requires pipeline refactor, Adds measurable latency to production flows, Requires privileged network changes, Agent installation on prod nodes, Other
      • Which connector types are preferred and which are forbidden in your environment? Options: Preferred: read-only replicas, Preferred: API-based connectors, Forbidden: write-capable agents, Forbidden: root access
      • What are your latency and performance thresholds we must respect during crawls? Options: No measurable impact allowed, <1% latency increase allowed, <5% latency increase allowed, Acceptable if off-peak only
      • Which security controls must a vendor demonstrate before any production access is granted? Options: Pen test report, SOC2 / ISO certification, Network segmentation proof, Encryption key handling details, Other
      • List any internal policies or compliance standards the integration must adhere to (e.g., data residency, encryption, logging).

      Policy Enforcement — What Counts as Success?

      • If policy enforcement is part of the POC, which automated actions are mandatory to demonstrate value? Options: Retention enforcement (deletion), Masking/pseudonymization, Access controls / entitlement changes, Alerting + workflow for remediation, Other
      • How often must enforcement checks run to meet compliance expectations? Options: Real-time / streaming, Hourly, Daily, Weekly, On-demand only
      • What level of human approval is required before automated deletion or masking can execute? Options: No manual approval, Automated with audit trail, Pre-approved by GC/Data Owner, Case-by-case approval
      • What historical enforcement failures would you want the POC to detect or prevent?
      • Which teams must be included in enforcement playbooks or runbooks created during the POC? Options: Data Engineering, Security / InfoSec, Legal / GC, Records / Archiving, Business Data Owners

      What Would It Feel Like After a Successful POC?

      • Imagine the regulator leaves satisfied — what two concrete outcomes would you point to that prove the problem is solved?
      • What ongoing operational model do you prefer after the POC? Options: Vendor-managed service, Hybrid (vendor + internal ops), Fully internal operations, Undecided
      • What training or handover will your teams need to sustain the capability? Options: Admin training, Technical integration workshops, Runbook + runbook drills, On-call vendor support
      • How quickly would you want to expand beyond the POC domain if it succeeds? Options: Immediately (next 30 days), Within 2–3 months, Within 6 months, Longer / dependent on budget
      • What risks or internal blockers could still derail adoption even after a successful POC?

      Immediate Next Steps — Aligning People, Dates, and Deliverables

      • If we don’t agree on immediate next steps right now, what usually slows projects like this most? Options: CTO/architecture hold, Legal/commercial negotiation, Lack of engineering time, Unclear success criteria, Budget approval
      • Which deliverables would you like to see in a POC statement of work? Options: Asset inventory list, Lineage depth report, Enforcement evidence bundle, Security/impact assessment, Runbook and handoff plan
      • What is the earliest feasible kickoff date for a scoped 60-day POC? Options: Within 2 weeks, 2–4 weeks, 1–2 months, Later / dependent on approvals
      • Who are the named engineering and security contacts that must approve connector access (name, title, email)?
      • Do you consent to an initial discovery crawl of the agreed POC scope under a read-only, non-disruptive contract clause? Options: Yes — consent, Maybe — need more information, No — not at this time
    2. Current State Mapping

      Capture existing inventories, known gaps in system visibility, pipeline constraints, and data risk areas.

      Current State

      Starting Point: Why Are We Here Today?

      • What prompted you to open this discussion about data governance right now? Options: Regulatory examiner finding, Internal audit, Board request, Major incident or data breach, Proactive modernization, Other
      • Who is formally owning the evaluation and selection for this initiative? Options: Chief Data Officer, General Counsel, Chief Technology Officer, Head of Risk/Compliance, Other executive
      • How urgent is a demonstrable fix—what timeline are you under to show progress to examiners or auditors? Options: Immediate (weeks), 60 days (POC window), 3 months, 6 months, No firm deadline
      • When you picture success at the end of an initial engagement, what single outcome matters most to your execs? Options: Verified inventory of systems, Column-level lineage for a domain, Proof of policy enforcement/deletion, Readable examiner evidence, Other
      • Who else on your team should we involve in discovery so we don’t miss key constraints (names/roles preferred)?

      Are You Comfortable Being Surprised by Where Customer Data Lives?

      • How confident are you today that you could, within two business days, produce a complete list of systems containing customer personal information? Options: Very confident, Somewhat confident, Not confident, No idea
      • Tell us about a time a review or request revealed data in an unexpected place—what happened and how did it feel for the team?
      • How often do you find previously unknown copies, exports, or analytics outputs containing customer records? Options: Weekly, Monthly, Quarterly, Rarely, Never tracked
      • If an examiner asked for proof that a deletion request was honored across every downstream copy, how comfortable would you be with the evidence you could produce today? Options: Completely comfortable, Partially comfortable, Uncomfortable, Can't produce evidence
      • Which of these emotions best describes how the data team reacts when an unknown system is discovered? Options: Frustration, Urgency to fix, Embarrassment, Calm, expected, Confusion

      Where Does Data Disappear (or Multiply) in Your Estate?

      • Which platforms and pipeline types currently host or process customer personal information in your environment? Options: Relational DBs (Oracle, SQL Server, Postgres), Cloud warehouses (Snowflake, Redshift, BigQuery), Data lakes (S3/ADLS), Streaming systems (Kafka, Kinesis), Analytics platforms (Tableau, Looker), SaaS apps (CRM, marketing platforms), Custom ETL/Code pipelines
      • Are there known dark spots (e.g., undocumented reports, ad-hoc exports, contractor environments) where visibility is limited? Options: Yes—many, Yes—some, A few, but we track them, No
      • Describe an example of a pipeline or process that routinely creates downstream copies—what tools, teams, and handoffs are involved?
      • Who currently holds operational responsibility for tracing lineage when an issue arises (role/team)? Options: Data Engineering, Platform/Infrastructure, Data Governance/Stewardship, Security/Privacy, No clear owner
      • Which of the following best describes your current method for tracking where customer PII lives? Options: Spreadsheets/manual inventory, Partial automated discovery, Enterprise catalog (limited scope), No formal method

      What Would Passing an Examiner Actually Feel Like?

      • If an examiner demanded evidence, which artifacts would convince you that the answer is rock-solid? Options: Column-level lineage diagrams, Time-stamped audit logs of enforcement, Automated scan reports with screenshots, Reproducible queries that validate inventory, Signed attestation from data owners
      • What minimum catalog coverage percentage (by systems, tables, or lineage hops) would you need to accept a POC as successful? Options: >90%, 75–90%, 50–75%, <50% or unsure
      • How deep does lineage need to go for you to feel comfortable—surface-level system mapping, table-level, or column-to-column with transformation detail? Options: System and table-level, Column-level with basic transformations, Column-to-column with full code details, Depends on domain
      • Which enforcement outcomes would you need demonstrated during the POC to present to GC and the examiner? Options: Automated deletion across copies, Masking in analytics, Retention enforcement with proof, Policy violations flagged for remediation
      • Who must sign off on the POC acceptance—list names/roles and their top concern (e.g., GC: evidentiary sufficiency)?

      If We Run a 60‑Day Proof, What’s Non‑Negotiable?

