Bluesight says its new AI assistant cut some hospital drug-diversion analysis from 30 minutes to under one. That speed is useful. In a regulated workflow, it is not the main product.
The main product is a defensible chain from question to evidence to decision.
Bluesight's Prism rollout on Amazon Bedrock AgentCore shows what that chain can look like. Prism Assistant launched inside the company's ControlCheck software in May and is now used by 20 health systems. A broader agent is being built to coordinate purchasing, shortage, and 340B compliance data across multiple products.
The operator lesson is simple: a regulated agent should be designed as an audit system with a conversational interface—not as a chatbot with compliance added later.
1. Bound the Agent's Authority
Bluesight did not give the model direct access to raw databases. The team wrapped existing product APIs in Lambda functions that returned structured data, then exposed more than 10 ControlCheck APIs through AgentCore Gateway.
AWS says this reduced query latency from five minutes to 10 seconds while keeping business logic in the application layer. The model interprets questions and coordinates tools; the existing system remains the source of operational rules.
That separation is a reusable pattern. Give an agent the smallest set of typed tools it needs. Put authentication, authorization, validation, and transaction limits outside the prompt. Treat every added tool as added authority.
2. Keep Consequential Decisions Deterministic
For Bluesight's planned GPO compliance agent, the model does not decide whether a purchase qualifies for an exception. It gathers evidence and prepares the report. A rule-based pipeline applies 13 evidence signals, priority matching, and configurable time windows.
That architecture draws a bright line: use the model for interpretation and orchestration; use testable logic for the determination that must survive review.
In a three-day AWS engagement, the GPO agent reported 100% invoice discovery and 93% evidence-justification accuracy on synthetic data, above an 85% target. Those are promising development results, not production proof. AWS also says the evaluation suite is being expanded from only 3-15 cases.
3. Make Every Step Reconstructable
The production design uses private network boundaries, request authentication, managed secrets, encryption, and observability. AWS says every agent decision, tool call, and data access is logged.
That trace is not just for debugging. A compliance team needs to reconstruct which sources were consulted, which evidence was accepted, which rule fired, and what the human reviewer did next.
Independent reporting shows why. KFF Health News documented a different vendor's drug-diversion system that failed to flag about five missing-drug instances and other inconsistencies in a months-long fentanyl case. Hospital staff noticed the problem first. The reporting also found that hospitals are not required to publicly disclose use of this software or report AI malfunctions.
The lesson is not that monitoring software is useless. It is that a system without a strong exception and incident trail can make failure harder to see.
Measure the Evidence Loop, Not Just Speed
Bluesight's internal measurements across 20 health systems report recurring reports falling from roughly six hours to 15 minutes, pre-investigation triage from three hours to about 10 minutes, and variance analysis from 30 minutes to under one.
Operators should add three more scorecards:
- Decision quality: false negatives, false positives, evidence coverage, and disagreement with reviewers.
- Control quality: unauthorized tool attempts, policy blocks, stale-data use, and untraceable outputs.
- Recovery quality: time to detect a miss, time to escalate, override rate, and whether one incident improves tests for every customer.
This opens a practical founder opportunity. Regulated industries need evaluation suites, evidence-lineage stores, exception consoles, incident-sharing workflows, and audit exports that sit between models and systems of record.
The Takeaway
Prism's most important contribution is architectural. It treats agentic AI as a bounded evidence workflow: tools gather, rules decide, logs explain, and humans own exceptions.
That is the standard regulated agents will be judged against. The winning product will not be the one that sounds most capable. It will be the one that can show exactly what happened when the answer mattered.
Sources
- AWS and Bluesight architecture case study: https://aws.amazon.com/blogs/machine-learning/building-an-agentic-ai-solution-at-bluesight-with-amazon-bedrock/
- Bluesight Prism launch announcement: https://bluesight.com/news/bluesight-launches-prism-an-ai-platform-built-for-health-systems/
- KFF Health News reporting, republished by Conexiant: https://conexiant.com/internal-medicine/articles/hospital-ai-fails-to-flag-drug-diversion/
