PACS · AI and Knowledge Governance

ACTI

The Moment · Section 02 of 22

Artificial intelligence is already inside PACS.

Before we propose what to do about it, a snapshot of what is happening in our environment today — across Copilot, Studio agents, vendor AI, and the ways AI is being used by staff that no one has officially sanctioned.

AI Activity · PACS Tenant

SAMPLED // 2026-05-22 TENANT LIVE

Agents in tenant

UNTRACKED

total · custom + prebuilt mix
0 with formal lifecycle governance

Copilot users

LICENSED

licensed staff · M365 E3/E5 mix
exact count pending audit

Vendor AI reviews

PROCUREMENT

completed YTD by AI Committee
scope: vendor admission only

Rollback procedures

CONTROL GAP

documented and tested
across all 406 deployed agents

Discovered · Live in Tenant

SOURCE: COPILOT ADMIN PORTAL · 2026-05-22

Agent name: Facility Visit Report Agent
Created by: Former data team engineer — employment status unverified at time of audit
Data scope: Reads and writes facility visit reports
PHI exposure: Yes — resident weight, medication context, visit notes
Owner today: None assigned
Last reviewed: Never
Rollback path: None documented

A single discovered agent that reads, retypes, and rewrites facility data — including resident weight and medication context. If it hallucinates "165 lb" where "145 lb" was the source, a downstream care decision could deliver too much medication. No one currently audits this agent. No one owns it. No one can roll it back. Discovered via Copilot Admin Portal review.

Note // Methodology

Figures are extracted from the Microsoft Copilot Admin Portal and direct observation. No formal AI inventory exists at the time of this review.

I. Patient Zero Section 03 of 22

The person proposing to govern AI goes first.

Before asking PACS to audit anyone else's AI use, an audit of my own — and a demonstration of the workflow this function would apply at scale.

Three patterns I have used to make my own work more effective, each of which would fail the governance review I am proposing — and each of which I have already remediated, or am in the process of moving, into PACS-sanctioned tooling.

This is a working example. It demonstrates how the function operates: identify, classify, remediate, document. The pattern is the same whether the subject is the governance lead or anyone else.

Shadow Pattern

Personal task aggregator

Built on PACS device · Browser-encapsulated memory · No cloud sync

A locally-scoped task and notes aggregator using Anthropic Claude on a PACS device. Browser memory only. No PACS data persisted outside the session. Thoughtful — but not on the approved tools list.

Governed Replacement

Copilot Studio task agent · M365 tenant

PACS tenant · Microsoft BAA · Tenant data boundary

Rebuilt in Copilot Studio inside the PACS M365 tenant. Microsoft BAA applies. Tenant data boundary enforced. Same productivity benefit, contractually protected data path. Migrated before this presentation.

II. BAA Coverage Matrix Section 04 of 22

Which AI surfaces are contractually covered — and which are not.

Before any AI tool touches PACS data, the BAA question has to be answered. This is the source-of-truth map. Covered means the Microsoft Online Services DPA / Business Associate Amendment reaches the surface; not-covered means no PHI, period.

Every entry below reflects PACS' current licensing posture and Microsoft's published BAA-applicable services list. Status indicators are deliberately coarse — covered, not covered, or conditional. Tier and SKU notes are surfaced inline because the same product name often carries different protection depending on the SKU (consumer vs. enterprise vs. free).

M365 Copilot family Enterprise vs. consumer distinction matters more than the brand name

Microsoft 365 Copilot — M365 E3/E5 add-on Tenant-bound · Microsoft Graph grounding · EU Data Boundary respected

✓ Covered

Microsoft 365 Copilot Chat — included with eligible M365 plans Work-mode (tenant context, EDP) · Web-mode treated separately

✓ Covered (work mode)

Consumer Copilot — copilot.microsoft.com / personal MSA accounts Not a PACS tenant surface · personal account sign-in No PHI. Treated as a third-party consumer AI; not under the PACS BAA. Use is governed by the AUP, not by Microsoft contracting.

✕ Not covered

Copilot Studio Custom agents · the build surface for parent/child architecture

Copilot Studio — within PACS M365 tenant Managed environment recommended · Power Platform DLP applies

✓ Covered

Security Copilot SOC analyst surface · separate SCU-based licensing

Microsoft Security Copilot — SCU consumption model Evaluation only at PACS today · not yet provisioned

✓ Covered

Dragon Copilot Clinical documentation · Nuance heritage · separate licensing path

Dragon Copilot — clinical ambient documentation Not licensed at PACS today · evaluation gated on clinical owner

✓ Covered (under Nuance BAA)

Azure OpenAI · Foundry Code-first surface · custom RAG · the agent-development plane

Azure OpenAI Service — within PACS Azure subscription Customer data not used for OpenAI model training · region-pinned

✓ Covered

Azure AI Foundry — model catalog + agent runtime Foundry models are listed as covered services · per-model verification required for non-Microsoft models

* Per-model

Azure Health Data Services FHIR · DICOM · MedTech — purpose-built for PHI workloads

Azure Health Data Services (FHIR, DICOM, MedTech) Not provisioned at PACS today · architectural option for PCC integration

✓ Covered

Governance plane Purview · Entra · Defender · Agent 365 — the controls, not the agents

