AI agents for healthcare, without the compliance headache.

One managed-services partner runs your help desk, your SOC, and your compliance evidence agents on infrastructure you control, under a signed BAA, with a customer-readable audit log. Built for behavioral health, substance-use disorder treatment, and any provider operating under more than one regulatory framework.

5 frameworks covered: HIPAA, 42 CFR Part 2, CARF, GLBA, FERPA
90 days time to pilot: BAA on day one, MVP agents live by week six
3-in-1 MSP services bundled: Help desk, 24/7 SOC, evidence pipeline
7 yrs audit log retention: Append-only, subpoena-ready, customer-readable

Single-vertical AI vendors stop at HIPAA.

Most healthcare AI vendors ship one specialty in one framework, on their tenant, on their pricing schedule. If you operate under more than HIPAA, and most behavioral-health, SUD, and multi-line providers do, you are buying two or three of them, integrating them, and accepting an SLA promise instead of an audit log.

| What you need | AiT Hosted Agents | Typical AI-only vendor |
| --- | --- | --- |
| Framework coverage | HIPAA + 42 CFR Part 2 + CARF + GLBA + FERPA, layered as vertical packs | HIPAA only; SUD, CARF, OhioMHAS not advertised |
| Bundling | Help desk, SOC, and compliance agents on one MSP contract | Agents only; you still own EDR, MDR, helpdesk, vCISO |
| Where data lives | Dedicated GCP project provisioned under your name; you hold IAM admin | Vendor tenant; data residency by SLA promise |
| Audit access | Append-only customer-readable log, 7-year retention, stream to your SIEM | SLA wording in a renewal-rider; logs not customer-queryable |
| Pricing model | Hybrid: per-seat base + capped metered overage + vertical-pack flat add-on | Six-figure annual floor, opaque per-claim or per-call model |
| Pilot path | 90-day flat-fee pilot, three MVP agents, no annual commit to start | Annual commit, full-suite rollout, multi-quarter SOW |
| BAA scope enforcement | Gateway enforces a model-feature allowlist; non-BAA-covered calls refused or downshifted | BAA signed at the contract level; per-feature enforcement not exposed |

Three agents on day one. Twelve in the catalog.

The pilot ships with the three agents that most reliably pay back inside ninety days for a behavioral-health or multi-framework provider. The full catalog is published; new agents land monthly under the same contract.

MVP · Week 1

Compliance Evidence Collector

Pulls control evidence from EDR, MDM, SSO, ticketing, and backup systems on a continuous loop. Renders auditor-ready packs per framework (HIPAA, 42 CFR Part 2, CARF, OhioMHAS). Replaces the quarterly evidence fire drill.

Inputs: connector telemetry. Outputs: framework-scoped evidence pack + gap list.

MVP · Week 2

Helpdesk Tier-1 Triage

First-touch triage on every ticket. Redacts PHI before reasoning, routes to the right named queue, drafts a compliant reply, escalates anything outside its allowlist. Backs your live human help desk; never replaces it.

Inputs: ticket + identity context. Outputs: classified ticket + draft reply + routing decision.

MVP · Week 4

Audit-Trail Narrator

Turns the append-only log into a human-readable narrative on demand. Auditor asks "show me every PHI access by user X in Q2"; the narrator returns a paragraph plus the receipts. Subpoena-ready, no SQL required.

Inputs: audit-log query. Outputs: narrative + linked log slice + chain-of-custody attestation.

The full 12-agent catalog

Released on a monthly cadence under the same contract, no per-agent upcharge inside your tier.

Crisis Line Intake Pre-screen
42 CFR Document De-identifier
OhioMHAS Intake Form Mapper
BAA Vendor Allowlist Auditor
Patient-Handling Note Drafter
Access-Review Reviewer
Incident-Report Triage
Risk-Assessment Narrator
Phishing-Sim Outcome Summarizer

Framework coverage on day one.

Vertical packs map controls to each framework so you stop maintaining five different evidence binders. SOC 2 Type I letter by month four; Type II window opens in month six.

HIPAA: Security + Privacy Rules; BAA on day one
42 CFR Part 2: Substance-use disorder records; OCR-enforced
CARF: Behavioral health accreditation evidence
GLBA: Financial-services safeguards overlay
FERPA: Education records (campus health, training)
SOC 2: Type I letter mo. 4; Type II observation mo. 6

Your tenant. Your audit log. Transparent token routing.

No shared multi-tenant SaaS. Every call is policy-checked, BAA-scope-enforced, redacted, routed across a cost-aware model cascade, and logged before and after it touches the model.

[Figure: AiT Hosted Agents architecture inside your dedicated tenant. Your dedicated GCP tenant (us-central1). Components shown: Clinical apps (EHR, ticketing, intake); Help desk + SOC (ticket queues, EDR/MDR); AiT Gateway (PHI redact, BAA allowlist, per-tenant budgets, token cascade routing); Local model (Tier 0); Cheap LLM (Tier 1); BAA-scoped LLM (Tier 2); Audit log (append-only, 7-yr retention, customer-readable; "log every call").]

