1. Executive Summary
You are a mid-market healthcare AI company shipping an agentic clinical triage assistant into US hospital systems and three named EU health networks. You built on a strong compliance foundation — SOC 2 Type II, HITRUST, HIPAA BAA, GDPR-aligned with a named DPO and an Irish operating entity — which places you in the top third of your segment on general enterprise posture. The governance surface specific to your AI product has not kept pace with that foundation: there is no model card or system card for your triage model, no NIST AI RMF mapping, no ISO 42001 readiness statement, no EU AI Act Article 50 readiness document (103 days out), no Colorado AI Act readiness (70 days out), no AI-specific scope in your HackerOne bounty, no named Chief AI Officer, and no published behavior changelog across your triage model's version history. Your bug bounty runs; your AI red-team does not exist. The gap between your general compliance posture and your AI-specific posture is the largest finding in this report, and it is the gap that enterprise health-system CISOs are beginning to ask about in procurement reviews. Composite Trust Rating 584 ± 28 / 1000 (C).
2. Trust Rating
Composite: 584 ± 28 / 1000 — Grade C
| Dimension | Score | Grade | Headline |
|---|---|---|---|
| V — Visibility | 550 | C− | Blog + changelog active; no model card or system card for triage AI |
| A — Alignment | 480 | D+ | General "responsible AI" page; no framework mapping, no C-suite AI owner |
| D — Drift | 500 | D+ | Uptime SLAs published; behavior changelog for triage AI absent |
| P — Provenance | 450 | D+ | Article 50(1) partial; "Made with Meridian AI" attribution opt-out-able |
| C — Compliance | 720 | B | SOC 2 Type II + HITRUST + HIPAA BAA + GDPR + EU entity — the strength of this report |
| R — Resilience | 600 | C+ | HackerOne bounty operational; scope does not explicitly include AI-specific findings |
Archetype-weighted: V 0.18 · A 0.18 · D 0.10 · P 0.075 · C 0.27 · R 0.20
Confidence: σ = 28 (medium-high). 57 of 178 catalog signals resolved to PRESENT; 11 resolved to PRESENT_NEGATIVE (surfaced as Findings); 84 resolved to ABSENT with archetype-common expected coverage; 26 ABSENT with archetype-rare expected coverage (silent — no penalty). This report's grade is stable across reasonable reinterpretations of the archetype blend (pure-D healthcare peer: 595; pure-A AI-native peer: 560 — same letter grade either way).
3. Posture Profile
Visibility — 550 / C−
Meridian Health AI runs an active company blog (post cadence ~2/month; recent posts include the Q1 clinical-triage-accuracy update, a piece on de-identification pipeline architecture, and coverage of the Series B). A status page is present with 99.94% reported uptime FY2025. The enterprise trust hub collates the SOC 2 Type II attestation (report available on request), HITRUST certification, and HIPAA BAA template. A high-level "How our AI works" page describes the triage model's inputs, outputs, and intended use.
What is not visible: there is no model card for the triage model, no system card for the agent runtime, and no behavior changelog across triage-model versions. The public documentation does not disclose which foundation model underpins the agent, which guardrails are in place, or what the refusal / escalation behavior is in production. For a healthcare-AI company, this is the single largest transparency gap — health-system CISOs and clinical governance committees increasingly request these artifacts during procurement, and their absence is becoming a procurement blocker.
Alignment — 480 / D+
Meridian publishes a "Responsible AI at Meridian" page with five stated principles (Patient Safety, Clinician Oversight, Data Minimization, Continuous Improvement, Transparency). The principles are real. What sits under them is uneven: the principles are not mapped to any external framework (NIST AI RMF is not referenced; ISO 42001 is not referenced; the OWASP Agentic Top 10 is not referenced). There is no named Chief AI Officer or Chief Medical Informatics Officer with AI-governance scope in the executive team page; the closest is a SVP of Clinical Data Products who also runs commercial. The organization hires rapidly in ML research (14 of 82 open roles), but zero open roles currently carry titles for AI safety, AI red team, AI policy, or responsible AI program manager.
Public executive posture on AI governance is thin: the CEO has appeared on two industry podcasts (one clinical-AI-specific, one general-healthcare-investor-focused) in the last 18 months — both framed around product differentiation and market dynamics rather than governance posture. No essays, no conference keynotes on governance, no regulatory comments filed.
