Sheepdog Prosperity Partners
Due Diligence

Foundry vs Snowflake + DBT vs Databricks for DD Analytics: Architecture Trade-Off Framework

by | May 15, 2026 | DD Tech Lab | 0 comments

What you’ll be able to do after reading this. Score your institution against a 10-dimension platform-comparison scorecard. Apply one of three elicited weight profiles (or run your own elicitation per the companion bundle). Estimate a parameterized 5-year TCO with the institution’s actual numbers substituted for the placeholders. Identify whether your situation fits a single-vendor archetype or the hybrid pattern. Document the resulting decision rationale in a workpaper that survives a board review or an examination request. None of this requires writing code. All of it requires reading the comparison carefully and substituting your institution’s specific numbers.

The due-diligence-analytics platform decision is not a vendor evaluation. It is an architecture-pattern selection that happens to involve vendors. Palantir Foundry, Snowflake plus DBT (with a custom application layer), and Databricks plus Unity Catalog all produce comparable due-diligence outcomes if implemented with comparable discipline. The differences lie in what each platform handles natively versus what the institution must build on top, where the platform-side abstractions accelerate or constrain the institution’s own engineering, and where the total-cost-of-ownership math actually lands once five years of operational reality compound.

A few terms to anchor before the comparison starts, because they appear throughout and the comparison reads differently once you know them:

  • Ontology layer — a structured, typed representation of the institution’s business entities (Counterparty, Person, Transaction, SanctionsHit) with explicit relationships between them. Think of it as the difference between a stack of disconnected database tables and a network of business objects that “know” how they connect to each other. A practitioner who has organized audit evidence in TeamMate, Caseware, or a paper-binder system has used something conceptually similar at smaller scale.
  • Lakehouse — an architecture pattern combining the cheap, append-only storage of a data lake with the schema discipline and analytical performance of a data warehouse. Databricks coined the term in academic work (Armbrust et al. 2021); Snowflake and others have absorbed similar capabilities. The practitioner does not need to operate the lakehouse to evaluate platforms that use it.
  • DBU (Databricks Unit) — Databricks’ unit of consumption pricing, roughly equivalent to one hour of compute on a defined machine size. The practitioner reads this the same way an audit-engagement reads a “billable hour”: a unit of measured work for which the vendor charges.
  • DLT (Delta Live Tables) — Databricks’ framework for declarative data pipelines; the rough Databricks-equivalent of Foundry’s Pipeline Builder or DBT’s analytics-engineering model.
  • Unity Catalog — Databricks’ governance layer over data assets, providing access control, lineage, and metadata. Functionally overlaps with parts of Foundry’s ontology-governance and audit-trail surface, with meaningful differences walked below.
  • Photon engine — Databricks’ vectorized query execution layer; an optional performance upgrade with its own cost multiplier. The practitioner does not need to know how it works internally; the practitioner needs to know it changes the price of DBUs when enabled.
  • AIP (Artificial Intelligence Platform) — Palantir’s bundled LLM-orchestration product. AIP-Driven Adverse-Media Summarization in this sub-series walks AIP in detail; the practitioner reads it here as the platform-level equivalent of an institution-built LLM-with-grounding scaffolding.

This article walks the comparison framework without reaching a vendor verdict. There is no single right answer across all institutions. Foundry’s ontology layer is genuinely distinctive. Snowflake plus DBT’s portability and SQL-native skill alignment are genuinely distinctive. Databricks’ lakehouse architecture and machine-learning pipeline integration are genuinely distinctive. The article’s purpose is to give the architect a comparison structure rigorous enough that the resulting decision is defensible to the institution’s board, regulators, and successor teams.

Three framings the reader should hold throughout. First, every comparison claim in this article is date-stamped to 2026-05 and inherently aging. Each vendor’s product surface evolves quarterly. Readers must verify against current public documentation before relying on the comparison for a procurement decision. Second, no Gartner Magic Quadrant placement is cited as validating any rating in this article. Gartner’s methodology framing is sometimes useful as context; the specific quadrant positions are not used as scoring authority. Third, the hybrid pattern in the final section is the editorial value-add. Many institutions assume the platform decision is binary — one vendor wins. The hybrid framing opens an option many overlook, and for a meaningful fraction of institutions it is the right answer.

