ISO 42001 · NIST AI RMF · WHO AI Ethics
Every AI-assisted part of ZenoXCare runs under a published management system, states its scope up front, keeps a record you can revisit for each decision, and hands unclear cases to a human. AI never signs off identity, payment, or clinical outcomes alone.
Frameworks aligned
ISO 42001 · NIST AI RMF · WHO
Trace retention
Kept · 5 years
Decision authority
Human-in-the-loop
Where help runs
On your device when possible; cloud if not
The three anchors
Each framework links to its publisher's authoritative source and to ZenoXCare's internal control mapping.
ISO/IEC
AI Management System — requirements for establishing, implementing, maintaining and continually improving an AI management system within an organisation.
Scope: WebLLM on-device assist, federated AI inference, agentic workflows; AI register and lifecycle controls.
NIST (USA)
AI Risk Management Framework — voluntary guidance to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems.
Scope: AI lifecycle risk register, model evaluation harnesses, replayable traces, regression gates.
World Health Organization
Ethics and governance of artificial intelligence for health — six principles ensuring AI works to the public benefit of all countries.
Scope: Clinical decision support boundaries (non-authoritative AI surfaces), human-in-the-loop overrides, equity guardrails.
NIST AI RMF 1.0 — applied
The four NIST functions, each grounded in a concrete control with audit-defensible evidence.
Cultivate a culture of AI risk management. Define policies, accountability, and skills.
Model register and retirement rules
Every model and helper has an owner, stated use, dataset notes, and explicit out-of-scope limits.
Compliance Co-Pilot reviewer drafting
AI may draft a decision for human review; AI never finalises identity, payment, or clinical decisions.
Quarterly governance review
Standing review of model cards, evaluation deltas, incident log, and red-team findings.
Recognise context. Identify capabilities, limitations, and stakeholder impacts before deploying AI.
Use-case categorisation
Model cards classify each use as informational, advisory, or operational; only informational + advisory ship without manual gates.
Stakeholder impact assessment
DPIA-aligned assessment for any AI surface that touches PHI, biometrics, or financial decisions.
Out-of-scope claims register
Explicit catalogue of what each surface is not permitted to do (e.g. no diagnosis, no triage authority).
Test, evaluate, and document AI system performance, robustness, fairness, and explainability.
Decision records you can replay
Every agent invocation captures the prompt, tool calls, retrieved chunks, and decision; reviewers can replay end-to-end.
Automated tests before each release
Public-query router, KYC rubric, and copilot drafts have golden datasets with budgets enforced in CI.
Bias + equity probes
Across language, jurisdiction, and gender slices on identity verification and agent answering.
Treat risk. Allocate resources to risks proportionate to impact, and continuously improve.
Incident response runbook
Written runbook with on-call rotation and live monitoring for AI-backed flows.
Off switch and slower path
Each AI feature falls back to scripted answers or a human queue when automation is off.
Ongoing misuse checks
Known prompt-attack sets run on every release; new issues become tracked tests.
WHO Ethics & Governance of AI for Health
The WHO principles applied to clinical and clinical-adjacent AI surfaces.
Principle 1
Members can decline AI assistance, request a human reviewer, and see exactly which signals informed any decision.
Principle 2
Assistive text only for clinical decisions—clinicians decide. We do not auto-diagnose.
Principle 3
Failed identity checks explain the reason code; every assistive answer ties back to published registry text.
Principle 4
Named human owner for every model; appeal route published; reviewer audit log retained 5 years.
Principle 5
Pan-African baseline; English plus planned French and Portuguese; optional on-device wording help where data is expensive.
Principle 6
Records can be revisited later; weekly cost and speed review; swaps keep evaluation limits steady.
Built to connect safely
We publish clear endpoints for search tools, partner apps, and optional on-device help—each with its trust rules and limits stated up front.
| Protocol | Path / code | Trust | Description |
|---|---|---|---|
| AI agent tools | Public, read-only | public | AI assistants like Cursor, Claude, and ChatGPT can read public compliance information. No write actions are exposed publicly. |
| Agent discovery | Public | public | Partner AI systems can discover what we offer, with example prompts and stable links for compliance registrations. |
| Public knowledge map | Public | public | A single, public list of what the platform exposes — country pages, compliance snapshots, and how everyday questions map to the right page. |
| Smart router | Public | public | Turns everyday questions into the right page when confident; otherwise suggests next steps. |
| On-device assistant | Runs in your browser | public | Caches the public knowledge map for instant answers — nothing remote unless you enable it. |
| On-device writing polish | Available where enabled in your settings | authenticated | Polishes grammar and clarity only — never invents facts, dates, or claims. A deterministic backup runs when the on-device assistant is unavailable. |
| On-device draft starter | Independent practice application — reply assist | authenticated | Generates a short starter reply when a clinician needs to respond to a compliance question on their application. Sees only the question — never patient, clinical, or financial context. Uses placeholders so it never invents certificate numbers, dates, or claims. |
| Compliance Co-Pilot | Compliance review console | authenticated | Drafts a recommended decision for borderline reviews. The reviewer must accept, override, or request more evidence. |
Every field where bundled polish is offered. The list auto-updates when developers add new compose surfaces, gated by a CI drift test against lib/ai/assist-polish-surface-registry.ts. The shared React component lives at components/local-assist/assist-polish-button.tsx.
