govrn · BCBS of Illinois (HCSC)

Governance across all three lenses over one technology fleet. 5 high/critical findings open

Governance posture

IT-Rationalization

50/100

inventory · duplication · disposition · roadmap

0 pass
3 partial
0 fail
0 n/a

Cybersecurity

61/100

NIST CSF 2.0 · CIS v8.1 · privacy

1 pass
3 partial
0 fail
0 n/a

AI-Governance

6/100

AI-BOM · bias · oversight · provenance · drift

0 pass
1 partial
6 fail
0 n/a

AI-BOM · 5 models · the surface security misses

Model	Use case	Risk	Oversight	Owner	Reviewed
Prior-auth approval algorithmInternal / undisclosed · in-production 2026	Auto-approves prior-auth for a limited set of procedure codes (93% of members); stated to never deny — only approve or route to clinician review	critical	HITL ✓	Clinical Operations	161d ago
Claims auto-adjudicationInternal / undisclosed · in-production 2026	Automated claims processing with auto-approval of some requests	high	HITL ✓	Claims	161d ago
Member virtual assistantUndisclosed vendor · in-product 2026	Answers benefits/plan questions; routes calls to advocates	high	no HITL	Member Experience	192d ago
Risk-prediction modelInternal · in-production 2026	Predicts member health risk for proactive outreach (diabetes, readmission, etc.)	high	HITL ✓	Care Management	222d ago
Fraud-detection modelInternal / vendor · in-production 2026	Flags potentially fraudulent claims for investigator review	med	HITL ✓	Payment Integrity	130d ago

Model

Use case

Risk

Oversight

Owner

Reviewed

Prior-auth approval algorithmInternal / undisclosed · in-production 2026

Auto-approves prior-auth for a limited set of procedure codes (93% of members); stated to never deny — only approve or route to clinician review

critical

HITL ✓

Clinical Operations

161d ago

Claims auto-adjudicationInternal / undisclosed · in-production 2026

Automated claims processing with auto-approval of some requests

high

HITL ✓

Claims

161d ago

Member virtual assistantUndisclosed vendor · in-product 2026

Answers benefits/plan questions; routes calls to advocates

high

no HITL

Member Experience

192d ago

Risk-prediction modelInternal · in-production 2026

Predicts member health risk for proactive outreach (diabetes, readmission, etc.)

high

HITL ✓

Care Management

222d ago

Fraud-detection modelInternal / vendor · in-production 2026

Flags potentially fraudulent claims for investigator review

med

HITL ✓

Payment Integrity

130d ago

Cost & Efficiency · AI tokenomics — the governance that de-risks AI also makes it cheaper

$55kmonthly AI spend

$5krecoverable / mo

91%efficient

1over-provisioned

Model	Tier	Monthly	Tokens/mo	Right-sizing	Recoverable
Prior-auth approval algorithmAuto-approves prior-auth for a limited set of procedu…	workhorse	$22k/mo	0M	right-sized ✓	—Modeled estimate — decisioning model, not token-metered; confirm real spend in engagement
Claims auto-adjudicationAutomated claims processing with auto-approval of som…	workhorse	$14k/mo	0M	right-sized ✓	—Modeled
Member virtual assistantAnswers benefits/plan questions; routes calls to advo…	frontier	$9k/mo	130M	over-provisioned	$5k/moModeled — member-facing LLM likely over-tiered for benefits FAQ; workhorse + caching candidate
Risk-prediction modelPredicts member health risk for proactive outreach (d…	workhorse	$7k/mo	0M	right-sized ✓	—Modeled
Fraud-detection modelFlags potentially fraudulent claims for investigator …	lightweight	$3k/mo	0M	right-sized ✓	—Modeled

Model

Tier

Monthly

Tokens/mo

Right-sizing

Recoverable

Prior-auth approval algorithmAuto-approves prior-auth for a limited set of procedu…

workhorse

$22k/mo

right-sized ✓

—Modeled estimate — decisioning model, not token-metered; confirm real spend in engagement

Claims auto-adjudicationAutomated claims processing with auto-approval of som…

workhorse

$14k/mo

right-sized ✓

—Modeled

Member virtual assistantAnswers benefits/plan questions; routes calls to advo…

frontier

$9k/mo

130M

over-provisioned

$5k/moModeled — member-facing LLM likely over-tiered for benefits FAQ; workhorse + caching candidate

Risk-prediction modelPredicts member health risk for proactive outreach (d…

workhorse

$7k/mo

right-sized ✓

—Modeled

Fraud-detection modelFlags potentially fraudulent claims for investigator …

lightweight

$3k/mo

right-sized ✓

—Modeled

Monitoring & findings · systems & vendors & public chatter — never individuals

Monitoring: not connected. The signals below are sample / discovery findings from the baseline assessment — not a live feed. Continuous monitoring activates when connectors are wired to this tenant's stack. We mark what's real.