The companion bundle ships the artifacts: a ten-dimension comparison scorecard with narrative qualifications per cell, three archetype-preset weight profiles with elicitation discipline, a parameterizable five-year TCO template with placeholder cost values, three institutional decision archetypes with case-AGAINST framings, and the hybrid-pattern reference architecture. The remainder of this article walks the substance of the comparison.

Why the comparison is hard

The honest answer to why due-diligence analytics platform selection is hard is that the three platforms differ along structural axes that do not collapse to a feature checklist. A feature-checklist comparison — does the platform support windowing functions, structured-output LLM integration, audit-trail-immutable storage — will find that all three platforms support all the features at some level of completeness. The checklist hides what actually matters: how much engineering the institution must do on top of each platform to reach equivalent outcomes, what the institutional skill base looks like five years after deployment, and where each platform’s lock-in posture creates strategic risk.

The framework this article proposes evaluates ten dimensions, each scored with a narrative qualification rather than a checkmark. Ontology layer (native versus build-yourself). Investigator UI (native versus build-yourself). Pipeline no-code transforms. Pipeline code-path transforms. LLM integration (native versus stitched). Audit-trail immutable storage. Cost model (licensed versus consumption). Skill alignment with the institutional labor market. Vendor lock-in posture. Regulatory documentation maturity.

The institution’s archetype determines which dimensions weigh most. The same scorecard cells, weighted differently, produce different platform conclusions. The framework’s value is not the conclusions but the explicit weighting and the explicit qualifications that surface what is actually being traded off.

Ontology-layer comparison

The ontology layer is the most distinctive of Foundry’s value-adds and the most useful place to start the comparison. The ontology is a typed, linked, queryable representation of the institution’s business entities — Counterparty, Person, Transaction, SanctionsHit, AuditEntry — with explicit relationships, properties, and temporal patterns. Articles 001 and 009 in this sub-series cover the ontology in detail. The operational value is that investigator workflows, pipelines, and analytical queries all reference the same canonical model rather than reconstructing the relationships in each application.

Foundry ships the ontology layer as a built-in product. The institution defines its ontology in a configuration surface; the platform handles indexing, querying, link traversal, and integration with Workshop, Quiver, AIP, and the Actions framework. Implementation time for an initial ontology covering the institution’s primary due-diligence object types is typically several weeks to a few months, dominated by the institution’s own modeling decisions rather than by platform-side build work.

Snowflake plus DBT provides no equivalent ontology layer natively. The institution that wants the ontology pattern on Snowflake builds it themselves on top of the warehouse layer. The build is typically nine to eighteen months of focused engineering — defining schemas, building entity-resolution pipelines, implementing temporal patterns in SQL, constructing a query layer that hides the ontology complexity from application code. Vendors and consultants offer accelerators, but the work is real, and the resulting build is institution-specific. Streamlit-on-Snowflake provides a presentation layer the institution can layer over the warehouse-side ontology build, closing some of the investigator-workflow gap that the absence of Workshop produces.

Databricks plus Unity Catalog occupies a middle position as of 2026. Unity Catalog provides object-level governance (tagging, access control, lineage) that overlaps with parts of ontology functionality. The temporal patterns, the entity-resolution discipline, and the explicit link types are not natively present at the Unity-Catalog level; the institution layers them on top using Databricks notebooks and Spark code. Lakeview and DBSQL provide BI-style interfaces but not the investigator-workflow surface Workshop implements.

