For security and compliance leaders in healthcare

See your AI policy enforced. Across every request, every tool, every model.

Three Gates is a control plane for governed AI in healthcare. Every request, every tool call, every model invocation passes through the same policy enforcement, with an audit trail your auditor, your carrier, and your board can actually follow.

Control plane walkthrough

The recorded walkthrough is being prepared. In the meantime, book a session and we will step through the same architecture live against your scenario.

Step through the same architecture interactively below at your own pace.

Step through the control plane

Play, pause, scrub, and replay the scripted Demo Theater. The left side shows the clinician and agent; the right side shows the gates, tokenization, scope changes, model routing, and the blocked billing attempt as they happen.

Scripted Demo Theater

Mrs. Johnson discharge workflow

Gate 1: Data Reality
Gate 2: Purpose + Authority
Gate 3: Risk Routing

Preserved clinical context (AI can reason over this)

Condition: Type 2 diabetes
Lab value: A1C 8.2

The system de-identifies the request while preserving the clinical content the model can reason over.

Read the architectural notes below, take your organization's PHI Readiness Assessment, or book a session to see this run against your specific scenario.

The architectural argument

Security leaders need to know whether policy is enforced in the path of the work, whether authorization is scoped to the intent, and whether the resulting record answers evaluator questions.

Uniform enforcement across modalities

Your workforce will use AI through chat, through browser extensions inside their EHR, through autonomous agents that complete multi-step processes, and through integrations your engineering team builds. Three Gates is the layer that enforces the same policy across all of those entry points. One control plane, one audit log, one set of policies.

Intent-scoped authorization

Your evaluator is not only asking whether AI can see PHI. They are asking who authorized this AI to do this thing with this data, and where that authorization is recorded. Three Gates binds intents to specific tools and authorization paths, then blocks, logs, or requires approval when a request moves outside that scope.

An audit trail evaluators can follow

Every tokenization decision, policy gate, tool call, human approval, and blocked action is logged in a structure designed for the questions your auditor, carrier, and board will ask. Not just logs: the right records in the right shape.

What the audit trail records

The control plane log structure is designed for audit and breach-notification analysis. It records the policy path of the work without turning the audit store into another place where raw sensitive content has to spread.

Detected PHI entity type and policy outcome
Tokenization decision and boundary-held mapping
Policy gate evaluation and resulting action
Tool call with intent and scope binding
Human approval with reviewer identity and timestamp
Model invocation with provider and model version
Blocked action with the policy rule that blocked it

What you would actually deploy

Three Gates deploys against your existing AI providers and systems of record. Healthcare customers can start with PHI-protected chat and browser-based workflows, then deepen into intent-to-tool binding, agentic processes, and EHR integration with implementation support. We are intentionally working with a small number of design partners while those configuration patterns mature.