Microsoft Purview (Compliance Manager, DSPM for AI, DLP, sensitivity labels) E5 / Purview add-on dependent · partial today, gap analysis underway

✓ Covered

Entra ID · Entra Agent ID · Entra ID Governance Agent ID is zero-cost visibility · enable immediately for shadow agent inventory

✓ Covered

Microsoft Defender for Cloud (incl. AI threat protection) Defender for Cloud AI workload protection requires plan selection

✓ Covered

Microsoft Agent 365 — agent registry, observability, lifecycle Preview / GA roadmap dependent · Agent ID provides interim visibility

✓ Covered

GitHub Copilot Developer code-completion · SKU determines protection and training posture

GitHub Copilot Enterprise / Business Tenant-bound · code not used to train base models · enterprise policy controls

✓ Covered

GitHub Copilot Free / Pro / Pro+ Individual SKUs · personal GitHub identity · not a PACS contracting surface No PACS code, no PHI. Under GitHub's April 2026 policy update, individual SKU prompts and code suggestions may be used to improve Copilot models unless the user has opted out at the account level — and that election is outside PACS control.

✕ Not covered

Third-party consumer AI No PACS BAA · no enterprise control plane · AUP territory

ChatGPT (consumer) · Claude (consumer) · Gemini (consumer) · others Personal accounts · no PACS contracting · no enterprise audit trail No PHI · no PII · no PACS data. Permitted for public-domain knowledge tasks only under the AUP. Anything PACS-specific routes through M365 Copilot Chat (work mode) or Copilot Studio.

✕ No PACS BAA

The boundary

Microsoft's BAA is entered automatically via the Online Services DPA. It protects the infrastructure. PACS implementation controls protect the deployment. A covered service deployed without tenant isolation, label propagation, and DLP scope is still a breach path — the contract does not configure itself.

III. The Strategic Insight Section 05 of 22

Data governance is over AI governance — because the data is what trains the AI.

Every Copilot agent we build, every Studio workflow we deploy, every clinical or operational LLM we eventually permit — all of them are downstream of one thing: the quality, structure, and governance of the knowledge they read.

PACS's knowledge base, SharePoint architecture, ServiceNow configuration, and document metadata are the substrate on which our AI will operate. If those sources are inconsistent, unindexed, or stale, every AI tool built on top inherits and amplifies their defects — at the speed and scale of automation.

This is why AI governance and knowledge governance cannot be separated. They are the same function, viewed from two angles. The proposal that follows treats them as one.

IV. The Regulatory Floor Section 06 of 22

The obligations already affecting the industry.

AI governance is not a future regulatory possibility for PACS. Multiple federal and state regimes already apply to AI as used in healthcare today. A summary of the most material — and the specific PACS control gap each one creates.

In force · Enforcement begun

HHS Section 1557 — AI & Patient Care Decision Support

Effective: July 5, 2024 · AI provisions enforced: May 1, 2025

Covered entities must make reasonable efforts to identify uses of patient care decision support tools (explicitly including AI) employing variables related to protected characteristics, and to mitigate risks of discrimination. Required: written policies, staff training, audit of AI tool performance, human override capability, and vendor disclosure collection.

PACS gap today No function currently owns identification, mitigation, written policies, or audit of AI tools touching protected characteristics. Section 1557 Coordinator exists per requirement but has no AI-specific scope.

Source: HHS Section 1557 Final Rule, Federal Register^↗

NPRM published · Final rule pending

HIPAA Security Rule — Notice of Proposed Rulemaking

Published: January 6, 2025 · First proposed update since 2013

HHS expects AI software used to create, receive, maintain, or transmit ePHI — or that interacts with ePHI — to be listed as part of the technology asset inventory. Adds mandatory vulnerability scanning every 6 months, annual penetration testing, 72-hour critical system restoration plans, and removes the "required vs. addressable" distinction.

PACS gap today No AI technology asset inventory exists. 406 agents in tenant are uninventoried, undocumented, and not classified by ePHI access.

Source: HHS Notice of Proposed Rulemaking, Federal Register^↗

Active enforcement

OCR HIPAA Enforcement — 2025 Trends

10 resolution agreements in first 5 months of 2025 · Top fine $3M

The largest 2025 penalties have centered on risk analysis failures. Updated penalty caps effective January 28, 2026: Tier 4 violations capped at $2,190,294 per violation category per year. An unaudited agent reading PHI is — by definition — outside the organization's risk analysis.

PACS gap today The Facility Visit Report Agent (and 405 others) are not represented in any current HIPAA risk analysis. Each represents a potential separate violation category.

Source: HHS OCR Resolution Agreements^↗

In scope · Public company obligation

SOX 404 ITGC — AI Touching Financial Reporting

Standing requirement · Annual external audit

If an LLM, agent, or RPA-with-AI touches Workday payroll, GL, billing, AP/AR, or any ICFR-relevant system, it falls under IT General Controls. Change management, access controls, and segregation of duties between developers and governance apply to the agent itself as a control.

PACS gap today Workday-connected agents discovered in the admin portal. Custom-LLM work happening on the data team. No SoD structure between AI developers and AI governance.

