Architecture-First Governance
Crucible AI is an on-premise compliance monitoring platform. It runs entirely on a facility-owned device inside the client network. No client data is transmitted to WalkerNash or any cloud service. This architectural decision is the foundation of our governance model -- privacy and security are enforced by design, not by policy alone.
Zero Data Transmission
Client data never leaves the facility network. No cloud inference, no external API calls, no telemetry. The LLM runs locally on CPU.
Data Sovereignty
The facility owns all data on the Crucible device. WalkerNash has no copy, no remote access, and no cloud backup of client information.
Data Minimization
The Chrome extension strips sensitive identifiers at the point of capture per the HIPAA Minimum Necessary Rule. Only operational event data is retained.
Air-Gap Capable
Crucible operates fully offline with no internet phone-home requirement. Regulatory knowledge is pre-packaged and shipped with the device.
NIST AI Risk Management Framework Alignment
We voluntarily align with the NIST AI RMF to demonstrate structured, responsible governance of our AI system. The framework organizes AI risk management into four functions.
| NIST Function | Requirement | Crucible Implementation | Status |
|---|---|---|---|
| GOVERN Ownership & Accountability | AI system ownership defined | CEO owns product decisions. COO orchestrates operations. Each AI function has defined scope and escalation rules. | Satisfied |
| | Policies prohibit fabrication | Anti-fabrication policy enforced across all AI outputs. Every compliance claim must cite a specific enforcement case by entity name, year, and penalty. | Satisfied |
| | Roles and responsibilities documented | Operations manual defines each role, autonomy boundaries, and escalation triggers. BAA structure documents vendor obligations. | Satisfied |
| | Risk tolerance defined | Crucible provides advisory information only. Human operators review all AI output and make compliance decisions. No autonomous actions. | Satisfied |
| MAP System Inventory & Context | AI system inventory | Single model documented with benchmarks: local AI model running on-premise hardware. No GPU required. Model selection rationale recorded. | Satisfied |
| | Data flow documented | Two-system architecture: walkernash.ai (public, no PHI) and Crucible (on-premise, handles operational data). Chrome extension data flow and stripping rules specified. | Satisfied |
| | Use cases defined | Compliance guidance, enforcement monitoring, regulatory alerts, survey readiness. No hiring, lending, diagnosis, or consequential individual decisions. | Satisfied |
| MEASURE Testing & Evaluation | Model quality benchmarked | Compliance-specific prompt suite tested across candidate models. Baseline accuracy documented against regulatory knowledge tasks. | Satisfied |
| | Performance monitoring | Response latency tracked on target hardware. Model evaluated against multiple alternatives before selection. | Satisfied |
| | Ongoing evaluation program | New model releases evaluated against compliance benchmark as they become available. Model can be upgraded without changing architecture. | In Progress |
| MANAGE Action & Response | Incident response defined | Breach risk profile documented. On-premise architecture eliminates cloud breach vectors. Secure erase procedures for device returns. | Satisfied |
| | Human oversight maintained | All AI output is advisory. Staff review Crucible guidance before taking action. Role-based access controls with five tiers documented. | Satisfied |
| | Vendor obligations documented | BAA based on HHS recommended template. WalkerNash obligations: protect PHI, no unauthorized access, no new PHI exposure in updates, audit support. | Satisfied |
| | Data handling at termination | Facility data remains accessible after license expiry. WalkerNash IP encrypted with AES-256 and deactivated. Zero vendor lock-in on client data. | Satisfied |
Why We Don't Hold Voluntary Certifications
WalkerNash holds no third-party certifications that we are not legally compelled to hold. This is policy, not omission.
Most enterprise procurement processes treat the certification list as a proxy for trust. SOC 2 Type II, HITRUST CSF, FedRAMP, ISO 27001 — these certifications attest that a vendor's systems handle customer data safely while the customer is using them. They are designed for vendors who process, store, and transmit customer data on their own infrastructure.
