Sample Report · Anonymized · TekCapitol, Inc. · tekcapitol.com
TekCapitol · Kyklos360 Assessment · Sample Deliverable · Confidential
AI Agent Risk & Readiness Report
Prepared for Acme Manufacturing · Support Triage Agent
Sample Kyklos360 Assessment deliverable — first full report complimentary per org; $5K/workflow after.
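Production Readiness: 48 / 100 — FAIR
Audit & Compliance Readiness: 58 / 100 — FAIR
Steps production-ready: 2 of 7
Recommendation: Remediate before enterprise deployment
May 2026
Systems: Salesforce · SAP · Zendesk · Snowflake · Custom / Proprietary
Piloting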
About this deliverable
This is a sample of the full Kyklos360 Assessment deliverable: one complimentary per organization (work-email verify), then $5K/workflow for additional workflows. Use the roadmap with your team or with TekCapitol to implement it. The deliverable includes scores, phased remediation, work & skills estimate, orchestration, governance, kill switch, monitoring, and security Q&A.
Executive Summary
Leadership recommendation
Remediate before enterprise deployment
The workflow may run in pilot, but production readiness is 32 points below threshold and audit/compliance posture would fail most enterprise security reviews. Complete Phase 1 blocking items before customer-facing production.
Full remediation projects 82/100 production readiness.
Bottom line
Acme Manufacturing's Support Triage Agent: remediate before enterprise deployment. Primary blocker — Zendesk organization_id does not reliably map to Salesforce AccountId or SAP kunnr — entity resolution required before automated routing.
Production Readiness*: 48 / 100
Audit & Compliance Readiness**: 58 / 100
High-Severity Risks: 4
* Production Readiness Score. Composite 0–100 score from the Diagnose phase. Measures whether this agent workflow is technically ready for production — data, entity resolution, business rules, connectivity, and governance across every decomposed step. 80+ is the production deployment threshold.
** Audit & Compliance Readiness. Separate 0–100 score from the Govern phase. Estimates preparedness for external scrutiny — SOC 2 audits, GDPR reviews, and enterprise AI security questionnaires — based on permissions, audit trails, kill-switch documentation, and encoded controls. Not a certification; an estimate of how defensible this agent would be in audit.

Acme Manufacturing has decomposed a Support Triage Agent workflow into 7 steps. 2 of 7 steps meet production-ready thresholds. Overall readiness is 48/100 (FAIR). Primary gaps are in entity resolution and source of truth — not necessarily in the AI models themselves. Overall governance risk: MEDIUM.

⚠ Critical Finding 1
Zendesk organization_id does not reliably map to Salesforce AccountId or SAP kunnr — entity resolution required before automated routing.
⚡ Critical Finding 2
Entity resolution: Zendesk organization_id ↔ Salesforce AccountId ↔ SAP kunnr
⚡ Critical Finding 3
Encode routing rules from governance PDF into versioned config (not hardcoded in agent)
✓ Strength
Strongest dimensions: Governance (avg 70/100). Build remediation on this foundation.
⚡ Compliance Gap
Entity resolution mapping table not yet in production
Kyklos360 Readiness Scores

Each dimension scored 0–100 across all workflow steps. 80+ is production-ready; 70+ on audit & compliance readiness supports enterprise security reviews. Scores reflect uploaded artifacts and workflow context — platform-agnostic.

| Dimension | Score | Finding | Rating |
| --- | --- | --- | --- |
| Entity Resolution | 38 | 15% accounts missing SAP kunnr ↔ Salesforce AccountId map. | Poor |
| Source of Truth | 48 | Snowflake mart lags Zendesk by up to 24h per governance doc. | Fair |
| Semantic Clarity | 50 | Tier and credit_hold semantics differ across Zendesk, SF, SAP. | Fair |
| Business Rules | 52 | Governance PDF defines HITL but routing rules not in any system export. | Fair |
| Data Availability | 54 | Schema columns exist; cross-system IDs incomplete. | Fair |
| Connectivity | 55 | SUPPORT_MART exists; Zendesk→Snowflake pipeline not validated. | Fair |
| Governance | 70 | agent_governance_policy.pdf confirms read-only SAP and HITL gates. | Good |
Overall Readiness
Overall readiness: 48/100. Weakest dimensions: Entity Resolution (38), Source of Truth (48).
Agent Risk Register

Agent risk register for Support Triage Agent. Risk rated High / Medium / Low per dimension.

| Risk Dimension | Finding | Rating |
| --- | --- | --- |
| Access Risk | Check SAP credit and delivery block; Human approval for high-risk cases — excessive access: SAP write on customer master, FD32 transaction, Case auto-close without CSM approval. Use read-only RFC connector per agent_governance_policy.pdf | 🔴 High |
| Action Risk | Enforce HITL gate for P1 + credit_hold per governance PDF | 🔴 High |
| Assessment Risk | Step 7: log Agent decision, model confidence, actions taken, timestamp (7 years, AU-3). Step 5: log Routing decision rationale and config version used (2 years, AU-12) | 🔴 High |
| Recovery Risk | Hard kill: Immediate stop — no new runs, in-flight runs terminated. Soft kill: Agent pauses — triggers queued, no routing actions taken. Resume: Root cause documented in incident ticket; Mapping table freshness validated by Data Engineering; CSM sign-off on routing config version in use. | 🟡 Medium |
| Cost / Ops Risk | Agent routing P1 tickets to wrong queue — immediate hard kill | 🟡 Medium |
| Approval Risk | Entity resolution mapping table not yet in production; HITL rules exist in PDF only, not encoded in systems; Assessment log schema not defined on Salesforce Case | 🔴 High |
Overall Risk Assessment
4 of 6 dimensions rated High Risk. Cross-system PII flows between Zendesk, Salesforce, and SAP require scoped service accounts and HITL gates before production.
Prioritized Implementation Roadmap

Recommendations prioritized by enterprise deal impact and production readiness lift. Effort: S (1–2 weeks) / M (2–4 weeks) / L (4–8 weeks).

Investment at a glance
Estimated 10-14 weeks calendar timeline · 1.8 FTE-months scoped work · projects 48→82 production readiness.
| # | Priority | Recommendation | Gap | Effort | Impact |
| --- | --- | --- | --- | --- | --- |
| 1 | BLOCKING | Cross-system customer ID mapping | Zendesk organization_id does not map to Salesforce AccountId or SAP kunnr | M | High Impact |
| 2 | BLOCKING | Governance-aligned HITL gates | P1 + credit hold approval path exists only in PDF, not in systems | S | High Impact |
| 3 | SIGNIFICANT | Snowflake mart freshness SLA | SUPPORT_MART may lag Zendesk by up to 24h per governance doc | S | Medium Impact |
| 4 | SIGNIFICANT | Routing rules as config | Tier/severity/credit routing logic lives in tribal knowledge, not exports | S | Medium Impact |
| 5 | MINOR | Assessment trail to Salesforce Case | Agent decisions not written back with model confidence and timestamp | S | Medium Impact |
Weeks to production-ready: 10
Score after remediation: 48→82
Critical gaps to close: 2
Implementation Work Scope

What work is required and which roles typically own it. If you have these skills in-house, staff it internally — every item in this report can be executed by your team. TekCapitol is optional delivery support if you want help implementing.

Delivery Model: Hybrid — your team or TekCapitol on Phase 1
Fixed-scope estimate: ~1.2 FTE-month fixed-scope SOW
Typical your team vs TekCapitol: 34% / 31%
If you have entity-resolution and analytics skills in-house, your team can own the blocking data work; you keep Zendesk routing and support policy. TekCapitol is optional for Phase 1–2 if you want implementation help — pair with your analytics lead for mart SLAs either way.
Where TekCapitol can help (optional)
  • Data Engineering
  • Analytics Engineering
  • Platform Engineering
Your team owns
  • Support Operations
  • Support Engineering
Staffing is your choice: in-house employees, contractors, or TekCapitol. Percentages below are a typical split when teams ask for implementation help — not a requirement to use outside resources.
Skill Gaps Identified
Data Engineering
Uncommon in-house · ~12 person-days · Staff in-house — or TekCapitol can help
Analytics Engineering
May need hire or contractor · ~8 person-days · Staff in-house — or TekCapitol can help
Platform Engineering
May need hire or contractor · ~4 person-days · Staff in-house — or TekCapitol can help
Fixed-scope effort (24 person-days), not a fractional hire. Your team can run Phase 1–2 in-house, or TekCapitol can assist over 10–14 weeks while your support team keeps Zendesk.
Staffing feasibility: Hybrid staffing — your team plus optional TekCapitol help
Effort & Estimation

Effort in FTE-months and person-days — fixed-scope deliverables, not a fractional hire recommendation.

Total FTE-months: 1.8
Person-days: 35
Calendar timeline: 10-14 weeks
Readiness projection: 48/100 → 82/100 after full remediation (10-14 weeks)
1.8 FTE-months ≈ 36 person-days across five work packages. At ~0.55 blended concurrent capacity, that maps to roughly 10–14 weeks on a calendar — faster with more parallel staffing, slower if phases run strictly in sequence.
Internal concurrency (if staffed in-house): ~0.55 blended FTE, meaning part-time people across roles finishing in 10–14 weeks. This figure is internal concurrency only; fixed-scope estimates use person-months.
Estimation Assumptions
• 35 person-days total across 5 remediation items (sum of roadmap effort-days).
• 1.8 FTE-months = 35 ÷ 20 working days per month.
• 10–14 calendar weeks at ~0.55 blended FTE with Phase 2 starting after entity mapping lands.
• Assumes existing Snowflake + Zendesk + Salesforce access; no net-new platform procurement.
Skills & Work Packages

Work packages with role, concrete skills, and effort. Each row is a deliverable — not a headcount slot.

| Work Package | Role | FTE-mo | Skills Required |
| --- | --- | --- | --- |
| Cross-system customer ID mapping (Zendesk ↔ Salesforce ↔ SAP) [BLOCKING] | Data Engineer | 0.6 | dbt, SQL, Snowflake, entity resolution, mapping tables |
| Governance-aligned HITL gates for support triage [BLOCKING] | AI Engineer | 0.25 | LangGraph, Python, HITL workflows, Zendesk API, policy-as-code |
| Snowflake mart freshness SLA & data quality tests [SIGNIFICANT] | Data Engineer | 0.4 | dbt tests, Great Expectations, SLA monitoring, Snowflake |
| Routing rules as config (tier / severity / credit hold) [SIGNIFICANT] | AI Engineer | 0.3 | LangGraph, YAML rules, Zendesk triggers, routing logic |
| Assessment trail to Salesforce Case + Snowflake mart [MINOR] | Platform Engineer | 0.2 | Python, Salesforce API, assessment logging, webhooks |
Role Mix & Staffing
| Role | Days | FTE-mo | Skills | Owner |
| --- | --- | --- | --- | --- |
| Data Engineering (34% of effort) | 12 | 0.6 | dbt, entity resolution, Snowflake, mapping tables | TekCapitol can lead (optional) |
| Support Operations (14% of effort) | 5 | 0.25 | HITL workflow, Zendesk, governance policy encoding | Your team owns |
| Analytics Engineering (23% of effort) | 8 | 0.4 | dbt tests, mart freshness, SLA monitoring | Shared delivery |
| Support Engineering (17% of effort) | 6 | 0.3 | routing config, KB integration, queue taxonomy | Your team owns |
| Platform Engineering (11% of effort) | 4 | 0.2 | Salesforce API, audit trail, Snowflake sync | Shared delivery |
Orchestration Plan

Model routing, token estimates, and human-in-the-loop gates per workflow step. Generated from your decomposed agent workflow.

Est. daily runs: 450
Trigger: Zendesk ticket created or updated webhook fires Support Triage Agent
| Step | Model | Tokens in/out | Rationale |
| --- | --- | --- | --- |
| 01. Ingest and classify inbound ticket | gemini-2.0-flash | 800 / 120 | Ticket classification is structured extraction from subject and tags |
| 02. Enrich with Salesforce account tier | Deterministic (no LLM) | | Deterministic API fetch — no LLM required |
| 03. Check SAP credit and delivery block | Deterministic (no LLM) | | Deterministic API fetch — no LLM required |
| 04. Load ticket history from Snowflake mart | Deterministic (no LLM) | | Deterministic API fetch — no LLM required |
| 05. Apply routing and auto-response rules | claude-sonnet-4-6 | 2400 / 400 | Routing decisions need multi-system context and policy reasoning |
| 06. Human approval for high-risk cases | Deterministic (no LLM) | | Deterministic API fetch — no LLM required |
| 07. Assessment log and case update | Deterministic (no LLM) | | Deterministic API fetch — no LLM required |
Human-in-the-loop gates
  • Step 6: P1 priority AND SAP credit_hold_flag = true — Governance policy requires CSM approval before auto-close on credit-blocked accounts
  • Step 5: customer_tier = Enterprise AND open_p1_count >= 2 — Escalate to specialist queue instead of KB auto-response
Architecture notes:
  • Use read-only Salesforce service account SA_KYKLOS_SUPPORT per governance policy
  • SAP queries via approved RFC connector — no write access to customer master
  • Cache SUPPORT_MART enrichment for 15 minutes to reduce Snowflake cost at volume
Anti-patterns to avoid:
  • Hardcoding routing rules in agent prompt instead of versioned config
  • Letting agent write directly to SAP customer master
  • Skipping entity resolution and matching customers by company name fuzzy search
Governance & Kill Switch

Permission audit, compliance mapping, and kill-switch authority matrix — aligned to NIST AI RMF and SP 800-53.

Overall risk: medium
Audit & Compliance Readiness**: 58 / 100
Regulations apply: GDPR, SOC2
Cross-system PII flows between Zendesk, Salesforce, and SAP require scoped service accounts and HITL gates before production.
Kill switch authority matrix · MANAGE · SI-17 · CP-10
| Level | Trigger & effect | Authority |
| --- | --- | --- |
| Hard kill | When: P1 misroute rate > 3% for 15 minutes OR SAP write attempt detected. Effect: Immediate stop — no new runs, in-flight runs terminated | Support Ops Director + Platform Engineering |
| Soft kill | When: Entity resolution match rate < 85% for 30 minutes. Effect: Agent pauses — triggers queued, no routing actions taken | Support Engineering Lead |
| Scope limit | When: SUPPORT_MART freshness lag > 2h on P1 volume. Effect: Disable auto-routing; allow read-only enrichment and human triage only | CSM Manager |
Resume requirements:
  • Root cause documented in incident ticket
  • Mapping table freshness validated by Data Engineering
  • CSM sign-off on routing config version in use
Audit trail spec: Log kill level, trigger (manual/auto), actor role, timestamp, affected ticket count, and config version to immutable assessment store
Priority access controls
  • Dedicated SA_KYKLOS_SUPPORT service account with read-only Salesforce scope (AC)
  • Versioned routing config with approval workflow before production deploy (CM)
Monitoring Plan

Data quality alerts, LLM eval criteria, circuit breakers linked to kill-switch levels, ops runbook, and KPIs.

Stack: Datadog · Snowflake alerts · LangSmith · PagerDuty
Production KPIs
| KPI | Target | Measurement |
| --- | --- | --- |
| First-response automation rate | > 65% for L1 tickets | Zendesk tickets auto-routed vs total inbound daily |
| P1 misroute rate | < 1% | Manual override count / P1 tickets weekly |
| Mean time to enrich (SF + SAP + Snowflake) | < 10 seconds p95 | Distributed trace from agent orchestrator |
Circuit breakers → kill switch
  • P1 misroute rate: > 3% over 15 min — Agent routing P1 tickets to wrong queue — immediate hard kill
  • Unauthorized SAP write attempt: Any occurrence — Governance policy violation — terminate all agent runs
Ops runbook
  • Verify SUPPORT_MART last_refreshed_at vs ticket stream (hourly, Analytics on-call) — Page data engineering if lag > 2h on P1 volume
  • Review LangSmith eval scores for classification and routing steps (weekly, ML Platform) — Open incident if accuracy below threshold
Data quality alerts
  • Step 4: SUPPORT_MART freshness lag vs Zendesk — threshold > 2 hours for P1 tickets (critical). Owner: Analytics Engineering
  • Step 2: AccountId resolution rate — threshold < 90% match on organization_id (warning). Owner: Data Engineering
Draft Enterprise Security Questionnaire Answers

Draft answers to the 5 most common enterprise AI security questions — based on this assessment. Review with legal before submitting to prospects.

Q1. What data does your AI agent access, and how is access controlled?
Our Support Triage Agent accesses workflow data across Salesforce · SAP · Zendesk · Snowflake · Custom / Proprietary. Required access: SAP KNA1 read, credit_hold flag. Use read-only RFC connector per agent_governance_policy.pdf. Excessive access flagged: SAP write on customer master, FD32 transaction.
Note: Valid after completing Phase 1 (BLOCKING) remediation. Current readiness score 48/100 — do not submit until access controls are implemented.
Q2. Can your AI agent modify or delete customer data?
Excessive write access has been identified and must be removed. Agent actions at step 3 (Check SAP credit and delivery block) require: Use read-only RFC connector per agent_governance_policy.pdf. Autonomous modifications require human approval where policy mandates HITL gates.
Note: Excessive access identified in permission assessment — remediate before submitting to enterprise prospects.
Q3. How do you audit what your AI agent did and why?
Every agent action at step 7 is logged: Agent decision, model confidence, actions taken, timestamp. Retention: 7 years. Owner: Platform Engineering. NIST control: AU-3. Logs enable decision reconstruction on demand.
Q4. What happens if your AI agent makes an error that affects our data?
Governance framework includes: hard kill (Immediate stop — no new runs, in-flight runs terminated) triggered by P1 misroute rate > 3% for 15 minutes OR SAP write attempt detected; soft kill (Agent pauses — triggers queued, no routing actions taken); scope limit (Disable auto-routing; allow read-only enrichment and human triage only). Agent routing P1 tickets to wrong queue — immediate hard kill. Authority: Support Ops Director + Platform Engineering.
Review kill-switch runbook with operations before submitting.
Q5. How do you ensure your AI agent doesn't use our data to train future models?
Agents use inference-only API calls to third-party LLM providers with data processing agreements prohibiting use of customer data for model training. GDPR data minimization applies: Data minimization in agent prompts; Right to erasure on audit logs. SOC2 access and assessment controls: Least-privilege service accounts; Immutable audit log for agent decisions. Training opt-out parameters set on all LLM API calls.
Verify current API agreements with your LLM providers and review with legal counsel before submitting.
Recommended Next Steps
This assessment identified the gaps. Acme Manufacturing's team can implement the roadmap in-house if you have the skills — or TekCapitol can assist. Either path builds toward AI agent workflows your enterprise customers will trust. Request a scoping call at tekcapitol.com/book.html or run another assessment at tekcapitol.com/kyklos/.
  • BLOCKING: 2 remediation items. Must complete before any agent work begins
  • SIGNIFICANT: 2 remediation items. Fix before pilot launch
  • MINOR: 1 remediation item. Fix before production scale