
Hospital AI Leaves the Waiting Room
Artificial intelligence in healthcare often arrives with blockbuster promises. It will discover medicines. Predict disease. Transform patient care. Possibly make the printer work on the first attempt.
AWS and healthcare technology company Bluesight are tackling something less glamorous but enormously expensive: hospital pharmacy compliance.
Bluesight has developed Prism, an agentic AI layer designed to connect information across its pharmacy operations and compliance products. Instead of forcing hospital staff to dig through multiple dashboards, assemble spreadsheets, and manually compare records, Prism can retrieve relevant data, coordinate software tools, and prepare findings through a conversational interface.
The first production feature, Prism Assistant for ControlCheck, launched in May 2026 and is now used across 20 health systems, according to AWS. Bluesight is also developing a more ambitious agent for the federal 340B Drug Pricing Program, with release planned for later in 2026.
This is not an AI doctor. It does not diagnose patients or prescribe medication.
Instead, it attacks the administrative thicket surrounding hospital drug purchases, controlled substances, shortages, and audit preparation. That may sound less cinematic, but hospital compliance teams could consider it a very welcome plot twist.
Why 340B Compliance Creates a Data Avalanche
The federal 340B Drug Pricing Program allows eligible healthcare organizations to purchase outpatient drugs at reduced prices. However, several hospital categories—including Disproportionate Share, children’s, and free-standing cancer hospitals—face restrictions on buying outpatient drugs through Group Purchasing Organization contracts.
An exception may apply when a medicine is genuinely unavailable through an approved non-GPO channel. Proving that exception is where the paperwork monster wakes up.
Compliance teams may need to compare purchasing records with US Food and Drug Administration shortage lists, data from the American Society of Health-System Pharmacists, days-on-hand inventory, back-order reports, and machine-learning shortage forecasts.
AWS says a single covered entity can spend more than 4,000 staff hours annually on this review process. Bluesight’s wider data network spans more than 620 hospitals and could potentially expand beyond 2,000.
That workload does not come from one difficult calculation. It comes from thousands of small checks scattered across different products and data sources.
Was the medicine unavailable? When did the shortage begin? Did the hospital have enough stock? Was the purchase eligible? Does the evidence align with the date on the invoice?
One question quickly becomes thirteen tabs, three dashboards, and a spreadsheet called “FINAL_v7_REAL_FINAL.”
Prism Becomes the Connecting Layer
Bluesight already offers several healthcare products, including ControlCheck, CostCheck, ShortageCheck, 340BCheck, KitCheck, and PrivacyPro. Each handles a different slice of hospital pharmacy operations.
The problem was not necessarily a shortage of data. Hospitals had plenty of it. The problem was connecting the right pieces quickly enough to produce a useful and defensible answer.
Prism acts as an AI layer across Bluesight’s product portfolio. It does not replace every application with one enormous chatbot. Instead, it interprets a user’s request, identifies which tools should handle it, retrieves structured information, and presents the results.
That distinction matters.
Traditional chatbots mainly generate text. An agentic system can take a broader request, select tools, perform multiple steps, and coordinate data from separate services. The user may ask for a report on a suspicious controlled-substance pattern or evidence supporting a purchasing exception. Prism then works through the relevant systems.
Bluesight began with ControlCheck, its controlled-substance monitoring platform. ControlCheck already identifies unusual medication transactions, but staff still had to assemble reports and correlate signals manually.
Prism Assistant adds a conversational interface that can query those records, generate charts, and prepare material for reports. The AI is not inventing a new hospital database. It is helping staff navigate the systems they already use.
A Three-Day Prototype Turns Into a Product
Bluesight and AWS began developing the ControlCheck assistant during an Experience-Based Acceleration engagement in September 2025.
The sprint lasted three days. Eight Bluesight engineers worked alongside seven AWS specialists to create a functioning prototype. The team used Strands Agents with Amazon Bedrock, hosted the application through Amazon Bedrock AgentCore Runtime, and connected more than 10 ControlCheck APIs through AgentCore Gateway.
They also created a frontend that could generate charts and added systems for authentication, monitoring, performance measurement, and cost attribution.
That was the prototype. Production took longer, as production generally does when reality walks into the room holding a clipboard.
Bluesight says it moved from the sprint to general availability in under nine months. AWS argues that a similar exploratory AI project might normally take 12 to 18 months. However, that comparison comes from the companies involved and should not be treated as an independently established industry benchmark.
Still, the development process offers a useful lesson. The team did not treat the prototype as a disposable demo. It built around a virtual private cloud, encryption, authentication, observability, and infrastructure-as-code from the beginning.
In regulated healthcare, “we’ll add security later” is less a strategy and more an invitation to disaster.
The AI Does Not Receive the Database Keys
One of the most important architectural decisions involved what Prism could not access.
