Over the last several weeks, this series took the enterprise Claude deployment roadmap apart one phase at a time. Six deep-dives, each opening with the same kind of story: a team that had done most things right and still hit a wall. This piece puts the whole thing back together as a single reference: the six phases, the gate that sits between each one, all seventy-three tasks, and a map to every deep-dive. If you read one piece in the series, the overview was the place to start. If you keep one piece open while you actually run a deployment, this is that piece.
Start with the pattern, because it is the entire argument of the series compressed into a few sentences. A pilot gets rebuilt from scratch because no one classified the data first. A system ships that would leak protected health information through a chained tool call. A rollout reaches the whole company at once and adoption settles in the low double digits. A deployment is declared finished, the team is reassigned, and months later the bill has tripled. Different phases, and in every case the same shape of failure: a gate that felt optional under deadline pressure, skipped, and load-bearing after all. The failure never shows up at the gate that was skipped. It shows up one or two phases downstream, where it is expensive and visible.
That is why the gates are the real content of this roadmap, not the phases. A phase is a list of work. A gate is a specific, verifiable condition that earns the right to start the next phase. The phases tell you what to do. The gates tell you when you are actually done, as opposed to when you feel done, and the gap between those two is where enterprise deployments go to stall.
Six Phases at a Glance
Each phase earns the right to the next
Discovery
Inventory use cases, classify data, choose deployment surface.
Gate
Executive approval in writing
Foundation
SSO, API gateway, observability, acceptable use policy.
Gate
Security validates + first request flows end-to-end
Pilot
Build use cases, MCP servers, Claude Code rollout.
Gate
Value + security + budget -- all three
Hardening
Pentest, PII filtering, audit trails, load test.
Gate
CISO sign-off + 2x peak load passed
Rollout
Wave by business unit, training, CoE, prompt libraries.
Gate
Adoption targets met per business unit
Optimization
Cost tuning, model upgrades, use case intake, monitoring.
Gate
QBR re-approval. This phase does not end.
Constant discipline
Testing
Embedded in every phase -- not just Phase 4
Constant discipline
Ownership Clarity
Three columns: partner / client / joint
How to Use This Guide
Read this top to bottom for the shape of the whole deployment, then follow the link at the end of each phase into its deep-dive when you reach that phase in practice. The deep-dives hold the operational detail: the specific tasks, the failure modes, the configuration specifics, and the illustrative scenario that shows what skipping the gate actually costs. This guide holds the structure that keeps those details in the right order.
One framing to carry through all six phases: every task has an owner, and the honest version of the roadmap has three kinds of owner, not one. Some work belongs to the delivery partner. Some belongs to the client alone, because the authority cannot be delegated — the CISO sign-off, the executive budget approval, the security team's penetration test. Some is genuinely joint. The gates below name the owner that matters most for each decision.
The Six Phases in Brief
Phase 1, Discovery and Assessment, runs the first two weeks: inventory candidate use cases, classify the data each one touches, assess the existing infrastructure, and choose a deployment surface. Its gate is a documented executive approval of platform, use cases, and budget. The signature failure is skipping discovery because it feels like overhead, then building a pilot on the wrong problem.
Phase 2, Foundation and Access Layer, stands up the platform before the use cases: SSO and RBAC, an API gateway with cost attribution and logging, model routing, an acceptable use policy, and observability. Its gate is the security team validating access controls while the first real request flows end to end. The signature failure is building visible use cases first and discovering six months later that nobody can attribute cost or audit access.
Phase 3, Pilot Implementation, builds the prioritized use cases for real, with MCP servers connecting Claude to internal systems and an evaluation framework that defines what good looks like before the build begins. Its gate has five conditions, all required. The signature failure is pilot purgatory: a demo that proved value but was never built to be hardened, so it has to be rebuilt.
Phase 4, Hardening and Compliance, tests the pilot against production conditions it never faced: penetration testing, PII filtering, immutable audit trails, data residency, and load testing at twice projected peak. Its gate is CISO sign-off on four conditions. The signature failure is skipping hardening because the pilot worked — confusing proof of value with proof of production-readiness.
Phase 5, Enterprise Rollout, moves the hardened system to the organization in waves, with role-specific training, a prompt library, a self-service MCP catalog, and a Center of Excellence. Its gate repeats at every wave: adoption and demonstrated ROI before the next wave opens. The signature failure is the big-bang launch that mistakes provisioned seats for adoption.
Phase 6, Optimization and Evolution, is the phase that does not end: cost tuning, model-upgrade evaluation, new use case intake, and continuous platform monitoring. Its gate recurs every quarter. The signature failure is treating production as the finish line and reassigning the only people whose job it was to keep watching.
73 Tasks Across Six Phases
The whole deployment at a glanceDiscovery
Weeks 1–2 · 9 tasks
Use case inventory, data classification, platform choice
Foundation
Weeks 3–4 · 11 tasks
SSO/RBAC, API gateway, routing, observability
Pilot
Weeks 5–8 · 14 tasks
Prompts, MCP servers, use case builds, evaluation
Hardening
Weeks 9–12 · 13 tasks
Pentest, PII filtering, load test, CISO sign-off
Rollout
Wave-gated · 13 tasks
Training, prompt library, CoE, wave launches
Optimization
Ongoing · 13 tasks
Cost, model upgrades, intake, platform monitoring
The tasks are not a checklist to rush through. They are a sequence where each phase earns the right to the next, and the gates enforce the sequence.
