IAMV Consulting
Back to case studiesAI Agents

From Clinic to Classroom: Assessment, Security, and AI Agent Roadmap

Three consulting deliverables that unlocked the expansion of a conversational health platform into a new education vertical.

Critical findings identified in the assessment
5 (3 with high impact and urgency)
Evaluated and compared secrets management paths
3 (with well-founded recommendation)
Plan for rotating exposed credentials
up to 15 business days, zero downtime (dual-key standard)
Scoped MVP of the lead generation agent
4 modules + 4 post-MVP increments

The challenge

A Brazilian healthtech startup operating a conversational platform for dental clinics — built on n8n, Supabase, and LLMs — reached a turning point in 2026: to expand the same technological base into a new vertical, student recruitment for dental education institutions, starting with a college that is a final client of the company.

The question that leadership needed to answer was not "can we build it?", but rather "can the base support the expansion?". There were signs of accumulated fragility: hardcoded credentials in workflows, personal data persisted in debug artifacts, fragile multi-tenant isolation at critical points, and operational control dependent on spreadsheets. Scaling on this base would mean amplifying each of these risks — including exposure to LGPD and blockage in enterprise sales.

The solution

The engagement was structured into three targeted deliverables, each addressing a specific client decision.

1. Technical-product assessment. Static audit of n8n workflows covering architecture, external dependencies, security standards, multi-tenant isolation, and domain readiness for the new vertical. The verdict: proceed with conditions — mandatory technical gate for hardening before expansion. Five critical findings were identified, classified by impact and urgency, with maturity assessed across six dimensions and prioritization in a MoSCoW matrix.

2. Credential security solution plan. The highest residual risk finding from the assessment became its own execution plan: centralize 100% of credentials in a secrets manager (Infisical, chosen after a well-founded comparison among three paths — native n8n credentials, Infisical, and cloud secrets manager), rotate all exposed keys with a dual-key standard for zero downtime, and implement a blocking CI gate with Gitleaks to prevent recurrence. A 5-phase plan within up to 15 business days, with explicit approval gates and executable by the client's current team.

3. AI agent delivery plan. Technical roadmap for the MVP of a conversational lead generation agent for the educational institution: orchestrator with subagents for undergraduate and graduate programs, agnostic channel layer, automated follow-up, and administrative dashboard in Next.js. Scope includes 4 modules, with 4 post-MVP increments prioritized by operational impact (human handoff via Chatwoot, metrics dashboard, knowledge base with RAG, and WhatsApp via Evolution API).

How it works

The common thread among the three deliverables is the same: executive decision requires end-to-end technical visibility. Each document follows the structure executive summary → context → diagnosis with evidence → prioritized recommendations (high/medium/low) → action plan with responsible party, timeline, and effort.

In the security plan, each mapped credential received provider, criticality, and required action; the rotation was designed with a timeline approved by executive leadership and rollback ready before revoking any old keys. In the agent roadmap, every message from any channel is normalized into a single object before entering the agents' logic — adding a new channel requires only a connector, without touching the core. The design reuses the infrastructure that the client already operates (Supabase, n8n self-hosted, Chatwoot), reducing the project's foundation to schema, data seed, and configuration.

The complete conversational flow of the agent was mapped in a decision diagram: entry methods for undergraduate programs (entrance exam, ENEM, transfer, new degree), enrollment in graduate programs, handling of closed deadlines, structured human handoff, and scheduled follow-ups.

Results

  • Expansion decision made based on evidence: verdict "proceed with conditions", with a 6-week hardening window and controlled pilot before commercial rollout
  • Most severe risk category of the operation closed in an executable plan: 100% of credentials migrated to a central vault and rotated without downtime, with prevention of recurrence via CI
  • Scoped and unlocked MVP of the lead generation agent: 4 modules with acceptance criteria, dependencies, and a single external blocker identified before the start of development
  • Client team self-sufficient by design: vault operation runbook, walkthrough with the team, and a 90-day rotation cadence transfer the operation without dependency on consulting

The takeaway: product expansion rarely fails on the new feature — it fails on the base that no one audited. An honest assessment before the roadmap costs a fraction of the rework it prevents, and transforms "let's scale" from a gamble into a decision.