The core security principle
Security & Compliance
Compliance isn't a feature. It's the foundation.
Gridlight's architecture eliminates the entire category of cloud AI data exposure risk. Not through settings, not through vendor contracts, not through encryption in transit — by never sending data outside your environment in the first place.
GRIDLIGHT RISK MODEL
- Data never leaves your environment
- No external vendor with data access
- Your security controls govern inference
- Audit logs stored in your SIEM
- Zero model contamination risk
CLOUD AI RISK MODEL
- Data transmitted to vendor infrastructure
- BAA/DPA required per vendor
- Vendor security posture creates shared risk
- Inference logs may persist in vendor systems
- Model training risk from query data
Regulatory framework coverage
Mapped to the frameworks you already operate under.
Gridlight's architecture addresses specific control requirements across the regulated industries we serve. Each mapping below reflects how the platform satisfies the stated requirement — not through attestation, but through design.
§164.312(a)(1) · Access Controls
Role-based access control enforced at the Policy Engine layer. Least-privilege model access by user, department, and data classification. No shared credentials.
§164.312(b) · Audit Controls
Immutable, tamper-evident audit logs for every inference event — user identity, timestamp, model used, data classification tags, and policy decisions.
§164.312(e)(1) · Transmission Security
End-to-end encryption in transit (TLS 1.3) within your environment. No transmission to external networks — PHI never leaves your perimeter.
§164.312(a)(2)(iv) · Encryption at Rest
Model weights, context stores, and audit logs encrypted at rest using AES-256. Key management remains under your control — no vendor-managed keys.
§164.308(a)(5) · Security Awareness
Governance dashboard surfaces policy violations, anomalous query patterns, and access deviations in real time — supporting ongoing workforce training and monitoring requirements.
§164.308(a)(1) · Risk Analysis
Eliminates the entire risk category of third-party AI data transmission — removing a significant HIPAA risk finding that appears in virtually every healthcare AI deployment assessment.
GOVERN
Policy Engine enforces AI-specific governance policies. Model and data usage rules version-controlled and auditable.
IDENTIFY
Full inventory of model assets, inference activity, and data classification across every workload.
PROTECT
RBAC, encryption at rest and in transit, network isolation, and policy-enforced data classification.
DETECT
Continuous monitoring of inference patterns. Anomaly detection and alerting integrated with SIEM via audit log export.
RESPOND & RECOVER
Model quarantine capability. Rollback to prior model versions. Incident evidence preserved in immutable logs.
SAFEGUARDS RULE · NPI Protection
Nonpublic personal information never transmitted outside your network. AI inference on member and customer data runs entirely within your environment — no third-party financial data processor relationship created.
VENDOR MANAGEMENT
Gridlight is an infrastructure platform — not a data processor with access to member records. Significantly simplifies your third-party vendor risk management obligations under NCUA guidance.
BOARD REPORTING
Governance dashboard provides board-level visibility into AI usage, policy compliance, and data handling — supporting the NCUA requirement for board oversight of information security programs.
AC — Access Control
RBAC and least-privilege access enforced at the control plane for all AI workloads handling CUI.
AU — Audit & Accountability
Immutable, timestamped audit trail of all inference events involving CUI — exportable to your audit system.
SC — System Protection
Network isolation ensures AI inference involving CUI never traverses untrusted networks or leaves your boundary.
Air-gap ready
Supports fully disconnected deployments with no external network dependencies for the most sensitive CUI environments.
CC6 — Logical Access
Policy Engine enforces access control criteria. All inference requests authenticated and authorized against defined policies.
CC7 — System Operations
Continuous monitoring with anomaly detection. Deviations from baseline inference patterns surfaced for review.
C1 — Confidentiality
Confidential data processed exclusively within your environment. No confidential information transmitted to or stored by Gridlight infrastructure.
P series — Privacy
Inference on personal data subject to your privacy program controls — not Gridlight's vendor policies.
Supply chain trust model
Where does Gridlight sit in your trust model?
This is the question every CISO should ask — and the answer matters. Gridlight is installed infrastructure, not a connected service. Here's exactly what Gridlight can and cannot access.
GRIDLIGHT HAS ACCESS TO
- Your hardware and compute resources (by design — it runs on them)
- Platform telemetry for updates and support (configurable, can be disabled)
- Model binaries you download and install into your environment
GRIDLIGHT CANNOT ACCESS
- Your inference data or query content — ever
- Your audit logs or observability data (stored only in your environment)
- Your proprietary context or business knowledge loaded into models
- Network access to your internal data systems or databases
Security review
