
Building an agentic AI solution at Bluesight with Amazon Bedrock
Quick Answer
Bluesight leveraged Amazon Bedrock AgentCore to develop Prism, an agentic AI solution that streamlines compliance across six healthcare products, reducing manual audit hours significantly.
Quick Take
Bluesight leveraged Amazon Bedrock AgentCore to develop Prism, an agentic AI solution that streamlines compliance across six healthcare products, reducing manual audit hours significantly. The Prism Assistant for ControlCheck, launched in May 2026, is already operational in 20 health systems, with a more complex solution expected later in the year.
Key Points
- Manual compliance audits consume over 4,000 hours annually per hospital.
- Prism integrates data from multiple Bluesight products for actionable insights.
- Amazon Bedrock is HIPAA-eligible, ensuring data privacy for healthcare.
- AgentCore enables secure, serverless hosting and communication.
- The ControlCheck prototype was developed in just nine months with AWS support.
📖 Reader Mode
~12 min readThis post is co-written with Vijay Venkatesh, CTO at Bluesight.
If you build software for hospitals, you know that compliance work scales poorly. Hospitals managing 340B Drug Pricing Program compliance face a compounding data problem. Proving that a Group Purchasing Organization (GPO) purchased drug qualifies for an exception requires cross-referencing each purchase against several sources at once. These include Food and Drug Administration (FDA) shortage lists, American Society of Health-System Pharmacists (ASHP) data, days-on-hand inventory, machine learning (ML) based shortage predictions, and backorder signals from hundreds of other hospitals. For a single covered entity, this manual audit process consumes over 4,000 hours annually. Multiply that across a network of over 620 hospitals, and the scale of the problem becomes clear.
Bluesight powers hospital and pharmacy operations with intelligence that simplifies inventory management, procurement, and compliance. As a Thoma Bravo portfolio company, Bluesight offers a product suite of KitCheck, ControlCheck, CostCheck, 340BCheck, ShortageCheck, and PrivacyPro that serves thousands of partners across the United States. Each product solves a distinct piece of the compliance puzzle. But customers kept asking for something that cut across product boundaries. They wanted an AI layer that could reason over data from multiple systems at once and surface actionable insights without requiring analysts to manually stitch reports together.
In this post, we describe how Bluesight used two AWS engagements and Amazon Bedrock AgentCore to evolve from a single-product AI prototype to Prism, a unified agentic AI solution spanning six healthcare compliance products. Prism Assistant for ControlCheck launched in May 2026 and is already in use by 20 health systems. A more complex multi-product agentic solution is on track for later in 2026.
The compliance challenges driving Bluesight toward agentic AI
Bluesight’s first AI opportunity was in drug diversion detection. ControlCheck monitors controlled substance transactions across hospital pharmacies, flagging potential diversion patterns through sophisticated analytics. Compliance teams were spending hours compiling reports, writing executive business reviews, and manually correlating signals across dashboards. A conversational interface that could perform this analysis in seconds would save hospital users and customer success teams enormous amounts of time. But it had to meet the security and accuracy standards that hospital compliance programs demand.
The second challenge was more ambitious. Hospitals classified as DSH (Disproportionate Share), PED (Children’s), or CAN (Free-Standing Cancer) are prohibited from purchasing outpatient drugs through GPO contracts unless the drug is genuinely unavailable through non-GPO channels. Proving that exception requires evidence from multiple Bluesight products at once: purchase records from CostCheck, shortage data from ShortageCheck, and 340B eligibility from 340BCheck. No single product had the full picture.
Both use cases shared a common constraint: the architecture had to be production-grade from day one. Patient data is governed by the Health Insurance Portability and Accountability Act (HIPAA). Hospital compliance teams need audit trails. Any AI system making claims about drug purchasing compliance must be explainable and deterministic where it matters. Bluesight needed a reusable AI architecture, not one-off solutions that would require rebuilding for each new use case.
Building on Amazon Bedrock AgentCore
Bluesight chose AWS because Amazon Bedrock AgentCore provided production-grade agentic AI infrastructure without requiring the team to build it from scratch. Three capabilities were decisive in this choice.

Figure 1. Prism Assistant single-agent architecture on Amazon Bedrock AgentCore.
First, Amazon Bedrock is HIPAA-eligible. For a healthcare company handling protected health information, this was non-negotiable. Bluesight operates under a Business Associate Agreement (BAA) with AWS, and customer data processed by Amazon Bedrock isn’t used to train foundation models (FM). This combination of regulatory compliance and data privacy gave the team confidence to connect agents to live hospital data.
Second, AgentCore Runtime provides secure, serverless hosting with session isolation, which is critical when multiple hospitals query the system concurrently. AgentCore Gateway transforms existing product APIs into Model Context Protocol (MCP) compatible tools that agents can discover and invoke, with built-in authentication and encryption. This meant connecting agents to live data sources across three products without building custom integration infrastructure from the ground up.
Third, the agent-to-agent communication pattern in AgentCore matched the architecture Bluesight needed for the GPO prohibition use case. A coordinating agent delegates to specialized data workers. One queries CostCheck purchase records, another checks ShortageCheck availability data, and a third validates 340B eligibility. AgentCore Runtime supports this multi-agent pattern with proper separation of concerns and observability across the full execution chain.
