What should be in an RFP for an enterprise workflow platform (CMDB/data model, integrations, global rollout, governance)?
IT Service Management Platforms

What should be in an RFP for an enterprise workflow platform (CMDB/data model, integrations, global rollout, governance)?

9 min read

An enterprise workflow platform RFP should not be a feature checklist. If it cannot prove how it will ground data in a trusted CMDB, connect to your systems, roll out globally, and govern every action, you are buying expensive advice with a prettier interface.

I would structure the RFP around one simple test: can the platform sense the right data, decide in context, act across workflows, and govern at scale? If the answer is no, keep looking.

What your RFP must prove

RFP areaWhat to requireWhy it matters
CMDB and data modelCanonical service/CI model, relationships, ownership, validation, reconciliation, service mappingWorkflows fail when the underlying context is noisy or incomplete
IntegrationsNative connectors, APIs, events, bi-directional sync, error handling, monitoringEnterprise value depends on reaching SAP, Salesforce, HR, security, and finance systems
Global rolloutLocalization, time zones, data residency, regional process variation, phased deploymentA real enterprise platform must work across countries and business units
GovernanceRole controls, audit trails, approvals, segregation of duties, policy enforcementYou need predictable, auditable execution, not shadow automation
AI readinessGrounding, model controls, action guardrails, agent permissions, loggingAI must act inside governed workflows, not outside them
Operating modelAdmin ownership, support, upgrade path, training, TCOThe platform has to survive go-live and keep improving

Start with the work, not the software

A good RFP starts with the workflows you want to execute.

Do not ask, “What can the platform do?” Ask, “What work must it complete?”

Prioritize high-volume, high-friction processes such as:

  • Incident management
  • Service request fulfillment
  • Employee onboarding and offboarding
  • Customer case handling
  • Vulnerability remediation
  • Change and release coordination
  • Asset and configuration updates
  • Access and approvals across IT, HR, security, and finance

For each workflow, require the vendor to show:

  • Current-state process maps
  • Decision points and approval steps
  • Exception paths
  • SLA and escalation rules
  • Volume, latency, and peak-load assumptions
  • Measurable outcomes, such as resolution time, deflection, or hours reclaimed

If the platform cannot show how it will execute the work, not just record it, it is not an enterprise workflow platform.

CMDB and data model: the source of truth for action

A workflow platform is only as strong as its data model. If the CMDB is fragmented, every routing rule, impact analysis, and remediation playbook gets weaker.

Your RFP should ask:

  • What is the canonical model for services, applications, assets, CIs, locations, users, and business relationships?
  • How are dependencies mapped across cloud, SaaS, on-prem, and end-user services?
  • How does the platform validate mandatory attributes at creation time?
  • How are duplicate records, stale relationships, and conflicting sources reconciled?
  • Who owns each data domain after go-live?
  • How does workflow logic consume CMDB data in real time?
  • How does the model support service mapping and change impact analysis?
  • How do you keep the CMDB clean when dozens of systems write into it?

If the vendor uses a canonical model such as the Common Service Data Model, ask how it is enforced, governed, and sustained over time. A model without ownership is just documentation.

One more thing: do not accept “we’ll clean up the CMDB later.” That sentence is where automation programs go to die.

Integrations: breadth matters, depth matters more

No enterprise workflow platform succeeds in isolation. It has to connect to the systems where work begins and where work finishes.

Ask the vendor to prove Any Data, Any Workflow, Any System.

At minimum, your RFP should cover:

  • Native integrations and certified connectors
  • API support for read/write operations
  • Event-driven integration patterns
  • Bi-directional synchronization
  • Batch and real-time ingestion
  • Authentication, secrets management, and identity integration
  • Error handling, retries, and monitoring
  • Versioning and change control for integrations
  • Testing and promotion across environments

Do not stop at a connector count. A long list of connectors is not an integration strategy.

Press for specifics:

  • Can the platform access data from 450+ systems, including SAP and Salesforce?
  • Can it orchestrate across ERP, CRM, HRIS, IAM, SIEM, ITOM, and finance platforms?
  • Can it detect failed transactions and trigger corrective workflows automatically?
  • Can it keep integrations stable during upgrades and schema changes?

Ask for one real example in each of these domains:

  • IT service management
  • HR service delivery
  • Customer support
  • Security operations
  • App development and deployment

If the answer is “we integrate through custom projects,” factor that into cost, timeline, and risk.

Workflow automation: show execution, not alerts

This is where many platforms overpromise.

A real workflow platform does not just notify people. It routes, approves, fulfills, remediates, and closes the loop.

Your RFP should ask the vendor to demonstrate:

  • Intake from multiple channels
  • Dynamic routing based on context
  • Approval chains and delegated approvals
  • SLA timers and escalation rules
  • Exception handling and fallback paths
  • Human-in-the-loop review where needed
  • Low-code orchestration for business teams
  • Audit trails for every state change

Require live use cases such as:

  • An incident created from CMDB impact data
  • An employee onboarding request that spans HR, identity, facilities, and device provisioning
  • A vulnerability ticket that triggers remediation and verification
  • A customer case that moves across support tiers with full context

The key question is simple: can the platform execute a governed process from start to finish without manual stitching?