Drift — 500 / D+
Meridian publishes SaaS-level post-mortems for material uptime incidents (two in the last 12 months, both thoroughly documented). It does not publish AI-behavioral post-mortems. There has been one public clinical-accuracy controversy in Q4 2025, where a published case study cited a triage recommendation that a downstream reviewer disputed; the public response was a product statement on LinkedIn rather than a formal post-mortem. The triage model has been versioned three times in the last year; the changelog on meridianhealth.ai/changelog contains feature additions and UI changes but no behavior-delta entries, and no per-version evaluation-suite results.
Provenance — 450 / D+
Triage summaries surface an "AI-assisted" label by default. Enterprise administrators can disable the label across their tenant — a product affordance that inverts the Article 50(1) AI-interaction-disclosure direction the EU AI Act is moving toward. The triage outputs do not carry C2PA manifests or any cryptographic attestation of AI generation. Meridian is not a member of the Content Authenticity Initiative or C2PA.
meridianhealth.ai/robots.txt exists and blocks CCBot and GPTBot. It does not address ClaudeBot, PerplexityBot, Google-Extended, or anthropic-ai — a partial AI-crawler posture that signals the company has thought about scraping but has not declared a comprehensive stance. No agents.txt; no ai.txt.
Compliance — 720 / B
The strength of the report. SOC 2 Type II attested; annual pen-test commitment on the trust page. HITRUST CSF certified. HIPAA BAA available to Enterprise customers. GDPR-aligned with an Irish operating entity (Meridian Health AI (Ireland) Limited); named DPO with contact email published; Article 27 representative named via a Dublin-based data-protection firm. Sub-processor list published and dated (last updated 2026-03-01) naming three named foundation-model providers. Privacy policy and ToS up to date (both updated January 2026). DPA available at the advertised URL.
Weaknesses in compliance are entirely AI-specific: no ISO 42001 (not a hiring target; not claimed). No explicit NIST AI RMF alignment statement. No published DPIA covering the triage agent. No explicit EU AI Act Article 50 readiness statement with a roadmap date. No Colorado AI Act readiness statement. No FedRAMP (declared out-of-scope; Meridian does not serve federal agencies).
Resilience — 600 / C+
Bug bounty on HackerOne, operational since 2023, 94 resolved findings to date. Published VDP with safe-harbor language; security.txt serves a current contact and PGP key. Annual pen-test summary published. SECURITY.md is current on the primary public repo. Head of Security publicly named (VP Security Engineering). No CVEs assigned to Meridian products in the last 24 months.
What the resilience posture lacks: the bounty scope page mentions "all products" but does not explicitly list AI-specific finding categories (prompt injection, jailbreak, agent abuse, sandbox escape, memory poisoning) as eligible. No published AI-specific threat model. No AI red team — the VP Security Engineering's team does traditional application security; there is no adversarial-ML function. No published red-team report or independent eval of the triage model.
4. Concrete Findings
F-01 — General compliance posture is top-third of segment; AI-specific posture is bottom-third
SOC 2 Type II + HITRUST + HIPAA BAA + GDPR with Irish entity + DPO + Article 27 rep is a rare and valuable position for a Series B healthcare AI company. Underlying that foundation, the AI-specific layer is thin: no ISO 42001, no NIST AI RMF mapping, no model card, no system card, no behavior changelog, no AI-red-team function, no EU AI Act Article 50 readiness document. The gap between the general compliance story a health-system CISO can take to their board and the AI-specific story they cannot is the defining finding of this report.
F-02 — "AI-assisted" attribution on triage outputs is opt-out-able by Enterprise admins
The product's current UX allows tenant admins to disable the "AI-assisted" label on clinical summaries across their organization. This is the opposite direction from where EU AI Act Article 50(1) is moving (disclosure of AI interaction as a design requirement, not a configuration option) and it carries reputational exposure in any jurisdiction where consumer-facing AI disclosure becomes mandatory. This is a product UX decision, not a Mnemom-addressable gap.
F-03 — Triage model has been versioned three times without a published behavior changelog
Three material triage-model updates in the last year, none accompanied by a published per-version behavior-delta description. Clinical governance committees at Meridian's 34 named health-system customers have begun asking for these artifacts during quarterly vendor reviews. Two of those customers have made "behavior changelog per model version" a condition of 2026 renewal.
F-04 — Bug bounty runs but does not explicitly scope AI-specific findings
HackerOne program is operational, has 94 resolved findings to date, and has a clean safe-harbor policy. The scope page does not explicitly list AI-specific categories — prompt injection, jailbreak, agent-tool abuse, memory poisoning, indirect injection via document upload. Researchers who work in that adjacency read the scope as "probably covered" rather than "definitely covered," and several industry peers have moved to explicit AI-scope bounty programs in the last 12 months. This is a one-page edit to the HackerOne program description.
