The 3verest family · P/04 · The Watch

HEIMDALL
Sovereign AI control plane
Sovereign AI Routing· A new category of infrastructure

Every AI request.Classified. Governed.Routed. Proven.

Heimdall is the sovereign AI control plane for healthcare. It sits between applications and AI models, ensuring every request is policy-compliant, jurisdiction-aware, economically optimised and fully auditable.

Nothing crosses unseen.

Book a briefingRead the architecture
REQUESTPROVEN01Application02Classification03Governance04Routing05Ledger

01 · The missing layer

The AI stack has a missing layer.

Today, healthcare applications connect directly to AI models. A PACS calls a frontier API. A pathology viewer calls a cloud model. Nothing sits between the request and the model, no policy, no jurisdiction, no meter, no record. That direct line is where the risk lives.

TRADITIONAL AI STACKApplicationdirect · unseenAI ModelApplication → Model. Direct. Unseen.HEIMDALL AI STACKApplicationHEIMDALLclassify · govern · route · accountAI ModelApplication → Heimdall → Model. Governed. Proven.

01

Unbounded token costs

Inference is a variable cost inside a fixed-price product. Context size, model verbosity and retry loops make per-task spend a random variable. Margin erodes silently, invoice by invoice.

02

Sovereignty failures

A request leaves the jurisdiction the moment it hits a US-hosted endpoint. Identifiable patient data crosses a border nobody declared, and procurement finds it before the regulator does.

03

Compliance risk

The EU AI Act and the frameworks following it demand logging, traceability and human-oversight evidence for high-risk AI. A direct API call produces none of it.

04

Model lock-in

Wire an application to one vendor’s endpoint and the model becomes load-bearing. Switching means re-integration, re-validation, re-certification, so nobody switches.

05

Version drift

The model you validated at version X silently becomes X+1. In a regulated clinical workflow that is a safety event, not an upgrade, and there is no record it happened.

06

No auditability

When the regulator, the board, or the buyer asks what the AI did, there is no answer. The decisions happened, but nothing recorded them. The evidence does not exist.

Six failures, one root cause: nobody owns the layer between the application and the model. Heimdall is that layer.

02 · Introducing Sovereign AI Routing

The layer between software and intelligence.

Heimdall introduces a category that did not exist: Sovereign AI Routing. It is the control plane that decides, for every single request, what may run, where it may run, on which model, at what cost, with what proof.

Applications never select models.Applications declare intent.Heimdall determines execution.

A radiologist’s viewer does not ask for “GPT-4o in us-east-1”. It declares a task, draft this report, and a data class. Heimdall resolves the rest: the policy that applies, the jurisdiction that binds it, the cheapest compliant model that can serve it, and the immutable record that proves it happened the way it was meant to.

APPLICATIONSdeclare intentHEIMDALLSOVEREIGN AI ROUTINGOwned models
In-region weights on 3verest hardware
Specialist models
Clinical task-tuned models
Frontier models
Resident, via de-identification gate
Human review
Where policy demands judgment
Heimdall determines execution, the application never chose a model

Definition

Sovereign AI Routing (n.), the infrastructure layer that classifies, governs, routes and accounts for every AI request between an application and the models that serve it, under the legal authority of a chosen jurisdiction.

03 · The four decisions

Four decisions, before a single token.

Every request that crosses Heimdall is resolved by four decisions, made in sequence, in under three milliseconds of overhead, and recorded forever.

Each request declares a task class and a data class. An on-gateway PHI detector, a small owned model, no external calls, verifies the claim at recall ≥ 0.995 in under 15 ms. Declared de-identified but detected identifiable, and the request is stopped at the gate.

Two questions, asked at once. The task class names the unit of cognition the application wants performed; the data class declares the sensitivity of what it is sending. The classifier reconciles the declared data class against what it actually detects, the application is never trusted to mark its own homework.

Task classreport.draft · priors.summarise · worklist.triage, the named unit of work
Data classidentifiable · de-identified · synthetic, the sensitivity tier
PHI detectoran owned model running on the gateway, with zero external calls
Reconciliationdeclared vs. detected, any mismatch blocks the request before a token is spent

Mislabelled data is caught at the gate, not in a breach notification.

AC-CL-1 · PHI recall ≥ 0.995 · ≤ 15 ms

Policy is read as sentences a governance lead can sign, not YAML. Residency is not a region toggle; it is the routing logic itself. Evaluation is sub-millisecond, deterministic, and fails closed: when in doubt, nothing runs.