Signals · sample / discovery

1 critical1 high1 medium0 low0 info

Sev	Signal	Source	Target	Seen	Status
critical	Utilization-AI accountability is a live regulatory + litigation themeCertified MT class action alleges formulaic automated denials without individualized review (30% appeal-reversal); CMS 2023 rule + IL SB1425 push human-review from stated to provable. Public-signal finding — confirm internal controls in discovery.	news	Prior-authorization automation	10h ago	new
high	IDOI expects a written AIS Program; public posture is principles-onlyIDOI CB 2024-08 lists governance/risk-control/audit documentation it may request on exam; no matching artifacts are publicly visible.	news	Prior-authorization automation	10h ago	new
medium	Repeated IDOI data-accuracy fines signal data-governance weak points$231,900 fine (2023) for provider-directory accuracy + consent-order non-compliance — data governance underpins AI governance.	news	Availity Fusion (FHIR data engine)	10h ago	new

Sev

Signal

Source

Target

Seen

Status

critical

Utilization-AI accountability is a live regulatory + litigation themeCertified MT class action alleges formulaic automated denials without individualized review (30% appeal-reversal); CMS 2023 rule + IL SB1425 push human-review from stated to provable. Public-signal finding — confirm internal controls in discovery.

news

Prior-authorization automation

10h ago

new

high

IDOI expects a written AIS Program; public posture is principles-onlyIDOI CB 2024-08 lists governance/risk-control/audit documentation it may request on exam; no matching artifacts are publicly visible.

news

Prior-authorization automation

10h ago

new

medium

Repeated IDOI data-accuracy fines signal data-governance weak points$231,900 fine (2023) for provider-directory accuracy + consent-order non-compliance — data governance underpins AI governance.

news

Availity Fusion (FHIR data engine)

10h ago

new

Findings · HITL-gated — display only, no action without client GO

0 none6 proposed0 approved0 applied

Sev	Finding	Type	Affects	Action
critical	Utilization AI (prior-auth, 93% of members) lacks publicly demonstrable, exam-ready human-review evidenceDocument and log the individualized human-review path on AI-routed prior-auth/claims; produce decision-logging + reviewer-evidence exam-ready against IDOI CB 2024-08, CMS 2023 MA rule, and pending SB1425. Move the existing 'AI cannot deny' claim from stated to provable.	gap	Prior-auth approval algorithm	proposed
high	No publicly visible written AIS Program (governance body, model inventory, internal audit)Stand up / document the written AI System Program IDOI expects: AI governance body, AI-BOM, risk controls, audit cadence. This is the single artifact a market-conduct exam will ask for first.	gap	Prior-auth approval algorithm	proposed
high	No public model disclosure / accuracy basis for member-impacting AIPublish CHAI-style model cards (purpose, data, limits, accuracy/over-approval rates) for prior-auth, claims, and the member chatbot; add a data-handling statement.	gap	Member virtual assistant	proposed
high	No documented appeal-reversal feedback loop into AI/process governanceBuild a governed feedback loop: denial reversals (the MT case cites 30%) feed model + process review; track over-denial / over-approval drift.	gap	Claims auto-adjudication	proposed
high	No public disparate-impact assessment on risk-prediction / utilization AIRun + document disparate-impact testing across member populations for risk-scoring and utilization AI; record under the AIS Program.	gap	Risk-prediction model	proposed
medium	Member-chatbot model provider undisclosed; AI-vendor data-flow oversight not publicDisclose internally + govern the chatbot foundation-model provider and data-flow; apply GPAI/supplier terms; define fallback.	gap	Member chatbot / virtual assistant	proposed

Sev

Finding

Type

Affects

Action

critical

Utilization AI (prior-auth, 93% of members) lacks publicly demonstrable, exam-ready human-review evidenceDocument and log the individualized human-review path on AI-routed prior-auth/claims; produce decision-logging + reviewer-evidence exam-ready against IDOI CB 2024-08, CMS 2023 MA rule, and pending SB1425. Move the existing 'AI cannot deny' claim from stated to provable.

gap

Prior-auth approval algorithm

proposed

high

No publicly visible written AIS Program (governance body, model inventory, internal audit)Stand up / document the written AI System Program IDOI expects: AI governance body, AI-BOM, risk controls, audit cadence. This is the single artifact a market-conduct exam will ask for first.