compliance_console
Compliance reviewer compose surfaces — KYC reviews, independence queue (acknowledge / request info / reject notes), governance freezes, moderation, appeals, access programs, pilot config, clinician verification.
app/c/ · components/compliance/
partner_console
Partner compose surfaces — independent-practice submission / reply / withdraw, order dispute / confirm / new-order notes, clinician credential submission, patient review notes, ghana discovery settings, investigations fulfillment.
app/p/ · components/partner/ · components/provider/
member_console
Member compose surfaces — care concierge conversations, support disputes, account profile, encounter reviews, review appeals, find-care, care triage, patient location.
app/g/ · components/gamer/ · components/concierge/
telemedicine
Telemedicine workspace — patient and clinician compose during a live session.
components/telemedicine/
marketing_public
Public marketing forms — contact form polish (no PII leaves the browser).
app/(marketing)/
Defenses, layer by layer
Threats are catalogued; controls are committed in code; a versioned corpus is replayed in CI on every release.
Input
Threat
Prompt injection from member-supplied text or untrusted retrieval
Control
Inputs marked as data, never as instructions; system prompt pinned; allow-list of tools per agent role.
Tool
Threat
Tool-injection (an agent tricked into calling a destructive tool)
Control
Public AI tools are read-only. Authenticated tools require sign-in, role checks, and safe-retry guarantees so the same action is never applied twice.
Retrieval
Threat
Poisoned or stale knowledge influencing answers
Control
Retrieval is restricted to versioned registries (standards, certifications, jurisdictions). Each chunk carries provenance.
Output
Threat
Hallucinated claims, unsafe code, or PII leakage
Control
Outputs validated against the compliance language scanner; structured outputs validated by Zod schemas before display.
Identity
Threat
Confused-deputy attacks across MCP/A2A boundaries
Control
Every cross-protocol call carries a fresh signed envelope with caller, capability, and scope; no ambient authority.
Privacy
Threat
Sensitive context leaving the device
Control
On-device WebLLM serves the offline-first tier; remote inference disables training + retains zero data.
FAQs
The page that explains our AI governance also demonstrates it — try the on-device assistant below before reading the canonical FAQ. Your question runs entirely in your browser via WebGPU (privacy-preserving by construction); falls back to the published FAQ pair when WebLLM isn't available.
No. AI surfaces are explicitly non-authoritative for clinical decisions. Clinicians retain full diagnostic and treatment authority; AI may surface evidence, draft notes, or summarise for review only.
ISO/IEC 42001:2023 for the AI management system, NIST AI RMF 1.0 for risk management, and the WHO Ethics & Governance of AI for Health for the six principles applied to clinical surfaces.
Member-supplied text is treated strictly as data, never as instructions. The system prompt is pinned, tool access is gated by role, retrieval is restricted to versioned registries, and outputs are validated before display. A versioned prompt-injection corpus is replayed in CI on every release.
Yes. Members can decline AI assistance and request a human reviewer for any decision, including KYC, support, and clinical workflows. Opt-outs are recorded and respected platform-wide.
MCP (Model Context Protocol) for read-only tool discovery, A2A (Agent-to-Agent) via /.well-known/agent.json, an intelligence manifest, and a deterministic natural-language micro-router. Each is publicly documented and crawlable.
The replayable trace store, evaluation harness budgets, model cards, prompt-injection corpus, and incident log are all available to auditors under NDA. The quarterly compliance evidence pack bundles them.
On-device WebLLM polish runs in three places: (1) compliance reviewer notes on /c/clinician-independence and /c/admin/kyc-review, (2) the applicant's independent-practice submission message, reply-to-compliance, and withdraw-reason fields on /p/clinicians/independence, and (3) member-facing assist surfaces like Care Concierge offline mode. In every case the model executes inside the browser via WebGPU and the user's text never leaves the device. The button is feature-gated by NEXT_PUBLIC_LOCAL_ASSIST_ENGINE and falls back to a deterministic regex polish when the engine is unavailable.
We share model descriptions, misuse test sets, and step-by-step decision records with auditors and partners under NDA. Trust pages can embed the live posture summary.