U.S. Department of Health and Human Services Achieves Complete AI Agent Inventory in 72 Hours with Elantis’ Aegis

Overview
In January 2026, the U.S. Department of Health and Human Services (HHS) deployed Elantis’ Aegis platform to discover, classify, and govern every AI agent operating across its production environments.
With more than 80,000 employees spread across 28 operating divisions and responsibility for more than $1.7 trillion in annual program outlays, HHS had accumulated a sprawling and largely invisible AI agent footprint. Divisions had independently deployed LangChain agents, AWS Bedrock Agents, and Microsoft Copilot Studio automations to accelerate claims processing, grant administration, and clinical research workflows. By late 2025, HHS could not confirm how many of those agents existed or whether any were operating on protected health information, leaving the Department exposed to data-protection breaches under the Health Insurance Portability and Accountability Act and potentially significant financial penalties.
Results & Impact
Initial Outcomes
- 847 AI agents discovered across 23 operating divisions
- 312 shadow agents (37% of total) previously unknown to HHS IT
- 67 high-severity policy violations caught in the first 30 days
- 89 agents accessing protected health information without governance binding, remediated within 45 days
- Audit preparation time reduced from 6 weeks to 4 days
- Time to first complete agent inventory: 71 hours from sensor deployment
Ongoing / Operational Outcomes
- 100% of discovered agents under active Aegis governance
- Mean time to detect a new unregistered agent: under 4 minutes
- Open HIGH/CRITICAL findings down 91% from baseline
- Compliance posture score improved from 22/100 to 88/100
The Challenge: Governing a Federal AI Estate Across 28 Independent Divisions
HHS operates one of the most complex IT estates in the U.S. federal government. Its 28 operating divisions each maintain independent AWS and Azure tenancies, on-premises HPC clusters, and SaaS deployments. Development teams inside CMS, NIH, and the Office of the National Coordinator had independently deployed AI agents to accelerate claims processing, grant administration, and clinical research workflows. However, without central coordination or oversight in place, these efforts left the organization exposed to risks such as unauthorised access to protected health information, model outputs unduly influencing clinical or administrative decisions, and the proliferation of shadow AI agents outside the control of the IT team.
By Q3 2025, the HHS CISO office had received four internal audit flags citing AI tool proliferation as an unmitigated risk. The agency could not produce an accurate count of AI agents in production, let alone confirm whether any were operating on protected health information. An Office of Inspector General (OIG) review scheduled for Q1 2026 included a new section requiring documentation of AI systems with data access. HHS had just 90 days to prepare.
The OIG review required HHS to maintain a comprehensive inventory of all AI use cases across its divisions, identify which systems qualified as “high impact” (those touching protected health information, influencing clinical decisions, or affecting individual rights), and certify that minimum risk management practices were in place for each.
The stakes were significant: HIPAA violations tied to an ungoverned AI agent processing member records carry penalties up to $1.9 million per violation category, and the OIG had already rated HHS's information security program "Not Effective" for the sixth consecutive year in FY2025.
It was impossible to manually produce an accurate and comprehensive audit in the time available. Manual discovery across 14 AWS accounts, 3 Azure tenancies, and 7 on-premises environments would have required an estimated 2,400 staff hours and still produced an incomplete picture. A different approach was needed.
The Solution: Zero-Instrumentation Discovery and Runtime Enforcement
Aegis, Elantis’ agentic AI discovery and governance platform, was deployed initially as a read-only discovery layer, which meant no existing agent or application needed to be changed or taken offline. Within hours of deployment, its lightweight sensors began passively observing network traffic across HHS's cloud and on-premises infrastructure, identifying agent behavior without intercepting or storing any protected health information.
At the same time, Aegis pulled agent inventory from HHS's cloud accounts across 14 AWS and three Azure environments, and cross-referenced that data against endpoint activity and code repositories. This multi-source approach surfaced agents that cloud infrastructure scans alone would have missed, including developer tools running on staff laptops and 54 agents written into code but not yet deployed to production.
By Day 4, Aegis had produced a complete inventory of 847 agents. Each one was classified, risk-scored, and mapped to the systems it could access. For the 89 agents with access to Medicare and Medicaid member records or National Institutes of Health patient datasets, Aegis automatically generated recommended HIPAA compliance policies. Applying those policies required no changes to the agents themselves, because enforcement ran at the infrastructure layer, sitting between each agent and the data it could reach.
Implementation and Investment
Implementation ran in three phases. In the first week, Aegis's discovery layer was activated across HHS's cloud environments, endpoint activity monitoring was connected, and HHS's code repositories were scanned for agents not yet in production.
Over the following two weeks, the full agent inventory was assembled and risk-scored, and HIPAA compliance policies were generated for all 89 agents with access to protected health information. HHS's security team reviewed and approved 83 of those policy assignments directly. The remaining six were escalated for additional data governance review.
Full enforcement of the policies went live on Day 47. When the OIG audit arrived, Aegis generated the complete AI agent documentation package from its audit trail and delivered it to HHS Compliance in four hours.
“We had four separate audit flags telling us AI agents were a risk we couldn’t quantify. In 72 hours, Aegis gave us the answer no manual process could have produced in 90 days. What made it viable for a federal environment was the zero-instrumentation approach — we didn’t have to ask 28 divisions to change their code to get a complete picture. We went into the OIG review with a 100% agent inventory and a signed audit trail. That’s not something we’ve been able to say about any other technology category.”
— Deputy CISO, U.S. Department of Health and Human Services
Replicability
The HHS deployment demonstrates that Aegis’s zero-instrumentation discovery approach is viable in highly decentralized environments where centrally mandating code changes to existing agents is not operationally feasible. Federal agencies and large state government bodies with distributed IT estates and upcoming AI audit requirements should note that the discovery-first, enforcement-second deployment model can deliver a complete agent inventory before any governance policy is applied — making the approach compatible with phased procurement and change management constraints.
Elantis is an awardee of TXShare’s Artificial Intelligence (AI) Governance, Compliance, and Enablement Platform cooperative contract. To learn more about Elantis and explore the contract, visit Civic Marketplace.







