Dual-Zone AI Architecture: Structurally Eliminating PHI Exposure
The Architecture Challenge
Foundation models need domain context to generate useful answers. In regulated industries — healthcare, financial services, legal — that context often contains protected data that cannot leave a compliance boundary. Policy-based controls (prompt engineering, content filters) are insufficient: a single bypass means exposure.
EFS Networks was asked to solve this for a healthcare system where HIPAA's "minimum necessary" standard required a solution where it is structurally impossible — not just policy-controlled — for protected health information to reach the foundation model.
Dual-Zone Architecture
The solution separates the system into two isolated zones with no shared data paths:
- AI Zone — The agentic layer (Strands Agents SDK on Amazon AgentCore) and Amazon Bedrock inference. This zone never has IAM permissions to access patient data stores.
- PHI Zone — Lambda functions, DynamoDB, and S3 buckets containing actual patient records. Isolated by VPC, IAM boundaries, and KMS encryption.
The zones communicate only through a tokenization pipeline — the AI Zone receives synthetic tokens, never real data.
How It Works
- Entity extraction — Amazon Comprehend Medical identifies 18 PHI entity types (names, dates, medications, diagnoses) from clinical text
- Deterministic tokenization — Each PHI entity is replaced with a synthetic token (e.g.,
[NAME_001],[MED_003]). Token mappings are stored in DynamoDB within the PHI Zone only. - Guardrail layer — Bedrock Guardrails run in BLOCK mode on both input and output as defense-in-depth. In production, Guardrails caught all 6 entities that Comprehend Medical missed (99.94% combined accuracy).
- Agent reasoning — The Strands agent reasons over tokenized text using Bedrock (Claude 3.5 Sonnet for complex queries, Haiku for simple lookups), autonomously selecting tools and planning query strategy
- Reconciliation — Response tokens are mapped back to real patient data within the PHI Zone before delivery to the clinician
The agent also routes between Sonnet and Haiku based on query complexity, reducing inference costs by 19–31% with no accuracy degradation on simple queries.
Why This Pattern Matters
This architecture is transferable to any domain with sensitive data — financial PII, legal privilege, student records (FERPA), or classified information. The key insight: rather than trying to prevent a model from leaking data it has seen, ensure the model never sees the data in the first place.
The dual-zone pattern provides:
- Provable compliance — CloudTrail audit confirms zero PHI in AI Zone logs
- No model dependency — Works with any foundation model (the tokenization layer is model-agnostic)
- Defense in depth — Three independent layers (IAM isolation, tokenization, Guardrails) each sufficient alone
Production Results
| Metric | Result |
|---|---|
| PHI exposure incidents | Zero — verified via CloudTrail audit |
| Response time (p95) | 3.2 seconds against 5-second target |
| Anonymization accuracy | 99.94% (Comprehend Medical + Guardrails combined) |
| System availability | 99.97% |
| User adoption (month 3) | 73% (89% in emergency medicine) |
| Productivity gain | 78 minutes saved per clinician per day |
| Annualized value | $5.7M at ~$2,900/month operating cost |
AWS Services
Amazon Bedrock (Claude 3.5 Sonnet / Haiku), Bedrock Guardrails, Amazon AgentCore, Strands Agents SDK, Amazon Comprehend Medical, Lambda, DynamoDB, S3, Cognito, KMS, CloudWatch, CloudTrail, VPC. Infrastructure via AWS CDK (Python).
Let's talk about what you're building.
Our team brings over two decades of experience to every engagement. Tell us about your project and we'll show you what's possible.