Source: PCAOB AS 2201 — Audit of ICFR^↗

In force

ONC HTI-1 Final Rule — Predictive Decision Support Interventions

Published: December 2023 · DSI provisions in effect

Transparency obligations apply to certified Health IT developers (e.g., PointClickCare). PACS as a customer must consume FAVES disclosures and govern use. If PACS develops in-house AI that informs clinical decisions, the regulated DSI question arises directly.

PACS gap today No consumption process exists for vendor FAVES disclosures. No internal review of whether any PACS-built agent crosses the DSI threshold.

Source: ONC HTI-1 Final Rule^↗

Multi-state exposure

State AI Laws — 17-state operating footprint

California · Colorado · Illinois · New York · Texas · others

Colorado SB 24-205 (effective February 2026), New York City AEDT, Illinois AI Video Interview Act, multiple California AI provisions. Triggered the moment AI touches employment decisions in Workday — a system PACS already operates at enterprise scale.

PACS gap today No state-by-state inventory of where AI-enabled Workday features are in use, or whether they meet state-specific transparency or audit requirements.

Source: Colorado SB 24-205^↗

Bottom line

Each item above is a present-day obligation. The function described in the sections that follow is the operational answer.

V. Industry Reality Check Section 07 of 22

Failure is documented, recent, and avoidable.

Four public AI failures from the past 24 months — each preventable with a governance function in place. None of the affected organizations had one.

Legal precedent

Air Canada — chatbot misinformation liability

Canadian Civil Resolution Tribunal · February 2024

A chatbot on Air Canada's website provided incorrect bereavement fare information to a customer. Air Canada argued the chatbot was a "separate legal entity." The tribunal disagreed — holding the company liable for its chatbot's output. A landmark decision establishing that chatbot statements are corporate statements.

Lesson for PACS If a PACS agent provides incorrect care, scheduling, or compliance information to a staff member, patient, or family member, the company is on the hook for the output — not the agent.

Source: Moffatt v. Air Canada, 2024 BCCRT 149^↗

Government chatbot failure

NYC MyCity — illegal advice to small businesses

Reported: March 2024 · Markup investigation

New York City's MyCity small business chatbot, built on Microsoft Azure with GPT-4, told business owners they could fire workers for complaining about harassment, take tips from employees, and serve cheese rats had nibbled. The chatbot continued operating after the issues were reported.

Lesson for PACS A government chatbot, on enterprise infrastructure, with the same Microsoft stack PACS uses — produced illegal guidance to citizens. Default model behavior is not a substitute for governance.

Source: The Markup — NYC's AI Chatbot Tells Businesses to Break the Law^↗

Healthcare-specific breach

Agentic AI workflow vendor — patient data breach

Reported: 2025 · Vendor incident · Hundreds of thousands of patients affected

A breach involving an agentic AI workflow vendor exposed patient records across multiple hospitals. The data was reportedly accessible on an unprotected platform for weeks before discovery. (Primary vendor and incident details pending verification before final presentation.)

Lesson for PACS Agentic AI is exactly the workflow class PACS has 406 agents already operating in. Vendor-side AI failures map directly onto PACS's exposure as a deployer.

Source: McNees Wallace & Nurick · AI HIPAA Compliance Risks^↗

Operational failure

Amazon — AI usage metrics as objective

Reported: Nov 2025 – Mar 2026 · Reuters, FT, CNBC, Fortune

Amazon set an 80% weekly-use target for its internal Kiro AI coding tool, tracked adoption as a corporate OKR, and required VP approval for exceptions. Within three months, four Sev-1 production incidents — including a 13-hour AWS Cost Explorer outage and a six-hour retail outage costing an estimated 6.3M orders — were tied to AI-assisted changes. An internal briefing acknowledged "high blast radius" incidents from "Gen-AI assisted changes" where "best practices and safeguards are not yet fully established." Amazon's remediation: senior-engineer sign-off on AI-assisted code and "controlled friction" on the most critical change paths.

Lesson for PACS Healthcare moves slower than retail tech — that is the advantage. PACS gets to learn from these failures rather than reproduce them, but only if governance precedes adoption pressure. Adoption metrics measure tool use; outcome metrics measure value. Don't confuse the two.

Source: Reuters internal-memo reporting, Nov 2025^↗ (corroborated by FT, CNBC, Fortune)

VI. Existing Coverage & The Gap Section 08 of 22

Three functions exist. None of them is this one.

Three existing functions touch AI at PACS today, each with a specific and necessary scope — and none of them owns the operational lifecycle of AI being built inside our walls.

Vendor AI Committee

Scope: Does PACS admit this AI vendor?

Vendor contract / BAA review
Model claims & documentation
Pre-admission risk screen
Decision: admit or deny

Compliance

Scope: Is PACS legally compliant?

HIPAA / SOX / CMS audit
Policy adherence review
After-the-fact assurance
Not in pre-deployment loop

Information Security (ISM)

Scope: Identity, network, endpoint, threat.

Access controls & identity
Network & endpoint security
Threat detection & response
Not AI lifecycle management

The Gap · What no one owns today

Agent intake. Build standards. Evaluation sets. PHI classification per agent. Versioning & rollback. Audit cadence. Knowledge base governance. Training. Incident response for AI-specific failure modes. Today: zero owners. Tomorrow: this function.