      • What CTO or platform constraints would immediately disqualify a vendor or POC approach? Options: Requires pipeline refactor, Adds measurable latency to production, Requires privileged DB access we won't grant, Installs persistent agents, Other
      • Which type of production access can you realistically grant for a controlled POC (read-only credentials, service account, metadata-only, other)? Options: Read-only DB credentials, Service account with scoped permissions, Metadata/connector access only, No production access allowed
      • What windows or maintenance schedules must we work around to run crawlers or scans without impacting teams?
      • If we request a temporary connector or role for 60 days, what security checks or approvals will that require (list stakeholders)?
      • What rollback or emergency controls do you require to feel safe authorizing crawling against production systems? Options: Kill-switch for connectors, Read-only enforcement guarantee, Monitoring and alerting to ops, Pre-approved runbook for issues, Other

      Where Does Enforcement Need to Happen Without Drama?

      • Which enforcement actions matter most to your compliance team during a POC—deletion, masking, quarantine, or policy flagging? Options: Automated deletion, Masking/anonymization, Quarantine or freeze, Policy violation alerts only, Other
      • Have you had situations where enforcement in one system caused problems downstream (e.g., stopped reporting or broke dashboards)? Tell us about one.
      • How do you expect a governance platform to coordinate enforcement across heterogeneous systems—fully automated, human-in-the-loop, or hybrid? Options: Fully automated, Human-in-the-loop, Hybrid
      • What SLAs or time-to-action would be required for an automated enforcement (e.g., delete propagated within 24 hours)? Options: Immediate (minutes), Within hours, Within 24 hours, Within days, Unsure
      • What evidence of enforcement will satisfy auditors—time-stamped logs, replayable actions, signed attestations, or other artifacts? Options: Time-stamped audit logs, Replayable action scripts, Screenshots/reports, Signed attestation from data owner, Other

      What Will Integration Actually Look Like for Your Teams?

      • Who will own day-to-day POC operations on your side (names/roles) and who will be the escalation contact?
      • What internal teams must be engaged for connectors, network approvals, or security reviews? Options: Data Engineering, Platform/Infra, Security/InfoSec, Legal/Privacy, Business/Data Owners, Third-party vendors
      • What monitoring and reporting do your engineers want during the POC to feel in control (latency metrics, error rates, resource usage)?
      • If integration required a short runbook or playbook, what three items must be included for your ops team to allow it?
      • Which teams should receive automated alerts versus which should get summary reports? Options: On-call/platform ops (alerts), Data engineering (alerts + reports), Data governance/stewards (reports), Execs (summary only), Legal/Privacy (reports)

      Deciding Risks, Rewards, and Red Lines

      • What contractual or legal constraints would make you decline a POC even if the technology validated every claim (data residency, audit rights, liability caps)?
      • What minimum privacy and security controls must a vendor demonstrate before legal allows access to production metadata or systems? Options: SOC2/ISO certification, Encryption-in-transit and at-rest, Third-party pentest report, Scoped access with short-lived creds, Other
      • How will GC evaluate the sufficiency of examiner-ready evidence—what format and sign-offs are required? Options: Formal report + logs, Signed attestation + supporting logs, Replayable evidence bundle, Other
      • Are there any internal procurement or contract clauses (e.g., indemnities, IP, data handling) that are absolute non-starters?
      • If a technical approach required a minor contract amendment to enable production connectivity, how long would legal typically take to review? Options: <1 week, 1–2 weeks, 3–4 weeks, Longer

      What Would Make You Say Yes—Right Now?

      • If we could guarantee non-disruptive discovery, column-level lineage for one high-risk domain, and examiner-ready artifacts in 60 days, what remaining concern would still stop you from greenlighting the POC?
      • What practical first step would you be willing to commit to this quarter (e.g., sign off on scope, provide read-only creds to two systems, schedule an integration call)? Options: Approve POC scope, Provide credentials to 1–2 systems, Schedule technical kickoff, Legal starts review, Unsure
      • Who are the decision-makers and what is the decision process/timeline for moving from POC to enterprise license?
      • What would you like us to prepare next—a focused scope doc, security questionnaire responses, or a technical integration checklist? Options: Scope doc for domain, Security & compliance pack, Connector integration checklist, Detailed POC timeline & milestones
      • On a scale of 1–10, how ready do you feel to begin a limited production POC after we've addressed the items above? Options: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10
  2. Outcome Discovery

    Define measurable acceptance criteria (catalog coverage, lineage depth, enforcement actions) for the POC.

    Discovery Questions

    Quick Grounding — Who’s driving this POC?

    • Which role best describes the person completing this form? Options: Chief Data Officer (CDO), General Counsel (GC), Chief Technology Officer (CTO), Head of Data Engineering, Privacy Officer/Data Protection Officer, Audit/Compliance Lead, Other
    • What triggered this POC right now? Options: Regulatory examination finding, Internal audit gap, Recent data incident, Board or executive request, Vendor replacement initiative, Other
    • When does the examiner expect an answer (or when would you like the POC completed)? Options: Within 30 days, 31–60 days, 61–90 days, More than 90 days, No fixed date yet
    • How confident are you, today, that you can produce an inventory and lineage that satisfies the examiner within your desired timeline? Options: Very confident, Somewhat confident, Unsure, Not confident
    • Briefly describe in your own words what a successful 60-day outcome would look and feel like to you (who celebrates, what gets notarized, what worry disappears).

    If an Examiner Asked for Everything Tomorrow, Where Would You Stumble?

    • If an examiner demanded a complete, auditable list of all systems processing customer personal information tomorrow, what specific items would you not be able to show? Options: Complete system inventory, Column-level catalog entries, End-to-end lineage, Proof of deletion/retention enforcement, Policy enforcement logs, Other
    • Approximately what percent of systems that process customer personal information are currently inventoried in any tool or spreadsheet? Options: 0–10%, 11–30%, 31–60%, 61–80%, 81–100%, Unknown
    • Where do you feel the greatest uncertainty comes from — unknown systems, duplicate copies, third-party platforms, or transformation pipelines? Options: Unknown/undocumented systems, Copies/backups/snapshots, Third-party/partner platforms, ETL/streaming transformations, Ad hoc analytics and notebooks, All of the above
    • Tell us a concrete example of a time the team tried to locate a customer record: what happened and how long did it take?
    • How does this uncertainty make you feel when you think about an upcoming examination (e.g., anxious, resigned, motivated to fix it)? Options: Anxious/urgent, Frustrated/resigned, Motivated to change, Skeptical it can be fixed quickly, Other

    Where Data Hides — Platforms, Pipelines, and Pain

    • Which of the following data platforms are in your environment and must be discoverable during the POC? Options: Relational DBs (Oracle, SQL Server, Postgres), Cloud warehouses (Snowflake, Redshift, BigQuery), Data lakes (S3/ADLS), Streaming platforms (Kafka), Analytics tools (Looker, Tableau), NoSQL (Cassandra, DynamoDB), SaaS apps (Salesforce, Workday), Other
    • Where do you most suspect column-level lineage will break or be incomplete (SQL transforms, Spark jobs, BI tools, ETL tools, or code notebooks)? Options: SQL transformation chains, Spark/Databricks jobs, ETL/orchestration tools (Informatica, Fivetran), BI tool calculations, Python/Scala notebooks and custom code, All likely problematic
    • How long does it typically take your team to trace lineage from a reporting column back to its source today? Options: Hours, Days, Weeks, Never could fully trace, Depends on the dataset
    • Which of these hidden sources worry you most because they're frequently missed by inventories? Options: Ad-hoc tables/temporary schemas, Archived backups and snapshots, Third-party vendor exports, Staging areas in cloud storage, Analyst notebooks/CSV dumps, Other
    • Describe a place in your stack you suspect contains PII but haven’t been able to prove it — why is it hard to include that source today?

