Governance · Compliance · Audit
Regulated by design. Audit-ready by default.
Healthcare AI fails at the seams between vendors. Lexeme Govern is the single contract, single control plane, and single audit trail that sits beneath every model, agent, and vendor in your environment.
Lexeme Govern
What the board sees. What OCR sees. What your CISO controls.
Unified Agent Registry
Every vendor agent, every department-built tool, every Workspace seat — registered, versioned, and traceable in one place. No more shadow AI.
Runtime PHI Policy Enforcement
Policies enforced at execution. PHI leakage to external models is blocked before the request leaves your environment, not after the fact.
Replayable Audit Trail
Every reasoning step, retrieval, tool call, and model response is captured. Replay any decision for OCR, internal audit, or a board inquiry.
Human-in-the-Loop Escalation
Configurable escalation when confidence drops, when PHI is touched, or when an action is high-impact. Clinician review baked in.
Cost & Outcome Attribution
Tokens, dollars, and outcomes mapped to the workflow that consumed them. CFO-ready in week one.
Vendor Containment
Third-party agents observed, rate-limited, and scoped through one control plane — without ripping out what's already in production.
Frameworks
Aligned with the regulations your General Counsel asks about.
| Framework | Status | How Lexeme aligns |
|---|---|---|
| HIPAA | Native architecture | Security & Privacy Rules mapped to controls. PHI handled under minimum-necessary access by default. |
| 42 CFR Part 2 | Behavioral / SUD aware | Stricter consent and re-disclosure logic for substance-use and behavioral-health data. |
| HITECH | Breach-ready | Immutable logging supports breach-risk assessment and OCR reporting timelines. |
| SOC 2 Type II | In progress | Type I complete. Type II in progress with independent auditor. Documentation available under NDA. |
| HITRUST CSF | Roadmap 2026 | On the roadmap for organizations requiring HITRUST-certified vendors. |
| State Privacy | Multi-jurisdiction | CCPA/CPRA, TX HB300, WA My Health My Data — configurable enforcement per facility. |
| NIST AI RMF | Aligned | Map / Measure / Manage / Govern functions mirrored in the harness. |
| FDA SaMD | Boundary-aware | Clear separation between operational AI and any clinical decision support that could trigger SaMD review. |
Deployment
Four deployment modes. PHI controlled in each.
Managed Cloud
Lexeme-managed, single-tenant control plane in a HIPAA/BAA environment. Fastest path to governed AI.
Private VPC
Dedicated cloud tenant under your BAA. Single-tenant. PHI confined to your perimeter.
On-Premise
Inside your data center. Zero egress for PHI. Preferred for IDNs and academic medical centers.
Hybrid
Mix managed cloud components with on-premise governance nodes. Common for payors and multi-facility systems.
Need the trust-center package?
SOC 2 documentation, BAA template, security questionnaire responses, and architecture diagrams — available under NDA.