Bluesight did not provide the language model with direct access to its raw databases. Instead, engineers wrapped existing ControlCheck API endpoints in AWS Lambda functions. Those functions return structured data designed for agent processing.
The business logic remains inside Bluesight’s application layer. The agent interprets the user’s question, selects an appropriate tool, collects the returned records, and explains the results.
AWS says this design reduced query latency from approximately five minutes to about 10 seconds.
The approach also narrows the agent’s freedom. That is a feature, not a flaw.
An unconstrained model poking around a hospital database would create obvious security, privacy, and reliability risks. Tool-based access gives developers more control over what the AI can request and what each service can return.
Think of the agent as a very fast coordinator. It may know which department to call, but it cannot stroll into the records room and start opening cabinets.
This architecture reflects a broader pattern emerging in enterprise AI. Companies are increasingly placing language models above existing APIs rather than asking them to replace established transaction systems.
The model handles language and orchestration. Traditional software keeps handling permissions, calculations, and business rules.
Not every problem needs to become a prompt.
One Agent Soon Becomes a Team

The upcoming 340B compliance system uses a more elaborate multi-agent architecture.
A coordinating GPO agent receives the task and delegates work to specialized data agents. One retrieves purchase records from CostCheck. Another gathers availability and shortage evidence through ShortageCheck. A third verifies eligibility information using 340BCheck.
The coordinator then collects those findings and prepares an audit-oriented report.
AWS says the planned architecture uses Anthropic’s Claude Sonnet 4.6 as the primary model and Claude Haiku 4.5 for faster operations. Both run through Amazon Bedrock. AgentCore Gateway connects the agents to Lambda-backed tools, while AgentCore Runtime hosts the system inside a virtual private cloud with private subnets.
This is agentic AI in a practical enterprise setting. The agents are not debating philosophy, creating their own goals, or plotting an escape through the pharmacy refrigerator.
They have narrow jobs.
That division of labor could make the workflow easier to test and audit. When an answer looks wrong, engineers can inspect which worker retrieved which evidence and which tool produced it.
A single, all-powerful agent might sound simpler. In practice, separating responsibilities can improve control. It also resembles the way human compliance teams operate: one person finds the invoice, another checks availability, and someone else validates the applicable rule.
The Language Model Does Not Decide Compliance
Here is the smartest choice in the entire project: Bluesight does not ask the large language model to make the final compliance determination.
For the upcoming GPO system, the AI gathers records, coordinates tools, and drafts explanations. A separate deterministic scoring service calculates the result.
That scoring pipeline evaluates 13 evidence signals. It uses priority-based matching and configurable time windows to determine whether the documentation supports an exception.
In other words, the model can help tell the story, but traditional software checks the rulebook.
That separation matters because language models produce probabilistic outputs. Ask the same model a question twice and the wording—and occasionally the conclusion—may change. A hospital audit cannot rely on “the chatbot seemed pretty confident on Tuesday.”
A deterministic service applies the same approved rules to equivalent evidence. Auditors can inspect the inputs, the scoring logic, the relevant time windows, and the resulting decision.
Human teams must still configure those policies. A hospital’s accepted shortage threshold, inventory period, or purchasing window can influence the result.
The system therefore does not eliminate institutional responsibility. It turns policy into repeatable software logic.
That is a more credible use of AI than letting a model improvise regulatory judgments one token at a time.
Security Arrives Before the Confetti
Healthcare organizations cannot evaluate AI solely by asking whether it works. They must also ask where the data travels, who can access it, what gets logged, and whether the system can explain its actions later.
Amazon Bedrock is HIPAA-eligible, and Bluesight operates under a Business Associate Agreement with AWS. AWS says customer data processed through Bedrock is not used to train its foundation models. However, HIPAA eligibility does not automatically make every customer deployment compliant. Organizations remain responsible for configuring and assessing their own systems under AWS’s shared-responsibility model.
Bluesight uses Amazon Cognito for authentication through OAuth2 client credentials and JSON Web Token validation. AWS Key Management Service handles encryption keys. Secrets Manager protects downstream credentials.
AgentCore Runtime separates concurrent sessions, while private subnets and security groups limit network exposure.
Then there is CloudWatch. It records agent decisions, tool calls, data-access events, alarms, and performance metrics.
That log is not merely useful when a server coughs dramatically at 2 a.m. It can help compliance teams reconstruct how the system reached a result.
Which records did it retrieve? Which tools did it call? Which scoring-rule version did it apply?
In regulated AI, the ability to answer those questions may matter as much as speed.
Early Results Look Impressive—with an Asterisk
Bluesight reports significant time savings from Prism Assistant across the 20 health systems currently using the ControlCheck feature.
According to internal company measurements, recurring reports that previously required roughly six hours of manual assembly can now take about 15 minutes—a claimed reduction of 96 percent.
