AI Strategy

Phase 2: Foundation and Access Layer - The Infrastructure Nobody Wants to Build

Three months into a Claude deployment, a governance review can freeze everything: a CISO asks who accessed which models, which unit spent what, and whether MFA is actually enforced, and nobody can answer. Inside Phase 2 of the enterprise deployment roadmap: eleven tasks, six groups, and the foundation work that determines whether everything built on top of it survives.

AP
Andrew Poole
··11 min read

Three months into a Claude deployment, a team gets frozen.

Not by a technical failure. By a governance review. A CISO asks three questions: which employees had accessed which Claude models, which business unit had spent what on API calls, and whether multi-factor authentication was actually being enforced across the deployment. The answers come back: we do not know, we cannot tell, and probably not for everyone.

The deployment is not insecure in a dramatic way. It is ungoverned in a quiet way. Individual developers hold direct API keys. There is no gateway to route through. Cost attribution is a spreadsheet someone updates manually when they remember to. The SSO integration exists, but MFA enforcement was never validated for all role types.

The review puts the deployment on hold pending a governance remediation that should have been the starting point. Weeks of use case work get paused while the foundation is rebuilt underneath it. When the teams go back to their use cases, half of the prompt work needs to be redone because the production routing config and caching behavior changed the effective context.

That is what Foundation deferral costs. Not a clean rework. A messy one, at a moment when momentum has already peaked.

This is the second deep-dive in the series on the enterprise Claude deployment roadmap. Phase 1 covered discovery and assessment. This one covers Phase 2: the eleven tasks that build the infrastructure layer before any use case code is written. Weeks three through five, twelve to fifteen working days.

The pillar piece named the failure mode plainly: teams build use cases first because use cases are visible and infrastructure is not. Phase 2 is the remedy. Every task here produces a component that something in Phase 3, 4, or 5 depends on. Skip or compress any of them and the dependency shows up broken later, at a point when the cost to fix it is higher and the organizational will to absorb a delay is lower.

The eleven tasks organize into six groups. They are not independent. The sequencing matters.

Phase 2 -- Eleven Tasks

Weeks 3 -- 5
2.1

Enterprise Workspace Provisioning

Identity
DEVSTAGINGPRODisolated key rotation
2.2

SSO Integration

Access
IdPSAML / OIDCWorkspaceMFA enforced
2.3

RBAC Policy Design

Access
Workspace AdminTeam AdminDeveloperKnowledge WorkerRead-Only
2.4

API Gateway

Control Plane
/v1/messages
/v1/messages/batches
/v1/messages/count_tokensfrequently missed
2.5

Model Routing Rules

Control Plane
DefaultSonnet 4.6
Complex reasoningOpus
Classification / volumeHaiku
2.6

Prompt Caching Configuration

Control Plane
70%+ target

90% cost reduction on cached input tokens

2.7

Cost Allocation

Visibility
80%
Alert
100%
Ceiling
budget thresholds per team
2.8

Observability Stack

Visibility
Request volume
Latency p50/95/99
Error rate by type
Cost per request
2.9

Acceptable Use Policy

Policy
Data classification
Prohibited use cases
PII handling
Output review
Incident escalation
2.10

End-to-End Smoke Test

Gate
SSO authAPI callGatewayLogsCost attr.all pass
2.11

RBAC Test Matrix

Gate
APIUIAdmin
Adminpasspasspass
Developerpasspassdeny
KWpassdenydeny
Read-Onlypassdenydeny
Pitfall

The most skipped tasks: direct API keys instead of a gateway, logging disabled because it is faster, and RBAC flattened to developer access for everyone. All three become governance crises in Phase 4.

2.1: Enterprise Workspace Provisioning

The starting point for everything else. The Claude Enterprise workspace gets created: org name, admin users, data retention policy, initial API keys for development, staging, and production environments. Three separate key environments, not one shared key rotated across contexts.

The data retention decision is not administrative. It has compliance implications set in Phase 1, Task 1.4. If the regulatory requirements mapping identified a ninety-day retention limit, that gets configured here. If the organization's legal hold requirements mandate longer retention, that gets configured here. A default setting chosen for convenience that conflicts with the compliance requirement will require a workspace reconfiguration later, and workspace reconfiguration in a live enterprise environment is not trivial.

The three-key environment structure is the thing most teams skip in favor of one key that developers share. The reason to separate them is that you cannot rotate a production key without disrupting development work if they are the same key. Separation is a one-time decision that prevents a recurring operational problem.

2.1 -- Three API Key Environments

Required from day one
DEV
  • --Exploratory builds
  • --No production data
  • --Key rotatable anytime
STAGING
  • --Integration testing
  • --Synthetic data only
  • --Matches prod config
PROD
  • --Live user traffic
  • --Separate rotation cycle
  • --Audit-logged access

One shared key means you cannot rotate production without disrupting development. Separation is a one-time decision that prevents a recurring operational problem.

