AI Governance, Security + Risk Management

Data Privacy

• PHI, PII, client confidential and proprietary data are strictly prohibited from entry into public or unapproved AI tools
• Data minimization required; anonymization enforced where applicable
• Approved enterprise platforms evaluated to prevent external model training on organizational data

Security Controls

• Risk-based security and privacy review required before tool enablement
• Role-based access with least-privilege principles applied
• Usage monitored for anomalous behavior and policy compliance
• AI-related events handled through established incident response processes

Accountability

• Associates governed by documented AI Acceptable Use, Data Protection and Information Security policies
• Human review of all AI-generated content prior to use
• Training provided on responsible use, data minimization and emerging AI risks

Data Privacy

• Logical client/tenant isolation with defined environment boundaries
• Client data is never used to train shared models without explicit approval and contractual permission
• All data inputs, outputs and integrations documented, reviewed and restricted to approved systems
• Retention and disposal aligned to client, regulatory and contractual requirements

Security Controls

• Secure SDLC with defined development, testing and security review standards
• Tightly controlled and monitored service accounts, APIs and agent permissions
• Model updates, prompt changes and logic modifications require documented review, testing and approval
• Failsafe and rollback mechanisms to ensure continuity if degradation is detected

Accountability + Oversight

• Human-in-the-loop verification required for outputs affecting patients, reimbursement, compliance or clinical/financial workflows
• Accuracy, reliability and operational impact periodically assessed with manual fallback procedures maintained
• Explainable outputs and client-facing reporting to support client oversight