    How Much Coverage and Depth Would Actually Change the Conversation?

    • At day 60, what minimum catalog coverage would make you comfortable calling the POC successful? Options: 20–40% of production systems, 41–60%, 61–80%, 81–95%, Nearly complete (95–100%), Not sure / need guidance
    • For lineage, what depth is non-negotiable for examiners: table-level only, column-level within top pipelines, or full column-level across all discovered pipelines? Options: Table-level only, Column-level for prioritized pipelines, Full column-level across discovery scope, Process/step-level provenance required, Unsure—need vendor recommendation
    • Which enforcement outcomes must be demonstrable during the POC for you to consider it meaningful? Options: Detection/alerts only, Masking or tokenization on read, Automated retention deletion, Blocking exports or shares, Proof of policy application (audit trail)
    • What maximum false positive rate (incorrectly flagged PII) would be acceptable during the POC before it becomes operationally harmful? Options: <1%, 1–5%, 6–10%, 11–20%, Unacceptable at any rate
    • Are there specific datasets, business units, or regulatory scopes we should prioritize to prove value quickly? Please list them.

    What Does 'Examiner-Ready Evidence' Mean to You?

    • Imagine the examiner asks for proof—what artifact would make you feel confident (pick all that apply)? Options: Exported catalog with timestamps and schema, Column-level lineage diagrams with transformations, Policy enforcement logs with before/after actions, Deletion receipts with data identifiers, Automated evidence package (PDF/CSV), Signed attestation from data owners
    • What format do your examiners prefer for evidence: raw exports, visual diagrams, annotated screenshots, or official audit packages? Options: Raw CSV/JSON exports, Visual lineage diagrams, Annotated screenshots with context, Formal audit package with chain-of-custody, A combination
    • How quickly must you be able to produce those artifacts when asked (while under examination)? Options: Within 24 hours, 1–3 business days, Up to two weeks, Longer than two weeks
    • Who in your organization must sign off on examiner artifacts (roles or titles)?
    • Describe any prior experience where submitted artifacts were rejected by an examiner — what was missing?

    Breaking Assumptions — Integrations, Non-Disruption and the CTO Bar

    • What integration assumptions would you be surprised to learn are necessary and that could derail the POC? Options: Network/VPC changes, Privileged credentials required, Write-capable connectors, Pipeline refactoring, Agent installation on hosts, None—we expect read-only connectors
    • Which of the following CTO constraints must the POC respect? Options: Read-only connectors, No added latency to data pipelines, No code changes to ETL, Limited number of service accounts, No run in production windows outside approved windows, Full encryption in transit and at rest
    • What security or legal approvals are gating connector access (e.g., InfoSec signoff, encryption proofs, third-party risk)? Options: InfoSec approval, Legal/contract review, Third-party risk assessment, Data owner approvals, Privacy impact assessment, None currently required
    • How do you feel about granting read-only production access for automated crawling—comfortable, cautious, or opposed? Please explain briefly. Options: Comfortable, Cautious (need controls), Opposed without extra safeguards
    • If the CTO asks for a rollback plan, what minimum elements must it include (e.g., connector disable, logs purge, access revocation)? Options: Immediate connector disable, Audit log of actions, No changes to source data, Proof of non-disruption testing, Formal sign-off steps
    • List any platform or compliance constraints (e.g., data residency, encryption keys, SOC2/HIPAA controls) that could affect connector design.

    Who Owns What — Responsibilities, Acceptance Tests, and Escapes

    • Which acceptance tests must be owned or co-owned by your team during the POC (pick all that apply)? Options: Catalog completeness verification, Column-level lineage accuracy checks, Policy enforcement test cases, Performance/non-disruption tests, Evidence packaging and sign-off
    • Who will be the primary point of contact for day-to-day coordination (name/title)?
    • Which teams must be available for short technical workshops during the POC (select all that apply)? Options: Data Engineering, SecOps/InfoSec, Legal/Privacy, Business Data Owners, Platform/Cloud Operations, Analytics/BI team
    • What would be a deal-breaker action or finding that would cause you to stop the POC early? Options: Unexpected production impact, Unacceptable data exposure, Inability to produce examiner artifacts, Unresolved security concerns, Commercial/legal hurdle
    • If the POC succeeds, what is the realistic near-term next step you’d expect (enterprise license, phased rollout, deeper integration)? Options: Enterprise license purchase, Phased rollout to other domains, Additional integration proof-of-concepts, Extended trial with more systems, No immediate plan
    • What operational cadence do you prefer for POC checkpoints (weekly demo, bi-weekly review, milestone sign-offs)? Options: Weekly demo and feedback, Bi-weekly review, Milestone sign-offs only, Ad hoc as needed

    The Evidence Playbook — Formats, Timelines, and Signatures

    • Which types of evidence must be included in the final POC package for examiner review? Options: Timestamped catalog export, Column-level lineage export, Policy enforcement logs and screenshots, Change-history and audit trail, Signed attestation from data owners, Technical runbooks
    • Who must review and sign the final POC evidence package before it’s shared with an examiner? Options: CDO, GC/Privacy Counsel, CTO/Platform Lead, Data Owner(s), Head of Compliance, Other
    • What retention window for evidence is required for regulatory purposes (how long must we keep POC artifacts)? Options: 90 days, 1 year, 3 years, As per regulatory guidance (specify), Unsure—need guidance
    • How would you like evidence delivered if an examiner requests it—via secure export, shared portal, or formal package delivery? Options: Secure downloadable export, Shared evidence portal with access controls, Formal PDF package with signatures, On-site presentation only
    • What is your tolerance for iterative evidence requests from the examiner (e.g., expect 1 follow-up, multiple rounds, or live walkthrough only)? Options: One follow-up expected, Multiple rounds likely, Prefer live walkthrough over follow-ups, Unsure
    • If an artifact needs additional context for the examiner, who will provide the narrative (technical lead, CDO, GC)? Options: Technical lead / Data Engineer, Chief Data Officer, General Counsel / Privacy, Joint response
  3. Solution Experience

    Use the customer’s systems and a high-risk data domain to demonstrate outcome delivery: automated discovery, column-level lineage, and enforcement producing examiner-ready evidence.

