Enterprise AI Platform Checklist

Shadow AI Discovery

Must Have

Platform can inventory all unauthorized AI usage across the organization.

Centralized Dashboard

Must Have

Single pane of glass showing all AI usage, models, departments, and data flows.

Usage Analytics

Must Have

Real-time reporting on who's using AI, for what, how often, and what data is involved.

Automatic PHI Detection

Must Have

Real-time identification of all 18 HIPAA identifiers before data reaches AI models.

Automatic PHI Redaction

Must Have

Cleansing PHI from prompts while maintaining context for AI responses.

Data Rehydration

Nice to Have

Re-inserting redacted PHI into AI responses so users get actionable output.

Complete Audit Logs

Must Have

Immutable logs of every AI interaction with timestamp, user, model, and data shared.

BAAs with All AI Vendors

Must Have

Business Associate Agreements with OpenAI, Anthropic, Google, and any model provider.

GPT-4 / GPT-4o Access

Must Have

Latest OpenAI models for general-purpose tasks, documentation, research.

Claude Access (Anthropic)

Must Have

Claude 3.5 Sonnet and other Anthropic models for analysis and complex reasoning.

Gemini Access (Google)

Nice to Have

Google's Gemini models for research, data analysis, and multimodal tasks.

Model Selection by Use Case

Must Have

• Ability to choose the right model for each task (documentation vs.
• analysis vs.
• coding).

Role-Based Access Control

Must Have

• Different AI permissions by department, role, or user (clinical vs.
• admin vs.
• leadership).

Model-Level Restrictions

Must Have

Ability to limit which models are available to which users or departments.

Usage Quotas

Nice to Have

Set limits on AI usage per user, department, or organization-wide.

Content Filtering

Nice to Have

Block certain types of prompts (e.g., requests to generate clinical advice without oversight).

Onboarding & Training

Must Have

Guided setup, prompt engineering basics, and appropriate use case education.

Prompt Templates

Nice to Have

Pre-built, approved prompts for common healthcare tasks (discharge summaries, appeal letters, etc.).

Support & Help Resources

Must Have

Documentation, FAQs, and access to support when staff have questions.

SOC 2 Type II Certification

Must Have

Platform provider has completed SOC 2 Type II audit for security controls.

HIPAA Compliance

Must Have

Platform architecture is designed for HIPAA compliance (not just 'HIPAA-ready').

Data Residency Controls

Nice to Have

Ability to specify where data is stored and processed (US-only, specific regions).

SSO / SAML Integration

Nice to Have

Single sign-on integration with your existing identity provider.

No Shadow AI Discovery

If the platform can't inventory existing shadow AI usage, it's just adding another tool to the chaos — not solving the problem.

'HIPAA-Ready' Instead of 'HIPAA Compliant'

HIPAA-ready means 'we could be compliant if you configure it correctly.' You need actual compliance, not homework.

Single Model Access Only

• If they only offer one AI model (usually their own), it's vendor lock-in disguised as governance.
• You need multi-model access.

No PHI Protection Layer

If they rely on staff to 'remember to remove PHI,' it's not a governance platform — it's just a wrapper around ChatGPT.

No Audit Logs

• If you can't prove what data was sent where, you can't demonstrate compliance.
• Audit logs are non-negotiable.

No BAAs with Model Providers

The platform vendor might have a BAA with you, but if they don't have BAAs with OpenAI, Anthropic, etc., PHI is still exposed.