ACTII

The Framework · Section 09 of 22

Anchored to recognized standards.

PACS will not invent its own framework. The proposed function aligns to the same standards Workday, JPMorgan, IBM, and peer regulated enterprises align to — published, voluntary, increasingly cited by HHS, and certifiable.

PRIMARY ANCHOR · YEAR 1 NIST AI Risk Management Framework 1.0

Four functions: Govern · Map · Measure · Manage. Published by NIST, US federal baseline. Voluntary, free to adopt, increasingly cited by HHS. Provides the structural backbone for the proposed function. Workday case study (published by NIST) uses this exact framework.

Y1 Primary
nist.gov/AI-RMF^↗

PRIMARY ANCHOR · GENAI NIST AI RMF Generative AI Profile (AI 600-1)

Companion profile for generative AI specifically. Addresses hallucination, prompt injection, data leakage, model drift, and operational risk patterns relevant to Copilot agents and LLM deployments.

Y1 Primary
NIST AI 600-1^↗

CERTIFICATION PATH · YEAR 2 ISO/IEC 42001:2023 — AI Management System

International standard for AI Management Systems — the AI equivalent of ISO 27001. Certifiable. Increasingly expected of publicly traded companies under SOX scrutiny. Crosswalks cleanly to NIST AI RMF; Microsoft-provided crosswalk will guide implementation.

Y2 Target
ISO/IEC 42001:2023^↗

SECURITY BASELINE OWASP Top 10 for LLM Applications

Industry-standard threat model for LLM deployments. Prompt injection, training data poisoning, supply chain vulnerabilities, sensitive information disclosure. Coordinates with CyberSec for security-overlap domains.

Continuous
OWASP LLM Top 10^↗

VENDOR / PLATFORM Microsoft Responsible AI Standard v2

Microsoft's own responsible AI framework — directly applicable since PACS is a Copilot tenant. Provides Microsoft-specific implementation guidance for the controls the framework above requires.

Y1 Continuous
Microsoft Responsible AI^↗

HEALTHCARE OVERLAYS HIPAA · HHS/OCR · CMS · Section 1557

Healthcare-specific obligations overlay on top of the technical frameworks. AI governance translates these into operational standards: data classification per agent, BAA verification, discrimination audit per Section 1557 §92.210, FAVES disclosure consumption from HTI-1 vendors.

Continuous
HHS HIPAA^↗

Workday precedent

Workday — a publicly traded enterprise software company whose platform PACS already runs — uses NIST AI RMF as its anchor framework and is published by NIST as a model case study. The path PACS will follow is well-trodden, not experimental.

VII. The Function Section 10 of 22

One function. Four pillars.

The proposed AI & Knowledge Governance function operates across four operational pillars — bounded, named, and individually measurable.

PILLAR 01

Policy

Acceptable Use Policy for AI
PHI / PII handling in AI workflows
Model admissibility standards
DLP & guardrail configuration
AI incident response playbook

PILLAR 02

Lifecycle

Agent intake & risk classification
Build standards & review
Evaluation sets & red-team
Approval & deployment gates
Versioning & rollback
Monitoring & 3–6 mo audit cycle
Retirement & archival

III

PILLAR 03

Knowledge

KB standards & metadata
Indexing & retrieval architecture
Source-of-truth designation
RAG / connector strategy
Permission propagation
Cross-system reconciliation

PILLAR 04

Enablement

Tier 1: User chat (all staff)
Tier 2: Notebooks / Projects
Tier 3: Action agents (HITL)
Tier 4: Autonomous agents
Training & certification
Internal AI literacy program

ACTIII

Tiered Enablement · Section 11 of 22

Four tiers of AI use. Four levels of governance.

A multiplier, not a bottleneck. Governance scales with risk — self-service on low-risk productivity, gated review on PHI- or SOX-touching automation.

TIER01

Assistive Conversational AI

Out-of-the-box Copilot Chat with role-permissioned responses. General productivity: drafting, summarization, search. No PHI, no decisioning.

SELF-SERVICE
AUP + DLP only
Quarterly sampled audit

TIER02

Augmentative Notebooks & Projects

Curated knowledge sources, multi-turn workspaces, scoped to user or team. Built by trained staff. Standards apply; governance reviews on creation, not on every use.

LIGHT REVIEW
Training prerequisite
Standards-based audit

TIER03

Action — HITL Agentic w/ human approval

Agent proposes action, human approves in-context. "Reset this password? [Yes]". Built by the AI Governance function on service request. Full lifecycle applies.

GATING REVIEW
Eval sets required
3–6 mo audit cycle

TIER04

Autonomous Agentic — background

Agent executes overnight or background workflows. Human reviews report or output. Rare. Reserved for cases where Tier 3 has proven mature.

FULL REVIEW
Compliance + Privacy
Internal Audit sign-off

Key framing

Governance does not slow the 80% of low-risk work. It puts guardrails on the 20% that can actually hurt us. What slows organizations down is ungoverned AI failures requiring emergency remediation.

SOP12

Agent Lifecycle · Section 12 of 22

From request to retirement.