2.2: SSO Integration

SSO connects the organization's identity provider (Okta, Azure AD, Google Workspace) to the Claude workspace via SAML or OIDC. IdP groups map to Claude workspace roles. MFA enforcement gets enabled and validated. The login flow gets tested before any end users touch it.

2.2 -- SSO Login Flow

Tested before users onboard
1

User requests access

Browser → Identity Provider

2

IdP authenticates

SAML or OIDC assertion issued

3

MFA enforced

All role types, no exceptions

4

IdP group resolved

Group membership read at login

5

Claude role assigned

Group maps to workspace role

6

Session established

Scoped to assigned role

Pitfall

Validating that MFA actually enforces for all role types is the step most teams skip. The smoke test in Task 2.11 is what catches it.

2.3: RBAC Policy Design

The RBAC design defines five roles: workspace admin, team admin, developer (API access plus Claude Code), knowledge worker (Claude.ai only), and read-only. Each role maps back to an IdP group so that role changes happen in the IdP and propagate automatically rather than requiring manual seat management.

The failure mode here is compression in the wrong direction. Two things happen when teams rush RBAC: first, everyone gets developer access because it is easier to grant broad permissions than to design the actual role hierarchy. Second, the escalation path for role changes never gets documented, which means role changes later require finding whoever did the original setup and asking them to handle it manually. Neither of these is catastrophic immediately. Both become operational debt that compounds over the length of the deployment.

The validation for these two tasks is Task 2.11: a test matrix that verifies every role type can do what it should be able to do and cannot do what it should not. Not 'does SSO work for a developer account' but 'does a knowledge worker correctly get denied API access, does MFA actually enforce for all role types, and does an IdP group change propagate to the workspace within the expected window.' That test matrix is the evidence the security team needs to sign the Phase 2 gate.

2.3 -- Five-Role Permission Model

Mapped to IdP groups
RoleAPI AccessClaude.aiClaude CodeAdmin
Workspace AdminYesYesYesYes
Team AdminYesYesYesTeam
DeveloperYesYesYesNo
Knowledge WorkerNoYesNoNo
Read-OnlyNoViewNoNo
Pitfall

The escalation path for role changes must be documented here. If it is not written down, role changes require finding whoever did the original setup and asking them to handle it manually.

2.4: API Gateway

The gateway is the most important infrastructure component in the entire six-phase deployment. It is also the one most likely to be replaced by a workaround.

The workaround is direct API keys distributed to developers. It works at low scale and early in a deployment. It fails when you need to answer the CISO's questions from the opening of this article.

The gateway needs to handle five things: API key management and rotation for the production key, request logging with configurable detail level (some use cases cannot log request content because of data sensitivity), response logging with the same configurability, cost tagging by team and project, and routing to the correct model and endpoint. Routes required are /v1/messages, /v1/messages/batches, and /v1/messages/count_tokens. The last one is frequently missed and surfaces as a problem when teams add token counting to their applications in Phase 3 and discover the gateway does not handle that route.

2.4 -- API Gateway: Five Required Capabilities

All five, not four
1

Key rotation

Production key managed and rotated without disrupting dev environments

2

Request logging

Configurable per use case -- off for data-sensitive workloads

3

Response logging

Same configurability as request logging, on by default

4

Cost tagging

Every request tagged with team and project before it reaches the API

5

Route coverage

/v1/messages, /v1/messages/batches, /v1/messages/count_tokens

Pitfall

The /v1/messages/count_tokens route is the one teams miss. It surfaces as a broken feature in Phase 3 when applications add token counting and discover the gateway rejects the route.

2.5: Model Routing Rules

Model routing rules live in the gateway, not in application code. The default is Sonnet 4.6 at medium effort for any request that does not specify otherwise. Override rules route complex reasoning workloads to Opus and classification or high-volume workloads to Haiku. Deprecated model versions get blocked rather than silently falling through to an alias that may change behavior without notice. This logic does not belong in ten different application codebases. It belongs in one place that can be updated once and affects the entire deployment.

2.5 -- Model Routing Logic

Defined once in the gateway

Default (no override)

Any requestSonnet 4.6 at medium effort

Override rules

Complex reasoning workloadsOpus
Classification or high-volumeHaiku
Deprecated model versionBLOCKED

Routing logic belongs in one gateway, not in ten application codebases. Updating the rule once affects the entire deployment.