The institutional question is not which vendor offers the best ontology layer. The question is whether the ontology layer’s value-add justifies the lock-in and cost difference. For institutions whose primary analytical workload depends on multi-hop relationship traversal — beneficial-ownership networks, transaction-counterparty graphs, sanctions-screening crossreference — the ontology value is high enough that building it yourself on a warehouse foundation is a multi-million-dollar engineering investment over multiple years. For institutions whose workload is more aggregation-and-reporting than relationship-traversal, the ontology value is lower and the build-yourself option becomes more attractive.

Investigator-UI comparison

Foundry Workshop is the investigator-workflow surface Workshop Application Patterns walks. The institution configures Workshop modules that consume ontology objects, render high-information-density cards with conditional formatting, integrate Actions for state-change discipline, and integrate AIP for in-card summarization. Workshop ships with the platform; the institution’s investment is in workflow design rather than UI engineering.

Streamlit-on-Snowflake is Snowflake’s native presentation layer, useful for read-mostly analytical views that benefit from Python-side interactivity. For investigator-workflow patterns that require state changes (the rating-elevation workflow Foundry Actions Framework walks), Streamlit-on-Snowflake handles the read side cleanly but the institution still builds the audit-trail-recording logic separately. Building a Workshop-equivalent investigator workflow on top of Streamlit-on-Snowflake typically runs six to twelve months of engineering per major investigator surface, depending on the institution’s UI expectations and the complexity of the underlying workflow.

Databricks Lakeview and DBSQL serve BI-style reporting and dashboarding well. The investigator-workflow surface — the case-management quality that distinguishes Workshop from a dashboard — requires custom-build on Databricks, typically using a Python web framework with Databricks SQL as the data layer. The build effort is comparable to Snowflake-side custom-build; Databricks does not specifically reduce it.

The vendor-neutral framing: Workshop’s depth for ontology-aware investigation is distinctive. Streamlit-on-Snowflake and Lakeview close part of the gap for read-only patterns. Full investigator-workflow patterns require custom build on the non-Foundry platforms. The institution’s existing engineering capacity and the institution’s tolerance for build-yourself relative to buy-into-vendor determine which trade-off is right.

Pipeline transform comparison

Pipeline Builder (Foundry’s no-code transform surface), DBT (the SQL-based analytics-engineering tool Snowflake institutions typically pair with the warehouse), and Databricks DLT plus Workflows occupy three different positions on the no-code-versus-code axis. The institutional question is which one matches the institution’s actual engineering composition.

Pipeline Builder is the most truly-no-code of the three. An analyst with strong SQL fluency can build production-quality Pipeline Builder transforms within their first week on the platform without writing Python. The operator catalog covers most analytical transformations a due-diligence pipeline requires; the twenty-percent gap — windowing, custom string-parsing, ML inference, performance-tuning — moves to Code Repositories (Code Repositories in Foundry). The mixed-pipeline pattern works when the institution maintains the discipline Code Repositories in Foundry walks.

DBT is SQL-first but code-based. Transforms are SQL files in a Git repository with templating macros, dependency management, and testing infrastructure that DBT provides. For SQL-fluent teams, DBT produces highly maintainable analytics pipelines. The trade-off is that team members need SQL proficiency, and the transforms that exceed SQL’s expressive range (the Pipeline-Builder twenty-percent gap, plus anywhere SQL itself is awkward) move to DBT Python models or to Snowpark Python — adding a second skill set the team must maintain.

Databricks DLT (Delta Live Tables) and Workflows are configuration-driven but code-prominent. Notebook-first analytical workflows in Databricks lean toward PySpark with SQL where convenient. For institutions whose data-engineering teams are Python-heavy and SQL-secondary, Databricks fits the existing skill base naturally. The trade-off is that the no-code envelope is smaller; transforms that DBT or Pipeline Builder would express compactly may require more code in the Databricks pattern.

The vendor-neutral observation: ranking is preference-of-no-code-versus-SQL-literacy, not absolute capability. All three platforms can express the analytical transformations a due-diligence pipeline requires. The institutional question is which interface aligns with the team’s actual skill base and which interface produces transforms the institution’s maintenance team will be able to read three years later.

