Introducing the GraymatterLab Agent Platform
The HIPAA-native foundation healthcare agents run on.
In the early days of generative AI in healthcare, the demo was the easy part. A clever prototype that summarized a referral or drafted an appeal letter took an afternoon. Putting that same agent on real patient work – running eligibility against a clearinghouse, assembling a prior-authorization packet, working a denial queue, clearing an intake list – is a different problem entirely. That’s where most healthcare AI stalls.
The hard part was never the prompt. It’s everything around the agent: where it runs, what it’s allowed to touch, what gets logged, how it reaches your clearinghouse and your EHR, and how you prove, months later, that it behaved. In a regulated business handling PHI, an agent you can’t govern and can’t audit isn’t an asset. It’s a liability.
To put an agent on real patient work with the reliability you’d expect from a member of your team, you need a foundation built for that from the runtime up – not a general-purpose AI stack with a compliance feature bolted on.
Today we’re introducing the GraymatterLab Agent Platform: the HIPAA-native infrastructure to build, run, connect, govern, and improve healthcare AI agents. It’s the foundation every GraymatterLab agent runs on, now named and laid out as a single platform – the runtime, the connectivity, the governance, and the evaluation that turn a working agent into a system you can responsibly operate inside a healthcare organization.
Every agent runs on the same purpose-built infrastructure, covered under signed Business Associate Agreements, with PHI protected at every layer, every action audited, and every output traceable. And you don’t have to build the agents to get value: our Agent Factory delivers them from healthcare-native templates, and the Canvas in Agent Studio is there for the day your team wants to build their own. Either way, they run on the same platform.
Why the platform matters
Most healthcare AI conversations start with the agent: what it automates, how it performed in a demo, which workflows it covers. That’s the right question up to a point. The harder question is what the agent runs on once the demo is over.
General-purpose AI infrastructure wasn’t built with HIPAA in mind. It wasn’t designed for clearinghouse and payer connectivity, or for the audit standards your compliance team will ask about, or for the clinical boundaries that keep an agent from operating outside its lane. Retrofitting compliance onto a general-purpose stack is possible. It’s also fragile, slow to maintain, and difficult to prove in an audit.
The GraymatterLab Agent Platform inverts that order. Governance, connectivity, and runtime controls are built into the foundation – not added per project. Every agent built on the platform inherits the same protections without having to rebuild them from scratch. For a healthcare organization putting AI on real patient work for the first time, that’s the difference between deploying with confidence and deploying with risk you can’t fully account for.
Five infrastructure layers – Build · Run · Connect · Govern · Improve – on a BAA-covered Google Cloud foundation. We mark roadmap items honestly throughout, and we never overclaim, especially on anything that touches PHI.
Build
Getting a healthcare agent into production doesn’t have to start from scratch. The Build layer is organized around that: every agent starts from a proven healthcare pattern, carries safe defaults by design, and comes out of the Agent Factory ready to operate rather than ready to configure. Most organizations evaluating healthcare AI want agents delivered and running – not a model to build on.
- Agent Factory – productized, template-driven agent delivery from healthcare-native scaffolds. Each agent we ship is faster and more reliable than building from a blank model, and each one gets smarter with every deployment cycle.
- Healthcare-native templates – agents start from proven scaffolds (router, sequential, parallel, loop, and a healthcare base pattern), not from scratch. The patterns carry the safe defaults so every agent inherits them automatically.
- The Canvas (Agent Studio) – the visual build environment for composing agents and workflows, drag-and-drop, no engineering required. Live today, and there for the day your team wants to build their own.
- Agent Catalog – a shared, reusable library of healthcare agents (insurance discovery, demographic verification, denial management, specialty-pharmacy and infusion intake, Medicaid enrollment, and more). Each deployment builds on the last rather than starting over.
- Skills Library – composable healthcare knowledge in markdown (eligibility rules, prior-auth logic, PHI protection, clinical boundaries) injected into agents at runtime. Skills are scoped – community, org-shared, personal, or agent-local – versioned, and slash-invocable (/eligibility-check), so domain expertise stays shared and consistent rather than buried in one agent’s instructions.
Run
A working agent in a demo is different from a reliable agent in production. The Run layer bridges that gap – a managed, scalable runtime on Google Cloud built to handle the volume and durability real patient workflows require, with PHI never leaving the BAA boundary.
- Cloud Run runtime – every agent runs as a managed, scalable, multi-tenant service on Google Cloud Run. Production-grade infrastructure, not a sandbox.
- Agent Memory – agents carry workflow context across turns and sessions from a durable, HIPAA-compliant store, so a multi-step intake doesn’t forget what it learned three messages ago.
- Multi-agent orchestration (A2A) – agents call other agents. Complex workflows decompose into specialists – a router over intake, eligibility, and verification – rather than one brittle mega-agent, with deterministic paths where a flow needs to run the same way every time.