Policy is the contract between the customer and the gate, written so a clinical-safety officer and an information-governance lead can both read and sign it. It is versioned like code, simulated against real traffic before activation, and applied identically to every request, governance you can prove, not governance you hope held.

Plain-languagerules expressed as sentences a governance lead signs, not buried in YAML
Simulatedevery change tested against 30 days of real traffic before it goes live
Dual sign-offhigh-risk changes require clinical safety + information governance
Deterministicthe same request resolves to the same decision, every single time

When the rules are ambiguous, nothing runs. Fail-closed is the default, not an option.

AC-PE-1 · policy decision ≤ 1 ms · fail-closed

Within the sovereign envelope, the router resolves to the cheapest compliant supply: owned distilled models for routine work, specialists for clinical reads, frontier models through a de-identification gate for the hard tail, a human queue where judgment is required. Compliance outranks cost, always.

Routing happens inside the box the policy drew. The router never looks outside the sovereign envelope to save money; within it, it always reaches for the least-expensive supply that still satisfies every rule, and records which rule kept it from going cheaper.

Cheapest-compliantthe lowest cost the policy allows, never the lowest cost outright
Four tiersowned distilled · clinical specialist · resident frontier · human queue
Envelope-boundeda per-task token budget; on breach the router downshifts or escalates
Failoversovereign → sovereign only, never a silent fall-back to foreign supply

Compliance outranks cost on every request. The router cannot save money by breaking policy.

AC-RT-1 · routing ≤ 2 ms · sovereign → sovereign failover

The request lands in an immutable, hash-chained ledger: tenant, task class, model, version, jurisdiction, tokens, latency, outcome, and the exact policy rule that fired. Compliance evidence is generated as exhaust, a six-month documentation project becomes a download.

The final act of every request is to write itself down. One line, sealed to the line before it by a cryptographic hash, capturing not just what happened but why, the exact policy version and the rule that produced the decision. The ledger is the product’s memory, and it cannot be quietly rewritten.

One line per requesttenant · task · model · version · jurisdiction · tokens · latency · outcome · rule
Hash-chainedeach entry seals the last, so any edit breaks the chain and shows
Tamper alerta broken chain raises an alarm within five minutes
Evidence on demandauditor-ready packs rendered per model, jurisdiction or regulation

The audit isn’t assembled after the fact. It already exists, the moment the request completes.

AC-LG-2 · hash-chain verifiable · tamper alert ≤ 5 min

04 · The request lifecycle

One request. Seven movements.

Follow a single inference request, a radiologist asking for a draft report, through the gate. Scroll to advance. Each movement adds microseconds and removes risk.

Scroll to advance →

Step 1

Task Class

The application declares intent, report.draft, not a model. Heimdall resolves the named, versioned task class that carries its own policy, model binding, token envelope and price.

resolve ≤ 0.4 ms

01

Step 2

PHI Detection

An owned on-gateway detector scans the payload for identifiable data, verifying the declared data class. No external call leaves the boundary to make this decision.

recall ≥ 0.995 · ≤ 15 ms

02

Step 3

Policy Evaluation

The applicable policy is evaluated deterministically: permitted task, permitted jurisdiction, permitted model set. Ambiguity fails closed. The rule that fires is captured.

decision ≤ 1 ms · fail-closed

03

Step 4

Model Resolution

Within the compliant envelope, the router selects the cheapest supply that satisfies policy, owned, specialist, resident frontier, or human queue. Compliance outranks cost.

route ≤ 2 ms

04

Step 5

Inference

The request runs on the resolved model. Identifiable payloads bound for frontier models pass a de-identification gate first; sovereign workloads never leave the region.

sovereign-by-default

05

Step 6

Ledger Creation

A single immutable line is hash-chained into the ledger: every input to the decision, every token spent, the latency, the outcome. Tamper-evident, jurisdiction-bound, permanent.

append-only · ≤ 5 min tamper alert

06

Step 7

Evidence Generation

The ledger renders into auditor-ready evidence packs on demand, per task class, per model, per jurisdiction, per regulation. Compliance becomes a download, not a project.

evidence pack ≤ 60 s

07

05 · The sovereignty engine

Residency is not a setting.It is a decision.