LLM-integration comparison

AIP (Foundry’s bundled LLM orchestration with ontology grounding) is the most distinctive feature in this dimension as of 2026 publication. AIP-Driven Adverse-Media Summarization covers the AIP pattern in depth. The value-add is the platform-level integration between LLM outputs and the ontology — structured-output schemas tied to ontology object types, citation_check post-processors that automatically verify grounding against linked source objects, verifier-LLM gating that integrates with the Actions framework. The institution’s work is prompt design, calibration, and the SR 11-7 / OCC 2011-12 validation framework Time Series in Foundry‘s model-governance section walks.

Snowflake Cortex AI (the platform’s LLM-integration product as of 2026) provides structured-output enforcement and access to a small set of provider-hosted models. External LLM stitching is the alternative pattern — calling OpenAI or Anthropic APIs from Snowpark Python with the institution providing the grounding logic, citation validation, and verifier infrastructure. The work to reach AIP-equivalent functionality is meaningful — typically four to eight months of focused engineering for the citation_check and verifier infrastructure plus ongoing calibration work — and the result is institution-specific rather than vendor-supported.

Databricks Foundation Models and MLflow’s LLM serving provide model-hosting infrastructure with growing native ontology-style integration. As of 2026, the integration depth is less mature than AIP’s; the gap is narrowing but the institutional build effort to reach AIP-equivalent outcomes on Databricks is currently comparable to Snowflake — roughly four to eight months for the grounding-and-verification scaffolding.

The vendor-neutral framing: AIP’s ontology-grounded LLM integration is distinctive in 2026. The non-Foundry platforms can implement the same patterns through provider-agnostic API patterns plus institutional engineering. The institution choosing to invest in the build on top of Snowflake or Databricks ends up with a portable, fully institution-owned implementation; the institution choosing AIP gets faster time-to-value with the lock-in trade-off the rest of this comparison addresses.

Audit-trail and regulatory documentation comparison

The Actions framework (Foundry Actions Framework) is Foundry’s native audit-trail primitive. The institution configures ActionTypes; the platform produces immutable AuditEntries on every state change; the documented chain from analyst decision to audit-entry to evidence-snapshot is the platform-side foundation for the institution’s SR 11-7 / SOX §404 / FFIEC BSA/AML / OCC 2011-12 documentation discipline. The institution still must implement the bypass-control framework Foundry Actions Framework walks; without it, the platform-level immutability primitive leaks through bypass paths that Foundry Actions Framework‘s bypass_controls/ artifact enumerates.

Snowflake’s Time Travel feature provides versioned data history at the storage layer — sufficient for some audit-trail patterns, insufficient for the institutional-decision-event tracking Foundry Actions captures. The institution building an audit-trail discipline on Snowflake constructs the equivalent: dedicated audit-log tables, write-only insertion patterns, application-layer enforcement of the immutability discipline, query-layer hiding of any administrative-override paths. The build is institutionally specific and runs typically four to eight months at production-discipline quality.

Databricks Delta Lake provides versioning and time-travel similar to Snowflake’s, with the same audit-trail-discipline build requirement. The Unity Catalog lineage features add some platform-level support for tracking what processes touched which data, useful for the technical lineage view but not the same as the analyst-decision-event tracking the Actions framework provides.

The vendor-neutral framing: Foundry’s Actions framework is genuinely distinctive in providing platform-level state-change discipline. The non-Foundry platforms can implement comparable audit-trail discipline through institutional engineering. Whether the institution treats the audit-trail discipline as a vendor-bundled value or an institutional-engineering build is the strategic question — and either answer can be defensible if executed disciplined.

