Most products marketed as "AI dashboards" right now are screen-scrapers with a chat box bolted to the side. The dashboard pulls data into a grid, the chat box answers questions about the grid, and the team is told they have an AI dashboard. They do not. They have a dashboard. The chat is a feature, not an architecture.

What we build at Heed is structurally different. The dashboard is the team's actual workplace, with live read-write into the systems of record, role-based UI, and an agentic layer that does work, not just answers questions. Six layers, end to end. Here is what each one is doing, in plain language, with the trade-offs we make at each layer.

Layer 1. Identity and Auth

Cloudflare Zero Trust on every login. This is not optional, and it is not a feature. It is the architectural decision that makes everything else possible.

Zero Trust means the dashboard does not trust the network the user is on. It does not matter if the user is in the office, on home wifi, or on a coffee-shop network. Every request is authenticated, every session is short-lived, every device is checked against policy. For SMBs that worry about remote work and BYOD, this turns a security headache into a security posture.

For Microsoft 365 customers, we federate to Microsoft Entra ID for single sign-on. The team logs into the dashboard with the same account they use for Outlook and Teams. No second password, no separate identity store, no shadow user list. When someone leaves and IT disables their Entra account, they are out of the dashboard the same minute.

Role-based access is enforced at this layer. A typical law firm dashboard has roles for attorney, paralegal, intake, and billing. A typical engineering firm dashboard has roles for assessor, project manager, and leadership. A field services dashboard has roles for crew lead, dispatcher, controller, and owner. Each role sees a different UI and has different write permissions on different data.

Audit logging on every action. This is the part that matters when a regulator or insurer asks who did what. Every read, every write, every AI invocation is logged with the user, the timestamp, the action, and the data touched. ISO 42001 alignment is not a marketing line; it is what the audit log enables.

Layer 2. Connectors

The dashboard is only useful if it talks to the systems the team already uses. Building yet another data silo is the failure mode we will not commit. So the connector layer is the part where most of the real engineering work happens.

The standard connectors we ship with most builds:

  • M365. Live read-write to Outlook (email, calendar), Teams (chat, meetings, transcripts), OneDrive (personal files), and SharePoint (firm files). The Graph API gives us this cleanly. The hard part is permissions, not technology.
  • Practice or job management platform. For law firms, that is often Lawcus or a comparable matter management system. For engineering and field services, it is the firm's job management tool. Live read for everything, scoped read-write for the workflows the dashboard owns.
  • RingCentral, Twilio, or similar. Inbound and outbound calls, SMS, and call recordings. The dashboard surfaces missed calls, voicemails, and call notes alongside the matter or job they relate to.
  • QuickBooks Online. Read-only for most clients, with billing event triggers in the dashboard that push invoices back into QBO. The accountant still owns QBO; the dashboard just removes the re-keying step.
  • Salesforce, HubSpot, or whichever CRM is staying. Read-only for most clients who are migrating off, full read-write for the few who are keeping it.
  • Stripe or Square for payments. Subscriptions, invoices, refunds. The dashboard is where the team interacts with the payment events, not the Stripe console.
  • Custom REST and GraphQL APIs. Almost every business has at least one in-house or vertical-specific tool. We integrate it. The connector becomes part of the dashboard.

Connectors are live, not nightly batches. The dashboard is showing the actual state of the systems, not a stale snapshot. That is the difference between a real workplace and a reporting tool.

Layer 3. Document and Data Intelligence

This is the layer that turns the firm's documents and data into something the rest of the system can reason about.

Document intelligence reads the firm's own templates and contract patterns. For the law firm, that means engagement letters, trust documents, and standard probate filings get ingested and indexed. The dashboard knows what a "standard" version of each document looks like and can flag deviations. New documents that come in get parsed against the firm's own corpus, not a generic legal-document model.

Image processing for jobsite photos, scanned documents, and IDs. The structural engineering build uses this to categorize damage types in field photos and pull metadata from permit packets. Computer vision is not the headline; it is just one tool in the layer.

Meeting transcript extraction. Teams, Zoom, and RingCentral meetings produce transcripts. The dashboard pulls them, runs decision-extraction agents on them, and creates a searchable log of what was decided in which meeting. The "what did we agree on the call last Tuesday" question goes from a 20-minute review to a one-line search.

The intelligence layer turns the firm's own data into the firm's own model. Generic LLMs are trained on the internet. The intelligence layer trains on what your team actually writes, files, and decides. That is where the leverage is.

Layer 4. Agentic Workflows

This is where AI does work, not just answers questions. We use right-model selection per task because no single model is best at everything.

Anthropic Claude handles the reasoning agents. Matter triage. Deadline extraction. Intake routing. Risk flagging in contracts. Decision logs. Anything that requires multi-step reasoning over the firm's own corpus runs on Claude. Audit-logged inputs and outputs.

OpenAI handles image generation and vision tasks where Claude is not the right fit. Marketing image production. Diagram interpretation. Scanned document parsing where the parsing benefits from a vision-tuned model. The dashboard picks the model based on the task.

