AI Strategy

The Complete Enterprise Claude Deployment Field Guide: Six Phases, Six Gates, 73 Tasks

A pilot gets rebuilt. A system ships a PHI leak. A rollout stalls in the low double digits. A bill quietly triples. Six phases, six ways a deployment goes wrong, one identical root cause: a gate treated as optional that turned out to be load-bearing. This is the whole roadmap in one reference, with every gate, all 73 tasks, and a link to each deep-dive.

AP
Andrew Poole
··10 min read

Over the last several weeks, this series took the enterprise Claude deployment roadmap apart one phase at a time. Six deep-dives, each opening with the same kind of story: a team that had done most things right and still hit a wall. This piece puts the whole thing back together as a single reference: the six phases, the gate that sits between each one, all seventy-three tasks, and a map to every deep-dive. If you read one piece in the series, the overview was the place to start. If you keep one piece open while you actually run a deployment, this is that piece.

Start with the pattern, because it is the entire argument of the series compressed into a few sentences. A pilot gets rebuilt from scratch because no one classified the data first. A system ships that would leak protected health information through a chained tool call. A rollout reaches the whole company at once and adoption settles in the low double digits. A deployment is declared finished, the team is reassigned, and months later the bill has tripled. Different phases, and in every case the same shape of failure: a gate that felt optional under deadline pressure, skipped, and load-bearing after all. The failure never shows up at the gate that was skipped. It shows up one or two phases downstream, where it is expensive and visible.

That is why the gates are the real content of this roadmap, not the phases. A phase is a list of work. A gate is a specific, verifiable condition that earns the right to start the next phase. The phases tell you what to do. The gates tell you when you are actually done, as opposed to when you feel done, and the gap between those two is where enterprise deployments go to stall.

Six Phases at a Glance

Each phase earns the right to the next

01

Discovery

Inventory use cases, classify data, choose deployment surface.

Gate

Executive approval in writing

02

Foundation

SSO, API gateway, observability, acceptable use policy.

Gate

Security validates + first request flows end-to-end

03

Pilot

Build use cases, MCP servers, Claude Code rollout.

Gate

Value + security + budget -- all three

04

Hardening

Pentest, PII filtering, audit trails, load test.

Gate

CISO sign-off + 2x peak load passed

05

Rollout

Wave by business unit, training, CoE, prompt libraries.

Gate

Adoption targets met per business unit

06

Optimization

Cost tuning, model upgrades, use case intake, monitoring.

Gate

QBR re-approval. This phase does not end.

Constant discipline

Testing

Embedded in every phase -- not just Phase 4

Constant discipline

Ownership Clarity

Three columns: partner / client / joint

How to Use This Guide

Read this top to bottom for the shape of the whole deployment, then follow the link at the end of each phase into its deep-dive when you reach that phase in practice. The deep-dives hold the operational detail: the specific tasks, the failure modes, the configuration specifics, and the illustrative scenario that shows what skipping the gate actually costs. This guide holds the structure that keeps those details in the right order.

One framing to carry through all six phases: every task has an owner, and the honest version of the roadmap has three kinds of owner, not one. Some work belongs to the delivery partner. Some belongs to the client alone, because the authority cannot be delegated — the CISO sign-off, the executive budget approval, the security team's penetration test. Some is genuinely joint. The gates below name the owner that matters most for each decision.

The Six Phases in Brief

Phase 1, Discovery and Assessment, runs the first two weeks: inventory candidate use cases, classify the data each one touches, assess the existing infrastructure, and choose a deployment surface. Its gate is a documented executive approval of platform, use cases, and budget. The signature failure is skipping discovery because it feels like overhead, then building a pilot on the wrong problem.

Phase 2, Foundation and Access Layer, stands up the platform before the use cases: SSO and RBAC, an API gateway with cost attribution and logging, model routing, an acceptable use policy, and observability. Its gate is the security team validating access controls while the first real request flows end to end. The signature failure is building visible use cases first and discovering six months later that nobody can attribute cost or audit access.

Phase 3, Pilot Implementation, builds the prioritized use cases for real, with MCP servers connecting Claude to internal systems and an evaluation framework that defines what good looks like before the build begins. Its gate has five conditions, all required. The signature failure is pilot purgatory: a demo that proved value but was never built to be hardened, so it has to be rebuilt.

Phase 4, Hardening and Compliance, tests the pilot against production conditions it never faced: penetration testing, PII filtering, immutable audit trails, data residency, and load testing at twice projected peak. Its gate is CISO sign-off on four conditions. The signature failure is skipping hardening because the pilot worked — confusing proof of value with proof of production-readiness.

Phase 5, Enterprise Rollout, moves the hardened system to the organization in waves, with role-specific training, a prompt library, a self-service MCP catalog, and a Center of Excellence. Its gate repeats at every wave: adoption and demonstrated ROI before the next wave opens. The signature failure is the big-bang launch that mistakes provisioned seats for adoption.

Phase 6, Optimization and Evolution, is the phase that does not end: cost tuning, model-upgrade evaluation, new use case intake, and continuous platform monitoring. Its gate recurs every quarter. The signature failure is treating production as the finish line and reassigning the only people whose job it was to keep watching.