The seven-stage operational SOP every new agent passes through. Same workflow whether the requester is a field engineer asking for a help-desk assistant or the CFO asking for a forecast bot.

Lifecycle Stages · Standard Workflow

01 · REQUEST

Intake

ServiceNow form
Who / why / data class

→

02 · BUILD

Design

Copilot Studio
Standards-based

→

03 · EVAL

Test

Pass / fail / adversarial
Red-team set

→

04 · REVIEW

Approve

Tier-appropriate
Compliance if PHI / SOX

→

05 · DEPLOY

Publish

Scoped user group
Permissions enforced

→

06 · OPERATE

Monitor

Usage review monthly
3–6 mo audit cycle

→

07 · RETIRE

Decommission

Source stale or
owner departed

Versioning gap · Today

In a recent audit, it was identified PACS could not detect and roll back an agent regression three changes later. Stages 02 through 07 above are exactly the controls that close that gap in Y1.

MATRIX13

Data × Model Admissibility · Section 13 of 22

What data may meet what model.

The single most useful artifact for day-to-day decisioning. Read a row left-to-right to know which AI platforms are admissible for which class of PACS data. Framework-driven, not preference-driven.

Data Class × Model Admissibility · v1 Draft

Admissible Conditional Prohibited

M365 CopilotBAA ✓

Anthropic ClaudeBAA ✓

ChatGPT EnterpriseBAA REQ

Consumer LLMsNO BAA

FoundryIN-TENANT

Public

marketing · public KB

✓

Internal-confidential

SOPs · internal KB · ops

✓

⚠

✗

✓

PII

employee · demographic

✓

⚠

✗

✓

PHI

PointClickCare · ePHI

⚠

✗

⚠

ICFR / SOX-relevant

GL · AP/AR · payroll

⚠

✗

⚠

MNPI

pre-earnings · material

✗

⚠

Model-agnostic by design

This matrix is updated as BAAs and vendor postures change. The framework dictates admissibility — not preference. Claude, Copilot, GPT, and Foundry are admitted or denied by the same data-class rules.

VIII. Environment Build Section 14 of 22

The governance plane stays Microsoft — regardless of where the agent is built.

Four layers, adapted from Microsoft's Cloud Adoption Framework for AI. Each layer answers a different question. Layers 1–3 govern every AI surface at PACS — Microsoft, third-party, or custom. Layer 4 is the build surface for agents we own.

Most of what we need is already licensed. The unfilled boxes are deliberate — they identify the explicit spend decisions ahead, not gaps left by omission. PointClickCare is the named architectural gate because it sits inside Layer 1 (data governance) but is not natively addressable by Purview today.

Already licensed or zero-cost

Net-new spend decision

Layer 01 Data Governance & Compliance What data, where, under whose label — and what AI may touch it.

Purview Compliance Manager Purview DSPM for AI Purview DLP + sensitivity labels Copilot Studio governance Power Platform DLP Data residency controls SharePoint · OneDrive · Exchange · Teams IT Glue ServiceNow PointClickCare *

PCC · Layer 01

Integration gap — architecture decision pending Phase 3. PointClickCare is the most PHI-dense system in scope and the least natively observable by the Microsoft governance plane. Architecture options (Azure Health Data Services FHIR ingress · vendor API governance · shadow-data classification) are evaluated in Phase 3. Not a blocker for Phases 1–2.

Layer 02 Agent Observability What agents exist · what they do · what they cost · what they touch.

Microsoft Agent 365 Defender for Cloud Azure Log Analytics Azure Cost Management ServiceNow CMDB · SOX ITGC cross-reference

Layer 03 Agent Security Identity · privilege · threat surface · red-team posture.

Entra Agent ID Entra ID Governance Defender for Cloud · AI threat protection Foundry Content Safety PyRIT + AI Red Teaming Agent Azure RBAC Microsoft Sentinel Security Copilot

Layer 04 Agent Development The build surface — code-first and low-code, governed by Layers 1–3.

Microsoft Foundry Copilot Studio Agent Framework (code-first) GitHub Copilot Enterprise Foundry SDK MCP + A2A protocols

The boundary

The governance plane stays Microsoft regardless of where the agent is built. Workday Illuminate, ServiceNow Now Assist, and PointClickCare integrations are governed through Layers 1–3 — not exempt from them. Cross-tenant agent ID, label propagation, and threat protection scope are enforced at the plane, not at the agent.

—

Intermezzo.

Pause · Questions · Stretch

We are halfway. A good moment for a refill, a stretch, or any questions on the framework, the regulatory floor, or the coverage gap before we move into structure and people.

The AI keeps going. So does David. You don't have to.

IX. Engineering Restructure Section 15 of 22

An org change that stands on its own.

The engineering restructure is independently valuable — and necessary regardless of the AI governance proposal.

Independent decision This section is presented as reference only. It is not part of the AI & Knowledge Governance ask and is not included in the three decisions requested on the live deck or in the decision memo. Approve, defer, or decline this independently of every other section in this dossier. The AI governance function does not depend on this restructure occurring, and this restructure does not depend on the AI governance function being approved.

Current state

Three RDEs · Parallel pods

RDE × 3

David · Ian · Heather Each running pods independently

Field

Engineers per pod Holistic-visit model · monthly cadence

Gap

Three voices, one message — heard three different ways No single growth path for engineers. The goal is one unified message to field engineers.