Pre-investigation triage reportedly fell from three hours to approximately 10 minutes. Controlled-substance variance analysis dropped from around 30 minutes to less than one minute.
Overall, Bluesight reports improvements of up to 97 percent for certain report-generation and analysis workflows.
Those numbers are striking. They are also vendor-reported.
The available sources do not provide independent hospital evaluations, detailed study methods, error distributions, or comparisons across different operating environments. The figures should therefore be read as promising early operational measurements, not definitive proof of universal performance.
The upcoming GPO agent produced equally eye-catching test results. During development, it reportedly found 100 percent of relevant invoices and achieved 93 percent evidence-justification accuracy, beating an 85 percent target.
However, those tests used synthetic data. Synthetic scenarios can confirm that tools connect properly and that prepared workflows behave as expected. They cannot fully reveal how the system will respond to missing records, inconsistent drug identifiers, delayed shortage information, local purchasing rules, or disputed cases.
Real hospitals remain undefeated champions of messy data.
Humans Still Own the Hard Decisions
Prism may reduce manual work, but it does not make pharmacy, legal, or compliance professionals optional.
Hospitals will still need to approve policy configurations, evaluate unusual cases, verify data quality, and decide when an automated finding requires escalation.
Before relying on agent-assisted outputs, organizations should compare them with historical purchasing cases and existing human review processes. They should deliberately test awkward examples: incomplete invoices, conflicting shortage reports, changed drug codes, delayed feeds, and cases where experienced reviewers disagree.
Each outcome should preserve the underlying evidence, tool trace, scoring rules, and rule version used at the time.
That process may sound cautious. It should.
Compliance automation fails differently from an ordinary office assistant. A chatbot that summarizes a meeting poorly causes annoyance. A system that incorrectly supports a drug-purchasing exception could create regulatory, financial, and reputational consequences.
Bluesight’s constrained design reduces some of that risk. It keeps deterministic scoring outside the language model and creates audit records for agent activity.
Yet the architecture cannot rescue bad inputs or poorly configured policies. AI can retrieve a shortage record quickly. It cannot guarantee the record was complete, timely, or interpreted under the right local standard.
The technology may remove clerical friction. Accountability stays firmly human.
No matter how agentic the software becomes, it cannot attend the audit wearing a tie and looking apologetic.
The Bigger Enterprise AI Lesson
The Bluesight project illustrates where agentic AI may create its clearest near-term value: complex workflows that involve language, several trusted data systems, repeated manual coordination, and rules that traditional software can enforce.
The system does not rely on one model to know everything. It connects an AI coordinator to established applications through controlled tools.
It also avoids using generative AI for the most sensitive calculation. Deterministic software handles compliance scoring. The language model gathers evidence and explains the result.
That hybrid structure could prove more useful than the popular vision of an autonomous digital employee roaming freely across a company.
Enterprises usually do not need an AI with unlimited initiative. They need one that can perform specific tasks quickly, respect permissions, preserve logs, and stop at clearly marked boundaries.
Bluesight also reused the architecture from its first agent when developing the multi-product system. AWS says the second prototype was connected by the end of its first day, with planned features completed by the end of day two. Again, those development claims come from AWS and Bluesight, but they show the potential value of building a reusable agent platform rather than a parade of disconnected demos.
A successful enterprise agent may be less like a digital genius and more like excellent plumbing.
Nobody throws it a parade. Everyone notices when it works.
Prism’s Next Test Happens in Production

Bluesight plans to release the multi-product GPO prohibition agent later in 2026. The company is expanding its evaluation suite, testing more edge cases, completing the production deployment, and gathering feedback from hospital operators and compliance teams.
Longer-term plans include using the same architecture for 340B material-breach identification, workflow triage, and automated audit preparation.
The real test will not be whether Prism performs well during a tightly managed demonstration. It will be whether the system remains accurate, traceable, and useful when it meets the glorious chaos of production healthcare data.
Can it handle incomplete feeds? Can teams identify errors quickly? Do staff trust the evidence without becoming overconfident in the generated explanation? Do the reported time savings survive broader deployment?
Those questions remain open.
Still, AWS and Bluesight have chosen a sensible direction. They have given the AI a defined operational role, restricted its data access, preserved human control, and kept the decisive compliance logic outside the language model.
That will not generate the same headlines as an AI discovering a miracle drug.
But saving thousands of hours, producing faster investigations, and helping hospitals document purchasing decisions could deliver something equally valuable: software that solves an actual problem.
In enterprise AI, that remains surprisingly refreshing.
Sources
- AWS and Bluesight Build AI for Hospital 340B Compliance — Artificial Intelligence News
- Building an Agentic AI Solution at Bluesight with Amazon Bedrock — AWS Machine Learning Blog
The Kingy Brief
Get The Kingy Brief.
Every week: what launched, what changed price, and what scored well — built on KALI.
Weekly · Double opt-in · Unsubscribe anytime
