AI governance for healthcare and health-adjacent companies.
Boards are asking about AI strategy. Customers and auditors are starting to ask about AI controls. Most security teams don't have a defensible answer yet. I help them build one — policy, controls, agent operations review, and a roadmap your auditor can sign off on.
Fractional CISO · 25 years across infrastructure, security, and platform engineering · Operating production agents every day
Three engagement types.
No price list — pricing happens on the discovery call after I understand your scope. No retainers where I just show up at the end of the month.
One-time engagement
AI Governance Sprint
4–6 weeks
Deliverables
AI usage policy, agent and tool inventory, control mapping to your existing framework (SOC 2 / HIPAA / HITRUST as relevant), and a 12-month roadmap for ongoing governance.
Best for
Companies whose board, customers, or auditor has started asking about AI and need a defensible position fast.
Ongoing retainer
Fractional CISO with AI scope
Monthly engagement
Deliverables
Everything a fractional CISO does — risk management, policy, compliance program, audit support — plus AI-specific controls, agent operations oversight, and ongoing review of LLM-integrated workflows for prompt injection, authority escalation, and PHI/PII leakage.
Best for
Companies that need a security executive in the seat but aren't ready for a full-time CISO, and whose AI surface area is growing.
Project-based
SOC 2 / HIPAA / HITRUST Audit Prep
Scoped to audit timeline
Deliverables
Full readiness through audit, with AI usage and agent operations integrated into the control set rather than bolted on after. No surprises at the finish line.
Best for
Companies on a defined audit clock who don't want to be surprised by an AI-controls question they haven't answered.
From discovery to deployment in weeks, not months.
Every engagement starts with understanding what's actually at risk — then builds toward something durable that your team can own.
30 minutes
Discovery Call
Map your workflows, tools, pain points, and compliance obligations. I listen more than I talk.
3–5 days
Setup Sprint
Deploy a secure AI operations center, assess your current control posture, and identify highest-priority gaps.
2 weeks
Tuning Period
Calibrate agents, refine workflows, close documented gaps, and stand up evidence collection for audit.
Ongoing
Embedded Execution
AI handles day-to-day monitoring, you handle strategy. I stay until it's running right and your team can own it.
Work that moved the needle.
Real results from real engagements.
Accelerating a 3-Year Roadmap to 6 Months
How a healthcare analytics firm achieved SOC 2 Type II in record time while cutting cloud spend by 70%. Inherited a scattered program, closed all critical gaps, and managed the auditor relationship to a clean opinion.
Read case study
Modernizing Legacy "Big Iron" in One Year
Migrating two decades of technical debt to the cloud and achieving SOC 2 amidst exponential growth. Full cloud migration, security program build-out, and first audit — all in a single year.
Read case study
Ready to build a defensible AI governance position?
Book a 45-minute call to talk through where your AI exposure sits and what a governance program would take.
Recent thinking.
Practical writing on AI security, compliance, and what actually matters when you're trying to ship safely in healthcare.
Your AI Agent Has Root Access — Now What?
Most security teams think about prompt injection as a single-model problem. In multi-agent architectures, the blast radius is completely different.
Read more →
We Told Our Customer We're SOC 2 Certified. We're Not.
The frameworks haven't caught up yet, but auditors are still asking questions. Here's what I've seen them care about most in the last six months.
Read more →
HIPAA Security Rule 2026: No More "Addressable" Safeguards
HIPAA was written before LLMs existed. The obligations still apply — and the gaps between the regulation and the technology are exactly where risk accumulates.
Read more →
Book Your Free Strategy Session
Let's discuss your security goals and compliance requirements in a no-obligation 45-minute call.
Operator experience, not just advisory.
I run production AI systems every day. I know what breaks, where credentials leak, and which controls are theater versus substance.
Can't find a time? peter@peterhallen.com