    Experience Meetings

    • Solution Experience Pre-brief (Alignment & Success Criteria)
    • Data & Systems Validation (Pre-crawl Technical Check)
    • Live Solution Experience — Discovery & Column-level Lineage
    • Live Solution Experience — Enforcement Actions & Examiner Evidence
    • Solution Experience Wrap-up & Acceptance Review
    • Compliance to sign-off sample examiner artifact template or provide required edits within 48 hours.
    • Record any gaps and immediate remediation steps to reach acceptance criteria.
    • Engineering to document any missing connectors or lineage gaps observed during the live run and propose fixes.
    • Security/CTO to confirm the lineage method meets internal integration/latency constraints or list objections.
    • Schedule a targeted follow-up to resolve high-priority gaps identified in the session.
    • Recap Enforcement Acceptance Criteria
    • Demonstrate enforcement actions applied across discovered assets and linked via lineage to all downstream copies.
    • Deliver and validate that examiner-ready artifacts contain the required fields and chain-of-custody evidence.
    • Confirm with CTO that enforcement methods do not introduce unacceptable latency or require pipeline refactoring.
    • Capture any remaining legal/compliance questions about artifact formats or retention windows.
    • Introductions & Meeting Objectives
    • Engineering to provide a reproducible runbook for enforcement execution and rollback controls.
    • Customer to confirm whether production enforcement will be allowed during the POC or limited to non-prod copies.
    • Security to approve the evidence export process and retention of audit logs.
    • Measured Outcomes vs Acceptance Criteria
    • Obtain explicit acceptance (or a prioritized remediation list) against the POC success criteria from CDO/GC/CTO.
    • Agree a clear remediation plan for any failed acceptance items with owners and deadlines.
    • Decide next commercial/legal/operational steps (enterprise pilot, contract, or closure).
    • Establish communication plan for examiner engagement and artifact handover.
    • Produce final POC results packet (coverage metrics, lineage snapshots, enforcement evidence) and circulate to stakeholders.
    • Customer signatories (CDO/GC/CTO) to sign acceptance or the remediation plan within agreed SLA.
    • Schedule Validation Checklist meeting to verify remediation items are closed before final handover to production.
    • Assign single point-of-contact for examiner interactions and artifact delivery.
    • Create a single-sentence current state that all stakeholders accept.
    • Surface and quantify the regulatory / operational consequence driving urgency.
    • Agree a one-sentence future state (the outcome the experience must prove).
    • Lock the POC scope, acceptance criteria, and technical access checklist with named owners and deadlines.
    • Customer to provide the definitive one-sentence current state and a one-paragraph description of the regulatory finding for the live session.
    • Customer to sign and return the POC scope & acceptance criteria document (including named signatories: CDO, GC, CTO).
    • Engineering to confirm supported connectors required for listed systems and any sandbox/non-prod endpoints for demonstration.
    • Schedule dates for pre-crawl validation and the two live Solution Experience sessions.
    • Recap of Agreed Current/Future State & Evidence Needs
    • Ensure all in-scope systems are reachable with appropriate non-disruptive permissions.
    • Agree the concrete list of datasets and owners for the high-risk domain to be used in the live session.
    • Validate a metadata dry-run produces usable inventory entries without impacting production.
    • Confirm exact format and required fields for examiner-ready evidence artifacts.
    • Customer IT to provide test credentials/endpoints and open any required network rules for the dry-run account.
    • List and confirm dataset owners and sign-off emails for each in-scope asset.
    • Engineering to deliver dry-run results and a short support plan for any failed connectors.
    • Legal/Compliance to confirm the exact evidence fields the examiner will accept and share a sample examiner checklist if available.
    • Customer data owners to validate discovered mappings and mark any false positives/negatives.
    • One-sentence Current State Recap & Outcome to Prove
    • Demonstrate that automated discovery uncovers a meaningful portion of the in-scope PII inventory without manual registration.
    • Prove column-level lineage across heterogeneous pipelines for representative flows to the satisfaction of data owners and the CTO.
    • Obtain explicit validation (or precise exceptions) from CDO/GC/CTO that results map to the problem statement.
    • One-sentence Current State (Diagnosis)
    • Capture Lessons, Gaps & Remediation Plan
    • Live Automated Discovery Results — Inventory Coverage
    • Connector & Credential Walkthrough
    • Controlled Enforcement Demonstration
    • Produce & Review Examiner-ready Evidence Artifacts
    • Mutual Commit & Next Steps
    • Column-level Lineage Walkthrough (Representative Flows)
    • Sample Dataset & High-Risk Domain Mapping
    • Explicit Consequence
    • Tie Back to Problem — Demonstrate Consequence Mitigation
    • Dry-run Metadata Crawl / Smoke Test
    • One-sentence Future State (Success Outcome)
    • Operational Integration & Monitoring
    • Assign Owners, Deliverables & Schedule
  4. Solution Scope

    Define the POC scope, modules (discovery, lineage, policy), responsibilities, and acceptance tests.

    Scope Configuration

    • Deploy Database and Warehouse Connectors
    • Deploy Cloud Object Storage Scanners
    • Deploy Analytics and BI Platform Connectors
    • Deploy Streaming and Messaging Connectors
    • Run Column-Level PII Identification
    • Extract SQL-Based Column Lineage
    • Extract Code-Based Column Lineage
    • Assemble Unified Column-Level Lineage Graph
    • Deploy Policy Enforcement Engine (Retention/Masking/Deletion)
    • Activate Automated Deletion and Masking Workflows
    • Install Non-Intrusive Integration Adapters
    • Enable Data Subject Request Fulfillment Automation
    • Deploy Examiner-Facing Audit Evidence Exports
    • Enable Real-Time Catalog Sync and Change Detection

    Scope Questions

    Deploy Database and Warehouse Connectors

    • Do you want databases and cloud warehouses included in the POC connector scope? Options: Yes, No
    • Which database/warehouse platforms must be crawled? Options: Oracle, SQL Server, Postgres, MySQL, Snowflake, Redshift, BigQuery, Databricks, Other
    • How many distinct database instances, clusters, or warehouses should be connected in the POC? Options: 1-5, 6-20, 21-100, 100+
    • What connectivity model is available for connectors (choose one)? Options: Direct read-only JDBC/ODBC, Service-account privileged connector, Connector via bastion/jumpbox, Only API-based access
    • Are there any performance or maintenance windows that restrict connector runs? Options: No constraints, Nightly only, Specific maintenance windows (specify below), Cannot run on production without approval
    • List databases, schemas, or instances that must be excluded or that contain regulated/sensitive workloads (free text).

    Deploy Cloud Object Storage Scanners

    • Should cloud object stores be scanned in the POC? Options: Yes, No
    • Which object storage platforms should be included? Options: Amazon S3, Azure Blob Storage, Google Cloud Storage, Alibaba OSS, Other
    • Approximately how many buckets/containers or total objects should the scanner handle during the POC? Options: <100 buckets, 100-1,000 buckets, 1,000-10,000 buckets, 10,000+ buckets
    • What credential model is preferred for scanning buckets? Options: IAM role (recommended), Access keys, Temporary STS tokens, Via proxy/ingress
    • Are there encryption, VPC, or private endpoint constraints for accessing object stores? Options: No, Yes — private endpoints/VPC required, Yes — must use proxy/jumpbox
    • Are there specific bucket prefixes, archive layers, or file types to prioritize or exclude? (free text)

    Deploy Analytics and BI Platform Connectors

    • Do you want BI and analytics platforms scanned for data sources and queries? Options: Yes, No
    • Which analytics/BI platforms should be connected? Options: Tableau, Power BI, Looker, Qlik, MicroStrategy, Superset, Other
    • Should connector access include dashboard/report definitions and underlying SQL/query text? Options: Yes — include queries, No — metadata only, Partial — dashboards only
    • How many workspaces, accounts, or report repositories should be scanned? Options: 1-5, 6-25, 26-100, 100+
    • Are there governance restrictions (e.g., PII redaction) when exporting report definitions or queries? Options: No restrictions, Yes — redact before export, Yes — cannot export queries
    • List any vendor-specific admin roles, API tokens, or IP allowlists required for access (free text).