2.6: Prompt Caching Configuration

Prompt caching is the most consistently underused cost control mechanism in enterprise Claude deployments. The setup is straightforward: identify system prompts that are shared across use cases, place cache_control breakpoints at the appropriate positions, and measure cache hit rates in the development environment. The target is 70 percent or higher on system prompt tokens, which translates to roughly 90 percent cost reduction on those tokens. A deployment that skips this step and runs for six months pays substantially more than necessary and then has to retrofit caching into a live system, which requires prompt restructuring and regression testing against existing evaluation baselines.

2.6 -- Prompt Caching: Cost Impact

Target: 70%+ hit rate

Without caching

Request 1

System prompt
User

Request 2

System prompt (again)
User

Full price every request

With caching

Request 1

System prompt (cached)
User

Request 2+

90% cheaper
User

90% cost reduction on cached tokens

Place cache_control breakpoints on shared system prompts. Measure hit rates in development before production cutover.

70%+ target

2.7: Cost Allocation

Cost allocation connects the Anthropic Analytics API to the organization's cost tracking. The output is a weekly report showing spend by workspace, team, project, and model. Budget thresholds per team with alerts at eighty percent and one hundred percent of budget. The alert at eighty percent matters more than the alert at one hundred. By the time a team has hit their budget ceiling, the work is done and the spend is real. The eighty percent alert creates a conversation before the overage, not after.

2.7 -- Cost Allocation: Weekly Report Structure

Budget alerts at 80% and 100%

Report dimensions

By workspace
By team
By project
By model (Sonnet / Opus / Haiku)

Budget thresholds per team

80% -- Alertconversation before overage
100% -- Ceilingspend already real

The 80% alert is what matters. By 100% the work is done.

2.8: Observability Stack

The observability stack configures OpenTelemetry export from the gateway into the organization's existing APM tool (Datadog, New Relic, Grafana, or equivalent). Four dashboards at minimum: request volume over time, latency at p50, p95, and p99, error rate broken out by error type, and cost per request by model and team. These are not vanity metrics. The latency histogram is how you detect when a use case is silently degrading. The error rate breakdown is how you distinguish an Anthropic API issue from a gateway configuration problem from an application bug. The cost per request trend is how you catch prompt regressions before they appear in the monthly bill.

2.8 -- Observability: Four Required Dashboards

OpenTelemetry export

Request Volume

req/min over time

Detect usage spikes and off-hours activity

Latency

p50 / p95 / p99

Detect silent quality degradation

Error Rate

by error type

Distinguish API vs gateway vs app errors

Cost per Request

by model and team

Catch prompt regressions before the bill

These are not vanity metrics. Each one has a specific operational use. Teams that skip observability discover problems on the monthly bill rather than in the dashboard.

2.9: Acceptable Use Policy

This task is owned jointly, but the delivery partner owns ensuring it gets done. It is the task most likely to slip because it requires a cross-functional conversation involving legal, HR, and IT, and nobody wants to facilitate that conversation.

The AUP has to specify five things: what data classifications are permitted in Claude requests (this is the direct output of Phase 1, Task 1.3, turned into a policy statement), what use cases are prohibited, how PII must be handled before it is included in a request, what the output review requirements are for any Claude-generated content that will be sent to external parties, and how incidents get reported and escalated.

The failure mode is not having an AUP and then having an incident. The second failure mode is having an AUP that nobody has read because it was published in a SharePoint folder and never referenced during onboarding. The AUP gets built into the Phase 5 onboarding flow, the rollout training materials, and the Claude.ai workspace welcome message. If it exists only as a document, it does not function as governance.

2.9 -- Acceptable Use Policy: Five Required Specifications

Cross-functional: legal, HR, IT
1

Data Classification

Which data tiers are permitted in Claude requests. Directly outputs from Phase 1 Task 1.3.

2

Prohibited Use Cases

Explicitly named use cases the organization will not support, regardless of technical feasibility.

3

PII Handling

How personally identifiable information must be treated before it is included in a Claude request.

4

Output Review Requirements

Which Claude-generated outputs require human review before being sent to external parties.

5

Incident Escalation

How AI-related incidents are reported, who is notified, and what the response process is.

Pitfall

An AUP that exists only as a SharePoint document does not function as governance. It must be built into Phase 5 onboarding and the Claude.ai workspace welcome message.

2.10: End-to-End Smoke Test

The smoke test is the gate condition in operational form. A developer authenticates through SSO, receives an API key scoped to their role, sends a request through the gateway, receives a response, and the team verifies that logs appeared in the observability stack and cost attributed correctly to the developer's team. This test is documented with expected results written down before the test runs. It is not a manual click-through. It is a repeatable test case that gets run again after any infrastructure change and again at the start of Phase 3.

