Upgrade Plan

SCRIMED CODE pt. 4

Agent Governance Control Plane

SCRIMED Agent Governance is a synthetic/no-PHI control plane. It evaluates metadata-only agent session state and does not authorize PHI export, autonomous clinical care, diagnosis, treatment, prescribing, EHR writeback, payer submission, production deployment, certification claims, or customer go-live.

Statusscrimed-agent-governance-active-synthetic-no-phi
Agents3
Policies6
Decisionrequire_review
Risk65
Human approvalrequired

Identity Registry

Every agent has declared scope, allowed tools, blocked tools, and an owner.

trust_safety

Project SENTINEL Supervisor

Trust and Safety

Blocked tools

ehr_writeback, payer_submit, patient_message, external_export

payer_workflow

Prior Authorization Documentation Agent

RCM Governance

Blocked tools

payer_submit, patient_message, ehr_writeback

clinical_intelligence

Clinical Context Agent

Clinical Safety

Blocked tools

diagnose, prescribe, ehr_writeback, patient_message

Contextual Policies

Session-state flags drive allow, deny, or require-review decisions.

require_review

phi-touched-block-export

If PHI touched, block export and require human review.

Human review required

PHI access changes the action boundary; export cannot proceed without qualified approval.

require_review

untrusted-content-restrict-tools

If untrusted external content read, restrict tool actions.

Human review required

Untrusted content can inject instructions or poison retrieval context.

require_review

cost-threshold-requires-approval

If agent cost exceeds threshold, require approval.

Human review required

Cost guardrails prevent runaway agent loops and unexpected billing exposure.

require_review

external-communication-review

If action attempts external communication, require review.

Human review required

External communication can create legal, clinical, patient, or payer consequences.

deny

outside-declared-scope-deny

If agent task is outside declared scope, deny.

Human review required

Agents are deny-by-default outside their declared identity and permission scope.

require_review

clinical-recommendation-decision-support-only

If clinical recommendation requested, return decision-support-only boundary.

Human review required

Clinical content can support review but cannot become autonomous diagnosis, treatment, or prescribing.