    Deploy Streaming and Messaging Connectors

    • Should streaming and messaging systems be included in the POC? Options: Yes, No
    • Which streaming/messaging technologies do you use? Options: Apache Kafka, AWS Kinesis, Apache Pulsar, RabbitMQ, Google Pub/Sub, Other
    • How many topics/streams or partitions should be assessed during the POC? Options: <50, 50-250, 251-1,000, 1,000+
    • Can the connectors consume from streams in a non-destructive, read-only manner (consumer groups) or is alternative access required? Options: Read-only consumer allowed, Must use mirror or sniffer, Access restricted — require engineering support
    • Is there a Schema Registry or Avro/Protobuf definitions available to assist field-level mapping? Options: Yes — Schema Registry available, Partial — some schemas available, No
    • Are there data retention or throughput concerns that would limit continuous stream sampling? (free text)

    Run Column-Level PII Identification

    • Do you want automated column-level PII/Personal Data identification in the POC? Options: Yes, No
    • Which detection techniques are acceptable for the POC? Options: Pattern/regex-based, Dictionary/lookup-based, ML-based (probabilistic), Hybrid
    • Are there custom corporate identifiers, taxonomies, or regex patterns we should apply? Options: None, Yes — provide patterns, Yes — need to discover first
    • What false-positive tolerance is acceptable for PII tagging during the POC? Options: Low (prioritize precision), Balanced, High recall (find everything)
    • Which data domains are highest priority for PII identification (e.g., customer personal info)? Options: Customer personal data, Employee records, Transaction data, Third-party data, Other
    • Are any columns or tables excluded from content inspection for privacy or legal reasons? Please list.

    Extract SQL-Based Column Lineage

    • Should SQL-based transformations and jobs be included for column-level lineage extraction? Options: Yes, No
    • Which sources of SQL text are available? Options: dbt models, Stored procedures, Materialized views, Query history/logs, ETL tool job definitions, Other
    • Approximately how many transformation jobs, stored procs, or dbt models should be analyzed? Options: <100, 100-500, 501-2,000, 2,000+
    • Is full access to query text/logs available, or are only summaries/metadata available? Options: Full query text available, Partial — some queries redacted, Only metadata/query hashes
    • Do you require lineage that traces through intermediate/staging tables and temp objects? Options: Yes — include staging/temp, No — only persistent tables, Partial — specify exceptions
    • List any transformation frameworks or scheduling systems (e.g., Airflow, dbt, Informatica) and access constraints (free text).

    Extract Code-Based Column Lineage

    • Do you want lineage extracted from code-based pipelines (e.g., Spark, Python ETL)? Options: Yes, No
    • Which languages and frameworks should be analyzed? Options: Spark (PySpark/Scala), Python scripts, Java, Flink, Dataflow, Custom containers
    • Where is pipeline code stored and can we access repositories for static analysis? Options: Git repos (accessible), Git repos (restricted), No repo access — only deployed artifacts, Other
    • Is instrumentation (runtime tracing) allowed for extracting lineage, or is static analysis required? Options: Instrumentation allowed, Static analysis only, Prefer static but can negotiate instrumentation
    • How many distinct ETL jobs or code-based pipelines should be in-scope for the POC? Options: <50, 50-200, 201-1,000, 1,000+
    • List any packaging or runtime constraints (e.g., serverless, containers, restricted clusters) that affect code access (free text).

    Assemble Unified Column-Level Lineage Graph

    • Do you require a unified, cross-platform column-level lineage graph for the POC deliverable? Options: Yes, No
    • What lineage depth is required (choose one)? Options: One-hop (source->target), Multi-hop (full upstream/backtrace), End-to-end with transformations annotated
    • What percentage coverage of high-risk assets is the acceptance target for the POC? Options: 25-50%, 51-75%, 76-90%, 90%+
    • Do you need lineage to show column-level transformations (expressions, masking, joins) or only mapping relationships? Options: Full transformation details, Mapping only, Mapping plus notes where available
    • Which export or visualization formats are required for reviewer consumption? Options: Interactive web graph, PDF diagrams, CSV/edge list, Graph database export (Neo4j), Other
    • Are there specific consumers (e.g., examiners, auditors, data owners) who require tailored views of the lineage? List roles and needs.

    Deploy Policy Enforcement Engine (Retention/Masking/Deletion)

    • Should policy enforcement (retention, masking, deletion) be part of the POC scope? Options: Yes — full enforcement, Yes — policy simulation only, No
    • Which policy types must be supported during the POC? Options: Time-based retention, PII masking, Conditional deletion, Access-based masking, Other
    • Do you require policies to run in automatic (enforce) mode or in audit/simulation mode during the POC? Options: Automatic enforce, Audit/simulation only, Hybrid (staged)
    • Are there legal, compliance, or business holds that must prevent automatic deletion for certain assets? Options: No holds, Yes — list holds separately, Partial — some assets held
    • What masking techniques are acceptable (choose any)? Options: Tokenization, Deterministic hashing, Format-preserving encryption, Redaction/NULLing, Pseudonymization
    • Describe approval workflows or segregation-of-duty requirements for policy changes or enforcement actions (free text).

    Activate Automated Deletion and Masking Workflows

    • Do you want fully automated deletion/masking executed during the POC or only test runs with manual approval? Options: Fully automated, Manual approval required, Test-only (no destructive action)
    • What retention windows or deletion criteria should be demonstrated in the POC? Options: Time-based (e.g., 7 years), Event-based (e.g., account closure), DSAR-triggered, Other
    • Are backups, archives, or replicas in scope for deletion/masking, or will those be excluded? Options: Include backups/replicas, Exclude backups/replicas, Include only when specified
    • What rollback controls and test validation are required before executing destructive actions? Options: Dry-run report, Staged approval (multiple approvers), Rollback snapshot required, Other
    • Who are the approvers and owners for deletion/masking actions (roles/emails) and are they available during the POC?
    • List any regulatory or legal constraints that prevent automated deletion for certain datasets (free text).
  5. Mutual Commit

    Finalize commercial and legal terms, CTO integration constraints, and confirm readiness to execute the POC.

    Agreement Modules

    • Non-Disclosure Agreement (NDA)
    • Master Services Agreement (MSA)
    • Statement of Work (SOW) — POC
    • Order Form & Commercial Terms
    • Technical Integration Addendum (CTO Constraints)
    • Data Processing Agreement (DPA) / Privacy Addendum
    • Security & Compliance Addendum
    • POC Acceptance Criteria & Test Plan
    • Implementation Schedule & Responsibility Matrix
    • Rollback, Safeguards & Non-Disruption Agreement
    • Change Order / Scope Amendment
    • Termination & Exit Plan
    • Intellectual Property & Source Escrow
    • Executive & Legal Sign-off Checklist
    • Insurance, Indemnity & Liability Schedules
  6. Deployment

    Operationalize rollout with readiness checks, enablement, and outcome validation.

    1. Pre-Deployment Readiness

      Validate production access, non-disruptive connector plans, data owner sign-offs, and rollback controls before crawling.

      Readiness Questions

      Quick Win: Who's Already Caring About This?

