Platform / Architecture / AVA™ · v2.0 - AWS Bedrock + SageMaker

Three stages of agentic AI over the JIL detection layer.

JIL operates a three-stage analytical pipeline above the Tier 1 detection layer of JIL L1. AVA™ organizes Tier 1 findings into customer-readable form on Amazon Bedrock managed inference. AVA™ Pro is the agentic litigation-preparation layer: multi-agent orchestration that combines Bedrock Agents with self-hosted SageMaker LoRA-adapter inference for the specialized roles. AVA™ Pro+ is the final lock-down phase that produces filing-ready CREB™ bundles for customer counsel or referral agencies. Federal and CMS workloads run in AWS GovCloud (US-West) for FedRAMP High coverage; commercial MCO workloads run in AWS commercial regions under FedRAMP Moderate. All three stages process Protected Health Information under the AWS Business Associate Addendum. Every architectural decision flows from that fact.

  • 6 specialized agents - all on real Bedrock
  • 295s end-to-end case - verified live 2026-05-21
  • FRE 902(14) self-authenticating - CourtChain™ anchored
  • 2yr replay window - bit-identical, temperature 0

The cost of doing this without AVA™

Before AVA™: 18 months. $5M in fees. One case.

A typical FCA case against a large vendor takes 18+ months and $3-7M in counsel + expert + investigator fees before a single complaint is filed. AVA™ produces the same court-portable evidence bundle in under 5 minutes for a fraction of a percent of that cost. Then you decide whether to file.

Without AVA™

The traditional path

  • 6-9 months to investigate, sweep claim history, and identify pattern signatures by hand
  • 3-6 months to map findings to controlling statutes + element-by-element with outside counsel
  • 2-4 months on damages methodology with a forensic-accounting expert
  • 2-3 months drafting the memo + assembling the evidence bundle
  • $3-7M in fees before the complaint is filed
  • No replay capability - reasoning lives in counsel's head + emails, not in a verifiable chain

With AVA™ Pro

The agentic path

  • 52s Investigator builds the pattern-signature catalog
  • 65s Theorist maps to statutes element-by-element
  • 80s Adversary names every defense + counter-evidence required
  • 73s Damages Quantifier emits 4 methodologies with 95% CIs
  • 50s Drafter + Auditor seal the CREB™ bundle
  • ~$0.14 per case in Bedrock inference - bit-identically replayable in 2yr

From 18 months to 295 seconds. That's the WOW.

Section 01d - Meet the agents

Six specialists. One court-ready chain.

Each agent has one job. Each output is the next agent's input. Each reasoning chain is hashed before the next agent starts. The result: a CREB™ (Court Ready Evidence Bundle) that a defense expert can replay bit-identically two years from now.

  • 1 - INVESTIGATOR - Sonnet 4.6
  • 2 - THEORIST - Sonnet 4.6
  • 3 - ADVERSARY - Sonnet 4.6
  • 4 - DAMAGES - Sonnet 4.6
  • 5 - DRAFTER - Haiku 4.5
  • 6 - AUDITOR - Haiku 4.5

CourtChain anchor between each stage

AGENT 1 Claude Sonnet 4.6 · ~52s · ~8 reasoning steps

Investigator

Job: Sweep the vendor's historical claim record. Build the evidentiary base layer.

Reads tokenized flagged claims + JIL Tier-1 signal codes (upcoding suspect, frequency anomaly, premise mismatch, etc.). Cross-references against the vendor's full claim history to compute base rates. Produces a structured set of pattern signatures with confidence per signature + the supporting evidence references.

Output contract: pattern_signatures[] + flagged_cohort_summary + chain_of_custody_evidence_refs[]. JSON schema enforced; if the model deviates, the orchestrator retries once then surfaces the failure to the Auditor.

AGENT 2 Claude Sonnet 4.6 · ~65s · ~4 reasoning steps

Theorist

Job: Map the Investigator's pattern signatures to statutory elements. Propose viable legal theories.

Walks the federal False Claims Act (31 USC §3729), Anti-Kickback Statute (42 USC §1320a-7b), Stark Law (42 USC §1395nn), state Medicaid fraud statutes, ERISA fiduciary breach, civil RICO. For each candidate theory: cite the controlling statute element-by-element, identify the supporting pattern signatures, score the strength of the link, list the evidentiary gaps.

Output contract: proposed_theories[] with statute citations + element mapping + strength score + open evidentiary gaps. Theory selection is the Theorist's call; downstream agents inherit and stress-test.

AGENT 3 Claude Sonnet 4.6 · ~80s · ~6 reasoning steps

Adversary

Job: Red-team the case. Anticipate every defense the vendor's counsel will raise.

For each Theorist-proposed theory: name the most plausible defense ("good-faith reliance on coding software", "absence of materiality post-Escobar", "intervening cause", "statute of limitations defense"). Rate the rebuttal strength honestly. List the specific counter-evidence required to defeat it (not "more documentation" - "Q3 2024 internal coding audit memos"). Identify the weakest link in the case overall.

Output contract: defense_scenarios[] with rebuttal_strength: strong|moderate|weak + counter_evidence_required[] + weakest_link_analysis. The Adversary is paid to be honest about weak rebuttals; the Drafter decides what to drop.

AGENT 4 Claude Sonnet 4.6 · ~73s · ~9 reasoning steps

Damages Quantifier

Job: Produce damages under multiple methodologies with statistical confidence intervals.

Four methodologies: extrapolation (flagged-cohort rate applied to full claim universe), unit-of-overpayment (sum the flagged set only - most conservative), benefit-of-bargain (paid minus what would have been paid for the actual service rendered), disgorgement (all vendor profit derived from the misconduct - broadest). Every methodology carries a 95% confidence interval and the explicit assumptions. Treble damages flag set only if a Theorist-cited statute allows it.

Output contract: calculations[] with amount_usd_cents + confidence_interval_95 + assumptions[] + treble_damages_eligible + recommended_methodology. Integer cents; no float drift in the audit chain.

AGENT 5 Claude Haiku 4.5 · ~17s · ~6 reasoning steps

Drafter

Job: Compose the investigative memo + the CREB™ bundle structure.

Reads the prior four agents' outputs as structured JSON. Composes the case theory summary, key evidence references, defenses anticipated, damages methodology, recommended action. Estimates the page count and exhibit count of the resulting CREB™ bundle. Returns artifact placeholders for the orchestrator to sign and persist - actual long-form rendering happens in the CREB renderer at filing time.

Output contract: investigative_memo_artifact_id + creb_bundle_artifact_id + honest page_count and exhibit_count estimates. Haiku because long-form generation at this stage is heavy-output / moderate-reasoning - ~3x cheaper per token than Sonnet, sufficient quality.

AGENT 6 Claude Haiku 4.5 · ~33s · ~7 reasoning steps

Auditor

Job: Walk the entire chain. Verify integrity. Hold the seal until the chain passes.

Validates every prior agent's output schema. Verifies the SHA-256 hash chain (each agent's result_hash_sha256 referenced by the next). Identifies evidentiary gaps that downstream counsel will need to close. Scores chain integrity: clean (seal), minor-gap (seal with marker), major-gap (hold for human review). The Auditor's go-no-go gates the CREB™ seal - no auditor approval, no court-portable bundle.

Output contract: chain_integrity_findings[] + evidentiary_gaps[] + overall_severity: clean|minor|major + seal_decision: yes|hold. The seal decision is the last action before CourtChain™ anchoring.
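
The hash-chain walk the Auditor performs, sketched as an added example (not JIL's code). The field `prev_result_hash_sha256`, the genesis value, the canonical-JSON encoding, the rule that any integrity finding is "major", and all sample values are assumptions made for illustration; `result_hash_sha256`, `amount_usd_cents` and the output-contract keys are the page's.

```python
import hashlib
import json

# The five agents whose results the Auditor walks, in the page's canonical order.
ORDER = ["investigator", "theorist", "adversary", "damages", "drafter"]
GENESIS = "0" * 64  # assumption: predecessor value used for the first link


def reject_floats(obj, path="$"):
    """Refuse floats so re-serialization cannot drift (the page mandates integer cents)."""
    if isinstance(obj, float):
        raise TypeError(f"float at {path}: use integers (e.g. amount_usd_cents)")
    if isinstance(obj, dict):
        for key, value in obj.items():
            reject_floats(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            reject_floats(value, f"{path}[{i}]")


def digest(agent, output, prev_hash):
    """SHA-256 over a canonical encoding: sorted keys, fixed separators, ASCII only."""
    body = {"agent": agent, "output": output, "prev_result_hash_sha256": prev_hash}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"), ensure_ascii=True)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def seal_result(agent, output, prev_hash):
    """Bind one agent's output to its predecessor's hash."""
    reject_floats(output)
    return {"agent": agent, "output": output, "prev_result_hash_sha256": prev_hash,
            "result_hash_sha256": digest(agent, output, prev_hash)}


def build_chain(outputs):
    """Seal each agent's output in canonical order, linking every result to the last."""
    chain, prev = [], GENESIS
    for agent in ORDER:
        link = seal_result(agent, outputs[agent], prev)
        chain.append(link)
        prev = link["result_hash_sha256"]
    return chain


def audit_chain(chain, evidentiary_gaps=()):
    """Walk the chain; any integrity finding is treated as major (assumption)."""
    findings, prev = [], GENESIS
    if len(chain) != len(ORDER):
        findings.append(f"expected {len(ORDER)} results, got {len(chain)}")
    for expected, link in zip(ORDER, chain):
        if link["agent"] != expected:
            findings.append(f"{expected}: out of canonical order, found {link['agent']}")
        if link["prev_result_hash_sha256"] != prev:
            findings.append(f"{expected}: does not reference predecessor hash")
        recomputed = digest(link["agent"], link["output"], link["prev_result_hash_sha256"])
        if recomputed != link["result_hash_sha256"]:
            findings.append(f"{expected}: content does not match result_hash_sha256")
        prev = link["result_hash_sha256"]  # keep walking so later links are judged on their own
    severity = "major" if findings else ("minor" if evidentiary_gaps else "clean")
    return {"chain_integrity_findings": findings,
            "evidentiary_gaps": list(evidentiary_gaps),
            "overall_severity": severity,
            "seal_decision": "hold" if severity == "major" else "yes"}


# Constructed sample outputs; values are illustrative, not real case data.
SAMPLE = {
    "investigator": {"pattern_signatures": [{"code": "upcoding_suspect", "confidence_bp": 9100}]},
    "theorist": {"proposed_theories": [{"statute": "31 USC 3729", "strength_bp": 7800}]},
    "adversary": {"defense_scenarios": [{"defense": "statute of limitations",
                                         "rebuttal_strength": "moderate"}]},
    "damages": {"calculations": [{"method": "unit-of-overpayment",
                                  "amount_usd_cents": 48213377}],
                "treble_damages_eligible": True},
    "drafter": {"page_count": 42, "exhibit_count": 17},
}

if __name__ == "__main__":
    chain = build_chain(SAMPLE)
    print(audit_chain(chain)["seal_decision"])
    chain[3]["output"]["calculations"][0]["amount_usd_cents"] += 1  # one-cent edit
    print(audit_chain(chain))
```

Editing an output in place breaks that link's own hash; re-sealing the edited result instead breaks the next link's predecessor reference, so either change is caught at a specific agent.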

Replay fidelity

Every agent run is bit-identically replayable.

Temperature 0. SHA-256-pinned system prompt. Cross-region inference profile for Bedrock capacity resilience. The ModelCard inside each AgentResult records the exact model id, the prompt hash, the AWS region, the input/output token counts. Two years from now, with the same model id available on Bedrock, the same prompt hash, and the same tokenized input, the call replays bit-identically. That replay capability is what makes the FRE 902(14) self-authentication claim hold up against a defense expert.

✓ Verified live 2026-05-21

End-to-end orchestrator smoke test executed against AWS Bedrock in account 703671905634, region us-east-2. All six agents completed in canonical order. Final anchor hash: ac95c05b1d36850b.... Total time: 295 seconds. CourtChain™ seal: sealed-pro.

Fig. 01 - JIL Sovereign customer flow · AVA™ pipeline on AWS

In plain English

What AVA™ does for you.

AVA™ is the AI layer that turns thousands of suspicious data points into a story a human can read, then (one tier up) into a court-ready evidence bundle a lawyer can file. The page below has the technical detail. This section is the short answer for non-technical readers.

If you're a fraud investigator

You give AVA™ a name, a network, or a payment stream. It reads the JIL detection findings and writes you a one-page memo that says 'here's what's happening, here's the evidence chain, here's where the holes are.' You can keep using the cheap stage to triage cases and only escalate the ones that look real to the next stage.

If you're general counsel or outside counsel

AVA™ Pro runs five specialist AI agents in sequence (Investigator > Theorist > Adversary > Damages > Drafter) and stops at an Auditor agent that flags any gaps. You get a litigation-ready package: legal theory, controlling authority, anticipated defenses, damages methodology, draft memo. You review and sign; AVA™ Pro doesn't file anything for you.

If you're an MCO SIU lead

Use AVA™ to convert your existing claim-flag pipeline into customer-readable case files at near-zero marginal cost. Use AVA™ Pro on the cases you decide to refer to the state Medicaid Fraud Control Unit (MFCU) or to outside counsel - the CREB™ bundle satisfies what most state MFCUs ask for in a referral packet.

If you're a CISO / compliance officer

All inference runs on Amazon Bedrock + SageMaker inside your AWS Business Associate Addendum coverage. PHI is tokenized via AWS KMS / CloudHSM before reaching any model. Every model call is logged to CloudTrail + anchored to JIL's CourtChain™ audit ledger. The pipeline is bit-identically replayable two years later for an OCR audit.

If you're a CFO

AVA™ = pennies per case (Bedrock managed inference). AVA™ Pro = dollars per case (Bedrock + SageMaker, multiple agents). AVA™ Pro+ = per-output filing-ready CREB™ bundle, comparable to a single outside investigator workup. You decide per case which stage to stop at.

If you're a state MFCU or referring agency

The CREB™ bundle AVA™ Pro+ produces is designed to satisfy FRE 902(14) for self-authenticating electronic records. A court-appointed expert can verify the chain of custody and the cryptographic signatures without a JIL fact witness at trial. Most state MFCUs accept the same standard. Sample bundle at /samples/verdict-record.

Section 01c - Definition

What we mean by Agentic AI.

"Agentic AI" is one of the most overloaded terms in 2026. Vendors use it for everything from chatbots to autoscaling scripts. Here is what it means inside JIL Sovereign, precisely.

Definition

Agents are role-specialized AI workers that act in sequence over a goal, each producing a structured artifact the next consumes, with every step auditable.

Three properties, all required:

  • Role-specialized. Not one mega-prompt. Each agent has a single narrow job (find evidence; map it to a statute; red-team the case; quantify damages; draft the memo; audit the chain). The prompt is locked + hashed; the output schema is rigid.
  • Sequential, coordinated. Agents run in a fixed canonical order. Each agent's output becomes the next agent's input. The orchestrator is plain code, not another LLM - no LLM-coordinating-LLMs hand-waving. Failure or low confidence on any agent halts the pipeline.
  • Auditable. Every agent invocation produces a SHA-256-hashed reasoning chain, anchored to JIL's CourtChain™ audit ledger before the next agent starts. The whole pipeline is bit-identically replayable two years later.

If a system is missing any of these three, it's not what JIL means by Agentic AI - it's an LLM with a label.

What it is NOT

Agentic AI is not a chatbot, not RAG, not "AI tools".

To draw the line cleanly:

  • Not a chatbot. No human in the loop sending free-form messages mid-pipeline. Each agent runs once per case, takes a structured input, returns a structured output, and exits.
  • Not just RAG. Retrieval-augmented generation is one technique an agent uses (the Theorist retrieves controlling case law from the legal corpus). But "RAG" alone - one LLM + one vector store - is not agentic. Agentic adds role specialization + cross-checking + audit anchoring on top.
  • Not "AI tools" or "AI features". Agentic means the AI drives the workflow - it decides which legal theories to propose, which defenses to anticipate, which damages methodology to recommend. A human counsel reviews; the AI doesn't wait for instructions at each step.
  • Not autonomous. The Auditor agent is a hard gate. If it flags a "blocker" gap, the bundle does not seal. A human reviewer must clear the gap before AVA™ Pro+ produces the filing-ready CREB™.

Models JIL uses today (Phase 2, live)

| Agent role | Model | Provider / hosting | Why this model | Stage status |
|---|---|---|---|---|
| Investigator | Anthropic Claude Sonnet 4.6 | Amazon Bedrock us.anthropic.claude-sonnet-4-6 | Heavyweight reasoning over claim sweep + pattern recognition; strong at structured extraction across long inputs | LIVE on Bedrock |
| Theorist | Anthropic Claude Sonnet 4.6 | Amazon Bedrock us.anthropic.claude-sonnet-4-6 | Statutory-element decomposition, controlling-authority citation, no-hallucination reasoning | LIVE on Bedrock |
| Adversary | Llama 4 / DeepSeek R1 class with LoRA | Amazon SageMaker (G6 / P5 / P4 GPU) + LoRA adapter per case theory (FCA, AKS / Stark, ERISA, RICO, MFCU) | Red-team / defense anticipation needs adapter-driven specialization beyond what general-purpose models can offer | Phase 3 (stub today) |
| Damages Quantifier | Llama 4 / DeepSeek R1 class with LoRA + SageMaker XGBoost | Amazon SageMaker GPU + SageMaker built-in XGBoost | Multi-methodology damages calculations need both reasoning (LLM) and quantitative anomaly detection (XGBoost) | Phase 3 (stub today) |
| Drafter | Anthropic Claude Haiku 4.5 | Amazon Bedrock us.anthropic.claude-haiku-4-5-20251001-v1:0 | Long-form generation (memo + CREB™ structure); roughly 3x cheaper per output token than Sonnet | LIVE on Bedrock |
| Auditor | Anthropic Claude Haiku 4.5 | Amazon Bedrock us.anthropic.claude-haiku-4-5-20251001-v1:0 | Structured gap-finding + chain-integrity walk; cost-efficient for the audit pass | LIVE on Bedrock |

Supporting AWS services (Phase 2/3)

Inference resilience

Cross-region inference profiles

Bedrock invocations route through the us.* cross-region inference profile, distributing capacity across us-east-1, us-east-2, and us-west-2. If one region throttles, the next call lands elsewhere without code change. PHI residency stays US-only by published region scope + IAM Service Control Policy.

Legal corpus retrieval (Phase 3)

Bedrock Knowledge Bases + OpenSearch Serverless

Theorist and Auditor agents pull controlling case law from a managed RAG store backed by Amazon Bedrock Knowledge Bases over Amazon OpenSearch Serverless, with embeddings from Amazon Titan Text Embeddings v2. Corpus: Harvard CAP, CourtListener federal opinions, PACER bulk filings, CMS regulations, HHS OIG advisory opinions, DOJ FCA settlement library, state MFCU precedent.

Workflow + audit

Step Functions, EventBridge, SQS, CloudTrail, KMS

AWS Step Functions orchestrates the six-agent state machine. EventBridge fans agent-completed events to downstream consumers (CourtChain™ anchor, billing, customer notifications). SQS queues batch case intake. CloudTrail logs every Bedrock invocation (input + output hashes only, never content) to S3 with Object Lock immutability. AWS KMS / CloudHSM hold the per-tenant PHI tokenization vault keys.

Single-vendor inference posture, by design. All four currently-LIVE agents invoke Anthropic Claude on Amazon Bedrock - no calls to OpenAI, Google Gemini, the Anthropic Direct API, or any third-party LLM service. The single-vendor / single-cloud posture is a HIPAA precondition, not a cost optimization: Bedrock is in scope for the AWS Business Associate Addendum, contractually does not retain customer prompts, and the entire inference path stays within JIL's AWS account boundary. Phase 3 SageMaker LoRA adopts the same posture (still inside AWS BAA).

Section 01 - Pipeline

One pipeline. Three lock-in points. One audit chain.

Each stage carries a distinct analytical scope, AWS compute target, and PHI handling regime. The customer chooses where to stop.

Stage 1 / Tier 1 to Tier 2

AVA™ · on Amazon Bedrock

148 deterministic rule checks across 16 categories. AVA™ consumes Tier 1 flagged claims from JIL L1, groups related flags into coherent finding clusters, and produces customer-readable summaries. Inference runs on Amazon Bedrock managed APIs - no GPU provisioning, per-token pricing aligned to query volume. JIL retains the right to swap or add Bedrock-hosted models without architectural change; the system prompt + JSON-output contract is portable across Anthropic Claude families. Bedrock contractually does not retain customer prompts or use them for model improvement.

Stage 2 / Tier 2 to Completion

AVA™ Pro · Six specialized agents on Bedrock

Six specialized agent roles, each with a distinct prompt + JSON output contract. Today four are wired to Amazon Bedrock via cross-region inference profiles for capacity-based resilience: Investigator + Theorist on Anthropic Claude Sonnet 4.6 (heavyweight reasoning, legal-element decomposition, statutory mapping); Drafter + Auditor on Anthropic Claude Haiku 4.5 (long-form generation, evidentiary-gap structured analysis, ~3x cheaper per output token). The remaining two roles - Adversary (red-team / defense anticipation) and Damages Quantifier (multi-methodology damages with statistical confidence intervals) - run on Amazon SageMaker self-hosted inference with LoRA adapters per case theory (FCA, Anti-Kickback / Stark, ERISA, civil RICO, state insurance fraud, MFCU referral); Phase 3.

Stage 3 / Filing

AVA™ Pro+ · Filing-ready CREB™

Final lock-down. Filing-ready bundles for counsel. Inherits AVA™ Pro's analytical scope and produces filing-ready CREB™ packages for customer counsel or referral agencies. Every agent reasoning chain is hashed and anchored to CourtChain™ via AWS CloudTrail + CloudWatch event hooks; the resulting evidence bundle is FRE 902(14) self-authenticating. Damages calculations carry methodology variance + 95% confidence intervals (SageMaker XGBoost for time-series anomaly base rates). The Auditor agent walks the prior five agents' chain integrity before the bundle is sealed; if any gap rises above "minor" severity, the bundle is held for human review.

Section 01b - What "agentic" actually means here

Six agents, one chain, every reasoning step hashed.

Most "AI in healthcare" today means a single LLM behind a chat box. AVA™ Pro is the opposite. Each role is a separately-prompted agent with its own output contract, its own model assignment, its own evidence trail. The orchestrator runs them in canonical order, anchors each result to CourtChain™ before the next agent starts, and stops at the Auditor's go/no-go.

Why six agents instead of one

Specialization beats prompt-stuffing

One mega-prompt asking a single LLM to "find fraud, propose theories, anticipate defenses, calculate damages, draft the memo, audit the chain" produces hand-wavy aggregates. Six narrow prompts, each constrained to a single output schema, produce auditable structured artifacts that downstream tooling can verify. Each agent's output is the next agent's input - no agent sees the customer's raw claim universe, only the prior agent's structured findings + the legal corpus.

Why deterministic mode

Temperature 0, fixed prompts, replayable

Every agent invocation runs at temperature: 0 with a SHA-256-pinned system prompt. The ModelCard inside each AgentResult records the exact model id, the prompt hash, the AWS region, the input/output token counts. Two years from now, with the same model id available on Bedrock, the same prompt hash, and the same tokenized input, the call replays bit-identically. That replay capability is what makes the FRE 902(14) self-authentication claim hold up against a defense expert.

Why model assignment per role matters

Right tool, right cost, per agent

The Investigator and Theorist do most of the legal-reasoning work. They get Claude Sonnet 4.6 - the heavier model, ~$3 / M input + $15 / M output. The Drafter and Auditor do generation and structured-gap analysis. They get Claude Haiku 4.5 - one-third the cost, sufficient quality for the task. Per-case spend lands at roughly $0.14 across all four Bedrock invocations. We can swap a single role to a different model without touching the rest of the pipeline.

Per-tenant inference profiles

Each customer carries its own posture

Inference mode, AWS region, model overrides, KMS key, BAA timestamp, and cost cap are all per-tenant - not process-global. A federal customer routes to AWS GovCloud (US-West) automatically; a commercial MCO routes to us-east-1. A pre-BAA POC customer is forced into stub mode by the orchestrator's BAA gate (the code refuses to invoke Bedrock if baa_executed_at is null). Each case has a hard cost ceiling beyond which the orchestrator aborts and surfaces a partial CREB™ with the cost-cap marker.
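
A fail-closed version of the per-tenant gate described above, as an added example rather than JIL's orchestrator. `TenantProfile`, `run_case`, the `cost-cap` marker string, the Haiku rate (taken as one-third of the Sonnet rate the page quotes) and the token counts are assumptions; `baa_executed_at` and the routing rule come from the page.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional, Tuple

# Price per token in micro-dollars ($3 per million tokens == 3 micro-USD per token).
# Sonnet rates are the page's; Haiku is taken as one-third of Sonnet, as the page states.
PRICE_MICRO_USD = {"sonnet": (3, 15), "haiku": (1, 5)}
PIPELINE = [("investigator", "sonnet"), ("theorist", "sonnet"), ("adversary", "sonnet"),
            ("damages", "sonnet"), ("drafter", "haiku"), ("auditor", "haiku")]


@dataclass(frozen=True)
class TenantProfile:  # hypothetical shape; only baa_executed_at is named on the page
    tenant_id: str
    federal: bool
    baa_executed_at: Optional[datetime]
    cost_cap_micro_usd: int

    @property
    def region(self) -> str:
        # Federal tenants route to AWS GovCloud (US-West); commercial to us-east-1.
        return "us-gov-west-1" if self.federal else "us-east-1"

    @property
    def mode(self) -> str:
        # Fail closed: no executed BAA means no real inference, whatever else is configured.
        return "bedrock" if self.baa_executed_at is not None else "stub"


def run_case(profile: TenantProfile,
             invoke: Callable[[str, str, str], Tuple[int, int]]) -> dict:
    """Run the pipeline; invoke(agent, model, region) returns (input_tokens, output_tokens)."""
    result = {"tenant_id": profile.tenant_id, "mode": profile.mode, "region": profile.region,
              "completed": [], "spent_micro_usd": 0, "markers": []}
    for agent, model in PIPELINE:
        if profile.mode == "stub":
            result["completed"].append(agent)  # canned output; invoke is never called
            continue
        tokens_in, tokens_out = invoke(agent, model, profile.region)
        price_in, price_out = PRICE_MICRO_USD[model]
        # Integer micro-dollars throughout, so the spend total never accumulates float error.
        result["spent_micro_usd"] += tokens_in * price_in + tokens_out * price_out
        result["completed"].append(agent)
        if result["spent_micro_usd"] > profile.cost_cap_micro_usd:
            result["markers"].append("cost-cap")  # partial bundle; remaining agents not run
            break
    return result


def constructed_invoke(agent: str, model: str, region: str) -> Tuple[int, int]:
    """Stand-in for the model call with constructed token counts; makes no network request."""
    return (10_000, 2_000)


if __name__ == "__main__":
    signed = datetime(2026, 1, 15, tzinfo=timezone.utc)  # constructed date
    for p in (TenantProfile("poc-tenant", False, None, 500_000),
              TenantProfile("mco-tenant", False, signed, 500_000),
              TenantProfile("cms-tenant", True, signed, 100_000)):
        print(run_case(p, constructed_invoke))
```

The gate is evaluated per profile on every case, so a tenant whose BAA field is null cannot reach real inference through a shared or cached client.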

Cross-region inference resilience

Bedrock routes across us-east-1 + us-east-2 + us-west-2

JIL invokes Bedrock through the us.* cross-region inference profile - a managed router that distributes capacity across three US regions. If one region throttles, the next call lands somewhere else without code change. The IAM policy authorizes invocation in each of the three regions plus the inference profile itself. PHI residency stays US-only by Service Control Policy + the inference profile's published region scope.

CourtChain™ dual-purpose audit

One anchor, two regulatory regimes

Each agent run's output hash is anchored to JIL's CourtChain™ (the L1 audit ledger). The same anchor satisfies HIPAA Security Rule audit-log integrity (45 CFR §164.312(b)) and FRE 902(14) self-authentication for evidentiary admissibility. CloudTrail logs land in S3 with Object Lock so they're immutable before the chain hash is computed. One mechanism, two compliance frameworks - no parallel audit infrastructure to maintain.

Service status (live, 2026-05-21). All six agents now run on real Bedrock inference. End-to-end orchestrator smoke test verified: case enters → six agents execute in canonical order → CourtChain™ anchor sealed in 295 seconds. Per-agent reasoning chains hashed; final_anchor_hash_sha256 emitted; FRE 902(14) self-authenticating bundle produced. Phase 3 SageMaker LoRA endpoints planned for the two number-crunching roles (Adversary and Damages Quantifier) but Bedrock-only path is production-grade today.

Section 02 - HIPAA / PHI / PII handling on AWS

PHI is on a tightly bounded path. Everything else flows.

JIL's runtime touches three classes of data - PHI (HIPAA Safe Harbor identifiers), PII (employee credentials, contact records), and non-PHI operational data (pattern signatures, model weights, legal corpus, CourtChain™ anchors). The architectural goal is to keep PHI on a tightly bounded path inside the JIL AWS tenant and let everything else flow freely through the analytical layer.

Core principle 01

Minimum necessary, tokenized at boundary

AVA™ and AVA™ Pro process only the PHI required for the analytical task. PHI identifiers are replaced with format-preserving tokens (FF3-1 / FPE-AES per identifier class) at the JIL ingest boundary. Tokenization runs in AWS Lambda or ECS within the customer-tenant VPC. The crosswalk lives in AWS KMS with customer master keys (CMK), with AWS CloudHSM (FIPS 140-2 Level 3 validated) for the highest-sensitivity workloads. Re-identification happens only at the customer-facing CREB™ output boundary.

Core principle 02

No PHI in model training

Foundation models are inference-only on customer data. No customer PHI is used for fine-tuning, weight updates, RLHF, or any training process. AWS Bedrock contractually does not retain or use customer prompts for model improvement. Continued pre-training and supervised fine-tuning happen on the (PHI-free) legal corpus only, on SageMaker training jobs.

Core principle 03

Ephemeral inference

Bedrock invocations are stateless by contract. SageMaker KV caches are cleared between sessions. No persistent storage of customer prompts in inference infrastructure. Logs capture input and output hashes only via CloudTrail + CloudWatch - never content. Every PHI access is logged and anchored to CourtChain™.

Core principle 04

No external API egress beyond AWS

All inference happens within JIL's AWS account boundary, under the AWS Business Associate Addendum. No data flows to OpenAI, Google, or any non-AWS LLM service. Bedrock keeps customer data within the JIL AWS tenant and does not share with third-party model providers. VPC endpoints + VPC-only routing for Bedrock and SageMaker invocations.

Core principle 05

PHI residency

PHI stays within US AWS regions. Commercial workloads in us-east-1, us-east-2, us-west-2. Federal and CMS workloads in AWS GovCloud (US-West). No cross-border PHI movement. AWS Region service constraints enforced at the IAM and SCP layer (preventive, not detective).

Core principle 06

Immutable audit, dual-purpose anchoring

Every PHI access is logged via AWS CloudTrail and CloudWatch Logs, then anchored to CourtChain™. The same anchor that supports FRE 902(14) admissibility also satisfies HIPAA Security Rule audit log integrity (45 CFR 164.312(b)). One mechanism, two regulatory regimes. CloudTrail logs are themselves immutable (S3 Object Lock + bucket policies that deny delete) before the CourtChain™ hash is computed.

Compliance posture · substrate-inheritable controls. All inheritance comes from the customer's Databricks (Lakehouse) or Snowflake (warehouse) substrate; AVA™ runs as a tenant inside the customer's substrate account. NIST CSF 2.0 self-attestation (current). HIPAA Security Rule attestation (current). HITRUST CSF i1 then r2 (target) - inherited from Databricks + Snowflake HITRUST authorizations. SOC 2 Type II (target) - both Databricks and Snowflake hold SOC 2 Type II; JIL inherits the data-plane carve-out and certifies only the JIL-owned services running inside. FedRAMP: Databricks FedRAMP Moderate (commercial); Snowflake Government Cloud FedRAMP High (federal/CMS). AWS Bedrock + SageMaker are inference providers downstream of the substrate via PrivateLink, not the compliance umbrella. State medical privacy overlays (CA CMIA, TX HB 300, NY SHIELD, etc.) per customer. CMS ARS 5.1 + MARS-E 2.2 + DUA alignment for Medicare/Medicaid customer data flows. 42 CFR Part 2 controls if SUD records present. Full HIPAA posture at /hipaa.

Section 03 - Customer deployment

Three deployment paths. Customer chooses where the PHI sits.

Same Verdict Engine. Same FRE 902(14) admissibility. Same CourtChain™ seal. The substrate is the lever: Snowflake or Databricks for the fastest path to production (inherit their compliance posture), JIL Cloud for federal / sovereign workloads requiring maximum operational control. Customer data never leaves the customer perimeter in any of the three paths; AVA™ runs inside the chosen substrate.

Option 01 - Snowflake

AVA™ on Snowpark Container Services

AVA™ / AVA™ Pro / AVA™ Pro+ deploy as a Snowflake Native App inside the customer's Snowflake account. PHI never leaves the customer's Snowflake perimeter. Inherits Snowflake's certified compliance posture: HITRUST CSF, SOC 2 Type II, ISO 27001, HIPAA, FedRAMP MOD, PCI DSS. Fastest path to production for customers already standardized on Snowflake Financial Services Data Cloud. See Snowflake reference architecture + TDD.

Option 02 - Databricks

AVA™ on Databricks Apps

AVA™ deploys as a Databricks App inside the customer's Databricks workspace. Delta Lake substrate, Unity Catalog governance, Photon query engine. Best fit for lakehouse-native, ML-heavy customers running Unity Catalog. Same HITRUST + SOC 2 + ISO 27001 + HIPAA inheritance as the Snowflake path. PHI stays inside the customer's Databricks environment.

Option 03 - JIL Cloud

AVA™ on JIL Cloud (AWS EKS / GovCloud)

Direct AVA™ deployment on JIL Cloud (Amazon EKS + KMS + IAM + GuardDuty). Customer VPC or peered. Federal / CMS workloads land in AWS GovCloud (US-West) with FedRAMP High inheritance via Bedrock + SageMaker + GovCloud. Best fit for heterogeneous estates, federal customers requiring FedRAMP authorization paths, and any institution requiring maximum operational control. See JIL Cloud reference architecture.

Section 04 - Customer security review

Pre-built responses for every common questionnaire.

Customer security review teams typically resolve in 4 to 8 weeks once a questionnaire is submitted. The shift to AWS Bedrock + SageMaker materially shortens the review window because most infrastructure-layer controls are inheritable from AWS's existing certifications.

Questionnaire frameworks

Pre-built response library

  • Whistic
  • OneTrust Vendorpedia
  • ProcessUnity
  • KY3P (Hitachi)
  • SIG Lite and SIG Core
  • HITRUST MyCSF

Response library updated quarterly. Customer-specific overlays handled at intake.

Evidence pack

What you get on day one of review

  • SOC 2 Type II report (target; AWS carve-out for infra layer)
  • HITRUST CSF certification (target i1 then r2; AWS inheritance)
  • HIPAA Security Rule attestation
  • AWS Business Associate Addendum evidence
  • FedRAMP High inheritance documentation (Bedrock, SageMaker, GovCloud)
  • Annual penetration test report (third-party)
  • Architecture review materials, data flow diagrams
  • BAA template and signature workflow

Section 05 - Engagement

Begin a security review.

Customer security teams open conversations with JIL by requesting a briefing. We will share the full reference architecture under NDA and walk the BAA structure, deployment-mode trade-offs, AWS service inventory, and PHI handling principles in depth.