Proposed state

One Director · Senior/Lead Engineers · Specialized roles

Tier 1

Ian Chechet · Director of Engineering Manages 4–6 Senior/Lead Engineers, not ICs directly

Tier 2

Senior / Lead Engineers · player-coaches Andy · D. Yun · J. Garcia · R. Garcia · N. Natoli · others TBD

Tier 3

Field Engineers · project + onboarding + escalation Holistics reduced to 1–2x/year per Bill's direction

Specialized

Heather → Technical Project Manager / Systems Specialist Asset management · ServiceNow build · Long-term continuity for Nicholas's scope

New role

David → Director of AI & Knowledge Governance PACS equivalent of Microsoft's Lead Responsible AI Champ + Office of Responsible AI functions · Backfilled by restructure above

Independence

The restructure stands on its operational merits — clearer engineer growth paths, unified field messaging, and a defined senior-engineer tier. AI governance is a separate decision. Approve, defer, or decline either; neither blocks the other.

TEAM16

Task Force Model · Section 16 of 22

Light core. Broad participation.

Not a department — at least not yet. One full-time lead, four task-force members carrying primary roles, and a cross-functional review board that meets monthly. Designed as Stage One. Y2 re-evaluation against KPIs and workload determines whether the function graduates to a formal department with named FTEs.

Lead · Full-time

D. Hunter · Y1 net new role

Operational ownership of all four pillars. 40+ hrs/week dedicated. Backfilled in engineering by restructure.

Task force · Primary roles + 10–15 hrs/wk

D. Yun · J. Baker · I. Chechet · +1–2 TBD

Carry existing positions; contribute to standards, agent reviews, and pillar-specific work without leaving current scope. Hold Entra roles: AI Administrator & Agent ID Administrator (scoped, audit-trailed, least-privilege).

Review board · Monthly

Compliance · Privacy · CyberSec · Vendor AI · IA · Legal · HR

Convenes for medium-/high-risk reviews and quarterly governance posture. Not standing committee meetings.

X. Reporting Line Section 17 of 22

Four options — and one recommendation.

The reporting line for the proposed Director of AI & Knowledge Governance role is genuinely a leadership decision. Four credible options; tradeoffs surfaced; one primary recommendation grounded in the Workday case study and SOX SoD principles.

Recommended

OPTION A

Direct to Bill Mackey · VP Technology

Peer to: Eng Director · CyberSec Dir · ITSM Dir

Enterprise scope; peer-level authority across CyberSec, ITSM, Engineering. Formal coordination MOU with CyberSec on security overlap. Matches Workday's NIST-published precedent of separating AI developers from AI governance reporting lines.

SOX SoD: governance does not report through a function it governs

Convening authority for Compliance / Privacy / Legal

Workday case study precedent

Reports above the current engineering chain; coordination MOU required

OPTION B

Under Stormy Seliquini · Director of Cybersecurity

Reports to: S. Seliquini · Then to Bill

Natural extension of NIST CSF → NIST AI RMF lineage; ISO 27001 → ISO 42001 alignment. Existing risk-management discipline. SOX-defensible immediately.

Tightest framework lineage

CyberSec discipline is already mature

Scope drifts to "AI security gate"; loses Knowledge + Enablement work

No natural home for KB governance

OPTION C

Under Collins Huish · Sr Dir Engineering

Reports to: Collins Huish

Preserves the existing relationship and continuity with engineering operations. Lowest political cost. Reads as natural extension of David's current role.

Lowest political friction

Continuity with engineering ops

Caps scope at Engineering; loses enterprise authority

Mixes governance with one of the functions it governs · SoD issue

OPTION D Y2–Y3 candidate

Direct to Landon Gibb · SVP Technology & Systems

Peer to: VPs across enterprise

Highest authority. Co-locates AI governance with enterprise Technology & Systems strategy. Most appropriate once the function has graduated to a department with FTE headcount justified by audit findings and workload.

Highest convening authority across HR / Legal / Finance

Signals AI gov as top-of-stack enterprise priority

Bypasses Bill in Y1; structurally awkward at function stage

Could intensify SOX scrutiny earlier than function is ready for

Y1 reads as overreach for a credentialing-stage lead

Why Option A

Option A places governance at peer level with the functions it coordinates with — CyberSec, Engineering, ITSM — and keeps it independent of any single function it governs. This is the structural pattern the Workday case study (published by NIST) documents as the SOX-defensible posture.

PATH18

Capability Build · Section 18 of 22

Two tracks, one trajectory.

Governance capability builds in two parallel tracks: people (credentials, training, hires) and tools (tenant settings, policies, agent registries, environments). Click any phase to see which milestones land where — and what each unlocks for the other track.

