AI Control Plane · Patent Pending

Three Gates

Every AI request is classified, authorized, and routed before reaching a model. Detected sensitive values are tokenized before any model invocation, and every decision is captured in an immutable audit trail.

Healthcare available today · Government, legal, and financial verticals on the roadmap

Executive Summary

Regulated industries want AI. The architecture has to come first.

Three Gates is an AI control plane built for regulated industries.

Three sequential checks (Data Reality; Purpose & Authority; Risk-Based Routing) run on every request before any model is invoked. Detected sensitive content is tokenized in transit; the model receives content structurally aligned with the Safe Harbor de-identification standard. Every decision is captured in an immutable audit trail with 7-year retention.

Architecture

The Three-Gate Pipeline

Sequential. Pre-submission. Auditable. Classification, authorization, and tokenization occur before model invocation.

GATE 1: DATA REALITY

What is this data, really?

Multiple independent layers contribute to detection coverage across HIPAA identifiers, healthcare-specific codes, and domain-extensible markers for other regulated industries.

  • File screening across common document and image formats
  • Tuned for healthcare vocabulary to reduce false positives
  • Defense in depth, with graceful fallback

GATE 2: PURPOSE & AUTHORITY

Is this user allowed to do this?

Policy evaluates user role, task context, and data classification together. Detected sensitive values are replaced with typed semantic tokens before model invocation, and an independent verification layer confirms the request is safe before anything is routed.

  • Downstream tools can be invoked without exposing raw values
  • Test policies safely before production rollout
  • Each decision is captured for audit replay

GATE 3: RISK-BASED ROUTING

Where is it safe to send?

A composite risk score determines which approved model or provider a request is eligible for, or blocks the request entirely. Organization-scoped allowlists, health-aware routing, and concurrency controls run underneath.

  • Vendor-independent and deployment-agnostic
  • Per-tenant controls on throughput and capability
  • Full lineage from request to response
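
The gate sequence described above, as an added example that is not Three Gates code. The regex detectors, the role/task policy table, the `[TYPE_n]` token format, the two-points-per-finding risk score and the model names are all assumptions made for illustration; audit logging is left out.

```python
import re

# Constructed detectors (assumption); the page describes several independent layers.
DETECTORS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "MRN": re.compile(r"\bMRN[:# ]*\d{6,10}\b"),
    "PHONE": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
}
# Hypothetical policy: (role, task) pairs allowed to submit PHI-bearing text.
POLICY = {("clinician", "clinical_note"), ("biller", "claim_review")}
# Hypothetical org allowlist: model name -> highest risk score it may receive.
ALLOWLIST = {"general-model": 2, "hardened-model": 6}

def gate1_detect(text):
    """Gate 1: return (type, value) findings in order of appearance."""
    hits = [(m.start(), kind, m.group()) for kind, rx in DETECTORS.items()
            for m in rx.finditer(text)]
    return [(kind, val) for _, kind, val in sorted(hits)]

def gate2_authorize_and_tokenize(text, findings, role, task):
    """Gate 2: deny unauthorized PHI requests, else swap values for typed tokens."""
    if findings and (role, task) not in POLICY:
        return None, {}
    vault, counts = {}, {}
    for kind, val in findings:
        if val not in vault.values():
            counts[kind] = counts.get(kind, 0) + 1
            vault[f"[{kind}_{counts[kind]}]"] = val
    for token, val in vault.items():
        text = text.replace(val, token)
    # Independent verification: re-scan the output and fail closed on any residue.
    if gate1_detect(text):
        return None, {}
    return text, vault

def gate3_route(findings):
    """Gate 3: composite score (assumed 2 per finding); least-privileged model wins."""
    score = 2 * len(findings)
    ok = [m for m, cap in ALLOWLIST.items() if score <= cap]
    return (min(ok, key=ALLOWLIST.get) if ok else None), score

def process(text, role, task):
    """Run the gates in order; returns (decision, safe_text, model, vault)."""
    findings = gate1_detect(text)
    safe, vault = gate2_authorize_and_tokenize(text, findings, role, task)
    if safe is None:
        return "deny", None, None, {}
    model, _ = gate3_route(findings)
    return ("allow", safe, model, vault) if model else ("block", None, None, {})
```

The vault mapping stays on the caller's side of the model boundary, so a response that mentions `[MRN_1]` can be rehydrated without the model ever having seen the raw value.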

Platform

What's Shipped

PHI AI Readiness Assessment

Free three-module diagnostic, about 30 minutes per employee. Measures four readiness categories: PHI Identification, Safe AI Usage, Policy Awareness, and Incident Response.

  • Baseline-lock scoring (no retake inflation)
  • Anonymized org scorecard at 5+ completions
  • Regulatory language, not product jargon

Employee AI Training Module

Complete training pathway. 5 industry templates, 26 modules, interactive sandbox, versioned content.

  • Open Badges 3.0 digital certificates
  • SCORM / xAPI export to your LMS
  • Compliance evidence packages

Compliance Scorecard

The default landing page for CISOs and compliance leads. Answers “am I compliant?” and “what needs attention?” in ten seconds.

  • Health score & risk events
  • Scheduled PDF reports with email delivery
  • Executive summary with period statistics

AI Chat & Task Library

Freeform chat plus 20+ pre-configured task templates for healthcare workflows.

  • Real-time PHI preview as user types
  • Model selector with org allowlists
  • Run history, lineage, and re-run

API Gateway / Proxy

A drop-in compliance layer for existing applications. Point your app at Three Gates and get full pipeline enforcement before requests reach any model provider.

  • Organization-scoped API keys
  • Works with major model providers
  • Provider credentials kept in your secret store

Browser Extension

Side-panel chat, floating action button on text selection, right-click context menus. Encrypted sessions, 15-minute inactivity timeout.

  • No PHI stored on-device
  • OAuth: Google, Microsoft, Passkey
  • CSP-compliant markdown rendering

Workflow Gallery & Builder

Five pre-built healthcare workflows (PDF extract, clinical note, prior auth, patient comms, claim review). Visual builder with 11 node types.

  • Parallel branches, human review, apply corrections
  • Webhook triggers with API key auth
  • Variable mapping across steps

Configuration Assistant

An AI admin that runs through the same control plane it administers. 25+ tools across read, write, bulk, import/export, and reset operations.

  • Policy simulation and anomaly detection
  • Context-aware help (knows your current page)
  • Weekly digest with compliance insights

Admin Experience Modes

Managed, Standard, Advanced, Assessment tiers. Admins see only the surface area they need, from one-page scorecard to full policy engine.

  • Industry selection during onboarding
  • Navigation filtering per mode
  • Backend access control middleware

How It Works

Assessment first. Platform second.

01

Measure the team

Admin signs up, invites the team, and employees complete the free readiness assessment (three modules, about 30 minutes per employee). Individual scores stay private; an anonymized organizational scorecard unlocks at five completions.

02

Close the gaps

Training modules are available covering each readiness category. Employees complete the content relevant to their gaps; baseline scores stay locked and improvement is tracked separately so the numbers your CISO sees remain honest.

03

Turn on the platform

When you're ready, turn on enforcement where your team actually works: the AI Chat & Task Library, the browser extension, or your existing applications via the API gateway. Same three gates, same audit trail, now enforcing on real requests instead of assessment scenarios.

AI Safety Controls

Safety Controls Built for Healthcare Workflows

Governed AI chat for PHI

Give clinicians and staff an AI assistant where detected PHI is tokenized before the model sees it, with all interactions logged and governed.

  • Inline PHI detection before model invocation
  • Policy-based redaction and warnings
  • Full transcript logging for audit

File & document pipeline

Scan PDFs, DOCX, and XLSX files for PHI before they ever reach your AI models.

  • Streaming file segmentation
  • Pre-ingestion PHI scanning
  • Configurable retention windows

RBAC & approvals

Ensure only the right roles can access PHI-aware workflows, with clear separation of duties.

  • Least-privilege access
  • Role templates for compliance
  • Approval flows for high-risk tasks

Model controls & observability

Route traffic to approved models, track usage, and tie anomalies back to policy actions.

  • Model allowlists per workspace
  • Usage dashboards & alerts
  • Signals for quality & drift

Enterprise

Enterprise-Ready by Design

Three Gates meets organizations where they are. SaaS for teams that want subscribe-first onboarding; customer-hosted deployment for enterprises that need to run inside their own cloud tenant. Same platform either way.

  • Multi-tenant organizations with full role-based access control
  • Enterprise identity & MFA (SAML / SCIM on paid tiers)
  • Customer-managed encryption keys supported
  • Deploy in our environment or yours
  • 7-year immutable audit retention with SIEM-ready export formats
  • White-label theming for healthcare, government, legal, and finance
  • WCAG 2.1 AA accessibility targeted

Three Gates architecture in your environment

Detection, policy enforcement, and auditability layered around your existing systems.

Who It's For

Built for Teams Responsible for Safe AI Adoption

Compliance & security teams

Get visibility into AI usage with the enforceable policies and audit trails you need for HIPAA and internal risk frameworks.

IT & platform teams

Integrate Three Gates into your existing identity, logging, and infrastructure without adding fragile one-off tooling.

Clinical & operations leaders

Give frontline teams an AI surface that enforces the rules at the architectural level, so they can work faster without compromising patient privacy.

Get Started

Three ways to start.

Begin with the free assessment, walk the platform with the team, or apply to the design partner program for direct founder access.

Free Readiness Assessment

Three modules, about 30 minutes per employee. Anonymized organizational scorecard unlocks at five completions. Baseline-locked scoring.


Request a Demo

Walk through the Three-Gate pipeline against your real scenarios. See assessment, training, scorecard, and enforcement end-to-end.


Design Partner Program

Shape the roadmap. Preferred pricing. Direct access to the founder during the design partner cohort.


The product lives at threegates.ai. Three Gates is operated by Hearth and Alloy, Inc.