A worked configuration-comparison snippet

Before the cost section, one concrete example that anchors what the three platforms feel like to actually use. Suppose the institution needs to produce a daily “counterparties with adverse-media density above the 90th portfolio percentile” report. The same analytical job, three platforms:

Foundry Pipeline Builder (no-code, visual DAG editor): the analyst drags a filter operator onto a canvas, points it at the AdverseMediaMention ontology object class, filters to the trailing-90-day window, adds a group-by Counterparty operator with a count aggregation, adds a percentile-rank operator on the count, filters to rank ≥ 0.9, and writes the result to a Quiver-readable dataset. Build time: roughly thirty minutes for a senior analyst comfortable with the operator catalog. No code written. The same analyst running the report tomorrow opens the saved DAG and re-runs.

Snowflake with DBT (SQL-based, code-in-git): the analyst opens the DBT project, creates a new model file top_decile_adverse_media.sql:

WITH counts AS (
  SELECT counterparty_id, COUNT(*) AS mention_count_90d
  FROM {{ ref('adverse_media_mentions') }}
  WHERE mention_date >= DATEADD(DAY, -90, CURRENT_DATE)
  GROUP BY counterparty_id
),
ranked AS (
  SELECT counterparty_id, mention_count_90d,
         PERCENT_RANK() OVER (ORDER BY mention_count_90d) AS pct_rank
  FROM counts
)
SELECT * FROM ranked WHERE pct_rank >= 0.9

Build time: roughly twenty minutes for an analyst SQL-fluent enough to write the percentile window function from memory. DBT handles dependency tracking, scheduling, testing, and Git versioning around the SQL.

Databricks with PySpark in a notebook: the analyst opens a notebook, attaches a cluster, writes:

from pyspark.sql import functions as F, Window
mentions = spark.table("dd.adverse_media_mentions")
cutoff = F.date_sub(F.current_date(), 90)
counts = (mentions.filter(F.col("mention_date") >= cutoff)
                  .groupBy("counterparty_id")
                  .agg(F.count("*").alias("mention_count_90d")))
ranked = counts.withColumn("pct_rank",
                            F.percent_rank().over(Window.orderBy("mention_count_90d")))
ranked.filter(F.col("pct_rank") >= 0.9).write.mode("overwrite").saveAsTable("dd.top_decile_adverse_media")

Build time: roughly twenty-five minutes for an analyst comfortable with PySpark. Schedule the notebook via Databricks Workflows; the lineage and access control flow through Unity Catalog.

All three approaches produce the same analytical result. The differences are the skill set required (operator catalog versus SQL versus PySpark), the affordance for non-engineering analysts to read and modify (Pipeline Builder DAG is the most accessible to a CPA/CFE without programming coursework; SQL is accessible to most credentialed analysts; PySpark requires programming comfort), and the integration with the broader institutional change-management process (Git-based for DBT and Databricks; Foundry’s own promotion model for Pipeline Builder). The institutional choice depends less on which approach is “better” abstractly and more on which approach the institution’s actual analytics team can sustainably operate.

What the practitioner does with the comparison. When responding to an RFP, evaluating a platform RFP from a competitor, or writing a board-pack memo on a platform decision, the practitioner asks not “which tool wins” but “which tool produces results my team can defend in front of an examiner three years from now.” The comparison snippet above is the kind of evidence to attach to that workpaper: a concrete demonstration that the same analytical work is reachable on all three platforms, with the skill-set and process differences explicit.

Cost model and total cost of ownership

Foundry’s pricing is enterprise-licensed: typically annual subscription with a base fee plus per-user adders, Workshop application adders, and AIP-usage adders. The model is predictable across years; the institution budgets to a fixed annual envelope. Year-one implementation cost concentrates on initial ontology design, Workshop application build, Pipeline Builder transform development, and Code Repository scaffolding — typically one to three million dollars at bank-group scale per publicly-available case studies, with substantial variation by scope.

Snowflake pricing is consumption-based: warehouse compute credits plus storage. DBT Cloud adds a separate licensing layer. Bank-group-scale Snowflake compute typically runs four hundred thousand to one and a half million dollars in year one, varying with workload intensity. The build-yourself ontology layer adds a separate engineering investment (two to five million dollars over nine to eighteen months, depending on scope). Consumption pricing creates volatility year-over-year as workload patterns change.