Crucible's architecture removes that exposure entirely. Customer data is never in WalkerNash's possession. There is nothing for an auditor to attest about how WalkerNash handles your data, because WalkerNash never handles your data. The Crucible server runs on hardware you own, inside your network, behind your firewall. There is no multi-tenant SaaS — no shared infrastructure, no cloud database, no cross-tenant blast radius.
Pursuing those certifications anyway would (a) cost six figures annually in audit and assessment fees that would pass to customers, (b) impose ongoing audit-cycle disruption on a small engineering team, and (c) imply a multi-tenant SaaS posture that is the opposite of what Crucible is. The architectural posture itself is the trust answer.
What this means by certification
- SOC 2 Type I / Type II — not held. Designed for cloud data processors; not applicable to a vendor that never receives, processes, stores, or transmits your data.
- HITRUST CSF — not held. Designed for healthcare cloud vendors handling PHI; Crucible processes PHI only inside your network on hardware you own. WalkerNash is never in the data path.
- FedRAMP (Low / Moderate / High) — not held. Federal authorization for cloud services; Crucible is not a cloud service.
- ISO 27001 / ISO 27002 — not held. Designed for organizations that manage information assets on behalf of customers; WalkerNash does not manage information assets on behalf of customers.
- HIPAA Business Associate — deploying Crucible does not create a Business Associate relationship between your facility and WalkerNash, because no PHI is ever transmitted to or processed by WalkerNash systems. Healthcare clients deploy without a BAA being required.
- PCI DSS — not held. Crucible does not process, store, or transmit payment card data.
- GDPR (Processor / Sub-processor) — not applicable. No EU personal data is transmitted to or processed by WalkerNash systems.
Engagement policy
If your procurement process requires a vendor to hold any of the above certifications, Crucible is not a viable selection for your organization — and we will not propose to pursue those certifications to win the engagement. The architectural removal of the exposure is the answer; the engagement filter that follows from it is intentional, not negotiable, and not softened in proposals.
Procurement organizations that interpret the certification list as a checklist rather than as a proxy for actual data-handling exposure are evaluating against a vendor model Crucible was not built for. That mismatch is best identified at the start of an engagement, not at the end of one.
What we will provide
For procurement organizations evaluating Crucible against actual data-handling exposure rather than a checklist, we provide:
- Architectural documentation showing the network-boundary diagram and the absence of any outbound channel from the Crucible server
- The complete LLM system prompt and model identity / version used at the install
- The encryption parameters for the regulatory corpus (AES-256-GCM at rest) and the license-token integrity scheme
- References to the open-source components used in the local AI engine, with their licenses
- The five-tier role-based access control matrix and the local audit-log schema
- The data-flow narrative covering install, query, document ingestion, regulatory updates, and license expiry
What we cannot provide is a third-party audit attestation about systems that, by architectural design, do not handle your data. There is nothing for an auditor to inspect in the data path between your facility and WalkerNash, because there is no data path between your facility and WalkerNash.
Encryption and Security
- Client data stored in local SQLite database on the facility device. Always accessible to the facility, even after license expiry.
- Regulatory corpus encrypted with AES-256 at rest. Encryption key derived from license token plus WalkerNash master secret.
- No internet dependency -- system operates fully air-gapped. No phone-home, no telemetry, no usage tracking.
- Role-based access controls with five tiers: Staff, Charge Nurse, DON, Administrator, IT Admin. All access logged locally for audit review.
Responsible AI Commitments
- Human-in-the-loop -- Crucible provides compliance guidance. Humans make all compliance decisions. The AI never takes autonomous action.
- Transparency -- All enforcement data cites primary government sources with verifiable URLs. No proprietary black-box risk scores.
- Anti-fabrication -- Every compliance claim must reference a specific enforcement case by entity name, year, and penalty amount.
- Model-agnostic -- Crucible is not locked to any single AI provider. The LLM can be upgraded or replaced without changing the architecture.
- Data minimization -- Sensitive identifiers are stripped at the point of capture. Only operational event metadata is retained.