Investor Readiness

Enterprise Risk Register

Machine-readable risk control map for SCRIMED enterprise diligence.

SCRIMED tracks PHI/privacy, clinical safety, hallucination, drift, bias, cybersecurity, vendor, cost, auditability, regulatory, EHR, payer, and deployment risks without claiming production approval.

Statusenterprise-risk-register-active-no-phi
Risks13
Critical5
Blocked4
PHI/privacy

critical severity; possible likelihood

Keep public and demo surfaces synthetic/no-PHI; require BAA/DPA, data classification, retention, deletion, and incident controls before live data.

Review evidence
clinical safety

critical severity; possible likelihood

Require human review, TrustOS gates, Clinical Robustness Lab scorecards, and no autonomous clinical authority.

Review evidence
model hallucination

high severity; possible likelihood

Require citations, evidence cards, unsupported-claim refusals, and hallucination-risk scorecards.

Review evidence
model drift

high severity; possible likelihood

Use model registry placeholders, eval snapshots, regression checks, and canary/rollback gates before provider activation.

Review evidence
bias

high severity; possible likelihood

Track demographic bias risk in synthetic robustness scenarios and require reviewer disposition before any clinical claim expands.

Review evidence
cybersecurity

critical severity; possible likelihood

Preserve AAL2, least privilege, token redaction, fail-closed APIs, rate limits, and provider-call kill switch.

Review evidence
vendor dependency

medium severity; possible likelihood

Use provider-neutral model routing with synthetic fallback and future adapters for OpenAI, Anthropic, Google, NVIDIA, Azure, AWS, and open models.

Review evidence
cost spike/API abuse

high severity; possible likelihood

Keep provider calls disabled by default, use request thresholds, rate limits, safe errors, and cost guardrail contract checks.

Review evidence
auditability

high severity; possible likelihood

Bind execution attempts to policy decisions, hashes, model route metadata, reviewer gates, and durable-store readiness.

Review evidence
regulatory claims

critical severity; possible likelihood

Block HIPAA/SOC/HITRUST/FDA/ONC/security/accessibility certification and clinical validation claims until qualified approval exists.

Review evidence
EHR integration

critical severity; possible likelihood

Keep EHR writeback and production connectors blocked; use synthetic FHIR/HL7/DICOM readiness only.

Review evidence
payer workflow

high severity; possible likelihood

Allow synthetic policy synthesis and reviewer-held packets only; block payer submission, final coding, claims, appeals, and reimbursement guarantees.

Review evidence
deployment security

high severity; possible likelihood

Use build/smoke validation, fail-closed protected routes, DNS readiness, rate limits, and no-secret tests before promotion.

Review evidence

Boundary

Risk tracking is not approval.

The risk register is a readiness control. It is not legal advice, clinical validation, security certification, regulatory approval, PHI authority, production connector approval, or customer go-live approval.