Perplexity handles deep research and case-law lookups. The law firm uses it to surface relevant case law for a specific matter type. The engineering firm uses it for permitting research and code lookups. Perplexity's strength is current and cited research; we route research-shaped tasks there.

Each agent is scoped, audit-logged, and has a defined human-in-the-loop checkpoint. We do not deploy agents that take action on a regulated workflow without a human approving the action. The audit log shows what the agent recommended, what the human did, and any deviation.

Layer 5. Role-Based UI

The same dashboard renders differently for different users. This is one of the parts that surprises clients the most. They expect a single UI; they get one that adapts to who is logged in.

For the field services build: a crew lead on a phone sees photos, a punch list, and a "submit daily report" button that pre-fills from the day's activity. Nothing else. An office admin on a desktop sees the inbound queue, the routing UI, the daily report dashboard. The owner sees a real-time KPI view: jobs in flight, revenue this week, anomalies flagged for review.

For the law firm: an intake coordinator sees inbound matter intake forms, the routing recommendations from the Claude agent, and the engagement-letter generator. An attorney sees their matter list, the document pane, the time-and-billing entries, the Perplexity research panel. A paralegal sees deadline tracking and document drafting. The managing partner sees a firm-wide view: matters by stage, attorney load, AR aging, intake conversion.

For the engineering firm: an assessor sees the project IQ search interface and the photo-to-report tool. A project manager sees the project list, plan-set permitting status, and the BCF compliance view. Leadership sees the financials, the project pipeline, and the risk dashboard.

Same backend. Same connectors. Same agents. Different UI per role. That is what role-based actually means in practice.

Layer 6. Upgrade Cadence

The dashboard is not a one-time build. It is a platform that improves on a cadence the client picks.

Monthly upgrades on the higher tiers. Quarterly on the standard tiers. New features ship at no extra cost within scope. The platform fee covers the upgrade work, not the initial build alone. Pricing detail is on the Operations Platform page.

What gets shipped in a typical upgrade cycle? A new connector when the client adds a system. A new agent when a workflow surfaces that is worth automating. UI refinements based on what the team actually clicks. Model updates when the AI providers ship better versions, transparently and with the model swap audited. Security and compliance updates as regulations change.

The clients who see the most value are the ones who treat the dashboard as their team's working environment and feed back what is and is not working. The cadence is built around that feedback loop.

What It Replaces

The dashboard typically absorbs three to seven SaaS subscriptions, depending on the firm's starting point. CRM, email marketing, dedicated landing-page builder, separate e-signature, separate file-sharing tool, dedicated AI assistant subscription, project management SaaS. Each individually small, each replaceable inside the dashboard layer without losing the underlying functionality.

The detailed math is in the SaaS sprawl post, which walks through one client's 11-tool consolidation. The architectural pattern in this article is the "what" that the math in that article is paying for.

What It Costs

Three tiers on the Operations Platform.

$649 to $4,200/mo
Operations Platform tiered monthly pricing. Growth, Scale, and Enterprise. Each tier covers the dashboard, the agents, the connectors, the security, and the upgrade cadence.

Growth tier ($649/mo). The dashboard, three to five connectors, two agentic workflows, role-based UI for up to four roles, quarterly upgrades. Best fit for SMBs replacing a CRM-plus-five-other-tools stack.

Scale tier. Everything in Growth, plus more connectors, more agents, more roles, monthly upgrades, and a named platform engineer. Best fit for firms where the dashboard is the operational center.

Enterprise tier. Everything in Scale, plus dedicated engineering hours, custom security and compliance work, and an SLA. Best fit for firms with regulatory exposure or specialized integration needs.

The current pricing detail and inclusions are on the Operations Platform page. The math we run before quoting any tier is on the ROI calculation post.

The Two Case Studies

For a deep dive into the engineering firm version of this architecture, see the structural engineering case study. The firm came off an 85 percent migration to Salesforce when they realized a custom dashboard would do the job better at a fraction of the per-seat cost. We built Project IQ on the architecture above, with M365, Salesforce (read), QuickBooks Time, plan sets, and permits as the connector layer.

For the law firm version, see the law firm employee dashboard case study. The firm is a multi-attorney West San Fernando Valley estate planning practice serving high net worth families. The integrations there include Lawcus, RingCentral, M365, Anthropic, OpenAI, Perplexity, the firm's secure client portal, and QuickBooks. All under Cloudflare Zero Trust.

Same six layers in both. Different connectors, different agents, different UI per role. That is the pattern.

Where to Start If You Are Considering One

Not with the architecture. With the workflow. Pick the workflow your team complains about most and walk it end to end. Identify which systems it touches and where the team is moving data by hand. That is your candidate Proof of Concept. The architecture above is what scales out from that POC, layer by layer, once the math is clean.

If you want to see the layers in your own context, bring your stack and one workflow to a discovery call. We will walk the architecture against your specific systems and tell you what would be a clean fit and what would not.