At a Glance
The Challenge: Scaling a HIPAA-regulated AI Imaging Suite without Scaling the Team
CloudGeometry has supported Nanox's AI imaging suite for five years. Developers on the engagement have built and operated the systems that collect X-ray and CT images from dozens of hospitals and imaging centers, store and preprocess that imagery in a HIPAA-compliant AWS environment, run it through Nanox's proprietary AI models, and return results — both text findings and processed images — to the medical professionals on the receiving end. The system is PHI-adjacent at every stage: HIPAA controls and the obligation to keep them current were a structural constraint, not an afterthought.
Two pressures had been growing on the engagement:
— Heterogeneous-facility integration tax. Every new hospital or imaging center brought its own CRM, its own imaging system, and its own data conventions. Onboarding a new facility required dedicated engineering work — read the source system, normalize the data, validate the integration end-to-end, prove the HIPAA boundary held. The cost was bounded per site but it scaled linearly with the installed base, and the installed base was growing.
— Sprint-cadence ceiling on feature work. Adding features — both system-wide capabilities and per-client adaptations — ran on traditional 2-to-4 week sprint cycles. The cadence was disciplined and the work shipped, but it was a hard ceiling on how quickly Nanox could respond to product opportunities and customer-specific requirements. The engineering team was twelve people deep, and sustaining the cadence either meant holding that headcount or growing it as the system grew.
The decision was to test whether AI-MSL — applied to a real, live, regulated production system — could break both ceilings without breaking HIPAA.

The AI-MSL Approach
CloudGeometry transitioned the Nanox engagement from Managed Development Services to AI-MSL on the customer's existing HIPAA-compliant AWS infrastructure. The transition preserved the regulatory posture from day one — same control plane, same audit boundary, same accountable owner. Three structural changes defined the new operating model:
AppGraph Captured the Imaging-suite System Intelligence
The data flows, the integration topology across the dozens of source facilities, the preprocessing pipelines, the AI-model invocation paths, the result-return paths, and the PHI-adjacency boundaries were modeled into AppGraph as the canonical shared context for every change. Tribal knowledge that previously lived with the senior staff was made explicit and reusable.
Technical Account Manager-driven Requirements Intake
The Technical Account Manager (TAM) became the front door for new feature requests and per-client adaptations — capturing requirements in plain language, routing them through the product layer, and into the AI-MSL development flow. The role replaced the traditional sprint-planning ceremony as the requirements-shaping step.
AI Lifecycle Engineer in Supervise-and-Approve Mode
The AI Lifecycle Engineer assigned to the account is the human gate, not the implementer. AI-MSL produces the spec, the code, the tests, and the deployment artifacts; the AI Lifecycle Engineer reviews, approves, and signs off at every governance gate, with HIPAA-aware controls preserved across every transition.
The result is an engagement that runs end-to-end through the AI-MSL governed lifecycle on a regulated production system, with three operators (two engineers and a QA manager) where twelve previously stood.

The Outcome
— The engineering team scaled from 12 to 2 engineers plus 1 QA manager. Three people, on the same workload, on a regulated PHI-adjacent system. The cost line collapsed materially while delivery quality and HIPAA posture held.
— Heterogeneous-facility integrations are now automated through the AI-MSL flow. The integration work that previously required dedicated engineering on every new hospital or imaging center — reading the new CRM, mapping the new imaging system, validating the data flows, proving the HIPAA boundary — is now produced through the AI-MSL flow under human approval gates. The TAM captures the new facility's specifics; AI-MSL produces the integration spec, the implementation, and the test coverage; the AI Lifecycle Engineer reviews and approves.
— Feature cadence compressed from 2–4 week sprint cycles to 2–3 days. System-wide features and per-client adaptations both move through the same flow at the same pace. The TAM enters the requirement, it travels to product and dev, and it ships once the AI Lifecycle Engineer approves the gates.
— HIPAA audit passed without findings. The audit followed the AI-MSL transition. No findings is the strongest available signal that the regulatory posture was preserved through the change in operating model — not weakened, not deferred, not patched after the fact.
The Lesson Learned
Final integration testing with downstream internal systems is not fully automated by AI-MSL. The framework generates the integration test suites — and that part works — but the actual execution of those tests, and the manual fixes that surface when something fails against an internal system that AI-MSL doesn't fully model, still required QA and developer hands.
The lesson, internalized into how CloudGeometry now scopes AI-MSL engagements: AI-MSL excels at code generation, structured specification, and test scaffolding. End-to-end integration testing into customer-controlled internal systems remains a human-in-the-loop step. The QA manager and senior-developer safety net is non-negotiable in production-grade health-technology engagements where downstream-system behavior is not fully observable from the AI-MSL flow.
This reinforces the principle that defines AI-MSL: AI executes; humans supervise. Final-mile integration validation is one of the supervised steps, and the operating model is built around that fact rather than wishing it away.

Reference Availability & Next Steps
Reference contact: VP of R&D, Nanox — confirmed available for a direct reference call about CG’s AI-MSL engagement, the HIPAA-compliance posture, and the operating-model transition outcomes.
— Engagement model: AI-MSL Managed (transitioned from Managed Development Services)
— Engagement duration: 5+ years, ongoing
— Regulatory posture: HIPAA-compliant AWS infrastructure · PHI-adjacent · audit passed without findings post-transition.
Talk to Nanox's VP of R&D about CloudGeometry's AI-MSL delivery
Schedule a System Intelligence Assessment for your imaging or regulated-data system
Compliance & Governance Posture
— Regulatory framework: HIPAA (US) — controls maintained throughout the AI-MSL transition; audit passed without findings.
— Infrastructure: HIPAA-compliant AWS environment (customer-owned control plane).
— PHI scope: PHI-adjacent — the AI-MSL flow operates within Nanox's regulatory boundary; controls were preserved at the transition rather than re-engineered.
— Governance gates: Technical Account Manager (requirements intake) · AI Lifecycle Engineer (architecture / implementation / deployment approval) · QA manager (final-mile integration validation).
— Audit-trail traceability: every change carries the AI-MSL spec, generated code, test outputs, and human approval log — the artifact required by health-technology auditors is generated as part of the flow, not assembled retroactively.


