Enterprise Risk Register
Machine-readable risk control map for SCRIMED enterprise diligence.
SCRIMED tracks PHI/privacy, clinical safety, hallucination, drift, bias, cybersecurity, vendor, cost, auditability, regulatory, EHR, payer, and deployment risks without claiming production approval.
critical severity; possible likelihood
Keep public and demo surfaces synthetic/no-PHI; require BAA/DPA, data classification, retention, deletion, and incident controls before live data.
Review evidencecritical severity; possible likelihood
Require human review, TrustOS gates, Clinical Robustness Lab scorecards, and no autonomous clinical authority.
Review evidencehigh severity; possible likelihood
Require citations, evidence cards, unsupported-claim refusals, and hallucination-risk scorecards.
Review evidencehigh severity; possible likelihood
Use model registry placeholders, eval snapshots, regression checks, and canary/rollback gates before provider activation.
Review evidencehigh severity; possible likelihood
Track demographic bias risk in synthetic robustness scenarios and require reviewer disposition before any clinical claim expands.
Review evidencecritical severity; possible likelihood
Preserve AAL2, least privilege, token redaction, fail-closed APIs, rate limits, and provider-call kill switch.
Review evidencemedium severity; possible likelihood
Use provider-neutral model routing with synthetic fallback and future adapters for OpenAI, Anthropic, Google, NVIDIA, Azure, AWS, and open models.
Review evidencehigh severity; possible likelihood
Keep provider calls disabled by default, use request thresholds, rate limits, safe errors, and cost guardrail contract checks.
Review evidencehigh severity; possible likelihood
Bind execution attempts to policy decisions, hashes, model route metadata, reviewer gates, and durable-store readiness.
Review evidencecritical severity; possible likelihood
Block HIPAA/SOC/HITRUST/FDA/ONC/security/accessibility certification and clinical validation claims until qualified approval exists.
Review evidencecritical severity; possible likelihood
Keep EHR writeback and production connectors blocked; use synthetic FHIR/HL7/DICOM readiness only.
Review evidencehigh severity; possible likelihood
Allow synthetic policy synthesis and reviewer-held packets only; block payer submission, final coding, claims, appeals, and reimbursement guarantees.
Review evidencehigh severity; possible likelihood
Use build/smoke validation, fail-closed protected routes, DNS readiness, rate limits, and no-secret tests before promotion.
Review evidenceBoundary
Risk tracking is not approval.
The risk register is a readiness control. It is not legal advice, clinical validation, security certification, regulatory approval, PHI authority, production connector approval, or customer go-live approval.