Platform Selection
Questions to Ask Before Choosing an AI Platform
The 12 must-have capabilities for any AI governance platform
The Complete Checklist
6 categories, 25 capabilities—12 must-haves, 13 nice-to-haves
Discovery & Visibility
Must Have
Shadow AI Discovery
Platform can inventory all unauthorized AI usage across the organization
Why it matters: You can’t govern what you can’t see. Shadow AI discovery is the foundation.
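Inventorying shadow AI usually starts from egress data you already have: proxy or firewall logs, CASB exports, or IdP sign-in logs. The following is an added example (not AuthenTech AI's code) of the core logic: match destinations against a list of public AI endpoints, separate the sanctioned path from everything else, and aggregate who is sending how much where. The log format, the gateway hostname ai-gateway.example.org, the log lines and the AI host list are all constructed for the example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Public AI service hosts to inventory. Assumed list for the example; in
# practice keep it current from CASB / threat-intel feeds.
AI_HOST_SUFFIXES = (
    "openai.com", "chatgpt.com", "anthropic.com", "claude.ai",
    "gemini.google.com", "generativelanguage.googleapis.com",
    "copilot.microsoft.com", "perplexity.ai",
)

# The one path staff are supposed to use (hypothetical governance gateway).
SANCTIONED_HOSTS = {"ai-gateway.example.org"}

# Constructed egress-proxy lines: "<ts> <user> <method> <url-or-target> <status> <bytes_sent>"
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice POST https://api.openai.com/v1/chat/completions 200 4312
2024-05-01T09:13:41Z alice POST https://ai-gateway.example.org/v1/chat 200 2210
2024-05-01T09:15:09Z bob CONNECT claude.ai:443 200 18220
2024-05-01T09:16:55Z carol GET https://www.example.com/ 200 812
2024-05-01T09:20:12Z bob POST https://api.anthropic.com/v1/messages 200 9050
2024-05-01T09:22:47Z dave POST https://generativelanguage.googleapis.com/v1beta/models/gemini-pro:generateContent 200 6600
2024-05-01T09:25:30Z alice POST https://api.openai.com/v1/chat/completions 200 5100
"""


def host_of(target):
    """Hostname from a full URL or from a CONNECT 'host:port' target."""
    if "://" in target:
        return urlsplit(target).hostname or ""
    return target.rsplit(":", 1)[0]


def is_ai_host(host):
    # Exact match or subdomain of a known AI service
    return any(host == s or host.endswith("." + s) for s in AI_HOST_SUFFIXES)


def inventory_ai_usage(log_text):
    """Aggregate AI-bound traffic per destination host: users, requests, bytes out."""
    usage = defaultdict(lambda: {"users": set(), "requests": 0,
                                 "bytes_sent": 0, "sanctioned": False})
    for line in log_text.splitlines():
        _ts, user, _method, target, _status, sent = line.split()
        host = host_of(target).lower()
        if host in SANCTIONED_HOSTS:
            rec = usage[host]
            rec["sanctioned"] = True
        elif is_ai_host(host):
            rec = usage[host]
        else:
            continue                      # not AI traffic, ignore
        rec["users"].add(user)
        rec["requests"] += 1
        rec["bytes_sent"] += int(sent)   # bytes leaving the org is the data-exposure signal
    return dict(usage)


def shadow_ai_report(log_text):
    """Only the destinations that bypass the sanctioned gateway."""
    return {h: r for h, r in inventory_ai_usage(log_text).items() if not r["sanctioned"]}


if __name__ == "__main__":
    for host, rec in shadow_ai_report(SAMPLE_LOG).items():
        print(f"{host}: users={sorted(rec['users'])} requests={rec['requests']} bytes_out={rec['bytes_sent']}")
```

Bytes sent, not request count, is the number to lead with when you brief leadership: it is the closest proxy for how much data has already left. Note the CONNECT line: with TLS the proxy sees only the SNI/CONNECT host, so a vendor that claims to see prompt contents from network logs alone should be asked how.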
Must Have
Centralized Dashboard
Single pane of glass showing all AI usage, models, departments, and data flows
Why it matters: Leadership needs visibility. Scattered tools create blind spots.
Must Have
Usage Analytics
Real-time reporting on who’s using AI, for what, how often, and what data is involved
Why it matters: You need metrics to demonstrate ROI and identify risk patterns.
PHI Protection & Compliance
Must Have
Automatic PHI Detection
Real-time identification of all 18 HIPAA identifiers before data reaches AI models
Why it matters: Manual PHI removal doesn’t scale, and over enough prompts it will miss identifiers. One miss is a reportable exposure.
Must Have
Automatic PHI Redaction
Cleansing PHI from prompts while maintaining context for AI responses
Why it matters: Blocking PHI entirely makes AI useless. Redaction preserves utility.
Must Have
Data Rehydration
Re-inserting redacted PHI into AI responses so users get actionable output
Why it matters: De-identified responses aren’t useful for clinical workflows.
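The detection, redaction and rehydration items above describe one pipeline: detect PHI, swap each value for a placeholder token before the prompt leaves your boundary, keep the token-to-value map locally, and put the values back into the model's reply. The following is an added example of that pipeline (not AuthenTech AI's code). The regex detector, the placeholder format, the sample prompt and the simulated model reply are all constructed for the example; the detector deliberately covers only a few of the 18 identifier types so the output shows what an incomplete detector lets through (the patient name).

```python
import re
from dataclasses import dataclass, field

# Regexes for a few of the 18 HIPAA Safe Harbor identifier types. Names,
# addresses and free-text dates need an NER model; this regex-only detector
# is deliberately incomplete so the demo shows what a weak detector misses.
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "MRN": re.compile(r"\bMRN[: ]*\d{6,10}\b"),
    "DATE": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}
PLACEHOLDER = re.compile(r"\[([A-Z]+_\d+)\]")


@dataclass
class RedactionSession:
    """Placeholder<->PHI mapping for one request. The mapping stays in the
    governance layer; only the redacted text is sent to the model."""
    mapping: dict = field(default_factory=dict)   # "[PHONE_1]" -> "555-867-5309"
    _seen: dict = field(default_factory=dict)     # (kind, value) -> placeholder
    _counts: dict = field(default_factory=dict)   # kind -> next index

    def _placeholder(self, kind, value):
        key = (kind, value)
        if key not in self._seen:
            # Same value -> same token, so the model keeps referential context
            n = self._counts.get(kind, 0) + 1
            self._counts[kind] = n
            ph = f"[{kind}_{n}]"
            self._seen[key] = ph
            self.mapping[ph] = value
        return self._seen[key]

    def redact(self, text):
        for kind, pat in PATTERNS.items():
            text = pat.sub(lambda m, k=kind: self._placeholder(k, m.group(0)), text)
        return text

    def rehydrate(self, model_output):
        """Restore real values. Tokens we never issued are left as-is and
        reported: the model may mangle or invent tokens, and silently
        substituting the wrong patient's data is worse than a visible gap."""
        unknown = []

        def _restore(m):
            ph = m.group(0)
            if ph in self.mapping:
                return self.mapping[ph]
            unknown.append(ph)
            return ph

        return PLACEHOLDER.sub(_restore, model_output), unknown


# Constructed sample, not real patient data.
PROMPT = ("Summarize: Patient John Doe, MRN 00123456, DOB 03/14/1961, "
          "phone 555-867-5309, reports chest pain. Call back at 555-867-5309.")
# Constructed stand-in for the model's reply; it also emits a token we never issued.
MODEL_OUTPUT = ("[MRN_1] (DOB [DATE_1]) reports chest pain; call back at [PHONE_1]. "
                "Alternate number on file: [PHONE_2].")


def run_demo():
    session = RedactionSession()
    redacted = session.redact(PROMPT)           # this is what goes to the model
    restored, unknown = session.rehydrate(MODEL_OUTPUT)
    return redacted, restored, unknown


if __name__ == "__main__":
    redacted, restored, unknown = run_demo()
    print("to model :", redacted)
    print("to user  :", restored)
    print("unmapped :", unknown)
```

Two things to carry into a vendor evaluation. First, "John Doe" survives this redactor unchanged, which is exactly why the validation step later on this page tells you to test with realistic free text rather than trusting a list of supported identifier types. Second, rehydration must be strict: a token the model altered should surface as an unmapped placeholder, never be fuzzily matched to the nearest real value.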
Must Have
Complete Audit Logs
Immutable logs of every AI interaction with timestamp, user, model, and data shared
Why it matters: OCR and auditors will ask ‘prove PHI wasn’t exposed.’ You need evidence.
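"Immutable" is a claim you can test: each record should commit to the one before it, so editing or deleting an entry breaks the chain from that point on. The following is an added example (not AuthenTech AI's code) of a hash-chained audit log in which each entry records who, when, which model, what PHI types were redacted, and hashes of the redacted prompt and the response rather than their text, so the audit log never becomes a second PHI store. The record layout, field names and sample entries are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # prev-hash of the first entry


def _digest(obj):
    # Canonical JSON so the same record always hashes the same way
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def _sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


class AuditLog:
    """Append-only, hash-chained record of AI interactions."""

    def __init__(self):
        self.entries = []

    def append(self, user, model, redacted_prompt, response, phi_types, ts=None):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "user": user,
            "model": model,
            "prompt_sha256": _sha256(redacted_prompt),   # hash, not the text
            "response_sha256": _sha256(response),
            "phi_redacted": sorted(phi_types),           # types only, never values
            "prev": prev,                                # links to the prior entry
        }
        entry = {**body, "hash": _digest(body)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Walk the chain; return (True, count) or (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, len(self.entries)

    def head(self):
        """Latest hash; anchor this externally (write-once storage, a ticket,
        a signed timestamp) so an attacker cannot rewrite the whole chain."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def build_sample_log():
    # Constructed sample interactions
    log = AuditLog()
    log.append("alice", "gpt-4o", "[MRN_1] reports chest pain",
               "Chest pain noted for [MRN_1].", ["MRN"], ts="2024-05-01T09:12:03Z")
    log.append("bob", "claude-3-5-sonnet", "Draft an appeal letter for a denied MRI",
               "Dear Reviewer, ...", [], ts="2024-05-01T09:20:12Z")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain ok:", log.verify(), "head:", log.head()[:16])
    log.entries[0]["user"] = "mallory"        # simulate tampering
    print("after tamper:", log.verify())
```

A hash chain alone only proves that entries were not altered after the head hash was recorded somewhere the log writer cannot reach, so when a vendor says "immutable", ask where the head is anchored and who holds the keys. When you ask for an audit log export, check that it carries these links and that you can re-verify the chain yourself.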
Must Have
BAAs with All AI Vendors
Business Associate Agreements with OpenAI, Anthropic, Google, and any model provider
Why it matters: HIPAA requires a BAA with any vendor that creates, receives, maintains, or transmits PHI on your behalf. A BAA between you and the platform does not cover the model providers the platform forwards prompts to.
Multi-Model AI Access
Must Have
OpenAI GPT Access
Latest OpenAI models for general-purpose tasks, documentation, research
Why it matters: Most requested model by staff. If you don’t provide it, shadow usage continues.
Must Have
Anthropic Claude Access
Claude Sonnet and other Anthropic models for analysis and complex reasoning
Why it matters: Different models excel at different tasks. Staff need options.
Must Have
Google Gemini Access
Google’s Gemini models for research, data analysis, and multimodal tasks
Why it matters: Model diversity prevents vendor lock-in and optimizes for use cases.
Must Have
Model Selection by Use Case
Ability to choose the right model for each task (documentation vs. analysis vs. coding)
Why it matters: One model doesn’t fit all needs. Platform should guide optimal selection.
Policy & Governance Controls
Must Have
Role-Based Access Control
Different AI permissions by department, role, or user (clinical vs. admin vs. leadership)
Why it matters: Not everyone needs access to all models. Controls prevent misuse.
Must Have
Model-Level Restrictions
Ability to limit which models are available to which users or departments
Why it matters: Some models cost more or have different risk profiles.
Nice to Have
Usage Quotas
Set limits on AI usage per user, department, or organization-wide
Why it matters: Cost control and preventing abuse or overuse.
Nice to Have
Content Filtering
Block certain types of prompts (e.g., requests to generate clinical advice without oversight)
Why it matters: Some use cases are too high-risk even with PHI protection.
Staff Enablement
Must Have
Onboarding & Training
Guided setup, prompt engineering basics, and appropriate use case education
Why it matters: Staff won’t adopt tools they don’t understand or trust.
Nice to Have
Prompt Templates
Pre-built, approved prompts for common healthcare tasks (discharge summaries, appeal letters, etc.)
Why it matters: Reduces cognitive load and ensures consistency.
Must Have
Support & Help Resources
Documentation, FAQs, and access to support when staff have questions
Why it matters: Unsupported tools get abandoned. Support drives adoption.
Security & Infrastructure
Must Have
SOC 2 Type II Report
Platform provider has completed a SOC 2 Type II audit of its security controls and will share the report (usually under NDA)
Why it matters: SOC 2 is an attestation, not a certification. A Type II report shows an independent auditor tested that the controls operated over a period of time, not just that they exist on paper. Read the scope and any exceptions, not just the cover letter.
Must Have
HIPAA Compliance
Platform architecture is designed for HIPAA compliance (not just ‘HIPAA-ready’)
Why it matters: HIPAA-ready ≠ HIPAA compliant. There is no official HIPAA certification, so ask how the vendor demonstrates compliance (risk analysis, policies, third-party audits, BAAs) rather than accepting the label.
Must Have
Data Residency Controls
Ability to specify where data is stored and processed (US-only, specific regions)
Why it matters: Regulations, contracts, and many BAAs restrict where PHI may be stored and processed. You need to control the region and be able to prove it, including for the model providers behind the platform.
Nice to Have
SSO / SAML Integration
Single sign-on integration with your existing identity provider
Why it matters: Centralizes authentication and MFA enforcement in your identity provider, removes a separate password to phish, and makes offboarding immediate when someone leaves.
Red Flags to Watch For
Warning signs that a platform isn’t enterprise-ready
‘HIPAA-Ready’ Instead of ‘HIPAA Compliant’
HIPAA-ready means ‘we could be compliant if you configure it correctly.’ You need actual compliance, not homework.
This applies to any compliance framework, not just HIPAA.
Single Model Access Only
If they only offer one provider’s AI models (usually their own), it’s vendor lock-in disguised as governance. You need multi-model access.
No PHI Protection Layer
If they rely on staff to ‘remember to remove PHI,’ it’s not a governance platform—it’s just a wrapper around ChatGPT.
No Audit Logs
If you can’t prove what data was sent where, you can’t demonstrate compliance. Audit logs are non-negotiable.
No BAAs with Model Providers
The platform vendor might have a BAA with you, but if they don’t have BAAs with OpenAI, Anthropic, etc., PHI is still exposed.
How to Use This AI Checklist
1. Score Each Platform
Give 1 point for each must-have and 0.5 points for each nice-to-have. A platform that misses any must-have is not viable, whatever its total; use the points only to rank the platforms that clear that bar.
2. Ask for Proof
Don’t take marketing claims at face value. Ask for the SOC 2 Type II report, sample BAAs (including the ones between the vendor and its model providers), an audit log export, and customer references.
3. Test Shadow AI Discovery
Ask the vendor to demonstrate, on your own proxy or identity logs, how they would inventory your existing shadow AI usage. If they can’t, they’re not solving your biggest problem.
4. Validate PHI Protection
Test PHI detection with realistic synthetic patient scenarios (never real PHI), including identifiers buried in free text rather than in labeled fields. Check that it catches all 18 HIPAA identifiers automatically and that redacted values are restored correctly in the response. Repeat the exercise for any other compliance framework you must meet.
See How AuthenTech AI Measures Up
Book a Shadow AI Risk Check and we’ll show you how our platform delivers on all 12 must-haves