gap

Prior-auth approval algorithm

proposed

high

No public model disclosure / accuracy basis for member-impacting AIPublish CHAI-style model cards (purpose, data, limits, accuracy/over-approval rates) for prior-auth, claims, and the member chatbot; add a data-handling statement.

gap

Member virtual assistant

proposed

high

No documented appeal-reversal feedback loop into AI/process governanceBuild a governed feedback loop: denial reversals (the MT case cites 30%) feed model + process review; track over-denial / over-approval drift.

gap

Claims auto-adjudication

proposed

high

No public disparate-impact assessment on risk-prediction / utilization AIRun + document disparate-impact testing across member populations for risk-scoring and utilization AI; record under the AIS Program.

gap

Risk-prediction model

proposed

medium

Member-chatbot model provider undisclosed; AI-vendor data-flow oversight not publicDisclose internally + govern the chatbot foundation-model provider and data-flow; apply GPAI/supplier terms; define fallback.

gap

Member chatbot / virtual assistant

proposed

Attestations · Finding ≠ Attestation — signed independently of delivery & remediation (the conflict firewall)

AI-Governance0/100

DECLINED — AI-governance readiness is NOT attested from public signals. Member-impacting AI (prior-auth for 93% of members, claims, chatbot, risk prediction) operates at 26.5M scale with public posture at principles level only: no visible written AIS Program, model inventory, disclosure, disparate-impact testing, or appeal-feedback governance — against a regulator (IDOI CB 2024-08) that expects exam-ready evidence. This is the gap to close on the path to ISO/IEC 42001 readiness, not a passing posture. Outside-in only; a baseline engagement replaces public signals with real evidence.

Cybersecurity50/100

Indeterminate from outside-in. HIPAA-regulated enterprise posture assumed mature, but repeated IDOI data-accuracy fines signal data-governance weak points and AI-vendor oversight is not publicly visible. Conditional pending engagement.

IT-Rationalization50/100

AI systems are publicly identifiable but not consolidated into a public inventory with data-access mapping; enterprise GenAI footprint unconfirmed. Sound pending an AI-BOM + GenAI discovery sweep.

Fleet inventory · 7 assets

Asset	Kind	Owner	Adoption	Disposition	Flags
Prior-authorization automationAI-assisted prior-auth: auto-approve or route to clinician (93% of members, limited procedure codes)	application	Clinical Operations	93%	retain	—
Claims-processing AIAutomated claims adjudication with auto-approval of some requests	application	Claims	90%	retain	—
Member chatbot / virtual assistantConversational AI for benefits/plan info + AI call-routing to advocates	application	Member Experience	70%	retain	internet
Fraud-detection AIAI alerts on potentially fraudulent claims	application	Payment Integrity	80%	retain	—
Risk-prediction / proactive outreachPredicts member risk (e.g., diabetes, readmission) for proactive outreach	application	Care Management	60%	retain	—
Availity Fusion (FHIR data engine)Clinical-data standardization: 420M+ records, 6B+ FHIR resources, real-time eventing	vendor-service	Data / Interoperability	85%	retain	—
Enterprise GenAI / Copilot (to confirm)Staff GenAI usage — expired job postings reference an AI Innovation Lab + GenAI portfolio; vendor/extent not publicly confirmed	application	(to confirm)	20%	tbd	unencryptedinternet

Asset

Kind

Owner

Adoption

Disposition

Flags

Prior-authorization automationAI-assisted prior-auth: auto-approve or route to clinician (93% of members, limited procedure codes)

application

Clinical Operations

93%

retain

—

Claims-processing AIAutomated claims adjudication with auto-approval of some requests

application

Claims

90%

retain

—

Member chatbot / virtual assistantConversational AI for benefits/plan info + AI call-routing to advocates

application

Member Experience

70%

retain

internet

Fraud-detection AIAI alerts on potentially fraudulent claims

application

Payment Integrity

80%

retain

—

Risk-prediction / proactive outreachPredicts member risk (e.g., diabetes, readmission) for proactive outreach

application

Care Management

60%

retain

—

Availity Fusion (FHIR data engine)Clinical-data standardization: 420M+ records, 6B+ FHIR resources, real-time eventing

vendor-service

Data / Interoperability

85%

retain

—

Enterprise GenAI / Copilot (to confirm)Staff GenAI usage — expired job postings reference an AI Innovation Lab + GenAI portfolio; vendor/extent not publicly confirmed

application

(to confirm)

20%

tbd

unencryptedinternet