# Sample Coherence Report

```json
{"@context":"https://schema.org","@type":"Article","name":"Coherence Report \u2014 Meridian Health AI, Inc. \u2014 Muestra de coherencia","headline":"Coherence Report \u2014 Meridian Health AI, Inc.","description":"Informe de coherencia de muestra \u2014 una demostraci\u00f3n del formato Mnemom para informes de postura ag\u00e9ntica. La empresa objetivo es ficticia; los patrones de postura son reales.","url":"https://www.mnemom.ai/es/report/sample/","inLanguage":"es-ES","publisher":{"@id":"https://www.mnemom.ai#organization"},"datePublished":"2026-04-21T00:00:00Z","dateModified":"2026-04-21T00:00:00Z"}
```


Sample report, for demonstration. The target company is fictional. The posture signals, scoring, methodology, and Mnemom capability claims are real; the target, its customers, and the evidence URLs are composite representations of realistic patterns we observe in mid-market healthcare AI companies at Series B scale. A real report would carry live evidence URLs, live screenshots, and live regulatory countdowns, and would be generated, versioned, and annotated by the Mnemom Coherence pipeline.

Coherence report · sample

# Coherence Report — Meridian Health AI, Inc.

- Report date: 2026-04-21
- Target: meridianhealth.ai
- Archetype blend: {A: 0.30, B: 0.25, C: 0.10, D: 0.35}
- Composite: 584 ± 28 / 1000, Grade C (σ = 28 is the score uncertainty; lower is more confident)

Compliance is your strongest dimension at 720 (B), carried by SOC 2 Type II, HITRUST, HIPAA BAA, and a named EU operating entity. Provenance is your weakest at 450 (D+) — the AI-assisted attribution on triage outputs is opt-out-able by Enterprise admins, and you carry no C2PA or machine-readable content marking. The gap between your general regulatory posture and your AI-specific provenance posture is the defining shape of this report.

Export: [PDF](https://coherence-orchestrator.fly.dev/api/v1/reports/a7x3k9m2n5p8q4r1/export.pdf) · [DOCX](https://coherence-orchestrator.fly.dev/api/v1/reports/a7x3k9m2n5p8q4r1/export.docx)

## 1\. Executive Summary

You are a mid-market healthcare AI company shipping an agentic clinical triage assistant into US hospital systems and three named EU health networks. You built on a strong compliance foundation — SOC 2 Type II, HITRUST, HIPAA BAA, GDPR-aligned with a named DPO and an Irish operating entity — which places you in the top third of your segment on _general_ enterprise posture. The governance surface specific to your AI product has not kept pace with that foundation: there is no model card or system card for your triage model, no NIST AI RMF mapping, no ISO 42001 readiness statement, no EU AI Act Article 50 readiness document (103 days out), no Colorado AI Act readiness (70 days out), no AI-specific scope in your HackerOne bounty, no named Chief AI Officer, and no published behavior changelog across your triage model's version history. Your bug bounty runs; your AI red team does not exist. The gap between your general compliance posture and your AI-specific posture is the largest finding in this report, and it is the gap that enterprise health-system CISOs are beginning to ask about in procurement reviews. Composite Trust Rating **584 ± 28 / 1000 (C)**.

* * *

## 2\. Trust Rating

### Composite: 584 ± 28 / 1000 — Grade C

| Dimension | Score | Weight | Headline |
|---|---|---|---|
| Visibility (V) | 550 | 0.18 | C−. Blog + changelog active; no model card or system card for triage AI |
| Alignment (A) | 480 | 0.18 | D+. General "responsible AI" page; no framework mapping, no C-suite AI owner |
| Drift (D) | 500 | 0.10 | D+. Uptime SLAs published; behavior changelog for triage AI absent |
| Provenance (P) | 450 | 0.075 | D+. Article 50(1) partial; "Made with Meridian AI" attribution opt-out-able |
| Compliance (C) | 720 | 0.27 | B. SOC 2 Type II + HITRUST + HIPAA BAA + GDPR + EU entity — the strength of this report |
| Resilience (R) | 600 | 0.20 | C+. HackerOne bounty operational; scope does not explicitly include AI-specific findings |
| Composite | 584 | — | C. Mid-pack on AI-specific posture; top third on general compliance |

**Archetype-weighted:** V 0.18 · A 0.18 · D 0.10 · P 0.075 · C 0.27 · R 0.20

**Confidence:** σ = 28 (medium-high). 57 of 178 catalog signals resolved to PRESENT; 11 resolved to PRESENT\_NEGATIVE (surfaced as Findings); 84 resolved to ABSENT with archetype-common expected coverage; 26 ABSENT with archetype-rare expected coverage (silent — no penalty). This report's grade is stable across reasonable reinterpretations of the archetype blend (pure-D healthcare peer: 595; pure-A AI-native peer: 560 — same letter grade either way).

* * *

## 2.5 Posture With Mnemom

This is what your posture would look like after you adopt Mnemom and ship the runtime-governance infrastructure that your current scores flag as missing. We are **conservative** about what Mnemom closes. Signals that require corporate action (appoint a C-suite AI owner; register a second EU entity; join Frontier Model Forum) are _not_ credited to Mnemom in the table below — they are broken out in §6.5.

| Dimension | Today (Meridian Health AI) | With Mnemom (Conservative) | Healthcare-AI Leader | Mnemom Lift | Residual Gap to Leader |
|---|---|---|---|---|---|
| V | 550 | 630 | 850 | +80 | 220 |
| A | 480 | 560 | 870 | +80 | 310 |
| D | 500 | 600 | 820 | +100 | 220 |
| P | 450 | 500 | 780 | +50 | 280 |
| C | 720 | 800 | 900 | +80 | 100 |
| R | 600 | 690 | 880 | +90 | 190 |
| Composite | 584 | 666 | 860 | +82 | 194 |

_Healthcare-AI leader counterfactual: an Epic-class clinical AI vendor with published ISO 42001 certification, mature AI-specific red-team function, published model cards per triage model, NIST AISIC membership, C2PA adoption for AI-generated clinical summaries, and an in-production Article 50 compliance artifact. Estimated ~860 (A) under Meridian's archetype weights. You are one grade level below that peer today; Mnemom lifts you half a grade; the remaining corporate actions close the rest._

### Per-dimension rationale for the Mnemom uplift (conservative)

**V — Visibility (+80):** Mnemom produces a continuously-maintained trust-rating record per deployed triage agent, functionally substituting (not formally) for a published model card and system card. Mnemom emits a behavior changelog as a side effect of drift detection — one of the gaps a health-system CISO's technical review most reliably surfaces. Mnemom does **not** publish your research roadmap, does **not** change your GitHub org's public repo strategy, and does **not** author your exec public-comms posture.

**A — Alignment (+80):** Mnemom's compliance reporting maps your controls to NIST AI RMF, OWASP Agentic Top 10, ISO 42001, and EU AI Act Article 50. That closes five specific catalog signals: `POL-11`, `POL-12`, `POL-13`, `POL-14`, and partial `POL-15` (Colorado). Mnemom does **not** publish your AI principles page for you (write one), does **not** name your C-suite AI owner (appoint one), and does **not** enroll you in Frontier Model Forum or NIST AISIC (apply).

**D — Drift (+100, Mnemom's strongest dimension):** Drift detection is the Layer-4 primitive Mnemom was built for. Continuous behavioral monitoring with trust-score time series closes `BLOG-12` (behavior changelog), `DRIFT-07` (post-mortem infrastructure), and provides the evidence substrate for your clinical-governance committee to review triage-agent behavior changes quarterly. Mnemom does **not** publish your post-mortems _for_ you (still a corporate comms decision).

**P — Provenance (+50, floor-bounded):** Mnemom provides cryptographic provenance attestation per AI-generated clinical summary — the first production-ready artifact that maps clinical-summary provenance to EU AI Act Article 50(2) machine-readable marking requirements. Mnemom does **not** join C2PA for you (apply). The "Made with Meridian AI" attribution being opt-out-able for Enterprise admins remains your product UX decision.

**C — Compliance (+80):** Mnemom produces your Article 50 readiness documentation (`REG-11`), Colorado AI Act readiness (`REG-12`), ISO 42001 readiness artifact (`REG-06`), and NIST AI RMF alignment statement (`POL-11`). Mnemom does **not** issue the ISO 42001 certification itself (that's a separate audit engagement) and does **not** stand up additional EU entities for you.

**R — Resilience (+90):** Mnemom's red-teaming framework delivers continuous adversarial testing against your triage agent as a service — closing `SEC-08` (threat model), `SEC-09` (red-team reports), and functionally substituting for `TEAM-10`/`TEAM-11` AI-red-team hiring. Mnemom does **not** expand your existing bounty's scope to explicitly include prompt-injection and agent-abuse findings (update your HackerOne policy) and does **not** add safe-harbor language to your SECURITY.md.

**Read:** The lift pattern is consistent with the "healthy engagement" shape we've observed across every target in our comparison set. Mnemom moves you from C to C+ (bordering B). Corporate governance actions (some listed in §6.5) take you the rest of the way to B+ / A. We do not claim Mnemom is a silver bullet; we claim it is the runtime governance infrastructure your current posture is missing, and that the infrastructure, once in place, makes the remaining corporate actions easier to execute because they have something concrete to report against.

* * *

## 3\. Posture Profile

### Visibility — 550 / C−

Meridian Health AI runs an active company blog \[[ev-E7](#ev-E7)\] (post cadence ~2/month; recent posts include the Q1 clinical-triage-accuracy update, a piece on de-identification pipeline architecture, and coverage of the Series B). A status page is present with 99.94% reported uptime FY2025. The enterprise trust hub collates the SOC 2 Type II attestation (report available on request), HITRUST certification, and HIPAA BAA template \[[ev-E5](#ev-E5)\]. A high-level "How our AI works" page describes the triage model's inputs, outputs, and intended use.

What is not visible: there is no model card for the triage model, no system card for the agent runtime \[[ev-E9](#ev-E9)\], and no behavior changelog across triage-model versions \[[ev-E8](#ev-E8)\]. The public documentation does not disclose which foundation model underpins the agent, which guardrails are in place, or what the refusal / escalation behavior is in production. For a healthcare-AI company, this is the single largest transparency gap — health-system CISOs and clinical governance committees increasingly request these artifacts during procurement, and their absence is becoming a procurement blocker.

### Alignment — 480 / D+

Meridian publishes a "Responsible AI at Meridian" page with five stated principles (Patient Safety, Clinician Oversight, Data Minimization, Continuous Improvement, Transparency) \[[ev-E4](#ev-E4)\]. The principles are real. What sits under them is uneven: the principles are not mapped to any external framework (NIST AI RMF is not referenced; ISO 42001 is not referenced; the OWASP Agentic Top 10 is not referenced). There is no named Chief AI Officer or Chief Medical Informatics Officer with AI-governance scope on the executive team page; the closest is an SVP of Clinical Data Products who also runs commercial. The organization hires rapidly in ML research (14 of 82 open roles), but zero open roles currently carry titles for AI safety, AI red team, AI policy, or responsible AI program manager \[[ev-E11](#ev-E11)\].

Public executive posture on AI governance is thin: the CEO has appeared on two industry podcasts (one clinical-AI-specific, one general-healthcare-investor-focused) in the last 18 months — both framed around product differentiation and market dynamics rather than governance posture \[[ev-E12](#ev-E12)\]. No essays, no conference keynotes on governance, no regulatory comments filed.

### Drift — 500 / D+

Meridian publishes SaaS-level post-mortems for material uptime incidents (two in the last 12 months, both thoroughly documented). It does not publish AI-behavioral post-mortems. There has been one public clinical-accuracy controversy, in Q4 2025, where a published case study cited a triage recommendation that a downstream reviewer disputed; the public response was a product statement on LinkedIn rather than a formal post-mortem \[[ev-E14](#ev-E14)\]. The triage model has been versioned three times in the last year; the changelog on meridianhealth.ai/changelog contains feature additions and UI changes but no behavior-delta entries, and no per-version evaluation-suite results \[[ev-E8](#ev-E8)\].
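What a per-version behavior-delta entry has to contain is easier to see than to describe. The following is an added example, not Mnemom's drift detector and not Meridian's code: it compares two model versions on the same fixed evaluation suite and emits the changelog entry the Drift section (and §2.5's `BLOG-12`) asks for. It assumes triage levels are integers 1 to 5 with 1 the most urgent, an ESI-style convention, and the eval cases, version names, and the "unsafe downgrade" gate are constructed for illustration.

```python
"""Per-version behavior delta for a triage model, computed over a fixed eval suite.

Added example, not Mnemom's drift detector or Meridian's code. It shows the
minimum a behavior-changelog entry should carry: agreement between versions,
urgency direction of the disagreements, and accuracy against reference labels.
Assumptions: triage levels are integers 1..5 with 1 most urgent (ESI-style);
the eval suite, version names and release gate are constructed.
"""
from __future__ import annotations

import json
from collections import Counter

# Constructed eval suite: (case_id, reference_level, v1_output, v2_output)
EVAL_SUITE = [
    ("c01", 1, 1, 1),
    ("c02", 2, 2, 3),   # v2 downgrades an urgent case: safety-relevant
    ("c03", 3, 3, 3),
    ("c04", 4, 4, 3),   # v2 upgrades: more conservative
    ("c05", 2, 3, 2),   # v2 fixes a v1 under-triage
    ("c06", 5, 5, 5),
    ("c07", 1, 2, 3),   # both miss the reference; v2 is worse
    ("c08", 3, 3, 4),
]

URGENT_THRESHOLD = 2  # levels 1..2 count as "escalate" (assumption)


def accuracy(outputs, refs) -> float:
    """Fraction of cases where the model output equals the reference level."""
    return sum(o == r for o, r in zip(outputs, refs)) / len(refs)


def behavior_delta(suite, old_version: str, new_version: str,
                   max_unsafe_downgrades: int = 0) -> dict:
    """Build a changelog entry comparing two model versions on the same suite.

    An 'unsafe downgrade' is a case whose reference level is urgent and where the
    new version assigns a less urgent level than the old one. These are gated
    rather than averaged away: one missed escalation matters more than the mean.
    """
    refs = [r for _, r, _, _ in suite]
    old = [o for _, _, o, _ in suite]
    new = [n for _, _, _, n in suite]
    flips: Counter = Counter()
    unsafe = []
    for cid, ref, o, n in suite:
        if o != n:
            flips[f"{o}->{n}"] += 1
            if ref <= URGENT_THRESHOLD and n > o:
                unsafe.append(cid)
    esc_old = sum(o <= URGENT_THRESHOLD for o in old) / len(suite)
    esc_new = sum(n <= URGENT_THRESHOLD for n in new) / len(suite)
    entry = {
        "from": old_version,
        "to": new_version,
        "cases": len(suite),
        "agreement": 1 - sum(flips.values()) / len(suite),
        "flips": dict(flips),
        "escalation_rate_delta": round(esc_new - esc_old, 4),
        "accuracy_old": accuracy(old, refs),
        "accuracy_new": accuracy(new, refs),
        "unsafe_downgrades": unsafe,
    }
    entry["release_gate"] = "BLOCK" if len(unsafe) > max_unsafe_downgrades else "PASS"
    return entry


if __name__ == "__main__":
    print(json.dumps(behavior_delta(EVAL_SUITE, "triage-2026.01", "triage-2026.03"), indent=2))
```

The point of the `release_gate` field is that a behavior changelog is only useful to a clinical governance committee if it is computed before release on a suite that does not change between versions; aggregate accuracy can rise while a handful of urgent cases are silently downgraded, which is the failure mode the Q4 2025 dispute above illustrates.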

### Provenance — 450 / D+

Triage summaries surface an "AI-assisted" label by default. Enterprise administrators can disable the label across their tenant \[[ev-E15](#ev-E15)\] — a product affordance that inverts the Article 50(1) AI-interaction-disclosure direction the EU AI Act is moving toward. The triage outputs do not carry C2PA manifests or any cryptographic attestation of AI generation. Meridian is not a member of the Content Authenticity Initiative or C2PA \[[ev-E18](#ev-E18)\].
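The difference between a UI label and a machine-readable marking is that the latter travels with the content and cannot be switched off by a tenant setting without breaking a signature. The block below is an added example, not Mnemom's attestation product and not Meridian's code: a detached provenance manifest bound to a clinical summary by a content hash and a signature, the shape of artifact that §2.5's provenance uplift and Article 50(2)-style marking require. It assumes HMAC-SHA256 with a shared key as a stand-in for the asymmetric (Ed25519 or X.509) claim signature a C2PA-style manifest would carry, and the field names and sample summary are illustrative.

```python
"""Machine-readable provenance marking for an AI-generated clinical summary.

Added example, not Mnemom's or Meridian's code. It shows a detached provenance
manifest bound to the summary text by a content hash and a signature.
Assumptions: HMAC-SHA256 with a shared key stands in for the asymmetric
(e.g. Ed25519 / X.509) claim signature a C2PA-style manifest would carry;
field names, key and sample text are illustrative.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed signing key; a real deployment would use a per-service asymmetric key.
SIGNING_KEY = b"example-key-not-for-production"


def _canonical(obj: dict) -> bytes:
    """Deterministic JSON so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def create_manifest(summary: str, model_id: str, model_version: str,
                    key: bytes = SIGNING_KEY, issued_at: str | None = None) -> dict:
    """Return a signed manifest describing how `summary` was produced.

    The 'ai_generated' flag lives inside the signed claim, so a UI toggle
    cannot strip it without invalidating the signature.
    """
    claim = {
        "content_sha256": hashlib.sha256(summary.encode("utf-8")).hexdigest(),
        "generator": {"model_id": model_id, "model_version": model_version},
        "ai_generated": True,
        "issued_at": issued_at or datetime.now(timezone.utc).isoformat(),
    }
    sig = hmac.new(key, _canonical(claim), hashlib.sha256).hexdigest()
    return {"claim": claim, "signature": sig, "alg": "HMAC-SHA256"}


def verify_manifest(summary: str, manifest: dict,
                    key: bytes = SIGNING_KEY) -> tuple[bool, str]:
    """Check the signature, then the content binding; return (ok, reason)."""
    claim = manifest.get("claim", {})
    expected = hmac.new(key, _canonical(claim), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("signature", "")):
        return False, "signature mismatch (claim altered or wrong key)"
    if hashlib.sha256(summary.encode("utf-8")).hexdigest() != claim.get("content_sha256"):
        return False, "content hash mismatch (summary edited after signing)"
    if claim.get("ai_generated") is not True:
        return False, "claim does not assert AI generation"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample summary.
    text = "Patient presents with chest pain; triage level 2; escalate to ED."
    m = create_manifest(text, "meridian-triage", "2026.03")
    print(verify_manifest(text, m))
    print(verify_manifest(text + " Edited.", m))
```

Two checks matter in `verify_manifest` and their order is deliberate: the signature is checked first with a constant-time comparison so that an attacker who edits the claim (for example flipping `ai_generated` to false) is rejected before any field is trusted, and only then is the content hash compared so that an edited summary with an intact manifest is detected.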

meridianhealth.ai/robots.txt exists and blocks CCBot and GPTBot. It does not address ClaudeBot, PerplexityBot, Google-Extended, or anthropic-ai \[[ev-E1](#ev-E1)\] — a partial AI-crawler posture that signals the company has thought about scraping but has not declared a comprehensive stance. No agents.txt; no ai.txt \[[ev-E3](#ev-E3)\].
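The G-15 check is mechanical and worth automating, because "blocked", "explicitly allowed" and "never mentioned" are three different declarations and only the first two are a stance. The following is an added example, not Mnemom's collector and not Meridian's file: a small robots.txt parser that groups rules by user-agent (consecutive `User-agent` lines share one group, as in RFC 9309) and reports, for each AI crawler the report names, whether the site addresses it at all. The sample robots.txt is constructed to match the partial posture described above, and the crawler list is limited to the agents this page names.

```python
"""Audit which AI crawler user-agents a robots.txt explicitly addresses.

Added example; not Meridian's file or Mnemom's code. SAMPLE_ROBOTS is constructed
to match the posture the report describes (CCBot and GPTBot blocked, other AI
crawlers unaddressed). AI_CRAWLERS is limited to the agents the report names.
"""
from __future__ import annotations

# Constructed sample mirroring the partial posture the report describes.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Allow: /

User-agent: CCBot
Disallow: /

User-agent: GPTBot
Disallow: /
"""

# Crawler tokens named on the page (assumption: a full audit list would be longer).
AI_CRAWLERS = ["CCBot", "GPTBot", "ClaudeBot", "anthropic-ai",
               "PerplexityBot", "Google-Extended"]


def parse_robots(text: str) -> dict[str, list[tuple[str, str]]]:
    """Group Allow/Disallow rules by case-folded user-agent.

    Consecutive User-agent lines share the rule block that follows them
    (RFC 9309 grouping). Comments and unknown fields are ignored.
    """
    groups: dict[str, list[tuple[str, str]]] = {}
    current: list[str] = []
    collecting_agents = True  # True while we are still reading User-agent lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, value = (p.strip() for p in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if not collecting_agents:
                current = []          # a rule was seen, so this starts a new group
                collecting_agents = True
            current.append(value.lower())
            groups.setdefault(value.lower(), [])
        elif field in ("allow", "disallow"):
            collecting_agents = False
            for agent in current:
                groups[agent].append((field, value))
    return groups


def is_fully_blocked(rules: list[tuple[str, str]]) -> bool:
    """True when the group disallows '/' and no 'Allow: /' re-opens the site."""
    return any(d == "disallow" and p == "/" for d, p in rules) and \
        not any(d == "allow" and p == "/" for d, p in rules)


def audit(text: str, crawlers: list[str] = AI_CRAWLERS) -> dict[str, str]:
    """Classify each crawler as 'blocked', 'allowed' or 'unaddressed'.

    'unaddressed' means the crawler only matches the '*' group: the site has
    made no explicit declaration about it, which is the G-15 gap.
    """
    groups = parse_robots(text)
    result = {}
    for bot in crawlers:
        rules = groups.get(bot.lower())
        if rules is None:
            result[bot] = "unaddressed"
        else:
            result[bot] = "blocked" if is_fully_blocked(rules) else "allowed"
    return result


if __name__ == "__main__":
    for bot, status in audit(SAMPLE_ROBOTS).items():
        print(f"{bot:16s} {status}")
```

Run against the constructed sample it reports CCBot and GPTBot as blocked and the other four as unaddressed. A comprehensive stance is one where every crawler on the audit list resolves to "blocked" or "allowed"; note that robots.txt is advisory, so this measures the declared policy, not enforcement.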

### Compliance — 720 / B

The strength of the report. SOC 2 Type II attested; annual pen-test commitment on the trust page. HITRUST CSF certified. HIPAA BAA available to Enterprise customers \[[ev-E5](#ev-E5)\]. GDPR-aligned with an Irish operating entity (Meridian Health AI (Ireland) Limited); named DPO with contact email published; Article 27 representative named via a Dublin-based data-protection firm \[[ev-E6](#ev-E6)\]. Sub-processor list published and dated (last updated 2026-03-01), naming three foundation-model providers \[[ev-E13](#ev-E13)\]. Privacy policy and ToS up to date (both updated January 2026). DPA available at the advertised URL.

Weaknesses in compliance are entirely AI-specific: no ISO 42001 (not a hiring target; not claimed). No explicit NIST AI RMF alignment statement. No published DPIA covering the triage agent. No explicit EU AI Act Article 50 readiness statement with a roadmap date. No Colorado AI Act readiness statement. No FedRAMP (declared out of scope; Meridian does not serve federal agencies).

### Resilience — 600 / C+

Bug bounty on HackerOne, operational since 2023, 94 resolved findings to date. Published VDP with safe-harbor language; security.txt serves a current contact and PGP key \[[ev-E2](#ev-E2)\]. Annual pen-test summary published. SECURITY.md is current on the primary public repo. Head of Security publicly named (VP Security Engineering). No CVEs assigned to Meridian products in the last 24 months.

What the resilience posture lacks: the bounty scope page mentions "all products" but does not explicitly list AI-specific finding categories (prompt injection, jailbreak, agent abuse, sandbox escape, memory poisoning) as eligible \[[ev-E10](#ev-E10)\]. No published AI-specific threat model. No AI red team — the VP Security Engineering's team does traditional application security; there is no adversarial-ML function. No published red-team report or independent eval of the triage model.

* * *

## 4\. Concrete Findings

### F-01 — General compliance posture is top-third of segment; AI-specific posture is bottom-third

SOC 2 Type II + HITRUST + HIPAA BAA + GDPR with Irish entity + DPO + Article 27 rep is a rare and valuable position for a Series B healthcare AI company \[[ev-E5](#ev-E5)\] \[[ev-E6](#ev-E6)\]. Underlying that foundation, the AI-specific layer is thin: no ISO 42001, no NIST AI RMF mapping, no model card, no system card \[[ev-E9](#ev-E9)\], no behavior changelog \[[ev-E8](#ev-E8)\], no AI-red-team function, no EU AI Act Article 50 readiness document. The gap between the general compliance story a health-system CISO can take to their board and the AI-specific story they cannot is the defining finding of this report.

### F-02 — "AI-assisted" attribution on triage outputs is opt-out-able by Enterprise admins

The product's current UX allows tenant admins to disable the "AI-assisted" label on clinical summaries across their organization \[[ev-E15](#ev-E15)\]. This is the opposite direction from where EU AI Act Article 50(1) is moving (disclosure of AI interaction as a design requirement, not a configuration option) and it carries reputational exposure in any jurisdiction where consumer-facing AI disclosure becomes mandatory. This is a product UX decision, not a Mnemom-addressable gap.

### F-03 — Triage model has been versioned three times without a published behavior changelog

Three material triage-model updates in the last year, none accompanied by a published per-version behavior-delta description \[[ev-E8](#ev-E8)\]. Clinical governance committees at Meridian's 34 named health-system customers have begun asking for these artifacts during quarterly vendor reviews. Two of those customers have made "behavior changelog per model version" a condition of 2026 renewal.

### F-04 — Bug bounty runs but does not explicitly scope AI-specific findings

HackerOne program is operational, has 94 resolved findings to date, and has a clean safe-harbor policy \[[ev-E10](#ev-E10)\]. The scope page does not explicitly list AI-specific categories — prompt injection, jailbreak, agent-tool abuse, memory poisoning, indirect injection via document upload. Researchers who work in that adjacency read the scope as "probably covered" rather than "definitely covered," and several industry peers have moved to explicit AI-scope bounty programs in the last 12 months. This is a one-page edit to the HackerOne program description.

### F-05 — 14 ML-research open roles, zero AI-safety open roles

Meridian's hiring mix telegraphs organizational priorities: 14 of 82 open roles are in ML research, model training, or AI infrastructure. Zero are in AI safety, AI red team, AI policy, AI risk management, or responsible AI program management \[[ev-E11](#ev-E11)\]. For a company deploying a clinical-triage agent into hospital systems governed by HIPAA and subject to emerging state AI laws (Colorado AI Act effective June 30, 2026), the hiring asymmetry is a structural governance signal.

* * *

## 5\. Gaps

| ID | What we looked for | Polarity | Implication |
|---|---|---|---|
| G-01 | Model card for the triage model | ABSENT | Opaque behavior to clinical reviewers |
| G-02 | System card for the agent runtime | ABSENT | No documented tool permissions / sandbox boundaries / failure modes |
| G-03 | NIST AI RMF alignment statement | ABSENT | No framework legibility for health-system CISO boards |
| G-04 | ISO 42001 certification or in-process statement | ABSENT | AI management system not attested |
| G-05 | EU AI Act Article 50 readiness document | ABSENT | 103 days to enforcement; EU health-system customers will ask |
| G-06 | Colorado AI Act readiness statement | ABSENT | 70 days to enforcement; Colorado health-system exposure |
| G-07 | DPIA / AI risk assessment for the triage agent | ABSENT | No documented risk posture specific to the AI product |
| G-08 | Behavior changelog across triage-model versions | ABSENT | No drift-tracking surface |
| G-09 | AI-specific scope in HackerOne program | ABSENT | Researcher uncertainty on AI-adjacent findings |
| G-10 | Named Chief AI Officer / Chief Medical Informatics Officer with AI scope | ABSENT | No C-suite governance owner specific to the AI product |
| G-11 | AI-safety / red-team hiring | ABSENT | No internal adversarial function |
| G-12 | AI-specific threat model | ABSENT | No published threat decomposition |
| G-13 | C2PA / Content Authenticity Initiative membership | ABSENT | No provenance-coalition participation |
| G-14 | AI-assisted attribution being non-disableable | PRESENT\_NEGATIVE | Opt-out-able by admins; inverted direction |
| G-15 | Comprehensive AI-crawler stance in robots.txt | ABSENT | Partial (CCBot + GPTBot only); no Claude/Perplexity/Google-Extended |
| G-16 | agents.txt / ai.txt / llms.txt | ABSENT | No machine-readable agent-interaction policy |
| G-17 | Frontier Model Forum / NIST AISIC / PAI / MLCommons / Responsible AI Institute membership | ABSENT | No multi-party accountability on AI safety |

* * *

## 6\. Remediation Recommendations

| # | Action | Surface | Expected Lift | Decision Owner |
|---|---|---|---|---|
| 1 | Ship a model card, system card, and behavior changelog for the triage agent. Model card describes the triage model (architecture category, training-data categories, known limitations, eval results including adversarial robustness). System card describes the agent runtime (tools, permissions, sandbox boundaries, failure modes, escalation paths). Behavior changelog published per model version with behavior-delta descriptions and eval-suite results. Closes G-01, G-02, G-08. | BLOG/DOC | V +60, D +30 | Chief Medical Informatics Officer |
| 2 | Publish EU AI Act Article 50 readiness + Colorado AI Act readiness on a dedicated page linked from `/trust` and `/enterprise`. Article 50(1) AI-interaction disclosure commitment (and the UX change from F-02); Article 50(2) machine-readable content marking roadmap. Colorado AI Act compliance statement specific to healthcare consumer decisions. Closes G-05, G-06; partially addresses F-02. | POL/REG | C +50, A +20 | VP Compliance + Legal |
| 3 | Publish a governance framework mapping + name a C-suite AI owner. One page: existing controls mapped to NIST AI RMF, ISO 42001, OWASP Agentic Top 10. Name a C-suite owner with scope for AI governance across product, security, and clinical safety. Closes G-03, G-10; foundations for G-04. | TEAM/POL | A +60, C +30 | CEO + Board |
| 4 | Expand HackerOne scope to explicitly include AI-specific findings; establish an AI red-team function. Update the HackerOne program description to explicitly list AI-specific finding categories with bounty amounts (prompt injection, jailbreak, agent abuse, sandbox escape, memory poisoning). Open a req for an AI red-team lead; in the interim, engage Mnemom's red-team-as-a-service capability. Closes G-09, G-11, G-12, F-04. | SEC | R +60, A +20 | VP Security Engineering |
| 5 | Move "AI-assisted" attribution from opt-out-able to mandatory. Reverse the Enterprise-admin-disableable default for the AI-assisted label on triage summaries. Direction-of-travel alignment with EU AI Act Article 50(1). Closes F-02, G-14. | POL | P +40, C +10 | VP Product + DPO |

* * *

## 6.5 Addressable by Mnemom vs Customer

| Mnemom addresses directly | Customer must act |
|---|---|
| G-01, G-02 — Model/system card → Trust Rating telemetry → continuously-maintained model/system-card equivalent | G-09 — HackerOne scope update → Edit the program description |
| G-03 — NIST AI RMF mapping → Compliance reporting emits control-mapped documentation | G-10 — C-suite AI owner → Appoint one |
| G-04 — ISO 42001 readiness → Readiness artifact generated from runtime evidence (certification itself still requires a separate audit) | G-11 full — Internal red-team hire → Open the req |
| G-05 — Article 50 readiness → Readiness documentation generated + maintained | G-13 — C2PA / CAI membership → Apply |
| G-06 — Colorado AI Act readiness → Readiness documentation | G-14 — "AI-assisted" attribution UX → Product UX decision |
| G-07 — DPIA → DPIA template populated from runtime telemetry | G-15, G-16 — robots.txt / agents.txt / ai.txt completeness → Edit the files |
| G-08 — Behavior changelog → Drift detection emits versioned behavior deltas | G-17 full — Frontier Model Forum / NIST AISIC / PAI membership → Apply; membership gates exist |
| G-11 partial — AI red-team capacity → Red-team-as-a-service (external capacity) | R-02 partial — Publish the readiness page → Publish it |
| G-12 — AI threat model → Mnemom-published threat model for the deployed agent | — |
| G-17 partial — Standards engagement → Mnemom's standards-setting work on agent identity / attestation is available as a member | — |

### Closing prescription

**Mnemom is necessary but not sufficient.** Adopting Mnemom lifts your Trust Rating by 82 points (from 584 to 666), moving you from C to C+ (bordering B). Closing the remaining 194 points to the healthcare-AI leader (estimated ~860) requires corporate decisions that are yours to make — chief among them: appoint a C-suite AI owner, publish Article 50 readiness, flip the "AI-assisted" attribution default, and apply to Frontier Model Forum / NIST AISIC. Mnemom gives you the runtime governance infrastructure that lets those decisions have audit-ready substance; the decisions themselves remain yours.

* * *

## 7\. Peer Context

Your segment is "mid-market healthcare AI companies shipping agentic clinical products at Series B scale." Cohort scores marked (estimated) reflect published-domain bootstrap values pending full pipeline refinement against each cohort member.

**V** = Visibility · **A** = Alignment · **D** = Drift · **P** = Provenance · **C** = Compliance · **R** = Resilience

| Peer | V | A | D | P | C | R | Composite | Notes |
|---|---|---|---|---|---|---|---|---|
| Nabla | 720 | 740 | 660 | 580 | 820 | 720 | 720 | Cohort leader (estimated). EU-first regulatory posture; published model cards |
| Hippocratic AI | 640 | 580 | 600 | 520 | 700 | 660 | 620 | (estimated) |
| Abridge | 600 | 540 | 580 | 480 | 720 | 640 | 600 | (estimated) |
| Ambience | 540 | 500 | 540 | 460 | 680 | 600 | 555 | (estimated) |
| Suki | 520 | 480 | 520 | 460 | 660 | 580 | 540 | (estimated) |
| Commure | 500 | 460 | 500 | 440 | 640 | 560 | 520 | (estimated) |
| Meridian Health AI | 550 | 480 | 500 | 450 | 720 | 600 | 584 | Today (target, measured) |

The segment is bifurcated on AI-governance posture: the top third has published model cards, behavior changelogs, and ISO 42001 posture (Nabla is the clearest example, on the strength of its EU-first regulatory posture); the bottom two-thirds resemble Meridian's shape — strong general compliance \[[ev-E5](#ev-E5)\], thin AI-specific posture \[[ev-E9](#ev-E9)\]. The competitive risk is that health-system procurement is beginning to standardize on the top third's artifacts, and vendors in the bottom two-thirds are losing renewals on governance-artifact absence rather than product failure. Hippocratic AI and Abridge are the next-best refinement targets for full pipeline runs.

* * *

## 8\. Regulatory Countdown

| Regulation | Enforcement | Days out | Your exposure | Your posture |
|---|---|---|---|---|
| Colorado AI Act | 2026-06-30 | 70 | High — triage AI makes consequential consumer decisions in Colorado health systems | **Not addressed** |
| EU AI Act Article 50(1) AI-human interaction | 2026-08-02 | 103 | High — EU hospital-system customers; patient-facing AI interaction | **Not addressed**; "AI-assisted" label is admin-disableable (F-02) |
| EU AI Act Article 50(2) machine-readable content marking | 2026-08-02 | 103 | High — triage summaries are AI-generated text artifacts | **Not addressed**; no C2PA adoption |
| EU AI Act Annex III (high-risk AI in healthcare) | 2027-08-02 | 468 | High — likely qualifies as a "high-risk AI system" under Annex III.5 | No published roadmap |
| NYC Local Law 144 (automated employment decisions) | In effect | — | Low — not an employment tool | N/A |
| HIPAA / HITECH | Ongoing | — | Continuous | BAA in place; strong baseline |
| 21st Century Cures Act ONC algorithmic transparency | 2024-12-31 (in effect) | — | Medium — may require algorithmic transparency attestation for certified health IT integrations | Status unclear from public posture |

**Exposure summary:** EU AI Act Article 50 is your binding near-term deadline. Penalty ceiling for the Article 50 transparency obligations (Article 99(4)): up to €15M or 3% of worldwide annual turnover, whichever is higher, or whichever is lower for an SME. At Meridian's disclosed $47M ARR (Series B reporting), 3% is roughly $1.4M, meaningful but not existential. What is existential is the procurement impact: three named EU customer renewals land in Q3 2026, and procurement has already asked for Article 50 readiness documentation. One date in the table to verify before it reaches a customer: under the Act as adopted, Annex III high-risk obligations apply from 2026-08-02, and 2027-08-02 is the application date for systems that are high-risk because they fall under Annex I product legislation (for example a triage assistant regulated as a medical device under the MDR). Which route applies to the triage agent determines whether the 468-day figure is the right one.

* * *

## 9\. Evidence Appendix

Evidence rows that ground the load-bearing claims of this report. Each row carries the alias the prose cites by, the capture surface, the source tier, the source URL, and a one-line snippet of the captured content.

| Alias | Surface | Tier | URL | Snippet |
|---|---|---|---|---|
| E1 | WD | first\_party | meridianhealth.ai/robots.txt | Blocks CCBot and GPTBot; does not address ClaudeBot, PerplexityBot, Google-Extended, anthropic-ai. |
| E2 | SEC | first\_party | meridianhealth.ai/.well-known/security.txt | Present; contact + PGP key current. |
| E3 | WD | first\_party | meridianhealth.ai/agents.txt | 404. |
| E4 | POL | first\_party | meridianhealth.ai/responsible-ai | Five principles; no framework citations. |
| E5 | SEC | first\_party | trust.meridianhealth.ai | SOC 2 Type II; HITRUST; HIPAA BAA; sub-processor list current 2026-03-01. |
| E6 | POL | first\_party | meridianhealth.ai/privacy | DPO named; Irish entity disclosed; Article 27 representative Dublin-based. |
| E7 | BLOG | first\_party | meridianhealth.ai/blog | Active cadence ~2 posts/month; recent posts product + funding; no AI governance posts in last 12 months. |
| E8 | DOC | first\_party | meridianhealth.ai/changelog | Feature + UI changes; no behavior-delta entries per triage-model version. |
| E9 | DOC | first\_party | meridianhealth.ai/blog, /docs search | No model card or system card surfaced. |
| E10 | SEC | primary\_third | hackerone.com/meridian-health-ai | Active program; 94 resolved; safe-harbor present; AI-specific categories not explicitly listed in scope. |
| E11 | TEAM | first\_party | meridianhealth.ai/careers | 82 open roles; 14 ML research; 0 AI safety / red team / policy. |
| E12 | AUD | aggregated | Podcast search + LinkedIn | CEO appeared on two podcasts in 18 months; governance not discussed substantively. |
| E13 | SEC | first\_party | trust.meridianhealth.ai/subprocessors | Three foundation-model providers named. |
| E14 | AUD | aggregated | LinkedIn press search | Q4 2025 clinical-accuracy dispute; company response via LinkedIn post; no formal post-mortem on meridianhealth.ai. |
| E15 | DOC | first\_party | meridianhealth.ai/docs/admin/labeling | "AI-assisted" label can be disabled at tenant level by Enterprise admins. |
| E16 | TEAM | primary\_third | frontiermodelforum.org/members | Meridian Health AI not listed. |
| E17 | TEAM | primary\_third | nist.gov/.../aisic-members | Meridian Health AI not listed. |
| E18 | TEAM | primary\_third | c2pa.org members | Meridian Health AI not listed. |

Next step

## Get a coherence report for your company.

A real report is built from your live posture signals: private, delivered to you or your CISO, versioned as you annotate it. Request one and we will get in touch.

---
_Source: /es/report/sample/index.html · Generated by build-markdown-mirrors.mjs · For agent-readability commitment #4 see https://www.mnemom.ai/for-agents/_
