How Oregon Health & Science University Eliminated AI Compliance Exposure Across 60 Research Programs in 31 Days
Oregon Health & Science University (OHSU) is Oregon's only academic health center, operating three hospitals, 13 primary care and specialty clinics, and 60 research institutes with approximately $680 million in annual research funding. Its 19,000-person workforce includes clinicians, investigators, and engineers who have independently deployed AI tools to support clinical documentation, genomics research, patient matching for clinical trials, and administrative workflows.
OHSU engaged Elantis to bring all production AI agents under policy governance – with particular focus on those accessing its electronic health record system, clinical trial management system, and research datasets governed by its Institutional Review Board (IRB).
Results & Impact
Initial Outcomes – First 60–90 Days
- 94 AI agents brought under active governance across clinical, research, and administrative environments, with full enforcement active from Day 31
- 23 unauthorized patient data access attempts blocked in the first 60 days – each caught and stopped before reaching the agent's context window
- IRB audit preparation time reduced from eight weeks to three days – a complete, auditable record of every AI data access interaction, ready for review on demand
- Zero confirmed patient data exposure events per quarter, down from an estimated 40–60 at baseline
- Zero downtime and no code changes required for 83 of the 94 agents governed – enforcement applied entirely at the infrastructure layer
Operational Outcomes
- 74% reduction in security team compliance ticket volume within two weeks, as automated policy recommendations replaced manual triage
- Average time to bring a new agent under governance: 2.1 days, compared to three to six weeks under the previous manual review process
- ~140 hours of internal staff time required across security, research IT, and data governance – from contract signing to full enforcement go-live
The Challenge: AI Agents in a Research Environment With No Governance Layer
OHSU's research environment is intentionally decentralized. Investigators running federally funded studies have significant autonomy over their computational tools. By late 2024, more than 40 research teams had deployed AI tools to automate tasks ranging from clinical note summarization to genomic analysis – several of which held credentials to OHSU's electronic health record system and clinical trial management platform.
OHSU's security team had no real-time visibility into what these tools were doing once deployed. An AI agent acting on a malformed instruction or compromised credential could have triggered a HIPAA breach notification affecting thousands of patient records. For academic medical centres, the average HIPAA settlement is $1.2 million, with breaches also putting NIH funding at risk and creating lasting reputational damage.
The IRB dimension was equally urgent. OHSU's institutional review board had begun receiving objections from research participants about AI use in studies, but had no auditable framework for how AI tools were accessing research data. Investigators could provide manual assurances, but that assurance chain would not survive a federal audit. OHSU needed a governance layer that worked across a decentralized research environment without requiring every team to rebuild their tools from scratch.
The Solution
For 83 of the 94 AI agents in production – all packaged as self-contained software modules – governance rules were applied at the environment layer in one go, with no service interruptions and without touching the code of any individual agent.
Every outbound data request from those agents passes through Elantis's policy engine, which returns a decision (allow, block, sanitize, or flag for manual approval) before the request executes. For patient data fields returned through electronic health record (EHR) queries, the system automatically redacts sensitive identifiers before they reach the agent.
For the 11 agents built directly by OHSU's internal research engineering teams, a lightweight software integration gave the security team granular visibility into exactly which data fields an agent attempted to access – and whether its behavior matched its stated IRB protocol scope.
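An added sketch of the decision step described above, not Elantis's or OHSU's code: each outbound request is checked against the agent's bound resources and IRB protocol scope and receives one of the four verdicts, with identifiers redacted on sanitize. The field names, the `AgentPolicy` shape and the verdict precedence (block, then flag, then sanitize, then allow) are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed field names; a real deployment maps these from its own EHR schema.
DIRECT_IDENTIFIERS = frozenset({"name", "mrn", "dob", "address"})

@dataclass(frozen=True)
class AgentPolicy:  # hypothetical policy binding for one agent
    agent_id: str
    resources: frozenset                      # systems this agent may query
    protocol_scope: frozenset                 # fields covered by its IRB protocol
    needs_approval: frozenset = frozenset()   # in scope, but human sign-off first

def decide(policy, resource, fields):
    """Return (verdict, reason) for one outbound request, before it executes."""
    requested = set(fields)
    if resource not in policy.resources:
        return "block", f"resource {resource!r} not bound to agent"
    outside = requested - policy.protocol_scope
    if outside:
        return "block", f"outside protocol scope: {sorted(outside)}"
    if requested & policy.needs_approval:
        return "flag", "manual approval required"
    if requested & DIRECT_IDENTIFIERS:
        return "sanitize", "direct identifiers redacted"
    return "allow", "within scope"

def enforce(policy, resource, fields, record, audit):
    """Apply the verdict to a fetched record and append an audit entry."""
    verdict, reason = decide(policy, resource, fields)
    audit.append({"agent": policy.agent_id, "resource": resource,
                  "fields": sorted(fields), "verdict": verdict, "reason": reason})
    if verdict in ("block", "flag"):
        return verdict, None   # nothing is released to the agent's context
    released = {f: record[f] for f in fields if f in record}
    if verdict == "sanitize":
        for f in released:
            if f in DIRECT_IDENTIFIERS:
                released[f] = "[REDACTED]"
    return verdict, released

# Constructed sample policy and record, not real data.
POLICY = AgentPolicy("trial-matcher", frozenset({"ehr"}),
                     frozenset({"mrn", "diagnosis", "age", "genomic_variant"}),
                     needs_approval=frozenset({"genomic_variant"}))
RECORD = {"mrn": "000000", "name": "Sample Patient", "diagnosis": "C50.9",
          "age": 54, "genomic_variant": "constructed"}
```

Every call to `enforce` appends to the audit list regardless of verdict, which is what makes blocked and flagged attempts reviewable later.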
Elantis automatically generated HIPAA-compliant policy templates for all 94 agents based on their data access patterns. OHSU's data governance team reviewed and approved every policy binding in a single three-hour working session.
Implementation and Investment
OHSU procured Elantis through the TXShare cooperative contract on Civic Marketplace – the AI Governance, Compliance, and Enablement Platform contract administered by the North Central Texas Council of Governments (NCTCOG). No new RFP was required.
Engagement timeline and cost:
- Contract signing: February 2026
- Full enforcement go-live: March 2026
- Total deployment duration: 31 days
- Internal effort required: approximately 140 hours across security, research IT, and data governance
Replicability for Other Agencies
The OHSU deployment demonstrates the model's applicability beyond traditional municipal government: any institution managing AI tools across a decentralized research or clinical environment, with HIPAA or IRB obligations, faces the same core governance gap that Elantis was built to close.
Access This TXShare-Awarded Contract Now on Civic Marketplace.
Elantis is an awardee of the TXShare AI Governance, Compliance, and Enablement Platform cooperative contract. To learn more and explore the contract, visit their supplier profile.