      • Who will be the core team evaluating and signing off on this POC? (pick all that apply) Options: Chief Data Officer (CDO), General Counsel (GC)/Privacy, Chief Technology Officer (CTO), Head of Data Engineering, Security/InfoSec, Business Unit Owner, Compliance Officer, Other
      • Who is the single point of accountability for moving the POC forward? Options: CDO, GC/Privacy, CTO, Head of Data Engineering, Compliance Officer, Other
      • What is the regulatory/exam timeline we are trying to meet? (choose the range closest to your deadline) Options: Urgent: <30 days, Short: 30–60 days, Medium: 61–120 days, Long: >120 days, No fixed deadline
      • Which single outcome would make you feel this POC was a clear success at day 60? Options: Complete inventory of systems holding customer PII, Column-level lineage for a high-risk domain, Automated enforcement evidence for retention/deletion, Repeatable deployment pattern for production connectors, Other
      • If you could summarize one worry you hope this POC will remove, what would you say?

      If an Examiner Called Right Now, What Would You Do?

      • If an examiner demanded a full inventory of every system holding customer personal data today, what would your first reaction be?
      • How are inventories and system registries created at your institution today? Options: Manually maintained spreadsheets, Internal tooling/catalog, Ad hoc team knowledge, Partially automated discovery, Third-party vendor list, Other
      • What confidence level would you give your current inventory if inspected by an examiner? (estimate) Options: Very high (90–100%), High (75–89%), Moderate (50–74%), Low (25–49%), Very low (<25%)
      • What specific blockers prevent you from being able to answer the examiner within the requested timeframe? (select all that apply) Options: Lack of automated discovery, No column-level lineage, Disconnected ownership across teams, Incomplete access to production systems, Lack of documented retention/deletion evidence, Legal/privacy concerns, Other
      • When you think about the last time you failed to meet an information request, what emotion best describes the leadership reaction? Options: Urgent alarm/panic, Frustration and blame, Pragmatic problem-solving, Minimization/deny risk, Embarrassment/pressure

      Where Your Customer Data Is Actually Living (and Hiding)

      • Which data platforms and locations do you expect to contain customer PII for the POC? (select all that apply) Options: On-prem relational DBs (Oracle, SQL Server), Cloud warehouses (Snowflake, Redshift, BigQuery), Data lakes (S3/ADLS) and lakehouses, NoSQL stores (Cassandra, MongoDB), ETL/ELT pipelines (Airflow, dbt, Spark), BI/analytics tools (Looker, Tableau), Message/event systems (Kafka), Other
      • Roughly how many distinct ingestion/transformation pipelines move customer data between systems in scope? Options: <10, 10–25, 26–50, 51–100, >100, Don't know
      • Which copies of data (backups, snapshots, downstream marts) are you most worried examiners will ask about? Options: Production backups/snapshots, Analytic copies/marts, Archived storage (tapes, cold storage), Third-party processors/partners, Shadow systems/spreadsheets, Don't know
      • How do you currently trace data at the column level through transformations and joins? Options: Manual mapping by engineers, Partially automated lineage, No column-level lineage available, Vendor tooling, We rely on sample queries/reports
      • Please list any high-risk data domains or example tables/fields we should prioritize for discovery in the POC (e.g., customer identifiers, SSNs, account numbers).

      The Moments That Break Trust — Tell Us a Story

      • Describe a specific incident where a data request, deletion, or policy enforcement failed — what happened?
      • How often do incidents like that occur (estimate)? Options: Multiple times/month, Monthly, Quarterly, Yearly, Rarely
      • Which impacts from that incident mattered most? (select all that apply) Options: Regulatory fines/penalties, Operational downtime, Executive escalations, Customer harm/reputational risk, Remediation engineering cost, Legal exposure
      • Who typically owns investigation and remediation when these issues appear? Options: Data engineering, Security/InfoSec, Legal/Privacy, Compliance, Business unit, Cross-functional task force
      • How long did it take (or would it take) to produce examiner-ready evidence about that incident? Options: Hours, Days, Weeks, Months, Unable to produce

      Why You've Stayed With Manual Processes (Even If You Hate Them)

      • What's the real reason a spreadsheet or tribal-knowledge approach has persisted here?
      • Which of these barriers best describe why automation hasn't scaled for you? (select all that apply) Options: Engineering bandwidth and priorities, CTO's integration concerns, Fear of disrupting pipelines, Data classification uncertainty, Lack of trust in vendor accuracy, Legal/privacy approval delays, Other
      • Have you trialed automated discovery or lineage tools before? If yes, what went wrong or what surprised you? Options: No prior trials, Yes — missed assets, Yes — produced inaccurate lineage, Yes — integration caused latency, Yes — stakeholder buy-in failed, Other
      • What technical assurances or guardrails would meaningfully reduce CTO resistance to connecting production systems? Options: Read-only connectors, Non-disruptive crawl windows, Limited-scope discovery first, Proof of zero added latency, Detailed rollback plan, Security architecture review
      • If you were to adopt automation, what internal change would be hardest for your teams? Options: Shifting ownership from spreadsheets, Trusting automated lineage, Maintaining connectors, Interpreting enforcement evidence, Changing incident response playbooks, Other

      If This POC Is Perfect at Day 60, What Will Be on the Table?

      • List the top 3 pieces of examiner-ready evidence you must be able to produce at the end of the POC. Options: Complete asset inventory report, Column-level lineage diagrams for scoped domain, Time-stamped enforcement action logs (deletions/masking), Access and connector logs, Policy rule definitions and exceptions, Other
      • What minimum catalog coverage would you accept for the scoped domain by day 60? Options: >90%, 75–90%, 50–74%, <50%, Coverage not the primary metric
      • For lineage, what level of detail is required to satisfy examiners and legal? (choose one) Options: Column-level end-to-end with code links, Column-level to table-level mapping, Field-level to dataset-level, Process-level lineage only, Unsure — need guidance
      • Which enforcement actions must be demonstrable during the POC to convince GC? (select all that apply) Options: Automated deletion with tamper-evident logs, Masking/redaction with audit trail, Retention policy evaluation and flagging, Reconciliation of deletion across downstream copies, Manual remediation playbook with evidence
      • Which single high-risk domain should we run first in the POC to prove value (e.g., customer PII, loan accounts, payments)? Options: Customer PII (names, SSNs), Account and transaction data, Loan and underwriting data, Claims and policyholder data, Third-party/shared data, Other
      • If you selected a percentage or metric above, please explain why that threshold is meaningful to your regulator or leadership.

      Operational Safety: What Keeps Engineering Up at Night?

      • What is the single production safety concern engineering will raise to delay the crawl?
      • Which access and authentication patterns will we need to support for connectors? (select all that apply) Options: IAM roles/service accounts, Database read-only users, VPC peering/private endpoints, SAML/SSO-backed access, Key-based access to object storage, Other
      • Do you require connector designs that are guaranteed non-disruptive or sandboxed? If so, which option best describes your requirement. Options: Read-only non-intrusive connectors required, Sandboxed copy of data acceptable, Limited rate-limited crawls OK, No special requirement
      • Who must approve production access and what is the typical approval lead time? Options: CTO/Platform team (days), Security/InfoSec (days), Data Engineering (hours–days), Legal/Privacy (days–weeks), Cross-functional committee (weeks)
      • What rollback or mitigation controls would make the team comfortable if something looked wrong during discovery? Options: Immediate stop/cancel crawl, Scoped discovery only (sample data), Pre-approved snapshot windows, Automated rate-limiting and retries, Full audit and rollback plan documented