Most platforms treat data residency as a dropdown, a region you pick and hope holds. Heimdall makes residency the routing logic itself. The jurisdiction is not where the data is stored; it is the legal authority under which every decision is made.

UKDEAU

Worked example · Germany

Berlin hospital

Request originates in-region

German policy

The jurisdiction’s rules bind it

German-approved model

Resolved from the in-region set

German ledger

Recorded under German authority

German evidence pack

Provable, in-country, forever

Fail-closed

If no compliant model is available in the jurisdiction, the request does not fall back to a foreign one. It does not run at all. Sovereignty that can be silently overridden is not sovereignty, it is a setting. Heimdall fails closed, by design.

06 · The economic engine

Make AI financially predictable.

AI is sold by the token and bought by the study. That mismatch is where healthcare AI margins go to die. Heimdall closes it, turning a variable, unbounded cost into a predictable line on a balance sheet.

WITHOUT HEIMDALLrevenuetoken costmargin collapseWITH HEIMDALLrevenueenvelopepredictable gross margin

Without Heimdall

Fixed revenue

The product is sold on a fixed licence or a per-study fee. Revenue is known and bounded.

Variable token cost

The AI underneath bills by the token, context, verbosity, retries. Cost is unknown and unbounded.

Margin collapse

Fixed revenue minus variable cost equals a margin that erodes with every heavy request. The more the feature is used, the less it earns.

With Heimdall

Task classes

Every unit of AI work is a named class with its own economics, not an open-ended API call.

Envelopes

Each task class carries a token envelope. Exceed it and the router downshifts or escalates, by policy, not by accident.

Budget controls

Per-tenant, per-region, per-task-class budgets enforce spend in real time. The ceiling is set before the bill arrives.

Model routing

The cheapest compliant model serves each request. Owned capacity absorbs the routine; frontier handles only the hard tail.

Predictable gross margin

Variable cost becomes a per-study price, underwritten from ledger data. The variance risk sits with the party able to manage it.

The hyperscalers sell cognition by the token and hope you do not do the maths. Heimdall is the maths, made into a product.

07 · The immutable ledger

Compliance as exhaust.

Most organisations treat compliance as a project, a scramble of screenshots and spreadsheets assembled after the fact. Heimdall produces it as a by-product. Every decision the gate makes writes one immutable line, and those lines assemble themselves into evidence.

RequestPolicyModelVersionJurisdictionTokensLatencyOutcomeEVIDENCE PACKhash-chained · append-only · jurisdiction-bound

Every decision. Every model. Every version. Every token. Recorded forever.

The ledger is append-only and hash-chained: each line seals the one before it, so a record cannot be altered without breaking the chain, and a broken chain raises an alert within five minutes. The evidence does not need to be gathered. It already exists.

AC-LG-2 · Append-only · hash-chained · jurisdiction-bound · tamper alert ≤ 5 min

08 · Platform architecture

The whole gate, in one view.

Heimdall is one control plane assembled from twelve cooperating subsystems. The request enters at the Gateway and leaves as a sealed ledger line. Everything between is policy, supply and proof.

Ingress plane

Where the request enters

Gateway

AC-GW

Single endpoint in front of every model. Terminates, authenticates and meters every request.

Decision plane

Where the four decisions are made

Classifier

AC-CL

On-gateway PHI and task-class detection. Owned model, no external calls.

Policy Engine

AC-PE

Deterministic, fail-closed evaluation of jurisdiction, task and model permissions.

Router

AC-RT

Resolves the cheapest compliant supply within the sovereign envelope.

Envelope Engine

AC-EN

Enforces per-task token budgets; downshifts or escalates on breach.

Supply plane

Where inference is served

De-identification

AC-DI

Strips identifiers before any payload reaches a non-sovereign model.

Model Registry

AC-MR

Catalogues every routable model, provenance, jurisdiction, eval history, pinned versions.

Bifrost

AC-BF

Owned sovereign inference. In-region weights on 3verest GPU capacity.

Evidence plane

Where proof is produced

Ledger

AC-LG

Append-only, hash-chained record of every decision and token.

Governance

AC-GV

Policy Studio: plain-language policy, simulation, dual sign-off, versioning.

Billing

AC-BL

Turns ledger data into per-study prices, envelopes and tenant invoices.

Evidence

AC-EV

Renders ledger lines into auditor-ready evidence packs on demand.

