Two lifecycles run in parallel: the company-level adoption lifecycle (organizing the whole program) and the per-agent lifecycle (each individual agent moving through it).
11.1 Company-level adoption (six phases, adapted from Microsoft CAF)
Strategy → Plan → Ready → Govern → Secure → Manage
(continuous loop: an arrow returns from Manage to an earlier phase)
- Strategy — define AI use cases, technology strategy, data strategy, responsible AI strategy.
- Plan — readiness assessment, skills plan, organizational alignment, data architecture.
- Ready — environments, networking, identity, foundation, reference architecture.
- Govern — risk assessment, policies, enforcement, monitoring (NIST AI RMF aligned: Govern / Map / Measure / Manage).
- Secure — discover security risks, protect resources and data, detect threats.
- Manage — operate, integrate, deploy, monitor, optimize, retire.
Govern / Secure / Manage are continuous, not one-time. We iterate them as the portfolio grows.
11.2 Per-agent lifecycle
Idea → Intake → Approved → Build → Pilot → Production → Retired
Each transition is a gate:
- Idea → Intake: a department champion fills the intake form.
- Intake → Approved: CoE reviews; risk classified; ROI estimated; KPI defined; owner assigned.
- Approved → Build: Agent Card written; data sources documented; approved stack confirmed.
- Build → Pilot: passes pre-build checklist + responsible-AI review + security review (per risk tier).
- Pilot → Production: meets KPI in pilot; passes pilot-to-prod checklist; monitoring + on-call defined; runtime guardrails confirmed.
- Production → Retired: ROI below threshold for 2 consecutive quarters, owner leaves, replaced by a better solution, or KPI failure.
Risk profile can change mid-life. A Low-risk internal summarizer becomes Medium if exposed to customers. Re-classify on every material change.