73 Tasks Across Six Phases

The whole deployment at a glance
Phase 19

Discovery

Weeks 1–2 · 9 tasks

Use case inventory, data classification, platform choice

Phase 211

Foundation

Weeks 3–4 · 11 tasks

SSO/RBAC, API gateway, routing, observability

Phase 314

Pilot

Weeks 5–8 · 14 tasks

Prompts, MCP servers, use case builds, evaluation

Phase 413

Hardening

Weeks 9–12 · 13 tasks

Pentest, PII filtering, load test, CISO sign-off

Phase 513

Rollout

Wave-gated · 13 tasks

Training, prompt library, CoE, wave launches

Phase 613

Optimization

Ongoing · 13 tasks

Cost, model upgrades, intake, platform monitoring

The tasks are not a checklist to rush through. They are a sequence where each phase earns the right to the next, and the gates enforce the sequence.

The Six Gates, in One Place

Here is every gate in the roadmap collected into a single reference. This is the table to keep open during a deployment, because it is the part most roadmaps leave out and the part that actually enforces the sequence. A phase is not complete when its task list is checked off. It is complete when its gate condition is met and someone with the authority to say so has said so.

The Six Gates — One Reference

A phase is done when its gate is met
1

Discovery

Owner: Executive sponsor

Executive sponsor approves the platform choice, prioritized pilot use cases, and budget — a documented decision with a name attached.

2

Foundation

Owner: Security team

Security validates access controls, and the first real request flows through the production path end to end: authenticated, logged, cost-attributed.

3

Pilot

Owner: Joint (delivery + client SMEs)

All five: use case quality meets acceptance criteria, pilot NPS above 8, MCP security review passed, no data incidents, cost within 20% of budget.

4

Hardening

Owner: CISO

All four: CISO sign-off, all critical/high pentest findings remediated and retested, compliance attestation complete, 2x peak load test passed.

5

Rollout

Owner: Business unit + CoE

Per wave: a majority of provisioned users active within 30 days, and ROI demonstrated for the pilot use cases before the next wave opens.

6

Optimization

Owner: Center of Excellence

Recurring: a quarterly business review re-approves continuation on demonstrated ROI, plus an annual strategy refresh. This gate never closes.

Skip a gate and the failure does not show up immediately. It shows up two phases later, when it is expensive to fix.

Two Disciplines That Run Through Every Phase

The six phases are sequential. Two disciplines are not — they run through all of them, and a deployment that treats either as a phase rather than a constant will fail.

The first is testing. Testing is not a single pass in Phase 4. It is embedded in every phase: the smoke test in Foundation, acceptance tests and a fifty-case-per-prompt regression suite in Pilot, penetration and load tests in Hardening, wave validation in Rollout, and model-upgrade regression in Optimization. A deployment that defers testing to one hardening pass discovers all of its problems at once, late, when they are most expensive to fix. The regression suite built in Phase 3 is the single asset that pays off in every phase after it, because it is the mechanism that catches a new model improving the median response while quietly regressing an edge case the old model handled.

The second is ownership clarity. Every task has an owner, and the deployments that stall are the ones that blur the line between the three kinds of owner at exactly the moment a decision is required. The gate conditions above are written the way they are — naming the CISO, the executive sponsor, the security team — precisely because those are the decisions that cannot be delegated to the delivery partner and cannot be left ambiguous without stalling the whole deployment at the gate.

Discipline 1: Testing -- Embedded in Every Phase

Foundation

Smoke tests

Pilot

Acceptance + prompt regression

Hardening

Penetration + load

Rollout

Wave validation

Optimization

Model-upgrade regression

A deployment that defers testing to a single hardening pass discovers all problems at once, when they are most expensive to fix.

Discipline 2: Ownership Clarity -- Three Columns, Not One

Delivery Partner

  • MCP server builds
  • Integration code
  • Prompt engineering
  • Technical architecture

Client Only

  • CISO sign-off
  • Executive budget approval
  • Security team pentest
  • Compliance attestation

Joint

  • Use case selection
  • Pilot scope definition
  • Rollout sequencing
  • QBR evaluation

Deployments that blur these columns stall at exactly the moments that require a decision nobody clearly owns.

The Full Series

Each phase has a deep-dive with the operational detail this guide summarizes: the tasks in full, the failure modes, and the illustrative scenario that shows what the skipped gate actually costs. Read them in order for the complete picture, or jump to the phase you are standing in right now.

Where to Start

If you are at the beginning, start at Phase 1, and resist the pull to skip it because it feels like overhead. Discovery is two weeks that saves two quarters. If you are already somewhere in the middle, the more useful exercise is to look backward: find the most recent gate behind you and ask whether it was actually met or merely declared met under deadline pressure. The failure you are worried about downstream is usually a gate that was softened upstream.

The single most common reason enterprise Claude deployments fail is that someone treated a load-bearing phase as optional and only found out which one it was after it was too late to put it back. The roadmap does not make the work shorter. It makes the sequence explicit, so the phase that gets skipped is a deliberate, owned decision rather than an accident discovered two phases too late.

Work with Riptide

Ready to put a governance framework behind your Claude deployment?

Our Claude Enterprise Readiness Assessment maps your file structure, permissions model, and MCP surface in three weeks.

Book a discovery call
AP

Andrew Poole

Founder of Riptide Consulting, an Anthropic-first AI engineering firm based in Carlsbad, CA. Building the intelligence layer for enterprise and growth-stage companies on the Anthropic platform.