Hover a subsystem

09 · Platform capabilities

Six pillars. One control plane.

Everything Heimdall does resolves into six capability pillars, each a column of guarantees a CIO, CISO or information-governance lead can hold the platform to.

Governance

  • Plain-language policy (Policy Studio)
  • Simulation against 30 days of real traffic
  • Dual sign-off, clinical + IG
  • Versioned, attributed policy history
  • Fail-closed enforcement

Routing

  • Intent-based model resolution
  • Cheapest-compliant supply selection
  • Owned / specialist / frontier / human tiers
  • Per-task token envelopes
  • Deterministic ≤ 2 ms routing

Sovereignty

  • Jurisdiction as routing authority
  • In-region weights (Sovereign tier)
  • Sovereign → sovereign failover only
  • De-identification gate for frontier
  • Per-task-class residency

Economics

  • Per-study / per-slice pricing
  • Budget controls by tenant + region
  • Capacity blocks (capex-shaped)
  • Volume tiers
  • Underwritten from ledger data

Compliance

  • Immutable hash-chained ledger
  • Auditor-ready evidence packs
  • EU AI Act / UK / AU alignment
  • Version pinning for certification
  • Tamper alert ≤ 5 min

Operations

  • Single endpoint, drop-in deployment
  • Gateway-only / Forge / full-cloud
  • No re-certification between shapes
  • Real-time cognition dashboard
  • 21-region sovereign footprint

10 · Use cases

One gate. Every healthcare AI journey.

The same control plane serves the OEM shipping AI inside a product, the hospital governing what it has bought, and the agent infrastructure orchestrating both. Each declares intent; Heimdall resolves the rest.

Healthcare AI OEM

Vendor

Ship AI inside a fixed-price product without shipping an unbounded cost. Per-study economics, sovereignty controls and an audit trail your buyer’s procurement team will ask for.

viewer.report.draft → classify → UK policy → owned specialist → £-per-study → ledger

Healthcare Provider

Hospital

Govern every AI request that leaves your estate, across every vendor, under one policy, one ledger, one evidence pack. Control what you have already bought.

any-AI-call → classify → trust policy → approved model → budget → evidence

Digital Pathology

Imaging

Gigapixel slides, heavy inference, strict residency. Route per-region analysis to in-country models, price per slice, and prove every read stayed onshore.

slide.region.analyse → classify → DE policy → in-region model → per-slice → ledger

Radiology

Imaging

Draft reports and summarise priors at validated, version-pinned quality, with the model frozen for the certification lifetime, not silently upgraded mid-workflow.

report.draft / priors.summarise → classify → policy → cheapest-compliant → per-study

Clinical Documentation

Encounter

Ambient and structured documentation over identifiable data, kept sovereign by default, metered per encounter, recorded for every note generated.

note.ambient.draft → classify (PHI) → policy → sovereign model → budget → ledger

AI Agent Infrastructure

Orchestration

Give autonomous agents a governed substrate. Every tool call and model step is classified, permitted, budgeted and recorded, agency without blind spots.

agent.step → classify → policy → resolve → envelope → ledger (per step)

11 · Why 3verest

Built by the company already operating sovereign healthcare infrastructure globally.

Sovereign AI Routing is not a feature a generalist can bolt on. It requires owning the compute, knowing the regulation, and already standing inside the healthcare estate. 3verest does.

01

Healthcare-only focus

Every line of the platform is built for one industry. No generic cloud retrofitted to clinical reality, clinical reality is the design brief.

02

Global sovereign cloud

A sovereign footprint across the UK, EU, Australia, US and Canada. Heimdall routes to capacity 3verest owns, not capacity it rents.

03

Bifrost sovereign AI

Owned, in-region inference behind the gate. The only way to promise version stability for a certification lifetime is to own the weights and the hardware.

04

Deep regulatory expertise

The EU AI Act, UK GDPR and NHS frameworks, the Australian Privacy Act, encoded as routing logic, not bolted on as disclaimers.

05

Existing OEM ecosystem

Already co-selling with the imaging and clinical-systems vendors whose AI Heimdall governs. The ecosystem is in place, not aspirational.

Nothing crosses unseen.

Heimdall gives healthcare organisations control over every AI decision before it happens. Book an executive briefing and see a request move through the gate.

Book Executive BriefingRead the architecture

Heimdall · Sovereign AI Routing · a 3verest platform