      Decisions, Communication, and What ‘Good’ Governance Looks Like

      • What would make you feel this POC is a partnership, not just a vendor trial?
      • Which stakeholders need to be included in weekly POC updates? (select all that should be present) Options: CDO/POC Sponsor, GC/Privacy Rep, CTO/Platform Lead, Data Engineering Lead, Security/InfoSec, Compliance Officer, Business Unit Owner, Other
      • What cadence and format do you prefer for status—standups, weekly demos, or asynchronous reports? Options: Daily standup, Twice-weekly sync, Weekly demo & report, Biweekly summary, Asynchronous written reports only
      • After a successful POC, what immediate decision will leadership need to make? Options: Proceed to enterprise license, Expand domain-by-domain for 6 months, Pilot a second domain, Pause for security/legal review, Undecided
      • What contractual/commercial or legal conditions absolutely must be in place before you can start connectors into production? Options: Standard SaaS contract, Data processing agreement (DPA), Security questionnaire passed, Limited liability/indemnity clauses, Specific SLAs/uptime guarantees, Other
      • Realistically, when could your team be ready to start the first non-disruptive crawl if approvals align? Options: Immediately (within 1 week), 2–4 weeks, 1–2 months, More than 2 months, Unknown
    2. Deployment Enablement

      Schedule crawler runs, assign owners, coordinate engineering windows, and monitor latency and system impact.

    3. Validation Checklist

      Verify catalog completeness, column-level lineage accuracy, and enforcement actions; produce examiner-ready evidence artifacts.

      Validation Questions

      Quick Introductions — Who's In The Room?

      • Who are the people we should loop into the POC conversation (name, role, and primary decision authority)?
      • What's the single business event that kicked off this evaluation (regulatory finding, audit, merger, other)? Options: Regulatory examination finding, Internal audit gap, Merger / acquisition, Project to modernize governance, Other
      • Which executive sponsors will sign off on the POC outcome (select all that apply)? Options: Chief Data Officer (CDO), General Counsel (GC), Chief Technology Officer (CTO), Head of Privacy, Head of Security, Business Unit Leader, Other
      • What is your ideal target date to start the 60-day POC? Options: Immediately (within 2 weeks), In 2–4 weeks, In 1–2 months, Later than 2 months, Unsure
      • Do you currently have an existing data inventory or catalog that we should import or compare against? Options: Yes — actively maintained catalog, Yes — a static spreadsheet, Partial / fragmented inventories, No formal inventory exists, Unsure

      If an Examiner Called Right Now, Would You Panic?

      • If an examiner demanded a complete list of systems processing customer personal information with proof within 48 hours, could you comply? Options: Yes — confidently, Partially — some systems only, No — would need weeks or months, Unsure
      • Which systems would you be able to produce immediately (select all that you can provide today)? Options: Core banking databases, Customer relationship management (CRM), Data warehouse / lake, Analytics platforms (BI tools), Cloud object storage (S3/GCS), Third-party processors, Other
      • Estimate how complete your current inventory feels as a percentage of systems that actually touch customer personal data. Options: 0–20%, 21–50%, 51–75%, 76–90%, 91–100%, Don't know
      • When was your authoritative inventory or catalog last updated? Options: Within last week, Within last month, Within last quarter, Longer than 6 months, Never formally updated
      • If you selected Partial or No above, what’s the main barrier to being able to produce a full inventory quickly? Options: Lack of automated discovery, Siloed teams, Security/access restrictions, Manual processes are too slow, Unclear ownership, Other

      Where Does Customer Data Hide That Nobody Talks About?

      • Which systems do you suspect hold customer personal information but are not in any official inventory? Options: Ad-hoc analytics clusters, Legacy departmental databases, Shared file shares, Backups and archives, Third-party SaaS exports, Shadow cloud buckets, Unknown/Other
      • Tell us about the most surprising place you found customer data—how was it discovered and how long has it been there?
      • How frequently do new 'shadow' systems or ad-hoc pipelines appear without central registration? Options: Daily, Weekly, Monthly, Quarterly, Rarely
      • When a new system is found, what usually happens next? Options: Added to central catalog, Left undocumented, Handled by local team, Escalated to governance, Other
      • Who typically discovers these hidden systems (analytics team, devops, auditors, vendor, other)? Options: Analytics / data scientists, Data engineering, IT / DevOps, Internal audit / compliance, External auditor / examiner, Other

      Which Pipelines Break the Chain of Evidence?

      • Which transformation types most often prevent you from showing clear column-level lineage end-to-end? Options: Ad-hoc Python/Scala jobs, Spark/Databricks jobs, SQL-based ETL (stored procedures), dbt transformations, Real-time streaming (Kafka)
      • For those pipeline types, where is lineage most often lost (at extraction, transformation, enrichment, or aggregation)? Options: Extraction (source mapping), Transformation (field-level changes), Enrichment (third-party joins), Aggregation/rollups, I/O to downstream stores, Unsure
      • Give an example of a report or dashboard that you cannot trace back to source columns—what system produced it and why is tracing difficult?
      • How many distinct ETL/processing jobs do you estimate touch customer PII weekly? Options: 0–10, 11–50, 51–200, 201–500, 500+
      • When lineage gaps are found, how are they currently investigated and how long does a typical investigation take? Options: Automated logs, Manual developer interviews, Code reviews, Ad-hoc query tracing, We rarely investigate

      When Retention or Deletion Is Required, What Actually Happens?

      • Have you ever been unable to prove that a deletion or retention policy was enforced across downstream copies (backups, analytics, exports)? Options: Yes — known gaps, Partial — some systems proven, No — we can prove it, Unsure
      • Which downstream copies are the hardest to control or attest to (select all that apply)? Options: Backups / snapshots, Data lake analytics, BI/visualization layer, Third-party processors, Local developer copies, Other
      • Walk me through the last time a retention or deletion request required cross-system confirmation—what went well and what broke?
      • How do you currently record and timestamp enforcement actions (deletions, masks, retention purges)? Options: Automated logs with audit trail, Manual change tickets, No consistent tracking, Ad-hoc emails and attachments, Other
      • What kind of examiner-ready evidence would satisfy you that a deletion request was enforced end-to-end? Options: Immutable logs with timestamps, Before/after snapshots, Automated attestations tied to IDs, Signed legal attestations, Other

      What Would Passing the Examiner Actually Feel Like?

      • What concrete evidence would make the CDO and GC comfortable that an examiner's request is satisfied? Options: Full asset catalog with timestamps, Column-level lineage diagrams to sources, Automated enforcement logs for deletions/masking, Exportable examiner report package, Signed attestation from responsible owners, Other
      • Of the evidence types above, which three are highest priority for your examiners or legal team? Options: Catalog completeness, Column-level lineage, Enforcement logs, Snapshots/audit trail, Signed attestations, Other
      • What acceptance thresholds would you set for a successful 60-day POC (catalog coverage percentage, lineage depth in hops, number of enforcement actions validated)?
      • Who will validate and sign off the POC acceptance criteria from the business, legal, and engineering perspectives (roles only)?
      • If we delivered an examiner-ready evidence bundle at the end of the POC, how would you like it packaged for review? Options: Searchable web report, PDF export per asset, CSV logs and snapshots, Combined legal attestation package, Other

      What Would the CTO Need to See to Say Yes?