Databricks pricing is also consumption-based, on DBU (Databricks Unit) credits, with Photon engine optional. Bank-group-scale Databricks compute typically runs five hundred thousand to one and eight tenths million dollars in year one. The build-yourself ontology layer is comparable to Snowflake’s. The variability and pattern resemble Snowflake’s more than Foundry’s.

At bank-group scale and over five years, the cumulative TCO across all three approaches typically lands in the same order of magnitude when implementation cost is included. The decision-relevant differences are typically in the distribution of cost over time (Foundry concentrates implementation in year one then runs predictable annual license; Snowflake and Databricks distribute compute spend more evenly but with consumption volatility), predictability under volume changes (Foundry more predictable, consumption-priced alternatives more variable), exit cost (Foundry’s lock-in produces the highest exit cost; Snowflake plus DBT the lowest), and workforce hiring constraint (Palantir-specific skills are measurably slower to hire than SQL plus Python plus Spark at most market locations).

The companion bundle’s tco_model/five_year_tco_template.yaml parameterizes the TCO comparison structure. Every cost value in the template is a REPLACE_WITH_VENDOR_QUOTE placeholder. The template’s purpose is to scaffold the institution’s own analysis with current vendor quotes; the article does not endorse any specific cost magnitudes.

An illustrative 5-year TCO comparison at a hypothetical bank-group scale (50 active analyst users; 5 TB of data growing 30% year-over-year; 8 Workshop applications active; 1,000 AIP calls per day). Every dollar figure is purely illustrative for shape comparison and MUST be replaced with current vendor quotes before the institution relies on the result. Vendor quotes vary 2-3x by contract negotiation, scope, and institutional volume.

Cost category Foundry (enterprise license) Snowflake + DBT (consumption) Databricks + Unity (consumption)
Year 1 platform/compute $2.0M license $0.8M compute + DBT $0.2M $1.0M DBU + Photon $0.2M
Year 1 implementation (SI + build) $1.5M (ontology + Workshop) $3.0M (build ontology + audit-trail) $3.0M (build ontology + audit-trail)
Year 1 internal eng (4-6 FTE @ $250K loaded) $1.0M (4 FTE Palantir-skilled) $1.4M (6 FTE SQL+Python) $1.4M (6 FTE PySpark+SQL)
Year 2-5 annual platform/compute $2.2M / yr $1.1M-1.7M / yr (variable) $1.3M-1.9M / yr (variable)
Year 2-5 annual internal eng $1.5M (6 FTE) $1.8M (8 FTE) $1.8M (8 FTE)
5-year cumulative (illustrative midpoint) ~$17M ~$18M ~$19M

Three observations the practitioner takes from this illustrative table. First, all three approaches land in the same order of magnitude at bank-group scale once implementation cost is included — the headline cost numbers are not the decision-relevant variable. Second, Foundry’s cost is more predictable year-over-year (annual license plus headcount); Snowflake’s and Databricks’ compute costs are variable (year-over-year swings of 30-50% are normal under workload shifts). Third, the year-1 implementation costs for Snowflake and Databricks reflect the “build the ontology + audit-trail discipline yourself” investment that Foundry bundles into its license — a defensible build, but one the institution’s engineering team has to actually execute.

What the practitioner does with the TCO comparison. In RFP responses, document each cost line with its source (vendor quote dated, SI quote dated, institutional headcount assumption with FTE basis). In budget memos to the audit committee, show the year-by-year cost distribution alongside the cumulative — the cumulative obscures the predictability difference that the year-over-year shape reveals. In platform-decision workpapers, retain the placeholder TCO template plus the substituted version; auditors three years later will reconstruct the decision rationale from the assumptions, not the conclusion.

Decision archetypes

The framework produces different conclusions for different institutional archetypes. Three archetypes cover the substantial majority of due-diligence-platform-selection situations.