Governance Capability — People D. Hunter · Task force · External advisor

NOWDirector role posted

NOWTask force named

NOWNIST AI RMF training

+30DIAPP AIGP enrolled

+30DResponsible AI Std v1

+30DAI AUP → Legal

+90DIAPP AIGP complete

+90DAI-900 started

+90DAUP published

+6moAI-900 / AI-901

+6moCopilot Admin cert

+6moHCISPP enrolled

+12moAI-102 / AI-103

+12moExternal advisor

+12moSC-100 prep

+18moISO 42001 LI WIP

+18moCIPP/US enrolled

+24moISO 42001 LI complete

+24moCIPP/US complete

+24moY2 KPI evaluation

NOWEntra Agent ID enabled

NOWDSPM for AI · audit-only

NOWAgent 365 registry live

+30DPurview DSPM weekly

+30DIRM "risky AI usage"

+30DComm Compliance AI

+30DKYD policy active

+90DAgent ID baseline

+90DCopilot Studio managed env

+90DPower Platform DLP

+90DSensitive Uses · first case

+90DServiceNow intake form

+6moAgent 365 full governance

+6moSensitivity labels enforced

+6moFoundry dev/test env

+6moGitHub Copilot Ent (AI team)

+12moFirst custom CS agents · governed

+12moPyRIT · AI Red Teaming

+12moSecurity Copilot eval

+12moNow Assist in Agent ID

+18moFoundry IQ · KB grounding

+18moM365 Copilot · broader rollout

+18moWorkday Illuminate · ASOR + Agent ID

+24moFull enterprise Copilot scale

+24moPCC integration · architecture gate

+24moDragon Copilot eval (if clinical)

Governance Capability — Tools Tenant · Policies · Registries · Environments

People · NOW · May 2026

Director role posted · Task force named · NIST AI RMF training scheduled

Tools · NOW · May 2026

Visibility-first: Entra Agent ID, DSPM for AI audit mode, Agent 365 registry

Honest framing

No PACS employee currently holds an AI governance credential. The logical choice is internal candidate with deep practitioner fluency on a documented credentialing path — or external hire with credentials and 12–18 months to learn what PACS is. Internal mobility for new roles like this has been signaled as preferred.

XI. Roadmap Section 19 of 22

Commitments, on a timeline.

Four time horizons. The first 30 days are already underway — NIST AI RMF training scheduled, agent inventory audit in progress, this proposal itself an artifact.

30 Days

Foundation

NIST AI RMF training complete · LinkedIn Learning · Tuesday May 26
AI inventory baseline · Copilot Admin Portal extract · all 406 agents triaged
Acceptable Use Policy v1 · drafted · routed to Compliance / Legal
Intake form & risk classification rubric · designed in ServiceNow
Peer-org AI governance role benchmarking · compiled
External advisor identified & engaged

90 Days

Operational launch

AI inventory >80% complete & classified by data class
AUP published · staff training plan rolled out
Tiered review process operational for new agent requests
Versioning & rollback standards published
KB governance standards v1 published
IAPP AIGP exam taken
Begin high-risk agent retroactive review (e.g., Facility Visit Report agent and others)

365 Days · Y1

Steady state

100% inventory of known AI artifacts
All new agents flow through formal intake
First internal audit cycle complete
Cross-functional review board meeting monthly
100% IT staff completed AI literacy training
Data source-of-truth decision made & implemented
HCISPP or CHPC underway

730 Days · Y2

Certification path

ISO/IEC 42001 gap assessment complete
Tier 3 and Tier 4 use cases piloted under governance
Vendor AI program mature · Vendor AI Committee partnership formalized
First annual external review
AI risk integrated into enterprise risk register
One public artifact published (LinkedIn long-form / regional talk)

XII. Considerations Beyond Scope Section 21 of 22

Three considerations worth holding.

The body of this proposal addresses the governance question itself. Three adjacent considerations — credentialing, organizational placement, and timing — sit just outside that scope and are worth holding in mind. Tap each card to see the context.

CONSIDERATION 01

Credentialing. The proposed lead does not yet hold the formal credentials commonly associated with this role — AIGP, compliance certification, healthcare privacy.

Tap for context →

THE CONTEXT

This is true across PACS today — no current employee holds an AI governance credential. The role and the credential are emerging together at the industry level.

The proposal pairs internal practitioner fluency with a published credentialing path: NIST AI RMF training May 26 · IAPP AIGP within 90 days · ISO 42001 Lead Implementer by Y2. External hires arrive credentialed but require 12–18 months to absorb PACS-specific architecture (Copilot Studio agents, parent/child structures, evaluation sets, Graph indexing).

Both paths are defensible. The choice is between fluency first, credentials on a timeline and credentials first, fluency on a timeline.

← Tap to flip back

CONSIDERATION 02

Organizational placement. AI governance could reasonably sit under the data team that builds AI tools, rather than as a separate function.

Tap for context →

THE CONTEXT

SOX 404 ITGC contemplates segregation of duties between developers and governance. The same principle that separates check-writing from check-approval applies here.

The Workday case study published by NIST explicitly separates developer reporting from governance reporting for this reason. A governance function inside the team it governs is structurally constrained from saying "slow down" when deployment falls short of standards.

This is the structural argument behind Option A in Section 17 — peer-level placement rather than embedded placement. The two functions are complementary, not interchangeable.

← Tap to flip back

CONSIDERATION 03

Timing. This is a meaningful amount of organizational change. Whether to start now versus 6–12 months out is a fair question.

Tap for context →

THE CONTEXT

The engineering restructure and the AI governance proposal are independent. Either can be approved, deferred, or declined without affecting the other.