      • What's the single integration or performance requirement that would cause the CTO to veto the POC? Options: Any added latency is unacceptable, No changes to production pipelines, Read-only access only, No data movement offsite, Requires in-VPC deployment, Other
      • Which of the following access patterns are acceptable for your security team? Options: Read-only JDBC/ODBC connectors, Agent-based crawlers inside VPC, API-based metadata collection, Snapshot exports to secure bucket, No external network egress
      • Do you have pre-approved deployment patterns (e.g., VPC peering, private link, on-prem appliance) we should follow? Options: Yes — VPC peering/private link, Yes — on-prem appliance allowed, No — need to review with infra/security, Unsure
      • What performance SLAs matter—maximum added latency, acceptable crawl windows, and maintenance blackout windows?
      • Who in engineering must sign off on connector types and schedule (roles and contact cadence)?

      Ready to Run a 60-Day Proof That Actually Proves Something?

      • If we scoped a focused POC today, what would be the single biggest risk to completing it within 60 days? Options: Legal/compliance approval delay, Lack of production access, Insufficient engineering support, Integration complexity, Data sensitivity concerns, Other
      • Which approvals or contracts must be completed before we begin (select all that apply)? Options: Security review, Legal contract, Data processing agreement, Network access request, Change advisory board (CAB) approval, Other
      • What is the earliest realistic start date given current approval timelines? Options: This week, In 2 weeks, In 4–6 weeks, More than 6 weeks, Unknown
      • What would you define as a minimally scoped success for the POC—what domain, how many systems, and what evidence must be produced?
      • Who will be the day-to-day POC owners on your side (roles for access coordination, engineering coordination, and legal/compliance)?

      Small But Critical Details — Constraints, Exceptions, and Non-Starters

      • Are there any explicit 'no-go' systems or data types we must never touch during the POC? Options: Customer accounts, Cardholder data (PCI), Health data (PHI), Encrypted vaults, None / no restrictions, Other
      • Do you require data to remain strictly in-region or on-premises for regulatory reasons? Options: Yes — on-premises only, Yes — in-country only, No — cloud acceptable, Depends on dataset, Unsure
      • What rollback controls or non-disruption guarantees would make your team comfortable (snapshot restores, read-only proofing modes, audit-only scans)? Options: Read-only scans, Audit-only sandbox, Snapshot-based rollback, Staged test runs, Other
      • If we encounter a critical issue during crawling, who must be notified and what is the escalation path?
      • What is an acceptable cadence for status updates during the POC (daily standups, weekly review, on-demand escalation)? Options: Daily standup, Twice-weekly check-in, Weekly review, Ad-hoc on-demand, Other

      Closing the Loop — Real Commitments and Next Steps

      • Which of the following would you like from us to make approval easiest (pre-signed connector spec, security whitepaper, sample evidence bundle, references)? Options: Connector technical spec, Security and SOC documentation, Sample examiner evidence bundle, Customer references in banking, Proof-of-concept runbook, Other
      • Who will own scheduling and coordination for the POC kickoff from your side (name and role)?
      • Before we wrap, what's the single metric or artifact that will make the CDO declare this POC a success?
      • Would you like us to draft a scoped POC statement of work based on your answers here and propose a kickoff within two business days? Options: Yes — please draft SOW, Yes — but with an internal review first, Not yet — need more internal alignment, No
      • Any other concerns, recent incidents, or institutional histories we should know about that could affect how we run the POC?
  7. Success

    Review POC outcomes vs acceptance criteria, capture lessons, and maintain a shared channel for issues and enhancements.

    Success Reviews

    • POC Outcomes Review (Acceptance Mapping)
    • Evidence Walkthrough — Examiner-Ready Artifacts
    • Lessons Learned & Remediation Plan
    • Executive Decision & Mutual Commit Review
    • Ongoing Support, Enhancement Backlog & Shared Channel Setup

    Issues & Enhancements

    • Confirm governance for post-decision communications to auditors/examiners.
    • Open tickets for any missing evidence items with proposed fixes and owners.
    • Retrospective Setup
    • Produce a prioritized remediation backlog with owners, deadlines, and required resources.
    • Agree the acceptance criteria and test harness for any retest or extended POC.
    • Establish who signs off on remediation completion (CDO/CTO/GC).
    • Create the remediation backlog in the shared channel with owners, estimated effort, and priorities.
    • Schedule remediation windows with data engineering and confirm non-disruptive connector plans.
    • Define the retest runbook and acceptance verification checklist.
    • Record the executive decision and distribute a one-page decision memo to stakeholders.
    • Executive Summary of POC Outcomes
    • Secure an executive-level decision (deploy / remediate+retest / extend POC) with named signatories.
    • Agree commercial/legal next steps and any contract amendments required to reflect the decision.
    • Welcome & Objectives
    • If proceeding to deployment, open SOW/contract amendment work and assign commercial/legal owners.
    • If remediation/extension chosen, publish the modified acceptance criteria, timeline, and sign-off matrix.
    • Shared Channel & Access Controls
    • Establish a single shared channel with clear ownership and access for ongoing issues and artifacts.
    • Agree triage rules, SLAs, and escalation matrix to ensure timely response to production issues.
    • Populate the enhancement backlog and set the initial prioritization and sprint/cadence.
    • Define monitoring and reporting cadence that satisfies CDO/CTO/GC oversight needs.
    • Create the shared communication channel, invite the defined membership list, and post governance rules.
    • Document triage process and SLAs in the shared space and link to runbooks for common issues.
    • Publish the initial enhancement backlog with priority tags and schedule the first backlog grooming session.
    • Produce a line-by-line verdict (pass/fail/partial) against each POC acceptance criterion.
    • Surface concrete consequences for any failed or partial criteria in terms of examiner risk and operational impact.
    • Secure customer validation that the measured artifacts match what GC/examers will require.
    • Agree immediate next step: accept, remediate+retest (with scope/timeline), or extend POC.
    • Publish the final POC metrics dashboard and line-by-line acceptance verdict to the shared channel.
    • List all failed/partial acceptance tests with severity, impact statement, and recommended remediation owner.
    • Schedule the Evidence Walkthrough session to validate artifacts tied to each verdict.
    • Scope & Artifact Inventory
    • Prove that artifacts exist and are reproducible with clear chain-of-evidence for examiner consumption.
    • Surface any missing artifact elements and classify them by impact to an examiner finding.
    • Agree on remediation steps and artifact completion criteria if gaps are identified.
    • Deliver a signed artifact checklist indicating which artifact elements meet examiner expectations and which require remediation.
    • Provide reproducibility playbooks/scripts and access instructions for auditors/GC.
    • One-sentence Current State
    • Catalog Evidence Walkthrough
    • Triage Process & SLA Definitions
    • Residual Risk & CTO Integration Constraints
    • Root Cause Analysis (by gap)
    • Column-level Lineage Trace (Live Example)
    • Acceptance Criteria Recap
    • Legal & Commercial Implications
    • Technical Remediation Options & Tradeoffs
    • Enhancement Backlog & Prioritization
    • Monitoring, Alerts & Runbook
    • Measured Results Dashboard
    • Operational & Governance Changes
    • Enforcement Evidence (Deletion/Masking Logs)
    • Decision & Commit Options
    • Gap & Consequence Analysis
    • Retest Acceptance Tests & Schedule
    • Reproducibility & Audit Trail
    • Immediate Executive Actions
    • Recurring Cadence & Reporting
    • Customer Interpretation & Validation
    • GC/Examiner Validation & Outstanding Gaps
    • Decision Framework & Immediate Next Steps
First-Party AI

1-2 minutes please — Your AI agent is working

First-Party AI™ can make mistakes. Always check important information.