Tenant isolation, not row-level

Your data sits in a Google Cloud project provisioned under your name. The tenant boundary is the project boundary, not a shared database with row-level rules.

Gateway enforces the BAA scope

A model-feature allowlist runs on every call. Non-BAA-covered features are refused or downshifted to a local model before the request leaves the tenant.

Token cascade is transparent

Local model first, cheap LLM next, BAA-scoped frontier model last. Every routing decision is visible in the audit log, including which tier handled which call.

Pilot first. Annual commit only when it has earned it.

A 90-day flat-fee pilot derisks the first quarter. From month four you convert to a hybrid per-seat plus capped-overage plan that scales with usage without exposing you to the token-price volatility that has broken several flat-fee AI vendors in the last 12 months.

90-day pilot: $24,000 per month, flat, no annual commit
Three MVP agents in your tenant, full behavioral-health vertical pack, signed BAA before week one, weekly compliance review, and a hard exit clause at day 90.

Production pricing (months 4-12) is hybrid: per-seat base plus capped metered overage plus vertical-pack flat add-on. We walk you through the full tier menu in the working session.

What a 14-site behavioral-health network looks like under management.

A composite of the multi-framework providers we are scoping right now. Tier, services, and approach are accurate; specifics are anonymized.

Composite engagement

HIPAA, 42 CFR Part 2, CARF, and an OhioMHAS audit on the calendar, closed inside one quarter.

A regional behavioral-health network with roughly 650 employees and 14 clinic sites came in with three structural problems. No central SOC: three EDR consoles, no SIEM correlation, alerts triaged in the IT manager's inbox. No signed BAA with the helpdesk vendor. And an evidence-collection process that ate two weeks of staff time per quarter and still produced incomplete packs.

We scoped Enterprise / Regulated in the discovery call and structured the engagement around three parallel work streams: a dedicated GCP project under their name with the BAA signed before any PHI moved; an AiT SOC Sentinel correlation layer wrapping their existing EDR and MDR; and the three MVP hosted agents trained on their clinical operations playbooks.

12 wks: Kickoff to BAA-covered production, with SOC tuned by week six
1 queue: Three EDR/MDR consoles collapsed into one AI-triaged queue with a 1-hour P1 SLA
0 PHI: PHI exposures in ticket bodies after redaction shipped, previously material

Composite engagement scoped from real provider conversations. Customer identity, exact metrics, and clinic-level detail withheld until written sign-off. See the full anonymized story on the customers page.

Questions we get every working session.

Short answers below. Long answers in the discovery call.

What does the Business Associate Agreement actually cover?

Intelligent IT signs a BAA before any PHI moves. The BAA covers the hosted agents, the gateway that routes their calls, the audit log, and the dedicated tenant. The gateway enforces a model-feature allowlist so non-BAA-covered upstream features cannot be invoked against PHI; non-covered calls are downshifted to a local model or refused outright. You see the policy decisions in the audit log.

Can we customize agents for our clinical workflows?

Yes. Each MVP agent ships as a typed contract: input schema, tool-call allowlist, output schema. Vertical packs (Behavioral Health, SUD, CARF, OhioMHAS) layer on top. Customization happens in the working session and in week-two co-build, not in a 6-month services contract.

Where does our data live?

In a Google Cloud project that Intelligent IT provisions under your name, in us-central1 by default. You hold the IAM admin. We hold a least-privilege operator role tied to a service account we can show you in the working session. Tenant isolation is enforced at the project boundary, not at a shared-database row-level boundary.

Do we get access to the audit log?

Yes. Every agent call, tool invocation, prompt, redaction event, and policy decision lands in a customer-readable append-only log with a 7-year retention default. You can subpoena it, you can stream it to your SIEM, and you can replay any decision. This is not an SLA promise; it is a queryable artifact.

How does the MSP bundling work?

One contract covers the agents, the help desk that backs them, the 24/7 SOC that monitors the tenant, and the vCISO who signs off on the evidence pack. You stop coordinating four vendors and one auditor; you coordinate one MSP and one auditor. Help desk and SOC are not optional add-ons; they are how the agents stay supervised in production.

What is the attestation timeline?

Year 1: BAA on day one, SOC 2 Type I letter by month four, SOC 2 Type II observation window opens in month six. HITRUST e1 add-on available from month nine for customers who need it. 42 CFR Part 2 control mapping ships with the behavioral-health vertical pack on day one, not as a Phase 2 deliverable.

Ready to scope your pilot?

Ninety minutes with the founder and the engineering lead. We walk through your framework load, your existing stack, and a candidate three-agent MVP. You leave with a one-page architecture, a pricing range, and a decision point, not a follow-up deck.