We design regulated AI infrastructure. See how we replaced a fragile, hallucinating clinical chatbot with a strict, governable state machine backed by Policy-as-Code.
A top-tier telehealth provider attempted to automate clinical intake using a standard generative AI "chatbot" (a ReAct loop). Because the LLM was trapped in a continuous loop of reasoning and tool-calling with no bounded action space, it failed catastrophically.
Tool calls were entirely LLM-decided. Without a deterministic graph, the agent could theoretically invoke any exposed API at any time, eliminating auditability.
If the hospital's EHR API returned a timeout, the ReAct agent panicked, hallucinated fake patient history to fulfill its prompt, and attempted to route care based on fiction.
There was no physical barrier preventing the LLM from triggering a prescription API. It was only stopped by a "system prompt"—which is mathematically vulnerable to jailbreaks.
Real medical triage is not an abstract conversational flow. It requires mapping unstructured symptoms to standard clinical acuity frameworks (like ESI or CTAS).
The system must explicitly map patient presentations into rigid operational vectors:
Neural proposes. Symbolic disposes.
We separated probabilistic reasoning from deterministic execution. The LLM acts purely as a stochastic proposal engine; the surrounding infrastructure is strictly deterministic.
Goal: Zero PHI exposure. Data enters a secure API gateway where a local edge-filtering service tokenizes Protected Health Information. The LLM never sees raw identity—only a clinical abstraction (e.g., Age Bucket: 40-50, Sex: M, Comorbidity: Hypertension).
The LLM does NOT call tools. It does NOT write text to the patient. It ingests the clinical abstraction and outputs a strictly validated JSON execution plan. If the plan violates schema validation, maximum depth limits, or enum enforcement, it is deterministically rejected before execution begins.
Before any action is committed (scheduling, routing, EHR mutation), an Open Policy Agent (OPA) intercepts the request. Symbolic, hard-coded clinical rules (e.g., Chest pain + diaphoresis > 20 min = Automatic ER Escalation) override the neural network's routing priority.
The orchestration engine interprets the approved JSON plan step-by-step. It maintains durable state, writes to an immutable audit log, and tracks SLA timers. There is no recursion, no autonomous replanning, and no self-directed loops.
In healthcare, how an AI fails is more important than how it succeeds.
EHR_UNAVAILABLE. Trigger fallback: Ask patient direct allergy questions; escalate to human nurse.Every triage session generates a cryptographic footprint for SOC2/HIPAA compliance, stored in an append-only log:
Scenario: 45-year-old male. Chest pain for 45 minutes. History: hypertension. On aspirin.
// Layer 1: PII stripped. Only structured clinical data reaches the LLM.
{
"patient_id": "TOKEN_8832",
"demographics": { "age_bucket": "40-50", "sex": "M" },
"presentation": {
"symptoms": ["chest_pain_acute"],
"duration_mins": 45
},
"known_comorbidities": ["hypertension"],
"current_medications": ["aspirin_81mg"]
}// Layer 2: LLM proposes a structured plan. No actions are taken yet.
{
"acuity_classification": {
"esi_level": 2,
"risk_vector": "cardiac"
},
"proposed_graph": [
{
"step": 1,
"action": "ROUTE_DECISION",
"parameters": { "care_path": "ER_IMMEDIATE", "sla_timer_mins": 10 }
}
]
}# Layer 4: Symbolic rules evaluate the neural proposal.
package triage.governance
default allow_routing = false
# RED FLAG DETECTED: Deterministic ER escalation
allow_routing {
input.acuity_classification.esi_level <= 2
input.proposed_graph[_].parameters.care_path == "ER_IMMEDIATE"
}
# FAILSafe: Block any non-ER routing for high-acuity cardiac vectors
deny_routing[msg] {
input.acuity_classification.risk_vector == "cardiac"
input.proposed_graph[_].parameters.care_path != "ER_IMMEDIATE"
msg := "FATAL: Policy mandates immediate ER routing for cardiac vectors."
}Deterministic Routing Compliance
Zero hallucinated actions or prescriptions.Reduction in Nurse Triage Load
Safe, asynchronous case abstraction.PHI Exposures to LLM
Protected by Layer 1 ingress sanitization.