Large bank with high compliance burden. Tier-1 or Tier-2 bank; SR 11-7 model risk management mature; SOX §404 controls already documented; OCC or Federal Reserve examination cycle active; thirty-plus-person engineering team across data and platform; budget envelope substantial. For this archetype, regulatory-documentation maturity weighs heavily, and the built-in Ontology plus Workshop plus Actions value-add closes regulatory-documentation gaps that Snowflake or Databricks would require building. Lock-in is real but typically absorbable as a strategic risk. The typical right answer is Foundry — unless the institution has a significant existing Snowflake or Databricks footprint and mature compliance-tech build capabilities, in which case the build cost is amortizable and the lock-in concern dominates.

Mid-size advisory shop with cost sensitivity. Fifty-to-two-hundred-person advisory or consulting firm; client engagements drive workload; regulatory burden lighter than a tier-1 bank; engineering team five to fifteen; cost discipline is the dominant constraint; ability to scale up and down between engagements is valuable. For this archetype, consumption pricing aligns with workload, SQL plus Python skill alignment matches the talent pool, and lower lock-in matches the firm’s strategic flexibility. The typical right answer is Snowflake plus DBT — unless the firm’s customer mix happens to favor Foundry-platform-aligned engagements (government, defense, certain financial-services subsegments), in which case platform alignment with customer base may justify the Foundry choice.

PE-DD firm with intermittent heavy use. Private-equity-focused due-diligence firm; engagements are episodic and high-intensity, ten-to-twelve weeks of dense investigation followed by weeks of low platform use; cross-engagement data portability matters; LLM integration valuable for adverse-media review at scale. For this archetype, the hybrid pattern is typically the right answer. Foundry handles the investigator-surface workload during peak engagements (Workshop, Quiver, AIP); Snowflake or Databricks holds the firm’s portable analytic foundation that survives platform-stack changes. The hybrid produces higher year-one cost but the cross-engagement portability and the investigator-surface productivity justify the integration complexity over five years.

Each archetype’s typical right answer carries a case-AGAINST framing: the situations where the typical answer is wrong and the institution should consider an alternative. The companion bundle’s decision_archetypes/decision_archetypes.md ships the full narrative.

The hybrid pattern

The hybrid pattern — Foundry for the investigator surface, Snowflake or Databricks for the warehouse foundation — is the editorial value-add of this article. The pattern fits when the institution has materially different workload patterns at the warehouse layer (large-volume batch transforms, multi-source integration, analytical queries) versus the investigator surface (interactive ad-hoc, workflow-driven case management, LLM-augmented review), when cross-engagement or cross-line-of-business data portability matters, and when the institution wants Foundry’s investigator-surface productivity without accepting warehouse-layer lock-in.

The hybrid does not fit when the institution has insufficient engineering capacity to maintain the integration layer (typically requires a two-to-three-engineer steady-state on the integration boundary), when integration latency is unacceptable (Foundry’s incremental sync from Snowflake is meaningfully slower than Foundry-native Ontology storage), or when the institution’s data volume is small enough that single-platform simplicity dominates the benefits.

The architectural decisions that make the hybrid succeed concentrate on three boundaries. Which data lives on which side (warehouse-side: raw ingestion, multi-source resolution, long-form analytical data; Foundry-side: resolved ontology objects, AuditEntry chain, active review queues, TimeSeries driving alerting). Sync mechanics (direction typically Snowflake-to-Foundry on a fifteen-minute-to-one-hour incremental cadence; reverse syncs mediated through ActionType side-effects so sync events become AuditEntries). The audit-trail boundary (AuditEntry objects on Foundry side; warehouse-side state changes produce audit-trail records using Time Travel or Delta Lake versioning; cross-boundary reconciliation is non-optional and runs continuously rather than only on examiner request).

The companion bundle’s hybrid_patterns/foundry_warehouse_hybrid.md covers the reference architecture and operational discipline in detail. The pattern’s success depends on the institution treating the boundary as a first-class architectural concern, not as plumbing. The pattern fails when the boundary is treated as plumbing.

