# SCP Compliance Mapping

EU AI Act · HIPAA · ISO 42001
Supervisory Control Plane — Ohana AI Strategy & Systems Architecture Contact: info@ohana-tech.com | supervisoryplane.com
## EU AI Act — High-Risk AI Requirements
Healthcare AI systems performing clinical or administrative functions (including prior authorization) are classified as high-risk under the EU AI Act. Full compliance is required by August 2, 2026.
| Requirement | Article | SCP Coverage |
|---|---|---|
| Automatic logging — AI systems must generate logs that allow for post-hoc auditing of decisions | Art. 12 | Every context request is logged with agent identity, role, SCDs delivered, timestamp, and request ID. The log is immutable and queryable. |
| Risk management system — Continuous, documented process identifying and mitigating risks | Art. 9 | SCS bundles encode your risk policies as versioned YAML artifacts. Governance is explicit, not embedded in model weights. |
| Technical documentation — System must be documented before deployment | Art. 11 | SCS bundles are the technical documentation. Every policy, constraint, and compliance requirement is written down in a structured, versioned format before agents are deployed. |
| Human oversight — Humans must be able to oversee, understand, and intervene in AI decisions | Art. 14 | SCP's policy layer is human-controlled. Humans define what context agents receive. Governance updates are immediate and don't require retraining. |
| Transparency — Users must know what the AI knew | Art. 13 | Any context request can be replayed: what agent, what role, what policies were active, what SCDs were delivered — at any historical point. |
| Data governance — Governance over training and operational data | Art. 10 | SCS provenance fields record who created and updated each policy, when, and why. Every governance artifact has an owner and a history. |
EU AI Act status for SCP deployments: SCP provides the automatic logging infrastructure (Art. 12), technical documentation layer (Art. 11), and human oversight mechanism (Art. 14) required for high-risk AI compliance. Deployers are responsible for registering their systems in the EU high-risk AI database and appointing a responsible person.
## HIPAA — Technical Safeguard Requirements
For AI agents accessing or processing Protected Health Information (PHI), HIPAA Technical Safeguards apply.
| Requirement | HIPAA Reference | SCP Coverage |
|---|---|---|
| Audit controls — Hardware, software, and procedural mechanisms to record and examine activity in systems containing PHI | §164.312(b) | Complete audit trail per context request: agent ID, role, SCDs delivered, intent, timestamp. Every agent interaction with PHI-relevant context is logged. |
| Access controls — Assign unique identifiers to each user or agent; restrict PHI access to the minimum necessary | §164.312(a)(1) | Each agent is registered with a unique identity and a role that defines allowed intents. Agents cannot request context outside their allowed intents — the minimum necessary standard is enforced at the policy layer. |
| Minimum necessary standard — Agents access only the PHI required for the specific task | §164.502(b) | SCP's graph-based context selection delivers only the SCDs relevant to the agent's role and intent. An agent performing a prior auth check receives clinical guidelines; it does not receive billing policies or unrelated PHI handling rules. |
| Documentation — Policies and procedures governing PHI access must be documented and maintained | §164.316(b) | PHI handling policies are encoded as SCS bundles — structured, versioned, with provenance (who wrote it, when, under what version). |
| Integrity — PHI must not be altered or destroyed improperly | §164.312(c)(1) | SCS bundles are immutable once versioned. A locked bundle cannot be modified; changes require a new version with a new audit entry. |
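The following Python sketch is an added illustration of the safeguard pattern the table above describes (unique agent identity, role-scoped intents, minimum-necessary context selection, a locked versioned bundle, and an append-only audit record per request). It is not SCP's code: every name, field, role, agent identifier and policy text in it is hypothetical, and the hash-chained log is one way to make a log tamper-evident, not a claim about how SCP stores its logs.

```python
"""Hypothetical illustration of HIPAA technical-safeguard enforcement at a
policy layer. Not SCP's code; all identifiers and sample data are constructed."""
import dataclasses
import hashlib
import json
import uuid
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Bundle:
    """A versioned, locked policy bundle (§164.312(c)(1) integrity).
    frozen=True means attributes cannot be reassigned after creation."""
    version: str
    scds: tuple          # (scd_id, intent, text) triples; a tuple is immutable
    author: str          # provenance: who wrote it
    created_at: str      # provenance: when


# Constructed sample bundle; the SCD texts are placeholders, not real policy.
BUNDLE_V1 = Bundle(
    version="phi-policy-1.0.0",
    scds=(
        ("scd-clinical-001", "prior_auth_check", "Clinical guideline: <placeholder>"),
        ("scd-billing-002", "billing_review", "Billing policy: <placeholder>"),
        ("scd-phi-003", "phi_handling", "PHI handling rule: <placeholder>"),
    ),
    author="compliance-owner@example.invalid",
    created_at="2026-01-15T00:00:00Z",
)

# Hypothetical role registry: each role lists the intents it may request.
ROLE_INTENTS = {
    "prior_auth_agent": frozenset({"prior_auth_check"}),
    "billing_agent": frozenset({"billing_review"}),
}

# Hypothetical agent registry: unique identifier -> role (§164.312(a)(1)).
AGENTS = {
    "agent-7f3a": "prior_auth_agent",
    "agent-b21c": "billing_agent",
}


class AuditLog:
    """Append-only log (§164.312(b)). Each entry stores the hash of the previous
    entry, so altering or deleting any entry breaks the chain on verify()."""

    def __init__(self):
        self._entries = []

    def append(self, record: dict) -> dict:
        prev = self._entries[-1]["entry_hash"] if self._entries else "0" * 64
        record = {**record, "prev_hash": prev}
        body = json.dumps(record, sort_keys=True).encode()
        record["entry_hash"] = hashlib.sha256(body).hexdigest()
        self._entries.append(record)
        return record

    def entries(self) -> list:
        return list(self._entries)

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self._entries:
            if e["prev_hash"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def request_context(agent_id: str, intent: str, bundle: Bundle, log: AuditLog) -> dict:
    """Policy-layer check, then minimum-necessary selection (§164.502(b)):
    only SCDs matching the requested intent are delivered, and only when the
    agent's role permits that intent. Every request, allowed or denied, is logged."""
    role = AGENTS.get(agent_id)
    allowed = role is not None and intent in ROLE_INTENTS.get(role, frozenset())
    delivered = [scd_id for scd_id, scd_intent, _ in bundle.scds if scd_intent == intent] if allowed else []
    return log.append({
        "request_id": str(uuid.uuid4()),
        "agent_id": agent_id,
        "role": role,
        "intent": intent,
        "bundle_version": bundle.version,
        "scds_delivered": delivered,
        "decision": "allow" if allowed else "deny",
        "timestamp": datetime.now(timezone.utc).isoformat(),
    })


def bundle_is_locked(bundle: Bundle) -> bool:
    """Integrity check: a locked bundle must reject in-place edits;
    a change has to be a new Bundle with a new version."""
    try:
        bundle.version = "tampered"
    except dataclasses.FrozenInstanceError:
        return True
    return False


if __name__ == "__main__":
    log = AuditLog()
    print(request_context("agent-7f3a", "prior_auth_check", BUNDLE_V1, log)["scds_delivered"])
    print(request_context("agent-7f3a", "billing_review", BUNDLE_V1, log)["decision"])
    print("log intact:", log.verify(), "| bundle locked:", bundle_is_locked(BUNDLE_V1))
```

The point the table makes is that the deny decision and the narrowed SCD set are produced by the policy layer, outside the model, so a reviewer can replay any request from the log entry alone: agent, role, intent, bundle version and the exact SCD ids delivered.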
## Prior Authorization — Specific Governance Requirements
Federal mandates effective January 2026 require health plans to digitize clinical documentation exchange and meet turnaround standards. AI-driven prior auth systems must demonstrate:
| Requirement | SCP Coverage |
|---|---|
| Documented decision criteria — What criteria did the agent apply? | SCS bundles encode clinical guidelines, formulary rules, and policy criteria as versioned SCDs. The criteria are explicit and auditable. |
| Consistent application — Same criteria applied across all requests | SCP delivers the same versioned bundle to every agent instance. No agent improvises. |
| Audit trail — What did the agent know at time of decision? | Every context delivery is logged. Any prior auth decision can be traced back to the exact policy version and clinical guidelines the agent had. |
| Human override — Clinicians and compliance staff must be able to review and override | SCP policies are human-authored and human-updated. Governance changes propagate immediately without retraining agents. |
## What This Means for a Pilot
A 90-day SCP pilot in a prior authorization environment produces:
- A working audit infrastructure — Every agent decision has a logged context trail meeting EU AI Act Art. 12 and HIPAA §164.312(b) requirements.
- Documented governance artifacts — SCS bundles for your clinical guidelines, PHI handling policy, and escalation rules — structured, versioned, ready for regulatory review.
- Measurable behavioral consistency — Before/after comparison showing agents following your policies, not improvising from training data.
- A compliance narrative — When regulators ask what your AI knew, you have an answer.
Pilot program available. Contact us to discuss scope, timeline, and fit for your environment.
© 2026 Ohana AI Strategy & Systems Architecture info@ohana-tech.com · supervisoryplane.com