The AI drafts. You approve.
In insurance, advisory, and healthcare billing, you are personally liable for what goes out under your name. The Oversight Layer™ is the governance architecture that lets you capture AI efficiency while keeping that liability under control.
Governance controls built into every implementation. [Not legal advice; we coordinate with your counsel where required.]
Five things built into every install.
Not marketing claims. Verifiable controls in the dashboard, the ones that satisfy your auditor, not just your curiosity.
Every AI output is logged and visible to you, always. The Audit Log records every draft the AI generated, who reviewed it, who approved it, and when it was sent. Nothing is a black box. Full export at any time.
The AI only generates outputs within parameters you've reviewed and approved. No improvising on coverage, investment advice, diagnoses, or compliance-sensitive language. Anything outside the configured playbook routes to a human before it goes anywhere.
Where disclosure is required or expected, it's built into the workflow, not retrofitted. Clients and counterparties know when AI is involved. Research shows satisfaction is measurably higher with disclosed AI interactions than with undisclosed ones. [S-COPC25]
Pause the AI instantly, at any time, with a single action. A licensed professional is always the accountable party: the AI increases throughput; the human owns judgment and final sign-off. This is by contract, not by convention.
Every AI draft, every human approval, every send, timestamped and exportable. The contemporaneous record that supports defensibility in an E&O claim, an SEC supervisory review, or a HIPAA audit is already there, not assembled after the fact.
In insurance, advisory, and healthcare billing, the licensed professional is personally liable for every client interaction. The Oversight Layer™ is the architecture that lets you use AI while keeping that liability under control.
Six oversight levers. All of them yours.
How control is maintained in every workflow we deploy. [Sources: Sinch 2026, COPC 2025]
"You see every output before it reaches a client."
The Approval Inbox is a first-class screen in the dashboard, not a buried export. Every AI draft sits there, visible, waiting for your review. Nothing sends without a human touching it.
"The AI only operates within your approved parameters."
AI outputs are constrained to the templates and playbook your team has reviewed and signed off on. No freeform responses on coverage questions, investment topics, billing codes, or compliance-sensitive language. The parameters define the range; the AI stays inside them.
"You approved every workflow before it went live, and you can kill it instantly."
Every configured workflow is reviewed and signed off by your team before activation. The Kill Switch pauses all AI activity in one click. You are always in control of what goes out under your name.
"Autonomy is earned, not assumed."
Every implementation starts in supervised mode: the AI drafts; nothing sends until you approve. The Trust Ladder (see below) governs how and when the AI earns more autonomy. There is no cold deployment.
"Clients know when AI is involved, and respond better to it."
Disclosure is built into the workflow architecture, not added as an afterthought. Clients told they're interacting with AI are measurably more satisfied, and disclosure reduces liability exposure across TCPA, SEC Marketing Rule, and state AI-identity laws. [COPC 2025]
"A licensed professional is accountable for every output."
Every workflow has a named human checkpoint. Anything outside the configured parameters (edge cases, compliance-sensitive requests, escalation triggers) routes to a human before any output is generated. The AI is fast; the human is accountable.
The AI is fast. The human is accountable. That distinction is built in, not hoped for.
The Trust Ladder: autonomy earned, not assumed.
Every engagement starts at Stage 1. The AI earns the right to operate with more autonomy by demonstrating consistent, clean output under direct human review. Owner control is absolute at every stage.
| Stage | What the AI does | Human role | When to advance |
|---|---|---|---|
| 1 · Supervised [supervised] | Drafts outputs; sends nothing. Every draft lands in the Approval Inbox. Owner and our team review each one before any output is acted upon. | Reviews and approves or edits every draft. High involvement. Learns what the AI produces and where it needs guardrails. | First 1-2 weeks, or until the first set of interactions is consistently clean. Owner's call to advance, no pressure. |
| 2 · Approved [approved] | Sends outputs that match approved templates for defined, common scenarios. Anything outside the playbook routes to the human queue before any action is taken. | Reviews the human queue; handles edge cases and exceptions. Spot-checks sent outputs in the Audit Log. | When approval rate is consistently high and there have been zero compliance incidents. Owner can advance or stay here indefinitely. |
| 3 · Trusted [trusted] | Handles the defined playbook autonomously within configured parameters. Escalates anything outside scope, sensitive, or flagged to a human immediately, never guesses. | Regular Audit Log review. Escalation path always live. Can drop back to Stage 2 or hit the Kill Switch at any time with one action. | Ongoing, maintained only while zero compliance incidents and regular review continue. Owner retains full authority to demote or stop at any time. |
The governance architecture: eight components, one install.
These aren't backend controls you have to take on faith. The Approval Inbox and Audit Log are screens in your dashboard. Visibility is the trust.
Approval Inbox
Review-before-send queue: every AI-drafted output lands here before any action is taken. Approve, edit, or reject. The control that substantiates every other claim on this page.
[review-before-send]
Append-Only Audit Log
Every AI draft and every human approval, logged with who, what, and when, timestamped and exportable at any time. You own the data. Nothing is filtered or withheld. The record that supports defensibility in an E&O review, SEC exam preparation, or a HIPAA audit.
[append-only] [exportable]
Playbook Editor
The human-approved parameters library. The AI is constrained to it. No freeform outputs on coverage, investment, billing codes, or compliance-sensitive topics. You define the playbook; we configure the constraint.
[human-approved only]
Escalation Rules
Owner-defined triggers that route to a human: regulatory questions, complaint language, out-of-scope requests, sensitive topics. Non-negotiable in regulated verticals; configured at build time, not left to chance.
[human-defined]
Kill Switch
One action pauses all AI activity, immediately, globally or per workflow. No delay. No approval process. Available at all times. A real person is always accountable.
[one-click off]
Disclosure Architecture
Where AI disclosure is required or expected by regulation or client expectation, it is built into the workflow, not added after deployment. Configured as part of the Build phase. [S-COPC25]
[built-in, not bolted-on]
Guardrails
PII detection and handling, output filters for compliance-sensitive language, prompt-injection defense aligned with the OWASP LLM Top 10, and retrieval grounding so outputs are based on your actual data rather than hallucinated content.
[OWASP-aligned]
Data Controls
Encryption at rest and in transit, retention limits, role-based access control, and a written commitment: we never train third-party models on your client data. Sub-processor documentation and Data Processing Agreement (DPA) available on request.
[no-training commitment] [DPA available]
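As an added illustration of how the Trust Ladder stages above and these components (Approval Inbox, Playbook constraint, Escalation Rules, Kill Switch, append-only Audit Log) combine into one routing decision, here is a small Python model. It is not the Oversight Layer's own code; the stage names, escalation trigger phrases, template ids and the hash-chained log design are constructed for the example.

```python
"""Toy review-before-send oversight layer (added example, not product code).
Stage names, trigger phrases and template ids are constructed."""
import hashlib
import json
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Stage(Enum):
    SUPERVISED = 1   # everything waits in the Approval Inbox
    APPROVED = 2     # exact playbook matches send; everything else queues for a human
    TRUSTED = 3      # exact playbook matches send; everything else escalates at once


# Constructed escalation triggers: regulatory questions, complaint language, PII.
ESCALATION_TRIGGERS = {
    "regulatory": re.compile(r"\b(SEC|FINRA|HIPAA|TCPA|lawsuit|regulator)\b", re.I),
    "complaint": re.compile(r"\b(complaint|unhappy|dispute|sue)\b", re.I),
    "pii": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),  # US SSN-shaped string
}


class AuditLog:
    """Append-only, hash-chained log: each entry commits to the previous hash,
    so editing or deleting any entry makes verify() fail."""

    def __init__(self):
        self.entries = []

    def append(self, **event):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"ts": datetime.now(timezone.utc).isoformat(), "prev": prev, **event}
        body["hash"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append(body)
        return body

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            unhashed = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(unhashed, sort_keys=True).encode()).hexdigest()
            if e["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def export(self):
        return json.dumps(self.entries, indent=1)


@dataclass
class Draft:
    draft_id: str
    template_id: str
    text: str


@dataclass
class OversightLayer:
    playbook: dict                               # template_id -> human-approved text
    stage: Stage = Stage.SUPERVISED
    paused: bool = False                         # Kill Switch state
    log: AuditLog = field(default_factory=AuditLog)
    inbox: dict = field(default_factory=dict)    # draft_id -> Draft awaiting review

    def route(self, draft):
        """Return 'paused', 'escalated', 'inbox' or 'sent' for an AI draft."""
        if self.paused:
            self.log.append(event="held_while_paused", draft=draft.draft_id)
            return "paused"
        hits = [n for n, rx in ESCALATION_TRIGGERS.items() if rx.search(draft.text)]
        if hits:  # escalation rules win regardless of stage
            self.log.append(event="escalated", draft=draft.draft_id, triggers=hits)
            return "escalated"
        in_playbook = self.playbook.get(draft.template_id) == draft.text
        if self.stage is not Stage.SUPERVISED and in_playbook:
            self.log.append(event="sent", draft=draft.draft_id, actor="ai", stage=self.stage.name)
            return "sent"
        if self.stage is Stage.TRUSTED:  # off-playbook at stage 3: escalate, never guess
            self.log.append(event="escalated", draft=draft.draft_id, triggers=["off_playbook"])
            return "escalated"
        self.inbox[draft.draft_id] = draft
        self.log.append(event="queued", draft=draft.draft_id, stage=self.stage.name)
        return "inbox"

    def approve(self, draft_id, reviewer, edited_text=None):
        """Human approves (optionally edits) an inbox draft; returns the text sent."""
        draft = self.inbox.pop(draft_id)
        text = draft.text if edited_text is None else edited_text
        self.log.append(event="approved", draft=draft_id, actor=reviewer, edited=edited_text is not None)
        self.log.append(event="sent", draft=draft_id, actor=reviewer, stage=self.stage.name)
        return text

    def set_stage(self, stage, owner):
        self.log.append(event="stage_change", actor=owner, to=stage.name)
        self.stage = stage

    def kill_switch(self, owner, on=True):
        self.paused = on
        self.log.append(event="kill_switch", actor=owner, paused=on)
```

The ordering inside `route` is the point: the kill switch is checked first, escalation triggers second, and only then does the stage decide between sending, queueing and escalating; a stage promotion never bypasses the first two checks. The hash chain is what lets an exported log be checked for silent edits after the fact.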
What we can honestly claim, and when.
"Aligned with" is not the same as "certified." We are precise about this distinction. The rule: never claim a certification before the audit report exists.
All claims below are current and accurate as of . SOC 2 and ISO 42001 certifications are planned for future phases, not claimed until reports exist.
| Claim | Day 1 | 30 days | Future |
|---|---|---|---|
| Human-in-the-loop / review-before-send | YES | YES | YES |
| Append-only, timestamped audit log of every AI action | YES | YES | YES |
| We never train models on your client data | YES (policy + DPA) | YES | YES |
| Aligned with NIST AI RMF | YES (aligned, not certified) | YES | YES |
| Aligned with OWASP LLM Top 10 (2025) | YES (aligned, not certified) | YES | YES |
| Governance page + countersignable DPA | This page (live); DPA on request | YES | YES |
| SOC 2 Type I certification | NOT YET (do not claim) | NOT YET | Planned, in progress |
| ISO/IEC 42001 certification | NOT YET | NOT YET | Future phase |
Regulatory context: built into the implementation, not bolted on after.
We design every implementation with the regulatory environment of your specific industry in mind. This is architecture for compliance, not a compliance guarantee. We work alongside your counsel.
Advisory & RIA: supervised communications
The Oversight Layer™ is built so a licensed professional reviews and approves every AI-drafted client communication before it is sent. The audit log provides the contemporaneous supervisory record that supports defensibility in an SEC exam. FINRA Rule 3110 (applicable to broker-dealer and FINRA-member firms) requires written supervisory procedures and review of client communications. The SEC Marketing Rule (Rule 206(4)-1) governs advertising and testimonial claims by registered investment advisers. Rule 206(4)-7, the Compliance Program Rule, requires RIAs to maintain a reasonably designed written compliance program. Our playbook constraint and audit architecture are designed with these rules in mind; the specific obligations that apply depend on your registration type and should be confirmed with compliance counsel.
[Not legal advice; compliance counsel required. Requirements vary by registration type, AUM, and jurisdiction.]
Medical billing / RCM: appropriate safeguards required
HIPAA requires covered entities and business associates to implement appropriate administrative, physical, and technical safeguards for workflows that touch Protected Health Information. The Approval Inbox provides a human review checkpoint that supports those safeguards. We operate as a Business Associate and require a Business Associate Agreement (BAA) with you and every vendor in the technical stack before any PHI enters the system. We do not use consumer-tier AI models on PHI.
[Not legal advice; formal BAA and HIPAA counsel required before deployment on PHI workflows.]
Insurance agencies: consent architecture and audit trail
TCPA lawsuit volume against businesses using automated outreach remains significant. Our implementations build the consent capture and documentation architecture to address that exposure. The E&O audit trail (every AI draft, every human approval, every send, timestamped) provides the contemporaneous record that supports defensibility in a claim. We do not assert specific TCPA consent rules as current law; requirements are subject to regulatory and judicial change and require counsel review.
[Not legal advice; TCPA and E&O counsel required. Regulatory requirements are subject to change.]
Honest AI claims
No fabricated results, testimonials, or client outcomes. Every claim on this site is documented and checkable. Aligned with FTC guidance on AI and endorsement claims. What we can demonstrate is what the system does, the audit trail, the approval inbox, the kill switch. We don't claim outcomes we haven't measured.
Why most AI deployments get pulled. And why ours don't.
The failure pattern
A consistent pattern exists across AI deployments that don't last: the AI went rogue (produced something incorrect or compliance-problematic), went dark (nobody managed it and it drifted), or created regulatory exposure. In regulated businesses, any of these carries serious professional consequences, not just a service failure.
The common thread is the same assumption: that AI can be deployed without ongoing human supervision. In a service business, that's expensive. In a regulated business, it's untenable.
Failure Mode 1: No oversight
AI deployed without a governance layer. Templates drift. Edge cases produce outputs outside approved parameters. No one reviews the audit log. A compliance-sensitive output reaches a client. Nobody can prove what happened.
Failure Mode 2: No accountability
The AI operates autonomously with no named human checkpoint. When something goes wrong, and it will, there is no documented approval chain, no contemporaneous record, and no clear accountability. In regulated industries, that is the exposure.
The governance design
Both failures come from the same assumption: that supervision is optional. The Oversight Layer™ is designed around the opposite assumption: that the AI must be supervised indefinitely, not just at launch. The governance controls are permanent, not temporary.
Supervised from day one
Every engagement starts with every output in the Approval Inbox. Nothing sends until you've seen it and approved it. There is no cold deployment.
The audit trail is always on
The audit log isn't a feature you turn on before an exam. It runs continuously from day one: every draft, every approval, every send, timestamped and exportable.
The kill switch is permanent
The Approval Inbox and Kill Switch aren't onboarding tools. They are permanent controls you hold for the life of the engagement. Owner authority is absolute.
See the governance layer before you decide if you trust it.
The AI Opportunity Assessment maps your back-office workflows, shows where AI can safely do the work, and delivers a written scope with a fixed implementation price, including the full Oversight Layer™ architecture. You see the governance model before any build begins.
Fixed-fee diagnostic. Scope and price delivered in writing before any implementation begins.