
AI Agent Governance for Healthcare: Compliance Without Friction

How clinical AI teams can meet HIPAA, EU AI Act, and emerging SaMD oversight requirements at runtime, without slowing delivery.


A clinical decision support agent goes live in a regional health system’s emergency department. Three months later, an internal audit finds the agent’s escalation rate has drifted materially from the deployed baseline for cases involving certain insurance classes. No patient has been harmed. No PHI breach has been triggered. No alarm has fired. Just behavior that no longer matches what the compliance team certified. This is the shape of AI governance failure in healthcare today, and it points to a single conclusion: compliance for AI agents cannot be a deployment artifact. It has to be a runtime property of every decision the agent makes, attested at the point of execution, not certified at the point of release.

The model card was signed off by clinical leadership. The deployment passed IRB review. The validation report was archived. None of that is wrong, and none of it is sufficient. Each is a snapshot of a system that is no longer the system in production. The agent in front of patients is composed of a model that has been updated, tools that have been versioned, prompts that have evolved, and a retrieval corpus that absorbs new clinical guidance every week. An agent can answer the same clinical question differently over time as its prompts, tools, retrieval context, and operational conditions evolve. Both answers may appear defensible in isolation. What cannot be defended is the absence of evidence that governance held in either case.

The Compliance Drift Gap

Call this structural failure the Compliance Drift Gap: the widening distance between the system that was approved and the system currently making decisions in production. For deterministic software, that distance is small enough to ignore. For an AI agent in a clinical environment, it widens with every interaction. By the time an audit surfaces it, the gap is no longer measurable in days. It is measurable in decisions.

The gap does not announce itself. There is no error log entry for it. The agent continues to function. Outputs continue to look reasonable. What changes is the relationship between the agent’s behavior and the controls under which it was approved. This is the failure mode that healthcare’s existing compliance machinery is not built to detect.

Why Healthcare Compliance Breaks Under Agents

Healthcare compliance evolved for a particular kind of system. Deterministic. Auditable at rest. Behavior fully described by documentation. HIPAA’s accounting-of-disclosures requirements, the EU AI Act’s Article 14 human oversight obligations for high-risk AI systems used in clinical contexts, and FDA’s posture on Software as a Medical Device: all of these assume a system that can be characterized once and trusted to keep that characterization. Agents do not work this way.

An AI agent’s behavior emerges from the interaction between its model, its tools, its prompt context, the data it retrieves, and the operator it is acting on behalf of. None of those are static. This is where healthcare’s compliance frameworks reveal their underlying assumption: that the unit of compliance is the output. Did the agent produce the right answer. Did the disclosure conform to minimum-necessary. Did the consult request follow protocol. The output is what gets logged, audited, and reviewed.

For agents, the unit of compliance is no longer the output. It is the decision trace. What context did the agent see. What policies applied. What was redacted. What was escalated. What was blocked. The trace is what tells a regulator whether the system was operating within the controls under which it was approved, regardless of whether the output happened to be correct. Without a structural way to capture and attest to the decision trace, every output is a guess about whether governance held. That is the position most healthcare AI deployments are in. They have outputs. They do not have governed decisions.

From Logging to Authorization

The first response many teams reach for is observability. Log every agent action. Stream the events to a SIEM. Build dashboards. This is the path of least resistance, and it does close part of the gap. It does not close the gap that matters in healthcare.

The distinction is between three things often collapsed into one: monitoring, logging, and governance. Monitoring observes what the agent is doing. Logging records it for later. Governance decides whether the agent gets to do it. The first two are forensic by design. They tell you what happened, after it happened. In a clinical environment, post-hoc visibility into a PHI exposure or a misrouted consult is not a control. It is a record of failure. The patient encounter is over. The disclosure has already left the building.

Healthcare cannot operate this way at scale. The governance decision has to fire at the same instant the agent acts. That is a different category of system. It is enforcement at runtime, at the point where the agent is about to act, not validation after the fact. The architectural transition the next generation of healthcare AI deployment requires is from observation to enforcement, and from logging to authorization.


OpenBox as Runtime Governance Layer

OpenBox (docs.openbox.ai) is the runtime governance layer for AI agents. It wraps existing agents without architectural change, and it intervenes at the point of execution rather than observing afterward.

The Trust Lifecycle moves through five stages: Assess, Authorize, Monitor, Verify, and Adapt. Each stage closes a specific failure surface that the Compliance Drift Gap exposes. Cryptographic Attestation operates across all five, producing a signed, tamper-evident record of every decision made and every control applied, in a form that survives external audit.

Assess establishes a risk and behavior baseline. Each agent receives a Trust Score, computed as Risk Profile (40%) + Behavioral (35%) + Alignment (25%). The score maps to a Trust Tier, which determines the agent’s autonomy envelope. A clinical decision support agent handling oncology consults does not begin life at the same tier as a billing reconciliation agent. Risk profile of the operating domain, observed behavior in production, and alignment with the controls under which the agent was deployed are weighed continuously, not once.

Authorize is where the runtime governance decision is made. Runtime authorization operates through three control surfaces. Guardrails enforce hard constraints on what the agent can produce: PHI redaction, content controls, prohibited-term filtering. Policies, expressed in OPA/Rego, encode stateless rules that compliance teams already write in human language: minimum-necessary access, role-based PHI exposure, jurisdictional data residency. Behavioral Rules detect stateful multi-step patterns that single-action checks miss, such as the agent that issues a sequence of innocuous queries which together reconstruct an identifiable patient record. The output of this stage is a Governance Decision: allow, block, redact, or escalate.

Monitor is real-time behavioral observation. Session Replay preserves the full context of an agent’s reasoning path for any decision, in a form that can be reviewed by a clinician, a compliance officer, or an external auditor. The signal is continuous, not sampled.

Verify evaluates whether the agent’s actions across a session remained aligned with the purpose and governance conditions under which it was deployed. It validates that the controls applied during Authorize continued to hold as behavior evolved: did the Policies fire where they should have, did the Behavioral Rules catch the patterns they were configured for, did the Guardrails redact what they were supposed to redact. It is the structural complement to Authorize, not a substitute for it.

Adapt is the policy update layer. Policies are versioned, Trust Tiers shift as behavior shifts, Guardrail configurations and Behavioral Rules refine in response to what Verify surfaced. An agent whose Trust Score erodes is constrained automatically. One that demonstrates sustained alignment can earn broader autonomy. The system tightens or loosens not on a quarterly review cycle but on the signal it is producing in real time.
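As an added illustration (not OpenBox’s code or API), the Python below sketches the Assess and Authorize stages described above, plus a hash-chained, HMAC-signed attestation record and the check Verify would run over it: a Trust Score using the 40/35/25 weights, a stateless role-based minimum-necessary policy, a stateful rule that escalates once a session has accumulated enough PHI fields on one patient to reconstruct a record, and an SSN redaction guardrail. The tier cut-offs, role field sets, four-field threshold and signing key are constructed assumptions.

```python
import hashlib, hmac, json, re
from collections import defaultdict
# Only the 40/35/25 weights come from the article; tier cut-offs, role field sets,
# the 4-field reconstruction threshold and the signing key are constructed here.
WEIGHTS = {"risk_profile": 0.40, "behavioral": 0.35, "alignment": 0.25}
TIERS = [(80, "autonomous"), (60, "supervised"), (0, "restricted")]
ROLE_FIELDS = {"billing": {"mrn", "insurance_id"},
               "clinician": {"mrn", "name", "dob", "diagnosis", "medications", "address"}}
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def trust_score(risk_profile, behavioral, alignment):
    """Assess: weighted Trust Score from three 0-100 inputs, mapped to a Trust Tier."""
    inputs = {"risk_profile": risk_profile, "behavioral": behavioral, "alignment": alignment}
    score = round(sum(v * WEIGHTS[k] for k, v in inputs.items()), 2)
    return score, next(tier for floor, tier in TIERS if score >= floor)

class Authorizer:
    """Authorize: policy, behavioral rule and guardrail; every decision is signed into a hash chain."""
    def __init__(self, signing_key):
        self.key, self.prev = signing_key, "0" * 64
        self.released = defaultdict(set)  # (session, patient) -> PHI fields already released

    def authorize(self, session, role, patient, fields, text):
        fields, extra = set(fields), set(fields) - ROLE_FIELDS.get(role, set())
        if extra:  # stateless policy: role-based minimum-necessary access
            decision, reason, out = "block", f"outside role scope: {sorted(extra)}", None
        elif len(self.released[(session, patient)] | fields) >= 4:  # stateful behavioral rule
            decision, reason, out = "escalate", "cumulative PHI fields across session", None
        else:  # guardrail: redact SSN-shaped strings even from permitted output
            self.released[(session, patient)] |= fields
            out = SSN_RE.sub("[REDACTED]", text)
            decision, reason = ("redact", "ssn pattern redacted") if out != text else ("allow", "within controls")
        event = {"session": session, "role": role, "patient": patient,
                 "fields": sorted(fields), "decision": decision, "reason": reason}
        return self._attest(event), out

    def _attest(self, event):
        body = json.dumps({"prev": self.prev, "event": event}, sort_keys=True)
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        self.prev = hashlib.sha256(body.encode()).hexdigest()  # the next record links to this one
        return {"body": body, "sig": sig}

def verify_chain(records, signing_key):
    """Verify: each record carries a valid signature and links to its predecessor."""
    prev = "0" * 64
    for rec in records:
        expected = hmac.new(signing_key, rec["body"].encode(), hashlib.sha256).hexdigest()
        if json.loads(rec["body"])["prev"] != prev or not hmac.compare_digest(rec["sig"], expected):
            return False
        prev = hashlib.sha256(rec["body"].encode()).hexdigest()
    return True
```

A blocked or escalated request returns no text at all; the attestation record is produced for every outcome, which is what lets an accounting-of-disclosures query run against the log rather than against reconstructed memory.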

For healthcare, this changes what an audit can ask. The unit of compliance is no longer whether the output conformed. It is whether the attested decision trace shows that governance held. Taken as a whole, the lifecycle prevents the silent widening of the Compliance Drift Gap. Each stage closes a different mechanism by which the gap opens.

Operational Impact

The architectural shift produces operational consequences across three groups inside a healthcare system.

For compliance and privacy officers, the work changes from periodic audit preparation to continuous evidence. The attestation stream is the audit. There is no quarterly scramble to reconstruct what an agent was doing six weeks ago, because every decision the agent made carries its own signed trace. HIPAA’s accounting-of-disclosures becomes a query against the attestation log rather than a project.

For clinical and operational leadership, the calculus around AI deployment changes. The barrier to deploying a new agent has historically been the question of what happens when something goes wrong and the system has to defend itself. Runtime governance reframes that question. The defensibility is built into the architecture. New agents can be deployed into higher-stakes contexts because the controls travel with them.

For engineering, governance stops being a release-cycle gate and becomes an infrastructure layer the agent runs on. Policies are versioned, Guardrails are tested, Behavioral Rules are reviewed alongside model updates. The compliance team and the engineering team are operating against the same artifacts, which is a structural change healthcare has been trying to achieve for a decade.

The deeper shift is what regulators see. Today, a regulator examining a healthcare AI deployment is examining outputs and hoping the controls held. Under runtime governance, the regulator examines the attested decision trace and verifies that the controls held. The unit of compliance has moved.

The unit of compliance for healthcare AI has shifted from output to execution trace. Frameworks that audit only what the agent produced are auditing the wrong artifact.

The Inevitability

Healthcare regulators are not waiting for AI agent governance to converge on a standard. The EU AI Act’s Article 14 already requires human oversight of high-risk AI systems used in clinical contexts to be “effective,” a word that does not survive scrutiny when the only oversight available is a dashboard read after the fact. FDA’s SaMD trajectory points toward continuous performance monitoring and predetermined change control. HIPAA enforcement is paying closer attention to algorithmic access patterns than it did even two years ago.

The architecture that allows a clinical AI agent to be deployed with confidence is the same architecture that allows a regulator to verify the agent in motion. These are not separate problems with separate solutions. Runtime governance is the single architecture that resolves both.

The Compliance Drift Gap does not close by adding more dashboards, more reviews, or more audit frequency. It closes by moving the governance decision into the same instant as the agent’s action. Anything short of that is forensics with better lighting.

Healthcare AI is moving in this direction regardless of vendor, jurisdiction, or whether existing systems are prepared for the transition. Static certification was designed for deterministic systems. Clinical AI is not deterministic, and no regulator examining the evidence is concluding otherwise. Runtime governance is not a future requirement waiting to be formalized. It is the only architecture consistent with what clinical AI systems already are. The Compliance Drift Gap is what remains for systems that have not yet closed it.