The regulatory calendar is on its own clock: Section 1557 AI provisions have been enforceable since May 1, 2025; the HIPAA Security NPRM contemplates AI inventory; OCR enforcement activity is ongoing. The substantive question is sequencing and pace — not whether.

Starting organized while the volume is still manageable is materially different from starting after an incident. That is the trade-off worth holding.

← Tap to flip back

Scope clarification

PCC integration: the PointClickCare architecture decision is Phase 3 scope. Not a blocker for Phases 1–2. Layer 1 controls cover every other PHI surface today; the PCC pathway is named, sequenced, and gated — not deferred indefinitely.

ASK22

Decisions Requested · Section 22 of 22

Three asks. Three outcomes.

Each decision is independent, reversible, and defensible. Approve, discuss, or defer any item. Approvals fill three outcome buckets — Governance Framework, Knowledge Base, AI Governance Role. These three asks mirror the live deck and the decision memo.

Live Outcome Tracker

UPDATES AS YOU MARK DECISIONS · LOCAL TO THIS SESSION

Governance Framework 0%

NIST AI RMF · ISO 42001 alignment posture

Knowledge Base 0%

KB standards · training data quality

AI Governance Role 0%

Director of AI & Knowledge Governance · filled

Decisions Matrix

CLICK TO MARK · APPROVE FILLS BUCKETS · STATE IS LOCAL TO THIS SESSION

Approve the AI & Knowledge Governance function. Establish role, scope, and reporting line. Anchored to NIST AI RMF 1.0; ISO/IEC 42001-aligned posture. Works alongside Vendor AI Committee, Compliance, Privacy, InfoSec, and Internal Audit — does not replace them.

Approve internal-led Phase 1 buildout — David Hunter as named lead pending formal role definition. 90-day commitment includes NIST AI RMF training (LinkedIn Learning · May 26), IAPP AIGP exam within 90 days, and the documented credentialing roadmap in Section 17. Internal mobility for new roles signaled as preferred.

Defer major tooling spend until Phase 1 produces inventory, risk classification, and recommendations. Use Microsoft Entra Agent ID, Purview DSPM for AI (audit mode), and Agent 365 registry — all within existing PACS licensing scope or zero-cost. Any net-new tooling investment defended on Phase 1 findings — not vendor pitch.

Operational decisions documented elsewhere

Earlier dossier sections document operational decisions that follow from the three asks above and do not require separate leadership approval in this meeting: reporting line options (Section 17) · task force model and named pilot members (Section 16) · 30 / 90 / 365 / 730-day roadmap (Section 19) · success metrics (Section 20). Each is reversible; each will be reviewed at the first 30-day checkpoint after Phase 1 begins.

The engineering restructure (Section 15) is explicitly independent of this proposal and is not part of the three asks above.

What this costs

Net new headcount in Phase 1: 0. Net new dollars in Phase 1: $0 — Entra Agent ID, Purview DSPM for AI (audit mode), and Agent 365 registry sit within existing licensing scope or are zero-cost. Any Y1 training and certification spend ($15K–$25K range) is itemized in Section 18 and authorized inside the standard departmental budget cycle. Avoided cost: healthcare-sector average data breach is $9.77M (IBM 2024); OCR enforcement ceiling is $2.19M per violation category per year; Section 1557 civil money penalties are uncapped.

Artificial intelligence is already inside PACS.

The person proposing to govern AI goes first.

Personal task aggregator

Copilot Studio task agent · M365 tenant

Which AI surfaces are contractually covered — and which are not.

The obligations already affecting the industry.

HHS Section 1557 — AI & Patient Care Decision Support

HIPAA Security Rule — Notice of Proposed Rulemaking

OCR HIPAA Enforcement — 2025 Trends

SOX 404 ITGC — AI Touching Financial Reporting

ONC HTI-1 Final Rule — Predictive Decision Support Interventions

State AI Laws — 17-state operating footprint

Failure is documented, recent, and avoidable.

Air Canada — chatbot misinformation liability

NYC MyCity — illegal advice to small businesses

Agentic AI workflow vendor — patient data breach

Amazon — AI usage metrics as objective

Three functions exist. None of them is this one.

Vendor AI Committee

Compliance

Information Security (ISM)

Anchored to recognized standards.

One function. Four pillars.

Policy

Lifecycle

Knowledge

Enablement

Four tiers of AI use. Four levels of governance.

From request to retirement.

What data may meet what model.

The governance plane stays Microsoft — regardless of where the agent is built.

Intermezzo.

An org change that stands on its own.

Three RDEs · Parallel pods

One Director · Senior/Lead Engineers · Specialized roles

Light core. Broad participation.

Lead · Full-time

Task force · Primary roles + 10–15 hrs/wk

Review board · Monthly

Four options — and one recommendation.

Direct to Bill Mackey · VP Technology

Under Stormy Seliquini · Director of Cybersecurity

Under Collins Huish · Sr Dir Engineering

Direct to Landon Gibb · SVP Technology & Systems

Two tracks, one trajectory.

Commitments, on a timeline.

Foundation

Operational launch

Steady state

Certification path

How leadership knows it's working.

Three considerations worth holding.

Three asks. Three outcomes.