WalkerNash.ai Get started
WalkerNash · Trust posture

The audit record is the artifact, not an auditor's letter.

Why a SOC 2 report does not answer the PHI question for compliance AI.

When you send resident data to a cloud AI tool, the vendor hands you a SOC 2 report and the conversation is supposed to end there. It shouldn't. A SOC 2 report attests that one vendor followed its own controls during an audit window. Your residents' PHI travels much further than that one vendor. Follow the path a single prompt actually takes.

WHAT A SOC 2 REPORT ATTESTS — ONE VENDOR, DURING THE AUDIT WINDOW the red path is your residents' PHI, in the clear, the entire way PERSISTENT STORE PERSISTENT STORE ...and every sub-processor each layer calls OUTSIDE THE SOC 2 BOUNDARY — THE LETTER IS SILENT ON THESE CDN WAF provider hyperscaler compute GPU operator logging platform billing database moderation API Your prompt + resident PHI names, diagnoses, MRNs, dates 01 API gateway TLS / WAF / auth / rate-limit / validate ~5ms 02 Load balancer Envoy / NGINX to GPU clusters ~2ms 03 Tokenization text to BPE token IDs ~3ms 04 Model router capability-aware queue 05 Inference engine prefill / KV-cache / decode / GPU 250-300ms THE MODEL IS ONE LAYER 06 Post-processing sampling + safety models + format ~5ms 07 Response & billing usage written to data warehouse 08 Logging & observ. request body + ids + timestamps logged Answer returns and the prompt now rests in logs & caches

One prompt, ~400ms, fourteen infrastructure layers. The model is one box on the path. Your residents' PHI rides through, and comes to rest in, the rest, plus every sub-processor outside the dashed line. A SOC 2 report covers the front-most vendor. It does not cover the journey.

Why the letter doesn't answer the question

A SOC 2 Type II report is a real document about a real thing. It is just not the thing a HIPAA breach analysis turns on. Four reasons.

01The PHI doesn't stop at the vendor boundary.

Once the prompt enters the API gateway, it travels to every sub-processor each subsystem depends on: CDN, WAF, hyperscaler compute, GPU operator, logging platform, billing database, moderation API. The vendor's SOC 2 report says nothing about what those parties do with the bytes once they arrive.

02Each layer is a real handler with its own breach surface.

The observability pipeline logs the request body. The billing warehouse records token-level usage. Both are persistent stores of prompt content that live outside the model, and each inherits the trust posture of whoever operates it.

03The safety boxes are themselves models.

The moderation and safety-filter layers ingest the prompt to classify it. Each is its own model, with its own training-data retention, its own sub-processor chain, and its own audit boundary. The vendor's letter does not bind them.

04A past audit window does not cover this morning's call.

SOC 2 Type II is retrospective and periodic. A busy facility puts tens of thousands of prompts through this pipeline between audit periods. The attestation describes processes that existed at audit time, not what touched the specific bytes of your resident's PHI today.

What WalkerNash does instead

We do not try to win the attestation contest. We remove the thing the attestation was invented to reassure you about.

A cloud compliance-AI tool

Resident PHI enters layer 1.

The raw prompt, identifiers and all, crosses into the pipeline above. Every box, every log, every sub-processor handles it. The SOC 2 letter is the only thing standing in for inspection, and it covers one box.

Crucible AI

Only tokens enter layer 1.

Resident identifiers are stripped on your own machine before anything leaves, and a fail-closed firewall rejects anything PHI-shaped at the judge's door. Every box on the path still runs. None of them sees the resident's PHI, because what entered the gateway was already tokens.

Two gates, both outside the cloud. A tokenizer on the compliance officer's own computer strips resident identifiers before egress, and an officer-confirmed egress gate shows the outbound payload before it sends. At the judge's ingress, a default-deny firewall rejects any submission in which PHI is detected. The cloud holds no token-to-PHI map, so resident names are restored only on your machine, on a clean verdict.

Nothing to attest, because nothing is there. No resident records, documents, or PHI are stored in the cloud. A tenant is an authentication identity and a usage counter. The one durable record is the PHI-free audit record chain. That is why the BAA's scope is near-empty by design: it is a selling point, not a gap.

The artifacts

A facility doing diligence does not have to take the architecture on faith. These are the documents that back it.

Business Associate Agreement

Near-empty scope by design, because no PHI reaches the cloud. Available for review on request.

Forthcoming
Independent architecture review

A third-party review of whether the architecture keeps resident PHI off the cloud as designed.

Forthcoming
Signed audit record

Every verdict signed and hash-chained, content-addressable, and PHI-free. Verifiable without trusting our tooling.

Shipped
PHI Tokenizer

The local application that strips resident identifiers before egress and holds the map on your machine.

The first gate

Read the architecture in one line

They can publish a diagram of every system your residents' PHI passes through before the model even sees it. We send the model tokens instead.

See how it works Contact WalkerNash