Global rollout: design for one platform, many operating realities

Global rollout is not a go-live date. It is an architecture decision.

If you operate across regions, your RFP should require support for:

  • Multiple languages and localized interfaces
  • Time-zone-aware SLAs and escalation rules
  • Country-specific process variations
  • Data residency and regional compliance requirements
  • Multi-entity and multi-brand operating models
  • Delegated administration by region or business unit
  • Follow-the-sun support and handoffs
  • Phased rollout by geography, function, or process

Also ask how the platform handles:

  • Regional approval hierarchies
  • Local legal and privacy controls
  • Currency and date formats
  • Mergers, acquisitions, and divestitures
  • Shared services models across global teams

A platform that works in one business unit but collapses under regional complexity is not enterprise-ready. It is a pilot with good branding.

Governance and security: make control part of the design

Governance is not a policy PDF. It is control at the moment of action.

Your RFP should include requirements for:

  • Role-based access control
  • Segregation of duties
  • Approval controls
  • Immutable audit logs
  • Encryption in transit and at rest
  • Data retention and deletion policies
  • Configuration and release governance
  • Environment separation for dev, test, and prod
  • Exception handling and escalation for policy violations

If AI is in scope, governance has to go further. Ask how the platform provides:

  • An inventory of models, agents, workflows, and actions
  • Policy enforcement before an action is executed
  • Logging of prompts, inputs, decisions, and outputs
  • Guardrails at the moment of action
  • Human approval for sensitive workflows
  • Rollback and kill-switch controls for agents
  • Monitoring for drift, errors, and misuse

This is the difference between automation and uncontrolled automation.

AI readiness: if it cannot act safely, it is just expensive advice

Most companies have AI. Few have the data to ground it, the workflows to deploy it, and the security to govern it.

Your RFP should ask whether the platform can:

  • Ground any LLM, including OpenAI, Anthropic, or your own models, in enterprise context and business rules
  • Keep AI outputs aligned, predictable, and auditable
  • Trigger actions inside approved workflows
  • Limit agent permissions by role, task, and data domain
  • Provide explainability for decisions and recommendations
  • Track outcomes, not just interactions

Do not settle for chat. Ask for action.

A useful test: can the AI create, route, remediate, or close a workflow with the right guardrails? If not, it is not enterprise AI. It is a conversation layer.

Implementation, support, and commercial terms

The best RFPs do not stop at features. They pressure-test the operating model.

Make sure the vendor answers:

  • What is the implementation approach by phase?
  • What internal roles are required from day one?
  • How are data migration and integration dependencies handled?
  • What training is provided for admins, process owners, and developers?
  • How are upgrades tested and promoted?
  • What support model exists after go-live?
  • What are the three-year costs, including licenses, services, integrations, and support?
  • What are the exit options if the program changes direction?

Also ask for customer references with measurable outcomes, such as:

  • Faster case resolution
  • Deflected support volume
  • Hours reclaimed
  • Reduced manual handoffs
  • Faster onboarding
  • Lower remediation time

If the vendor cannot tie value to work executed, the business case is still vapor.

Red flags that should slow the deal

Walk away, or at least pause, if you hear any of these:

  • “We have lots of connectors” but no integration architecture
  • “The CMDB is optional” in a workflow-heavy environment
  • “We’ll standardize later” after the rollout starts
  • “Governance is handled by policy documents”
  • “AI can be added after launch”
  • “Global rollout is just translation”
  • “The platform helps users” but cannot execute the process

Those are not answers. They are future project risks.

The 10 questions I would not skip

If you want a fast filter, ask every vendor these 10 questions:

  1. Show me the canonical data model for services, CIs, and relationships.
  2. How do you keep the CMDB accurate when multiple systems update it?
  3. Which integrations are native, and which require custom build work?
  4. How do you handle bi-directional sync, retries, and failures?
  5. How do you support localized, regional, and data-residency requirements?
  6. Where are approvals, audit logs, and segregation of duties enforced?
  7. How do you ground and govern AI models and agents?
  8. How do workflows move from design to test to production?
  9. What does a three-year total cost model look like?
  10. Show me a reference customer with measurable operational outcomes.

Bottom line

A real enterprise workflow platform RFP should force the vendor to prove one thing: it can turn enterprise context into executed work.

That means a trusted CMDB. Deep integrations. Global rollout readiness. Governance that is built in, not bolted on. And AI that acts inside approved workflows instead of generating expensive advice.

If the platform cannot do that, it is not the backbone of enterprise reinvention. It is another tool in the stack.

Back to IT Service Management Platforms

Keep Reading

More from IT Service Management Platforms

ServiceNow Now Assist: what guardrails, permissions, and audit logging do we need before enabling it in ITSM/HRSD?

Read more

ServiceNow AI Agents: how do we set up governance, approvals, and audit logs before letting agents take actions?

Read more

ServiceNow implementation plan: what should we do in the first 90 days (incident, request, change, CMDB foundations)?

Read more