Azure Data Platform & AI Environment — Decisions & Requirements

Architecture at a glance

AI environment

Azure sandbox → dev → production. Default-deny access with explicit allow-listing. OAuth for non-PHI/marketing work; API key for production PHI work.

Data warehouse

Controlled warehouse on Azure (lakehouse pattern, Databricks). No PHI — exposes only rolled-up KPIs into production. Power BI remains the executive source of truth.

App hosting

Cloudflare retained for application/dashboard hosting. Azure scoped to the data platform and AI compute, not app delivery.

Decisions

What is settled. Owner is the accountable party, not the sole contributor.

Azure environment is the sandbox for data integrations — dev environment first, then production with PHI protections.

Scott

Build a controlled data warehouse on Azure with no PHI, exposing rolled-up KPIs that are accessible in production.

Dakota

Retain Cloudflare for app hosting instead of Azure/Microsoft app tooling.

Scott

Establish the Azure sandbox as a priority, in order to migrate off third-party services.

Ron · Scott

AI usage policy executive sponsor is Ron.

Ron

All production code goes through human code review before deployment.

Ron

De-identification work continues as ongoing engineering, handled directly rather than in formal review.

Scott

Open questions

Unresolved — required inputs before the warehouse spec can lock.

Correct definitions of "opportunities" across PureLogic, Neurality, and other platforms.
Can Azure Blob Storage serve as the digital asset manager (DAM), or is a separate solution needed?
How do Dakota's current systems map onto the Azure environment?
Can Claude Code / Cursor function properly in VM / remote-desktop environments?
Best de-identification tool across the company's various data sources?
One AI environment, or multiple (6+)?
Can Zoho Desk support agentic AI integration for ticket management?
How are compute costs controlled in a shared-VM AI environment?

Why a warehouse if agents can spin up databases on the fly? The two solve different problems. Agent-created stores are fine for an agent's own working memory — but they are ungoverned and inconsistent. The warehouse is the governed system of record: one conformed KPI definition, lineage, PHI boundary, access control, and reconciliation to executive reports. For HIPAA and IPO-readiness, a single governed data boundary is mandatory. Model: the warehouse is the floor; agents are tenants that read governed KPIs and write staged outputs back to it.