What TOGAF and SABSA Have to Do with Your AI Strategy

When I mention TOGAF or SABSA in conversations about AI development, I get one of two reactions. Either people have never heard of them, or they associate them with the kind of heavyweight enterprise processes that produce binders of documentation nobody reads.

Both reactions miss the point.

TOGAF gives you a methodology for thinking about complex systems in layers. Business architecture, data architecture, application architecture, technology architecture — each with defined relationships and dependencies. When you’re building an agentic system with models, retrieval pipelines, tool integrations, agent orchestration layers, and governance controls, that layered thinking isn’t overhead. It’s how you keep the complexity manageable.

SABSA approaches architecture from a security and risk perspective — what are the business attributes we need to protect, and how do we design systems that preserve them through every layer? When your agents are making autonomous decisions with access to sensitive data and real-world actions, that risk-driven design perspective isn’t optional.

The frameworks themselves aren’t the point. Nobody’s suggesting you run a full TOGAF ADM cycle for an agentic proof-of-concept. What matters are the principles underneath: layered thinking, defined component boundaries, documented interfaces, risk awareness baked into the design, lifecycle management from the start.

These aren’t new principles. They’ve been refined over decades of building complex enterprise systems. The agentic era doesn’t make them obsolete. It makes them urgent.

The builders who figure out how to apply these architectural principles — adapted for the speed and flexibility agentic systems demand — are going to be the ones building things that last. Everyone else is going to keep producing impressive demos that never quite make it to production.