From ControlCheck prototype to production in nine months
In September 2025, Bluesight partnered with AWS through the EBA (Experience-Based Acceleration) program for a three-day intensive sprint. The objective was to build a conversational drug diversion analyst for ControlCheck that could query live data and generate visual reports.
The team of 15, made up of eight Bluesight engineers and seven AWS professionals, built a functioning agent with Strands Agents on Amazon Bedrock, hosted on AgentCore Runtime. They connected over 10 ControlCheck APIs through AgentCore Gateway as MCP servers, built a frontend with chart generation, and implemented observability for performance monitoring and cost attribution.
A key architectural decision was separating the AI reasoning from the data layer. Rather than exposing raw databases to the agent, the team wrapped existing ControlCheck API endpoints in AWS Lambda functions that returned structured, agent-optimized data. This reduced query latency from 5 minutes to 10 seconds and kept business logic in the application layer where it belonged. The agent’s job was to interpret user questions, orchestrate tool calls, and present results clearly.
After the demo, Samir Neyazi, Director of Product Management at Bluesight, was unequivocal: “110 percent yes, this exceedingly helps diversion program sales.” He wanted to show it to customers the following Monday.
“Healthcare sets a high bar on compliance, data security, and scale. Our collaboration with AWS resulted in an architecture that could handle all of that at once,” says Vijay Venkatesh, CTO at Bluesight. “Built on that foundation, Bluesight’s domain expertise and proprietary data make the feature genuinely useful to the customers performing compliance work every day.”
The EBA gave Bluesight an architecture ready for production from day one. It was deployed in a virtual private cloud (VPC), fully encrypted, with authentication, observability, and infrastructure-as-code already in place. No architectural pivots were needed, and no technical debt accumulated that would need unwinding later. Prism Assistant is Bluesight’s unified branding for in-app AI across all products. It went from that three-day sprint to production general availability in under nine months. That timeline would typically take 12–18 months of exploratory AI development.
Scaling to multi-product intelligence with Prism
In March 2026, Bluesight returned for a second EBA. This time the goal was more ambitious: build an agentic AI solution that orchestrates across multiple products to automate GPO prohibition compliance auditing.

Figure 2. GPO prohibition multi-agent orchestration architecture.
The reference architecture and patterns from the first EBA significantly reduced development time. What took three days of intensive work to establish for ControlCheck became reusable infrastructure for Prism. The team organized into three workstreams, covering agent behavior and infrastructure, data workers and tools, and UX/frontend, and moved fast because the foundational patterns were already proven.
The resulting Prism architecture runs Claude Sonnet 4.6 as the primary model and Claude Haiku 4.5 for fast operations, both on Amazon Bedrock through AgentCore Runtime deployed in a VPC with private subnets. AgentCore Gateway connects Lambda-backed tools to CostCheck, ShortageCheck, and 340BCheck data sources. A GPO-specific orchestrator agent coordinates with specialized data worker agents, each responsible for gathering evidence from a specific product domain.
The compliance determination itself is not a large language model (LLM) opinion. Bluesight built a deterministic scoring pipeline with 13 evidence signals, priority-based matching, and configurable temporal windows. The LLM orchestrates data gathering and report generation, but the scoring logic is rule-based and auditable. This is a critical distinction for hospital compliance programs that must demonstrate their methodology to regulators.
The full system was connected and operational by end of Day 1. Every planned feature was working by end of Day 2. Day 3 focused on polish, exploratory testing, and a demo to Bluesight business stakeholders and AWS executive sponsors. The agent achieved 100 percent invoice discovery rate and 93 percent evidence justification accuracy on synthetic data during the EBA, exceeding the 85 percent target.
“We returned for the second engagement with bigger questions. Not just ‘can we build another agent,’ but ‘can we build a platform,’” says Venkatesh. “That meant pushing the architecture further and stress-testing it against a compliance workflow that crosses product boundaries in ways the first engagement never did. The fact that it worked, and worked fast, is what turned Prism from an idea into a vision we could actually commit to building.”
“The whole AWS team was great to work with. We made way more progress than I’d hoped, and that was thanks to your team guiding us on both trying things and following patterns. We wouldn’t have had as good of a demo without the EBA process,” says Steve Hodges, Sr. Engineering Manager at Bluesight.
“It’s amazing what you can accomplish when you put a bunch of smart people working towards a single goal in a room together for three days,” adds AJ Rivosecchi, CostCheck General Manager at Bluesight.
Security and compliance in production
For healthcare organizations evaluating agentic AI, security is not a feature to add later. It’s a design constraint from the start. Bluesight’s architecture addresses this at every layer.
The HIPAA eligibility and BAA coverage of Amazon Bedrock help support compliance efforts for patient-adjacent data processed by agents. However, organizations remain responsible for their own compliance assessment under the AWS shared responsibility model. AgentCore Runtime deploys within a VPC using private subnets and security groups, keeping all communication between agents and data sources within a controlled network boundary. Amazon Cognito handles OAuth2 client credentials flow with JSON Web Token (JWT) validation, authenticating and authorizing each agent request before any data access occurs.