The Six Gates, in One Place
Here is every gate in the roadmap collected into a single reference. This is the table to keep open during a deployment, because it is the part most roadmaps leave out and the part that actually enforces the sequence. A phase is not complete when its task list is checked off. It is complete when its gate condition is met and someone with the authority to say so has said so.
The Six Gates — One Reference
A phase is done when its gate is metDiscovery
Owner: Executive sponsorExecutive sponsor approves the platform choice, prioritized pilot use cases, and budget — a documented decision with a name attached.
Foundation
Owner: Security teamSecurity validates access controls, and the first real request flows through the production path end to end: authenticated, logged, cost-attributed.
Pilot
Owner: Joint (delivery + client SMEs)All five: use case quality meets acceptance criteria, pilot NPS above 8, MCP security review passed, no data incidents, cost within 20% of budget.
Hardening
Owner: CISOAll four: CISO sign-off, all critical/high pentest findings remediated and retested, compliance attestation complete, 2x peak load test passed.
Rollout
Owner: Business unit + CoEPer wave: a majority of provisioned users active within 30 days, and ROI demonstrated for the pilot use cases before the next wave opens.
Optimization
Owner: Center of ExcellenceRecurring: a quarterly business review re-approves continuation on demonstrated ROI, plus an annual strategy refresh. This gate never closes.
Skip a gate and the failure does not show up immediately. It shows up two phases later, when it is expensive to fix.
Two Disciplines That Run Through Every Phase
The six phases are sequential. Two disciplines are not — they run through all of them, and a deployment that treats either as a phase rather than a constant will fail.
The first is testing. Testing is not a single pass in Phase 4. It is embedded in every phase: the smoke test in Foundation, acceptance tests and a fifty-case-per-prompt regression suite in Pilot, penetration and load tests in Hardening, wave validation in Rollout, and model-upgrade regression in Optimization. A deployment that defers testing to one hardening pass discovers all of its problems at once, late, when they are most expensive to fix. The regression suite built in Phase 3 is the single asset that pays off in every phase after it, because it is the mechanism that catches a new model improving the median response while quietly regressing an edge case the old model handled.
The second is ownership clarity. Every task has an owner, and the deployments that stall are the ones that blur the line between the three kinds of owner at exactly the moment a decision is required. The gate conditions above are written the way they are — naming the CISO, the executive sponsor, the security team — precisely because those are the decisions that cannot be delegated to the delivery partner and cannot be left ambiguous without stalling the whole deployment at the gate.
Discipline 1: Testing -- Embedded in Every Phase
Foundation
Smoke tests
Pilot
Acceptance + prompt regression
Hardening
Penetration + load
Rollout
Wave validation
Optimization
Model-upgrade regression
A deployment that defers testing to a single hardening pass discovers all problems at once, when they are most expensive to fix.
Discipline 2: Ownership Clarity -- Three Columns, Not One
Delivery Partner
- MCP server builds
- Integration code
- Prompt engineering
- Technical architecture
Client Only
- CISO sign-off
- Executive budget approval
- Security team pentest
- Compliance attestation
Joint
- Use case selection
- Pilot scope definition
- Rollout sequencing
- QBR evaluation
Deployments that blur these columns stall at exactly the moments that require a decision nobody clearly owns.
The Full Series
Each phase has a deep-dive with the operational detail this guide summarizes: the tasks in full, the failure modes, and the illustrative scenario that shows what the skipped gate actually costs. Read them in order for the complete picture, or jump to the phase you are standing in right now.
The Full Series — Every Deep-Dive
Start anywhere, read in orderSix Phases and the Gates Between Them →
The map at altitude: why deployments fail on sequencing, not technology.
Discovery and Assessment →
The two weeks that determine everything. Nine tasks, and the three that get skipped.
Foundation and Access Layer →
The infrastructure nobody wants to build — and everything above it depends on.
Pilot Implementation →
Building use cases that earn the right to scale. Fourteen tasks, a five-condition gate.
Hardening and Compliance →
The phase everyone wants to skip: pentest, PII, load, and the CISO sign-off.
Enterprise Rollout →
Why the big-bang launch fails even when the technology works. The wave model.
Optimization and Evolution →
The phase that doesn't end, and the gate that repeats every quarter, forever.
Where to Start
If you are at the beginning, start at Phase 1, and resist the pull to skip it because it feels like overhead. Discovery is two weeks that saves two quarters. If you are already somewhere in the middle, the more useful exercise is to look backward: find the most recent gate behind you and ask whether it was actually met or merely declared met under deadline pressure. The failure you are worried about downstream is usually a gate that was softened upstream.
The single most common reason enterprise Claude deployments fail is that someone treated a load-bearing phase as optional and only found out which one it was after it was too late to put it back. The roadmap does not make the work shorter. It makes the sequence explicit, so the phase that gets skipped is a deliberate, owned decision rather than an accident discovered two phases too late.
Work with Riptide
Ready to put a governance framework behind your Claude deployment?
Our Claude Enterprise Readiness Assessment maps your file structure, permissions model, and MCP surface in three weeks.
Book a discovery callAndrew Poole
Founder of Riptide Consulting, an Anthropic-first AI engineering firm based in Carlsbad, CA. Building the intelligence layer for enterprise and growth-stage companies on the Anthropic platform.