2.10 -- End-to-End Smoke Test

Documented before the test runs
1

Authenticate via SSO

Role-scoped API key received

2

Send request through gateway

Response returned successfully

3

Verify log entry

Appears in observability stack

4

Verify cost attribution

Tagged to developer's team

Not a manual click-through. A repeatable test case with expected results written before execution. Run again after any infrastructure change and at the start of Phase 3.

2.11: RBAC Test Matrix

The RBAC test matrix covers every role type attempting every operation. The test records both the operations that should succeed and the operations that should fail. A knowledge worker attempting an API call should get a clean denial with an appropriate error message, not a silent failure or an unexpected success. An admin changing an IdP group should see the change propagate to workspace roles within a defined window. MFA should be enforced for all role types without exception.

Both tests need to produce written evidence. Not screenshots of a successful login. Documented test cases with expected results, actual results, and pass or fail determinations. That documentation is what the security team signs against at the Phase 2 gate.

2.11 -- RBAC Test Matrix

Written evidence for gate sign-off
RoleAPI CallClaude.aiAdmin PanelRole Change
Workspace Adminpasspasspasspass
Team Adminpasspassteamteam
Developerpasspassdenydeny
Knowledge Workerdenypassdenydeny
Read-Onlydenyviewdenydeny

A knowledge worker attempting an API call should receive a clean denial with an appropriate error message -- not a silent failure or an unexpected success. Both are failures of the test.

The Gate

Four conditions, all required.

The security team validates SSO and RBAC using the test matrix evidence from Task 2.11. The platform team confirms the API gateway is routing correctly and the observability stack is capturing data. Finance confirms cost tracking is attributing spend to the correct teams. The first real API request traverses the production path end to end: authenticated, through the gateway, logged, cost-attributed, and with the response confirmed in the application.

That last condition is specific. Not 'the gateway is deployed and we believe it works.' A named request, through the production path, with the log entry and cost attribution record as evidence. That specificity is what separates a genuine gate from a checkbox.

Without all four conditions met, Phase 3 does not start. Phase 3 builds use cases against the foundation. If the foundation is not verified, use case work built on top of it inherits every assumption that turned out to be wrong, and those wrong assumptions do not surface until Phase 4, when fixing them requires putting use case code into maintenance mode while the infrastructure underneath it is corrected.

Phase 2 -- Foundation and Access Layer

Before use cases
1

SSO and RBAC

Authentication and role-based access before the first user touches anything.

Identity
2

API Gateway

Cost attribution, logging, and routing rules across all Claude workloads.

Control Plane
3

Model Routing Rules

Which model, at what tier, for which use case. Defined in policy, not ad hoc.

Governance
4

Acceptable Use Policy

Written, approved, and distributed before the first real request.

Policy
5

Observability

Latency, cost, error rate, and audit trail visible from day one.

Visibility

Gate: security team validates controls + first real request flows end-to-end, authenticated, logged, cost-attributed

Pitfall

Building use cases before foundation means no cost attribution, no audit trail, and a governance freeze six months later when finance and security finally ask questions.

What Gets Deferred and Why

Three tasks see the most pressure in Phase 2.

The API gateway gets replaced by direct keys because the gateway requires infrastructure work that delays the first working API call by several days. The delay is real. The cost is paid in Phase 4 when the governance review happens and the questions the CISO asks cannot be answered.

Response logging gets disabled because someone on the client team is concerned about sensitive data appearing in logs, and disabling logging is faster than configuring per-use-case logging rules. The correct solution is configurable logging that is on by default and disabled selectively for sensitive use cases. The shortcut is no logging, which means the observability stack has request volume and latency but no way to debug a quality regression or investigate a potential data incident.

RBAC gets flattened because the role hierarchy design conversation takes longer than expected and everyone needs access before the conversation concludes. Everyone gets developer access as a temporary measure that becomes permanent. The escalation path for role changes never gets documented. Six months later the deployment has no meaningful access control because the structure was never built.

Phase 3, Pilot Implementation, opens next. It is where the use cases get built against the foundation Phase 2 creates, where the MCP servers that connect Claude to internal systems get constructed, and where the evaluation frameworks that determine whether the pilot has earned the right to move to hardening get established. The Phase 3 gate is the most demanding in the deployment: it requires value confirmation, security approval, and cost alignment, all three, before Phase 4 begins. Next in the series: what that build actually looks like across fourteen tasks.

Work with Riptide

Ready to put a governance framework behind your Claude deployment?

Our Claude Enterprise Readiness Assessment maps your file structure, permissions model, and MCP surface in three weeks.

Book a discovery call
AP

Andrew Poole

Founder of Riptide Consulting, an Anthropic-first AI engineering firm based in Carlsbad, CA. Building the intelligence layer for enterprise and growth-stage companies on the Anthropic platform.