AWS Key Management Service (AWS KMS) manages encryption keys for data at rest and in transit. AWS Secrets Manager handles credentials for downstream service connections. Amazon CloudWatch provides dashboards, alarms, and metric filters across the full agent execution chain. Every agent decision, tool invocation, and data access is logged and traceable.
This observability layer isn’t only operational tooling. Hospital compliance programs must be able to demonstrate exactly how a compliance determination was reached. That means showing which data sources were consulted, what evidence was gathered, and how the scoring rubric was applied. This is a regulatory requirement, not a nice-to-have. The combination of deterministic scoring logic and comprehensive audit trails gives compliance teams confidence that AI-assisted determinations are defensible.
“Security is paramount for our hospital customers,” says Vijay Venkatesh, CTO at Bluesight. “Our hospital customers need to know their data is protected under HIPAA before they’ll adopt any AI solution. Amazon Bedrock’s HIPAA eligibility and the network isolation built into AgentCore gave us a security posture we could confidently present to compliance teams from day one.”
Results
Early adopters of Prism Assistant are already seeing measurable improvements in their daily workflows. Based on Bluesight’s internal measurements across 20 health systems, diversion teams report up to 97% faster report generation and data analysis compared to their previous processes:
- Recurring reports completed 96 percent faster, dropping from approximately six hours of manual assembly to 15 minutes.
- Pre-investigation triage time decreased by 90 percent, from three hours to roughly 10 minutes.
- Controlled substance variance analysis completed 97 percent faster, from 30 minutes to under a minute.
Beyond the Prism Assistant metrics, the two engagements delivered compounding value at the solution level:
- 12–18 months of typical AI development compressed to under 9 months for the first agent to reach production.
- 100 percent invoice discovery rate on synthetic test data, meaning every relevant purchase is identified by the GPO agent.
- 93 percent evidence justification accuracy on synthetic test data, exceeding the 85 percent target.
- Over 4,000 hours of annual manual compliance work targeted for removal.
- Second agent built in a fraction of the time by reusing the first engagement’s architecture.
- Solution designed to scale to over 2,000 hospitals across Bluesight’s network.
“The two EBAs delivered extraordinary time-to-market acceleration that wouldn’t have been possible through traditional development,” says Venkatesh. “The first gave us speed and a solid foundation. The second proved we could apply that foundation to deliver sophisticated multi-product capabilities in a fraction of the time. The AWS partnership model, which brought architectural expertise, technology validation, and multiple Solutions Architects working alongside our team, was the accelerant that made both outcomes possible.”
What’s next for Prism
Prism is Bluesight’s unified AI layer across all six products. The GPO prohibition agent is the first multi-product solution, coming later in 2026, while Prism Assistant for ControlCheck is already released and in use by 20 health systems.
Near-term, the team is expanding the evaluation suite from over 3–15 test cases covering edge cases and regression scenarios. The team is also completing production deployment of the GPO agent and gathering feedback from hospital operators and compliance teams.
Longer-term, Bluesight plans to extend the agent-to-agent architecture to additional compliance use cases: 340B material breach identification, workflow triage, and automated audit preparation. The cross-customer data network spanning over 620 hospitals, expandable to over 2,000, provides an evidence layer that grows more valuable with each hospital that joins the solution. This network effect, combined with the reusable agent architecture, positions Prism as infrastructure that compounds in value over time.
Conclusion
Bluesight’s path from a single-product AI prototype to a multi-product agentic solution took nine months. Amazon Bedrock AgentCore provided the production infrastructure, including runtime, gateway, memory, and observability. With it, the engineering team could focus on healthcare domain logic rather than building AI infrastructure. The EBA model created architectural foundations that compounded in value across both engagements, and the security-first design gave hospital customers confidence to adopt AI for compliance workflows.
If you’re building agentic AI for a regulated industry, you can start from the same primitives Bluesight used. Explore Amazon Bedrock AgentCore and open the Amazon Bedrock console to try it in your own account. Build your first agent with the AgentCore documentation and the Strands Agents framework, and browse end-to-end examples in the Amazon Bedrock AgentCore samples repository. To go deeper on agents on AWS, see Building healthcare agents using Amazon Bedrock AgentCore and Rede Mater Dei de Saúde: Monitoring AI agents in the revenue cycle with Amazon Bedrock AgentCore. For more about building healthcare AI solutions on AWS, visit AWS for Health.
About the authors
— Originally published at aws.amazon.com
Want this in your inbox every morning?
Daily brief at your local 8am — bilingual EN/中文, free.
More from AWS Machine Learning
See more →
Implement on-behalf-of token exchange for multi-tenant agents with Amazon Bedrock AgentCore Gateway
Amazon Bedrock AgentCore Gateway introduces on-behalf-of (OBO) token exchange for multi-tenant AI agents, addressing identity issues when calling downstream APIs. This implementation guide demonstrates how to maintain user identity and enforce least privilege while scaling across tenants using OAuth 2.0 Token Exchange (RFC 8693).