The deeper observation about the hybrid is that it reframes the platform decision from “which vendor wins” to “which platform handles which job best.” Different jobs have different right answers. The institution that accepts this reframing produces architectures aligned with its actual workload patterns rather than its vendor preferences. The institution that resists the reframing produces single-vendor commitments that either pay a flexibility tax (Foundry for everything including warehouse workloads where it is suboptimal) or pay a build tax (Snowflake or Databricks for everything including investigator workloads where build-yourself produces extended time-to-value).

The framework this article walks does not endorse the hybrid as the universally correct answer. For institutions whose archetype is clearly single-platform (large banks where the compliance value of Foundry-bundled audit-trail discipline dominates; small advisory shops where Snowflake plus DBT plus Streamlit handles everything required), the single-platform answer is correct. The hybrid is the right answer for the third of institutions whose workload distribution and strategic priorities create the conditions for it.

A grounding case: why platform choice can become an examination finding

The institution that treats platform selection as pure cost-and-feature optimization, without explicit attention to the audit-trail discipline the platform must support, eventually meets the examiner. Two illustrative reference points the practitioner should be familiar with:

The Wells Fargo cross-selling enforcement action (CFPB Consent Order 2016-CFPB-0015, September 2016, with subsequent OCC and SEC actions through 2020) included as one finding among many that the institution’s customer-account systems had not preserved a clear audit-trail chain from individual account-opening decisions to the supporting documentation. The platform was not the cause of the underlying fraudulent conduct; the platform’s audit-trail design contributed to the difficulty of reconstructing decision lineage during the enforcement investigation. A platform decision that under-invests in audit-trail discipline — whether through a build-yourself shortcut on Snowflake / Databricks, or through neglecting Foundry’s bypass-control framework — produces this kind of secondary finding even when the primary conduct issue is separate.

The TD Bank BSA program failures (FinCEN Consent Order 2024, $1.3B penalty; DOJ guilty plea same month) reflected, among many findings, the operational difficulty the institution had in reconstructing transaction-monitoring decisions across multi-year examinations. Again the platform was not the proximate cause; the institutional control environment, including the platform-level audit-trail infrastructure, was material to how the institution could (or could not) respond to examiner reconstruction requests. The institution that chose its analytics platform without explicit attention to the FFIEC BSA/AML and SR 11-7 documentation expectations paid for that choice — over years, in penalties and remediation costs that dwarfed any savings from the original platform decision.

What the practitioner does with these references. When advocating for or against a specific platform choice, ground the argument in the regulator-facing consequence of the audit-trail design, not in vendor-marketing claims about platform capability. The platform decision is a multi-year strategic commitment whose consequences play out over examination cycles, not procurement cycles. The workpaper that documents the institution’s platform selection should include explicit treatment of how the institution’s chosen platform supports its specific regulatory documentation expectations — for SR 11-7 model-risk, for SOX §404 internal controls, for FFIEC BSA/AML transaction-monitoring lineage, for FinCEN CDD documentation. The practitioner asks not “what does this platform do” but “what will this platform let me show an examiner in 2029.”

Authority

Companion repository

Foundry vs Snowflake + DBT vs Databricks‘s full companion bundle lives at github.com/noahrgreen/dd-tech-lab-companion/articles/010_platform_tradeoff_framework/. It ships the ten-dimension comparison scorecard with narrative qualifications per cell and assessment-as-of date stamps, three archetype-preset weight profiles (large bank with high compliance burden, mid-size advisory shop with cost sensitivity, PE-DD firm with intermittent heavy use) plus a structured weight-elicitation discipline, the parameterizable five-year TCO template with REPLACE_WITH_VENDOR_QUOTE placeholders across all three vendor archetypes, the three decision archetypes with priorities and case-AGAINST framings, and the hybrid-pattern reference architecture with boundary design decisions. This article closes the Foundry sub-series; readers who reach this point have the full ontology-to-workflow-to-Actions-to-platform-choice arc.

Submit a Comment

Your email address will not be published. Required fields are marked *