For Health System IT, Security & Procurement

Evaluate AI vendors with runtime evidence.

Fifty vendors knocking. Forty-page security questionnaires. Model cards instead of runtime proof. Glacis gives health system IT, security, and procurement teams the questions to ask AI vendors about runtime controls and evidence — and an evidence-pack readiness sprint to run on the vendor offering you’re actually about to sign.


The problem

A health system CISO, on the record:

“We have 50+ AI vendors knocking on our door. Radiology wants one thing, pathology wants another, nursing wants three more. My team can barely keep up with regular security reviews, let alone AI-specific runtime evidence reviews.”

— Health System CISO

Why current process breaks

Three gaps in the AI vendor review.

No time

Security teams are stretched thin. Every new AI vendor means another 40-page questionnaire and no time to read what their controls actually do at runtime.

No playbook

Traditional security frameworks weren’t built for AI. SOC 2 doesn’t cover runtime guardrails, hallucination risk, or whether the vendor’s controls actually fired on your traffic.

Real risk

AI incidents are becoming litigation. Recent cases show why signed evidence receipts of consent capture and runtime guardrails matter at the deposition table.

Beyond compliance theater

The runtime evidence question runs through five stages.

“Compliance” is too small a word for what you need: intake, governance, runtime monitoring, evidence-pack readiness, and action.

01 / INTAKE

Runtime-evidence questionnaire

The questions to ask AI vendors about runtime controls, signed receipts, and evidence packs — before a clinical team commits to a pilot.

02 / GOVERNANCE

Approved-vendor policy

Which vendors are approved, for which use cases, with which data access — and which controls must run at runtime to keep that approval.

03 / MONITORING

Runtime visibility

Ongoing visibility into vendor AI behavior through signed receipts. Are the controls the vendor described actually firing on your traffic?

04 / EVIDENCE

Audit-ready packs

Evidence packs that map to HIPAA, state AI laws, and your AI committee charter — signed runtime receipts, not vendor attestations.

What’s coming

Regulators are moving faster than RFPs.

Health systems that deploy vendor AI without runtime evidence of governance are taking on significant liability. The leading regulations:

Colorado AI Act: SB 24-205 (stayed) / SB 26-189 if enacted — Jan 1, 2027
Texas TRAIGA: HB 1709 — written disclosure to patients when AI is used — Jan 2026
EU AI Act: high-risk classification for most healthcare AI — Aug 2026
HHS HIPAA update: AI systems must be included in the risk analysis — Proposed


For the procurement team.

Run an evidence-pack readiness sprint on a vendor’s AI offering.

Fixed scope. 10 business days. One vendor offering you’re actually about to sign — runtime controls scoped against your environment, and an evidence pack your AI committee, security team, and legal can review.

Founder design-partner engagements available for the first three customers — ask us on the call.