CSNYC Build Day

United Governance Sherpa

An AI-guided intake and case-management platform that helps compliance officers at regulated enterprises route, review, and audit governance decisions across data, AI, and privacy domains.

Author: Will Van Der Wey
Firm: Campana & Schott
Submitted: April 8, 2026
Status: Selected

United Governance Sherpa — Product Design Spec

Author: Will Van Der Wey, Campana & Schott
Date: April 8, 2026
Status: Ready for Build Day
Build Day Team: TBD (1 builder + 4 non-builder roles)


1. Problem Statement

  1. Business teams submit governance requests into a black box. In regulated industries like pharma, a marketing manager who wants to launch an AI-powered HCP targeting tool has no idea which governance domains apply, what evidence is required, or how long approval will take. They email a compliance contact, get partial guidance, and wait weeks — often restarting the process when they learn a second or third review body also needs to weigh in. At a company like GSK, this adds 20–40 days to initiative timelines and forces business sponsors to budget 15–25% of project hours just for governance navigation.

  2. Governance reviewers (SMEs) spend more time chasing information than making decisions. Subject-matter experts in Data Governance, AI Governance, and Disclosure Authorization Committees receive incomplete, unstructured submissions and must conduct multiple rounds of back-and-forth clarification before they can evaluate risk. Across a portfolio of 50+ active cases, reviewers estimate that 60% of their time goes to administrative intake triage rather than substantive risk assessment.

  3. Cross-domain dependencies are invisible until they cause delays. A single initiative — say, using a third-party data vendor's HCP data in a machine learning model — can trigger reviews from Data Governance, AI Governance, Privacy, and Medical Affairs simultaneously. But because each domain operates in its own silo with its own intake form, no one sees the full dependency map. Cases stall when one domain's approval is blocked waiting on another domain's ruling that nobody knew was required.

  4. Governance decisions lack audit trails, creating regulatory exposure. When a regulator or internal auditor asks "why was this initiative approved, by whom, and based on what policy?", the answer is scattered across emails, SharePoint folders, and meeting minutes. There is no single source of truth linking the submission, the applicable rules, the reviewer's rationale, and the evidence considered. In life sciences — where 71% of companies now use generative AI but only 53% actively mitigate AI risks — this gap is a ticking compliance liability.

The deeper structural problem is that governance at most large enterprises was designed for a slower era. Organizations have dozens of overlapping governance domains, each with its own process, its own forms, and its own tribal knowledge. As AI and data initiatives accelerate, governance becomes the bottleneck — not because the rules are wrong, but because nobody has built the connective tissue between business intent, governance rules, and human decision-making. That connective tissue is what United Governance Sherpa provides.


2. Product Concept

One-sentence pitch

United Governance Sherpa is an AI-guided intake and case-management platform that turns a business team's vague initiative idea into a structured, rule-evaluated governance submission — and gives reviewers, chairs, and rule stewards the tools to decide, track, and maintain governance at enterprise scale.

How it works

The consultant (or client user) opens the Sherpa intake portal and describes their initiative in plain language — for example, "We want to use a third-party vendor's HCP prescribing data in a GenAI model for oncology targeting." The AI Sherpa, a bounded conversational agent, begins asking adaptive questions one at a time: What data types are involved? Is there a third-party vendor? Does this involve AI/ML? Will humans review outputs before they influence decisions? Each answer triggers governance rules from a deterministic rule engine behind the scenes — if the user mentions PII, rule DG-001 fires; if they mention a third-party vendor, rule DG-002 fires and requests a vendor privacy assessment.

As the conversation progresses, a live "Case Card" builds in a right-hand pane: an AI-generated executive summary reframed in governance language, a structured data elements table, a risk tier (Low/Medium/High) with triggered rules explained in plain English, an evidence checklist showing what's been provided and what's still missing, and a routing preview showing which reviewers and forums will need to weigh in with an estimated timeline to decision. After 8–12 questions, the business owner reviews the assembled Case Card and clicks Submit.

The case then appears in the SME Reviewer's Decision Workbench — a three-column interface showing the case queue, the full decision packet (with AI recommendation, confidence score, and cited policy sources), and a mandatory decision form. The reviewer selects an action (Approve, Approve with Conditions, Request Clarification, Escalate, or Reject), writes a mandatory rationale, and submits. If their decision differs from the AI recommendation, the system captures the override and the reasoning.

A Forum Chair sees all active cases in an operations dashboard with SLA indicators, cross-domain dependencies, and batch tools for building meeting agendas. A Rule Steward manages the governance rule inventory, source document registry, and can test rule changes against historical cases using a replay harness — all without writing code.

The client sees a calm, professional governance tool. The AI handles the connective tissue. Humans own every decision.
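The two controls behind "humans own every decision", as an added example rather than the spec's own code: the agent's tool calls pass through an allowlist gate that logs every call and refuses anything outside its CAN list (section 4), and a reviewer decision must carry a rationale and is recorded as an override whenever it departs from the AI recommendation. Tool names, the audit-entry shape and the sample case are assumptions.

```typescript
// Added example, not the spec's own code. The CAN/CANNOT split, the five decision
// actions, the mandatory rationale and the override capture follow the spec; tool
// names, the audit-entry shape and the sample case are assumptions.

// Tools the orchestration agent CAN call. Approving a case, editing the rule
// inventory or bypassing escalation are simply absent from this list.
const AGENT_TOOLS: string[] = ["parse_intake", "ask_followup", "evaluate_rules", "retrieve_policy", "assemble_packet"];

interface AuditEntry {
  seq: number;                      // monotonic, so a missing entry is detectable
  actor: string;                    // "agent" or a reviewer id
  event: string;
  detail: Record<string, unknown>;
}
const auditLog: AuditEntry[] = [];

function audit(actor: string, event: string, detail: Record<string, unknown>): void {
  auditLog.push({ seq: auditLog.length + 1, actor, event, detail });
}

// Every agent tool call passes through here: refused calls are logged and never
// executed; allowed calls are logged with tool, input and output, as the spec requires.
function agentCall(tool: string, input: unknown, run: (i: unknown) => unknown): { ok: boolean; output?: unknown } {
  if (AGENT_TOOLS.indexOf(tool) < 0) {
    audit("agent", "tool_refused", { tool, input });
    return { ok: false };
  }
  const output = run(input);
  audit("agent", "tool_called", { tool, input, output });
  return { ok: true, output };
}

type Action = "Approve" | "Approve with Conditions" | "Request Clarification" | "Escalate" | "Reject";
const ACTIONS: string[] = ["Approve", "Approve with Conditions", "Request Clarification", "Escalate", "Reject"];

interface Decision {
  caseId: string; reviewer: string; action: Action; rationale: string;
  aiRecommendation: Action;
  override: boolean;                // reviewer departed from the AI recommendation
}

// The mandatory decision form: one of the five actions, a non-empty rationale, and
// an override flag plus audit entry whenever the human disagrees with the AI.
function recordDecision(caseId: string, reviewer: string, aiRecommendation: Action,
                        action: string, rationale: string): Decision {
  if (ACTIONS.indexOf(action) < 0) throw new Error("unknown decision action: " + action);
  if (rationale.trim().length === 0) throw new Error("rationale is mandatory");
  const decision: Decision = {
    caseId, reviewer, action: action as Action, rationale,
    aiRecommendation, override: action !== aiRecommendation,
  };
  audit(reviewer, decision.override ? "decision_override" : "decision",
        { caseId, action, aiRecommendation, rationale });
  return decision;
}

// Constructed walkthrough: the agent evaluates rules, is refused when it tries to
// approve, and the human reviewer records a conditional approval that overrides the AI.
function demo(): { refused: boolean; decision: Decision; entries: number } {
  agentCall("evaluate_rules", { signals: ["pii", "third_party_vendor"] }, () => ["DG-001", "DG-002"]);
  const refused = !agentCall("approve_case", { caseId: "CASE-0007" }, () => "approved").ok;
  const decision = recordDecision("CASE-0007", "sme.data-gov", "Approve", "Approve with Conditions",
    "Vendor privacy assessment is two years old; require a refreshed assessment before go-live.");
  return { refused, decision, entries: auditLog.length };
}

const result = demo();
```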

The strategic play

The initial engagement is an 8-week pilot buildout ($250K–$400K) scoped to 2–3 governance domains — enough to prove the concept and demonstrate measurable cycle-time reduction. But the real revenue engine is what comes after: a managed-service subscription ($8K–$15K/month) where Campana & Schott maintains the rule inventory, tunes the AI retrieval quality, onboards new governance domains, and provides quarterly governance health reports. Every new domain added (Privacy, Legal, Ethics, ESG) deepens the switching cost and expands the contract. Because the platform accumulates governance precedent data over time, the AI recommendations get better with use — creating a compounding data moat that makes replacing the vendor increasingly painful. The long-term play is a multi-tenant SaaS platform serving regulated industries (pharma, financial services, healthcare) at $50K–$150K ARR per client.


3. Target Buyer

Primary buyer

Chief Compliance Officer or VP of Governance / Risk at a large regulated enterprise (pharma, financial services, healthcare). Their title varies — it might be "Head of Data Governance," "VP of AI Ethics & Governance," or "Director of Commercial Compliance" — but the pain is the same: they are accountable for governance rigor across accelerating AI and data initiatives, and their current toolkit is SharePoint lists, email threads, and quarterly committee meetings. They feel the pain of audit findings, regulatory scrutiny, and frustrated business teams who view governance as an obstacle.

What they do today

They rely on a patchwork of manual processes: intake forms in SharePoint or ServiceNow that capture only surface-level information, email-based routing to domain-specific reviewers, and meeting-based decision-making where cases are discussed serially at monthly or bi-weekly forums. A single governance review takes 20–40 business days. The cost is both direct (reviewer hours, administrative coordination) and indirect (delayed product launches, missed market windows, business teams learning to avoid governance entirely).

Why they would pay

The platform delivers three things they cannot get from their current approach: (1) structured, rule-driven intake that eliminates 60% of back-and-forth clarification cycles, (2) cross-domain visibility that prevents the "surprise dependency" delays that add weeks to timelines, and (3) a complete audit trail that links every governance decision to the applicable policy, the evidence considered, and the reviewer's rationale — exactly what regulators expect. A CCO would pay $8K–$15K/month to cut governance cycle time in half and have audit-ready decision records at their fingertips.

Secondary beneficiary

Business initiative owners (product managers, marketing leads, data science team leads) who today dread the governance process. They benefit from a guided, transparent intake experience that tells them exactly what's needed, why, and how long it will take — transforming governance from a black box into a predictable, navigable process. Faster approvals mean faster time-to-market for their initiatives.


4. Architecture

Input Layer

Data enters the system through a web-based conversational intake interface — a two-pane layout where the left pane shows the AI Sherpa asking adaptive questions and the right pane shows the Case Card building in real time. The Sherpa uses a bounded conversational flow (8–12 questions) that adapts based on the user's answers: mentioning "third-party vendor" triggers vendor-specific follow-ups; mentioning "AI/ML" triggers model risk questions. Users can also attach supporting documents (vendor assessments, data flow diagrams, privacy impact assessments) that get linked to the case as evidence. No integrations are required for the hackathon — the intake portal is the sole entry point.

Transform Layer (Core IP)

This is where the defensible intellectual property lives. The system uses a three-layer AI architecture:

  1. Deterministic Rule Plane: A codified inventory of 15–20 governance rules (e.g., "DG-001: Data classification review required for any initiative involving PII or PHI," "AI-001: AI/ML models processing patient data require Medical Affairs review"). Each rule has structured conditions (trigger signals from intake), required evidence, accountable reviewers, and routing outcomes. Rules are evaluated deterministically — no probabilistic AI involved in deciding which rules apply. This ensures consistency and auditability.

  2. Bounded Orchestration Agent: A single LLM-powered agent (Claude via API) with an explicit, constrained tool set. The agent CAN: parse intake responses, ask adaptive follow-up questions, call the rule evaluation service, retrieve approved policy documents via RAG, assemble structured decision packets, and log all actions. The agent CANNOT: approve cases, invent policy, alter the rule inventory, bypass escalation, or expose internal reasoning. Temperature is set low (0.1–0.2) for consistency. Every agent action is logged with the tool called, inputs provided, and output returned.

  3. Governed Evidence Plane: A RAG pipeline over a curated registry of 8–10 authoritative source documents (governance policies, SOPs, charters) with full metadata: document title, version, effective date, specific section cited, and content snippet. The system will not cite superseded or unapproved documents. Every AI recommendation includes traceable citations back to specific policy sections. Skills/Gems anchor the Sherpa's conversational behavior to governance-appropriate language and adaptive question flows.
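As an added example (not the spec's or the project's code), a minimal version of the rule plane and the governed citation lookup described above, in TypeScript as the hackathon stack calls for. The DG-001, DG-002 and AI-001 wording is the spec's; signal names, evidence and reviewer names, document ids, versions, dates and risk weights are assumptions.

```typescript
// Added example, not the spec's own code: a deterministic rule plane over JSON-style
// rule objects plus a governed citation lookup that refuses superseded, draft or
// not-yet-effective policy versions. Rule wording follows the spec; signal names,
// evidence, reviewers, document ids, versions, dates and risk weights are assumptions.
interface Condition { anyOf?: string[]; allOf?: string[] }  // intake signals that fire a rule
interface GovernanceRule {
  id: string; title: string; when: Condition; evidence: string[];
  reviewers: string[]; sources: string[]; riskWeight: number;  // weights sum into the tier
}
interface SourceDoc {
  id: string; title: string; version: string; section: string;
  effectiveDate: string; status: "approved" | "superseded" | "draft";  // ISO date, string-compared
}
const RULES: GovernanceRule[] = [
  { id: "DG-001", title: "Data classification review required for any initiative involving PII or PHI",
    when: { anyOf: ["pii", "phi"] }, evidence: ["data classification record"],
    reviewers: ["Data Governance"], sources: ["POL-DATA-CLASS"], riskWeight: 2 },
  { id: "DG-002", title: "Third-party vendor data requires a vendor privacy assessment",
    when: { allOf: ["third_party_vendor"] }, evidence: ["vendor privacy assessment"],
    reviewers: ["Data Governance", "Privacy"], sources: ["POL-VENDOR-PRIV"], riskWeight: 2 },
  { id: "AI-001", title: "AI/ML models processing patient data require Medical Affairs review",
    when: { allOf: ["ai_ml", "patient_data"] }, evidence: ["model risk summary"],
    reviewers: ["AI Governance", "Medical Affairs"], sources: ["SOP-AI-MED"], riskWeight: 3 },
];

// Constructed registry: POL-VENDOR-PRIV has a superseded v1.0 and an approved v2.0.
const REGISTRY: SourceDoc[] = [
  { id: "POL-DATA-CLASS", title: "Data Classification Policy", version: "3.1", section: "4.2", effectiveDate: "2025-01-15", status: "approved" },
  { id: "POL-VENDOR-PRIV", title: "Third-Party Data Policy", version: "1.0", section: "2", effectiveDate: "2022-06-01", status: "superseded" },
  { id: "POL-VENDOR-PRIV", title: "Third-Party Data Policy", version: "2.0", section: "3.1", effectiveDate: "2025-09-01", status: "approved" },
  { id: "SOP-AI-MED", title: "AI in Medical Contexts SOP", version: "1.2", section: "6", effectiveDate: "2024-11-01", status: "approved" },
];

const has = (xs: string[], s: string) => xs.indexOf(s) >= 0;
const uniq = (xs: string[]) => xs.filter((x, i) => xs.indexOf(x) === i);
// Applicability is a pure function of the intake signals; no LLM is consulted here.
function matches(c: Condition, signals: string[]): boolean {
  return (!c.anyOf || c.anyOf.some((s) => has(signals, s))) &&
         (!c.allOf || c.allOf.every((s) => has(signals, s)));
}

// Newest approved version in effect on `asOf`, or null when only superseded, draft or
// future versions exist. A null is surfaced to the Rule Steward, never silently dropped.
function cite(docId: string, asOf: string): string | null {
  const usable = REGISTRY
    .filter((d) => d.id === docId && d.status === "approved" && d.effectiveDate <= asOf)
    .sort((a, b) => (a.effectiveDate < b.effectiveDate ? 1 : -1));
  const d = usable[0];
  return d ? d.title + " v" + d.version + " section " + d.section + " (effective " + d.effectiveDate + ")" : null;
}

interface CaseCard {
  triggered: string[]; evidence: string[]; reviewers: string[]; citations: string[];
  uncitable: string[];  // rules whose source has no approved version in effect
  riskTier: "Low" | "Medium" | "High";
}
function evaluate(signals: string[], asOf: string): CaseCard {
  const fired = RULES.filter((r) => matches(r.when, signals));
  const citations: string[] = [], uncitable: string[] = [];
  fired.forEach((r) => r.sources.forEach((src) => {
    const c = cite(src, asOf);
    if (c) citations.push(r.id + ": " + c); else uncitable.push(r.id);
  }));
  const weight = fired.reduce((w, r) => w + r.riskWeight, 0);
  const pluck = (f: (r: GovernanceRule) => string[]) => uniq(fired.reduce((a, r) => a.concat(f(r)), [] as string[]));
  return {
    triggered: fired.map((r) => r.id), evidence: pluck((r) => r.evidence),
    reviewers: pluck((r) => r.reviewers), citations, uncitable: uniq(uncitable),
    riskTier: weight >= 5 ? "High" : weight >= 2 ? "Medium" : "Low",
  };
}

// The spec's scenario (third-party HCP data in a GenAI model) with constructed intake signals.
const card = evaluate(["pii", "third_party_vendor", "ai_ml", "patient_data"], "2026-04-08");
```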

Display Layer

Four role-optimized workspaces:

  1. Business Owner — Guided Intake: Two-pane conversational interface with live Case Card assembly (initiative summary, data elements table, risk indicators, evidence checklist, routing preview with timeline estimate).
  2. SME Reviewer — Decision Workbench: Three-column layout with case queue, decision packet (AI recommendation with confidence score, policy citations, flagged gaps), and mandatory decision form with override tracking.
  3. Forum Chair — Operations Console: KPI dashboard (cases in pipeline, average cycle time, SLA status), sortable case table with traffic-light SLA indicators, batch "Add to Agenda" operations, and cross-domain dependency views.
  4. Rule Steward — Rule Governance: Searchable rule library with visual condition editor, source document registry, decision inventory taxonomy, rule-to-intake mapping view, override hotspot log, and replay harness for testing rule changes against historical cases.
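As an added example (not the spec's or the project's code), a minimal replay harness of the kind item 4 describes: a proposed rule change is re-evaluated over historical cases and every case whose triggered-rule set would change is reported, so the Rule Steward sees the blast radius of a change before publishing it. Rule ids and conditions, signal names, the historical cases and the proposed change are all assumptions.

```typescript
// Added example, not the spec's own code: a minimal replay harness. A proposed rule set
// is evaluated against historical cases and every case whose triggered rules would
// differ from what fired at decision time is reported. Rule ids, signal names, the
// history and the proposed change are constructed for illustration.
interface Condition { anyOf?: string[]; allOf?: string[] }
interface Rule { id: string; when: Condition }
interface HistoricalCase { caseId: string; signals: string[]; firedAtTheTime: string[]; decision: string }
interface ReplayDiff { caseId: string; decision: string; added: string[]; removed: string[] }

const has = (xs: string[], s: string) => xs.indexOf(s) >= 0;
const fires = (c: Condition, signals: string[]) =>
  (!c.anyOf || c.anyOf.some((s) => has(signals, s))) && (!c.allOf || c.allOf.every((s) => has(signals, s)));

// Re-run `proposed` over each closed case and diff against the rules recorded at the time.
// Only changed cases are returned; the recorded decision travels along so the steward
// can see which past outcomes would have been routed differently.
function replay(proposed: Rule[], history: HistoricalCase[]): ReplayDiff[] {
  const diffs: ReplayDiff[] = [];
  history.forEach((h) => {
    const now = proposed.filter((r) => fires(r.when, h.signals)).map((r) => r.id);
    const added = now.filter((id) => !has(h.firedAtTheTime, id));
    const removed = h.firedAtTheTime.filter((id) => !has(now, id));
    if (added.length || removed.length) diffs.push({ caseId: h.caseId, decision: h.decision, added, removed });
  });
  return diffs;
}

// Constructed history: three closed cases with the rules that fired when they were decided.
const HISTORY: HistoricalCase[] = [
  { caseId: "CASE-0001", signals: ["pii"], firedAtTheTime: ["DG-001"], decision: "Approve" },
  { caseId: "CASE-0002", signals: ["third_party_vendor", "ai_ml"], firedAtTheTime: ["DG-002"], decision: "Approve with Conditions" },
  { caseId: "CASE-0003", signals: ["ai_ml", "patient_data"], firedAtTheTime: ["AI-001"], decision: "Escalate" },
];

// Proposed change: AI-001 broadened from "AI/ML and patient data" to any AI/ML initiative.
const PROPOSED: Rule[] = [
  { id: "DG-001", when: { anyOf: ["pii", "phi"] } },
  { id: "DG-002", when: { allOf: ["third_party_vendor"] } },
  { id: "AI-001", when: { allOf: ["ai_ml"] } },
];

// Only CASE-0002 changes: AI-001 would now fire on a case that was approved without it.
const impact = replay(PROPOSED, HISTORY);
```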

Tech Stack (Hackathon)

Layer | Technology
Frontend | Vite + React 18 + TypeScript + Tailwind CSS + Shadcn/UI
Routing | React Router v7 (client-side)
State | Zustand (lightweight store for case data and UI state)
AI Agent | Claude API (Sonnet for speed) with tool-use for rule evaluation and RAG retrieval
Rule Engine | JSON-based rule definitions evaluated by a lightweight TypeScript service (Camunda DMN in production; simplified for hackathon)
Evidence/RAG | Pre-embedded policy documents in a local vector store (Chroma or in-memory embeddings)
Data | Seeded mock data: 15 cases, 20 rules, 10 source documents, 8 users
Deployment | Local dev server for demo; Vercel or Railway for remote access if needed
Charts | Recharts (for dashboard KPIs)
Icons | Lucide React

5. Hackathon Execution Plan

Timeline table

Time | Phase | What Gets Built | Who Leads
0:00–0:30 | Foundation | Project scaffold (Vite + React + Tailwind + Shadcn), seed mock data (cases, rules, users), basic routing between 4 workspaces | Builder
0:30–1:30 | Sherpa Intake (Hero Feature) | Two-pane intake interface, conversational Sherpa flow (hardcoded adaptive questions with branching logic), live Case Card assembly with risk indicators and routing preview | Builder + Product Owner
1:30–2:30 | Reviewer Workbench | Three-column reviewer layout, decision packet display with AI recommendation and citations, mandatory decision form with override tracking | Builder + Client Advocate
2:30–3:00 | Chair Dashboard | KPI cards (Recharts), sortable/filterable case table with SLA indicators, case detail side panel | Builder
3:00–3:30 | Rule Steward View | Rule library table, rule detail view with conditions and linked sources, override log, replay harness mockup | Builder
3:30–4:00 | Polish & Demo Prep | End-to-end demo walkthrough, bug fixes, demo script rehearsal, pitch deck finalization | Full Team

Critical risk and fallback

Biggest risk: The Claude API integration for the Sherpa's adaptive conversational flow may take longer than expected to tune, or API latency could make the demo feel sluggish.

Fallback (decide by 1:30 mark): If the live AI integration isn't smooth by the halfway point, pivot to a "wizard-style" Sherpa with pre-scripted question flows and branching logic — no live LLM calls, but the same adaptive intake experience and Case Card output. The demo narrative stays identical; the difference is behind the scenes. The Case Card, Reviewer Workbench, and Chair Dashboard are all independent of whether the Sherpa uses live AI or scripted flows, so the rest of the build is unaffected.

Role allocation table

Role | Build Day Responsibilities
Product Owner | Writes the Sherpa question flows and branching logic. Defines the 15 seed cases with realistic governance scenarios. Reviews every screen for UX coherence. Owns the demo script and ensures the narrative flows end-to-end. Makes scope cut decisions if the team falls behind.
Client Advocate | Authors the 20 governance rules with realistic trigger conditions, required evidence, and routing outcomes. Writes the policy document snippets for RAG citations. Tests the Reviewer Workbench from a real SME's perspective — ensures the decision packet contains what a reviewer would actually need. Plays the "client" role during demo rehearsal.
Narrator | Builds the pitch deck (problem → demo → business model → defensibility). Writes the voiceover script that ties each demo screen transition to a client pain point. Prepares answers to anticipated judge questions. Rehearses timing to ensure the pitch fits the allotted window. Delivers the final pitch.
Market Analyst | Researches and documents the market sizing: number of regulated enterprises, governance spend benchmarks, competitive landscape (ServiceNow GRC, OneTrust, Archer). Builds the "Why now?" slide with industry data (71% GenAI adoption, 53% risk mitigation). Prepares the competitive positioning table for the pitch.
Pricing Strategist | Develops the pricing model with specific dollar amounts anchored to value replaced (consultant hours saved, cycle time reduction, audit cost avoidance). Models three pricing tiers (pilot, growth, enterprise). Calculates CAC, LTV, and payback period. Prepares the "Would a client pay?" argument with concrete math.

6. Defensibility & Competitive Moat

Why a client would pay — and keep paying

  1. Governance rule lock-in. Once a client's governance rules, policies, and decision taxonomy are codified in the platform — a process that takes 40–80 hours of SME interviews and artifact mining — switching to a competitor means re-doing all of that work. The rule inventory becomes a proprietary asset that the client co-creates with us, and it only works inside our system.

  2. Precedent accumulation. Every governance case processed creates a precedent record: what was submitted, what rules triggered, what the reviewer decided, and why. Over 6–12 months, the platform builds a case library that makes AI recommendations increasingly accurate and useful. A new vendor would start with zero precedent data and zero calibration to the client's decision patterns.

  3. Cross-domain network effect. The platform's value increases non-linearly with each governance domain added. With one domain, it's a fancy intake form. With three domains, it's the only place that shows cross-domain dependencies. With five domains, it's the central nervous system of enterprise governance. Removing it would mean re-fragmenting governance visibility that took months to unify.

  4. Steward dependency. Rule stewards learn to manage governance through the platform's visual rule editor, replay harness, and override analytics. The platform becomes the operating system for governance maintenance — not just governance decisions. Ripping it out means losing the tooling that stewards use daily.

Pricing model

Anchored to value replaced, not cost to build.

A mid-size pharma company's governance function spends approximately $800K–$1.2M/year on governance administration across reviewer hours, coordination overhead, and compliance remediation. United Governance Sherpa targets a 40–50% efficiency gain.

Tier | Price | What's Included
Pilot (8 weeks) | $250K–$400K one-time | Discovery, rule codification for 2–3 domains, platform buildout, testing, training, go-live
Growth (monthly) | $8K–$15K/month | Platform hosting, rule maintenance, quarterly governance health reports, new domain onboarding support
Enterprise (annual) | $120K–$180K/year | Full managed service, unlimited domains, priority support, custom integrations, executive dashboards

The math: If a client's governance team costs $1M/year and we deliver a 40% efficiency gain ($400K saved), a $150K/year subscription represents a 2.7x ROI — well within the "no-brainer" range for enterprise procurement. The initial pilot ($300K) pays for itself within the first year of subscription savings.

Competitive positioning

Category | What It Is | What Sherpa Is NOT | Why It's Different
GRC Platforms (ServiceNow, Archer, MetricStream) | Broad risk and compliance management suites with policy libraries and control frameworks | A horizontal GRC platform | Sherpa is purpose-built for governance intake and decision orchestration with AI-guided case assembly — not a compliance checkbox tool
AI Governance Tools (OneTrust AI, Credo AI, Holistic AI) | Model risk management and AI registry platforms focused on ML model lifecycle | An AI model registry or bias detection tool | Sherpa governs the business initiative that uses AI, not the model itself — it sits upstream of model-level governance
Workflow Automation (ServiceNow Flow, Power Automate, Jira) | Generic workflow engines that route tickets through approval chains | A generic ticketing system with governance labels | Sherpa has a domain-specific rule engine, AI-powered adaptive intake, and governed evidence retrieval — not just a routing layer
Chatbots / Virtual Assistants (Copilot, custom GPT wrappers) | General-purpose conversational AI that answers questions from a knowledge base | A governance chatbot that answers policy questions | Sherpa doesn't just answer questions — it builds structured governance cases, evaluates rules, assembles decision packets, and preserves audit trails

The closest analogue is a "TurboTax for enterprise governance" — it guides non-expert users through a complex, rule-driven process using adaptive questions, assembles the structured output that experts need to make decisions, and maintains the audit trail that regulators require.


7. Success Criteria

Hackathon demo (April 17)

  • Live walkthrough of a business owner describing a vague initiative idea and the Sherpa asking adaptive follow-up questions
  • Case Card assembles visibly in real time: executive summary, data elements, risk tier, triggered rules, evidence checklist, routing preview
  • Transition to Reviewer Workbench showing the submitted case with AI recommendation, confidence score, and cited policy sources
  • Reviewer completes a decision with mandatory rationale; override tracking visible when decision differs from AI recommendation
  • Forum Chair dashboard shows KPI cards, SLA indicators, and case pipeline with cross-domain dependencies
  • Rule Steward view displays the rule library, a rule detail page with conditions and linked sources, and the override log
  • Demo tells a coherent end-to-end story: messy idea in → structured governance case → informed decision → auditable record
  • All four role-based workspaces are navigable and populated with realistic mock data

"Would a client pay for this?" test

  1. Problem resonance: Judges can immediately name a client or engagement where this problem exists — governance intake is painful, slow, and opaque in every regulated enterprise they've worked with.
  2. Specificity of solution: The demo shows concrete governance rules firing, specific policy citations appearing, and structured decision packets assembling — not a generic "AI does governance" handwave.
  3. Clear buyer and budget: The pitch identifies who writes the check (CCO / VP Governance), what budget it comes from (compliance / risk management), and what dollar amount it replaces (reviewer hours, cycle time, audit remediation).
  4. Recurring revenue path: The pricing model shows a clear progression from one-time pilot to monthly subscription to annual enterprise contract, with specific dollar amounts and ROI math.
  5. Defensibility beyond "we built it first": The pitch articulates at least three concrete switching costs (rule lock-in, precedent accumulation, cross-domain network effect) that make the client stickier over time.

8. Open Questions

  1. How much of the Sherpa conversation should be live AI vs. pre-scripted for the demo? A fully live Claude API integration is more impressive but introduces latency and unpredictability risk. A pre-scripted wizard with branching logic is reliable but less "wow." The team needs to decide by the 1:30 mark based on how the API integration is going — but the demo script should be written to work with either approach.

  2. Should the demo use a real client's governance domain (anonymized) or a realistic but fictional scenario? Using GSK-inspired pharma governance (data governance, AI governance, disclosure authorization) makes the demo feel grounded and specific. But if any judges are unfamiliar with pharma, the domain complexity could distract from the product story. The team should prepare a 30-second "governance 101" framing slide as insurance.

  3. How do we handle the rule engine at hackathon scale vs. production scale? For the demo, governance rules can be simple JSON objects evaluated by a TypeScript function. In production, this becomes a Camunda DMN decision table or similar enterprise rule engine. The demo needs to be honest about this gap without undermining credibility — the key message is "the architecture supports pluggable rule engines; we're showing the interaction model, not the enterprise deployment."

  4. What's the right level of AI recommendation confidence to show in the demo? If the AI recommendation says "87% confidence: Approve with Conditions," judges may ask how that number is calculated. If it says "Recommendation: Approve with Conditions (based on 3 matching precedent cases and 2 applicable policies)," it's more explainable but less punchy. The team needs to decide on the confidence display format that balances impressiveness with defensibility.

  5. Should we demo the replay harness (testing rule changes against historical cases) or cut it for time? The replay harness is one of the most differentiated features — no GRC platform offers it — but it requires a separate view and explanation that could eat 2–3 minutes of demo time. If the pitch window is tight, this might be better as a "and here's what we'd build next" slide rather than a live demo.