Overall coverage
Modern
70%
99 / 132 points
Coverage = unweighted mean of the 10 dimension coverages (not points ÷ max)
Maturity distribution
Modern 8Transitional 1Tech Debt 1
Headline finding
The priority for AIden going forward should be to strengthen the overall robustness, reliability, and governance of its LLM capabilities. This should include establishing a comprehensive set of LLM evaluations that goes beyond traditional unit testing and static code analysis, with a focus on model quality, consistency, safety, and expected behaviour across relevant use cases. End-to-end tracing and a complete audit trail should also be implemented to ensure that model inputs, outputs, configurations, and key decisions remain transparent and traceable.
Primary modernization lever: Resilience & Recovery
Coverage vs. portfolio
app vs. avg (dashed)Score vs. gap by dimension
Prioritized remediation
Establish and maintain a comprehensive suite of LLM evaluations. The scope should extend beyond conventional unit testing and static code analysis to assess model quality, reliability, safety, and expected behaviour.
Implement end-to-end LLM observability, including request tracing, decision-path visibility, and a complete audit trail of model interactions, configurations, inputs, and outputs.
Define and document application-level SLAs and SLOs to support the consistent definition and calculation of relevant SLIs. Use the existing dashboard to regularly communicate service performance and reliability trends to stakeholders.
Document and test lightweight backup, restore, and recovery procedures. Clearly assign roles and responsibilities and validate the procedures through periodic recovery exercises.
Per-question assessment
click a dimension to expand · colored answer chips▸ FAIR & Discoverability 0 gaps 75%
The dataset or system is findable in a searchable catalog or inventory (e.g., ).
YesA named data owner or steward is formally assigned and documented.
YesAccess and usage conditions, including legal and compliance constraints, are documented and available to users.
YesWhat is the percentage of the data uses standardized terminologies such as RTiS.
N/AData lineage is captured for key data flows and is maintained over time.
None▸ IAM, Privacy & Security 0 gaps 100%
The system uses the approved corporate identity provider for user authentication (e.g., Roche SSO via PingFederate, OAuth 2.0, OpenID Connect).
YesData is encrypted in transit.
YesData is encrypted at rest.
YesSecrets are managed in an approved central vault (e.g., HashiCorp Vault or AWS Secrets Manager).
YesAccess rights and permissions are reviewed and formally certified at defined intervals.
YesNo shared or generic privileged accounts exist in the production environment.
Yes▸ Platform / Hosting / Infrastructure 0 gaps 100%
Infrastructure is provisioned declaratively using Infrastructure as Code.
YesThe system uses approved shared internal platforms or Golden Paths, where applicable. (e.g., Minerva Application Blueprint)
Yes▸ Architecture & Interoperability 2 gaps 75%
Can we swap in and out components without modifying the system.
PartialAll application services are exposed through clear and defined interfaces.
PartialData contracts are documented and governed.
YesAPI lifecycle management is actively implemented using Gravitee.
Yes▸ Reliability 2 gaps 50%
All critical services have defined SLAs and SLOs.
PartialMajor incidents are followed by systematic postmortems, and resulting corrective actions are tracked to closure in the backlog.
YesSLIs are defined and calculated for all established SLAs and SLOs, and are visible to stakeholders and system owners.
No▸ Scalability & Performance 1 gap 75%
The system supports automated vertical and horizontal scaling based on real-time demand, where applicable.
YesLoad and performance testing are performed routinely and included in major release cycles.
Partial▸ Deployment Automation 1 gap 80%
Core workloads are supported by a complete CI/CD pipeline.
YesBuilds, tests, and deployments are executed through fully automated processes.
YesAutomated quality gates are enforced before production deployment. (e.g., SonarQube)
NoProduction rollback or deployment occurs regularly and within the last 6 months.
YesBuild artifacts and dependencies are managed in a traceable and controlled manner.
Yes▸ Observability 1 gap 75%
All critical services generate standard telemetry, including logs, metrics, and traces.
PartialObservability data is available through approved central monitoring and observability tools.
YesIncident analysis can be performed across upstream and downstream dependencies.
N/A▸ Resilience & Recovery 2 gaps 0%
Critical services and data have defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets.
NoBackup, restore, and recovery procedures, including assigned roles and responsibilities, are documented and tested.
No▸ Cost Transparency & FinOps 2 gaps 75%
Cost visibility is available at component, system, product family, or domain level.
SystemCost is reviewed regularly together with usage and business value by the owning team.
NoArchitectural decisions explicitly consider cost as a primary decision variable.
Partial