- Context compaction – long conversations are compressed intelligently so agents stay fast and within model limits without losing the thread.
Connect
An agent that can’t reach your payer or your clearinghouse can’t do the work. The Connect layer handles the integrations healthcare actually depends on – purpose-built, PHI-aware connections to the systems your revenue cycle runs on, not a long catalog of generic APIs you’ll never use.
- Agent Gateway – a production MCP (Model Context Protocol) gateway for agents that don’t connect directly. It exposes a governed catalog of 60+ tools across the services healthcare runs on: eligibility and benefits verification, prior authorization, billing and clearinghouse operations, plus the collaboration systems teams already work in (Google Workspace, Microsoft, Slack, Jira, ClickUp). Each integration is switchable per environment, and the gateway is extensible to additional clearinghouses and payers.
- Universal Connector System – the direct path: OAuth2 connectivity to the operational tools teams already use, with encryption at rest, automatic token refresh, and PHI-aware audit on every call. The set non-hospital healthcare actually depends on – clearinghouse and payer connectivity, e-signature, secure messaging and fax, CRM, and the productivity suites.
- Healthcare standards – native support for FHIR, HL7 v2, and X12 EDI, plus the code systems (ICD-10, CPT, SNOMED CT) clinical and revenue systems already speak.
Govern
This is the layer most general-purpose platforms don’t have, and it’s the reason we built the platform before we built the agents. In a regulated business handling PHI, governance isn’t a feature you add after the fact. It’s the foundation everything else has to run on. Every control below is built into the platform from the start, not added per project.
- 18-category PHI protection – PHI is detected and redacted across the surfaces where it would otherwise leak (telemetry, audit exports, traces) before anything is written, with encryption applied where it’s stored. The deliverable an authorized user sees is never stripped; redaction happens in the logging and audit layer.
- Tenant isolation – every organization’s data is segregated at the database layer through org-scoped queries. Nothing crosses an organization boundary, and public endpoints are explicitly gated.
- Clinical boundaries – built-in guardrails keep agents from diagnosing, prescribing, or operating outside their lane. Medical decisions escalate to licensed people. Human-in-the-loop is structural, not a transition phase.
- 7-year audit trail – a full record of agent activity (requests, responses, tool calls, errors) with PostgreSQL as the primary HIPAA store and a parallel BigQuery trail retained for seven years (2,555 days) – the retention healthcare audits expect, scoped with session, user, and organization identifiers.
- Encryption (Cloud KMS) – hardware-backed key management for data at rest and in transit, with cross-language key parity across the stack.
- User management and access – enterprise identity: SSO/SAML/LDAP, role-based access control, MFA, and per-organization provisioning and administration, managed centrally. One account, one set of permissions, everywhere.
- SOC 2 Type II controls and signed BAAs – the platform runs entirely on Google Cloud services covered by Business Associate Agreements, operating under SOC 2 Type II controls (Type II report targeted for Q1 2027).
Improve
A demo shows an agent worked once. The Improve layer shows you how every agent is performing across the full volume of production work – so you catch the moment something slips, trace exactly what happened, and make it better before it becomes a problem.
- Hallucination detection – agents run with a native hallucination metric tuned to a stricter healthcare threshold, scored continuously and out of the response path, so it never slows the agent down.
- Continuous evaluation – agent outputs are scored against quality and clinical criteria, so behavior is measured rather than assumed, and refinements are grounded in what agents are actually doing in production.
- Distributed tracing (Cloud Trace) – every request, including multi-agent handoffs, is traceable end to end through a shared trace ID. You can see exactly what an agent did and why, and fix the right step.
- Token and cost governance – explicit reasoning budgets and output limits on every agent keep behavior bounded, costs predictable, and rate limits clear.
What runs on it
The platform ships with a library of healthcare agents ready to put to work. Each one is PHI-safe, starts from a proven pattern, and is designed to be configured to your payers, your codes, and your workflow.
- Patient access – insurance discovery and demographic verification, run one patient at a time or in high-volume batches against a clearinghouse.
- Prior authorization – assemble the packet, check payer requirements, and flag the gaps for a human to approve before anything is submitted.
- Revenue cycle – categorize denials by root cause and draft payer-ready appeals with the supporting evidence attached.
Every agent is a starting point, not a finished script – configured to your payers, your codes, and your workflow, with a human on the decisions that matter.
The foundation
The whole platform runs on Google Cloud covered by Business Associate Agreements. HIPAA-native means the foundation is in scope, not just the application layer on top of it.
Get started
The GraymatterLab Agent Platform is how working healthcare agents get built, run safely on PHI, connected to the systems you already use, governed to the standard your compliance team expects, and improved with every week in production. The agent is the part you see. The platform is the part that makes it dependable.
If you’re evaluating where AI agents fit in patient access, prior authorization, denials, or intake, reach out. We’ll walk you through the platform on a real healthcare workflow – bring your hard questions about the governance layer.