F-05 — 14 ML-research open roles, zero AI-safety open roles
Meridian's hiring mix telegraphs organizational priorities: 14 of 82 open roles are in ML research, model training, or AI infrastructure. Zero are in AI safety, AI red team, AI policy, AI risk management, or responsible AI program management. For a company deploying a clinical-triage agent into hospital systems governed by HIPAA and subject to emerging state AI laws (Colorado AI Act effective June 30, 2026), the hiring asymmetry is a structural governance signal.
5. Gaps
| ID | What we looked for | Polarity | Implication |
|---|---|---|---|
| G-01 | Model card for the triage model | ABSENT | Opaque behavior to clinical reviewers |
| G-02 | System card for the agent runtime | ABSENT | No documented tool permissions / sandbox boundaries / failure modes |
| G-03 | NIST AI RMF alignment statement | ABSENT | No framework legibility for health-system CISO boards |
| G-04 | ISO 42001 certification or in-process statement | ABSENT | AI management system not attested |
| G-05 | EU AI Act Article 50 readiness document | ABSENT | 103 days to enforcement; EU health-system customers will ask |
| G-06 | Colorado AI Act readiness statement | ABSENT | 70 days to enforcement; Colorado health-system exposure |
| G-07 | DPIA / AI risk assessment for the triage agent | ABSENT | No documented risk posture specific to the AI product |
| G-08 | Behavior changelog across triage-model versions | ABSENT | No drift-tracking surface |
| G-09 | AI-specific scope in HackerOne program | ABSENT | Researcher uncertainty on AI-adjacent findings |
| G-10 | Named Chief AI Officer / Chief Medical Informatics Officer with AI scope | ABSENT | No C-suite governance owner specific to the AI product |
| G-11 | AI-safety / red-team hiring | ABSENT | No internal adversarial function |
| G-12 | AI-specific threat model | ABSENT | No published threat decomposition |
| G-13 | C2PA / Content Authenticity Initiative membership | ABSENT | No provenance-coalition participation |
| G-14 | AI-assisted attribution being non-disableable | PRESENT_NEGATIVE | Opt-out-able by admins; inverted direction |
| G-15 | Comprehensive AI-crawler stance in robots.txt | ABSENT | Partial (CCBot + GPTBot only); no Claude/Perplexity/Google-Extended |
| G-16 | agents.txt / ai.txt / llms.txt | ABSENT | No machine-readable agent-interaction policy |
| G-17 | Frontier Model Forum / NIST AISIC / PAI / MLCommons / Responsible AI Institute membership | ABSENT | No multi-party accountability on AI safety |
6. Remediation Recommendations
R-01 — Ship a model card, system card, and behavior changelog for the triage agent
Impact: High · Urgency: Two customer renewals gated on this · Effort: Medium Model card describes the triage model (architecture category, training data categories, known limitations, eval results including adversarial robustness). System card describes the agent runtime (tools, permissions, sandbox boundaries, failure modes, escalation paths). Behavior changelog published per model version with behavior-delta descriptions and eval-suite results. [Closes G-01, G-02, G-08]
R-02 — Publish EU AI Act Article 50 readiness + Colorado AI Act readiness
Impact: High · Urgency: 70 / 103 days · Effort: Low-Medium
Dedicated page linked from /trust and /enterprise. Article 50(1) AI-interaction disclosure commitment (and the UX change from F-02); Article 50(2) machine-readable content marking roadmap; Article 50(4) N/A (no deep-fake scope). Colorado AI Act compliance statement specific to healthcare consumer decisions. [Closes G-05, G-06; partially addresses F-02]
R-03 — Publish a governance framework mapping + name a C-suite AI owner
Impact: High · Urgency: 90 days · Effort: Medium One page: existing controls mapped to NIST AI RMF, ISO 42001, OWASP Agentic Top 10. Name a C-suite owner with scope for AI governance across product, security, and clinical safety — could be an elevated Chief Medical Informatics Officer role, or a new Chief AI Officer position. The naming is the signal. [Closes G-03, G-10; foundations for G-04]
R-04 — Expand HackerOne scope to explicitly include AI-specific findings; establish AI red-team function
Impact: Medium-High · Urgency: 60 days · Effort: Low (scope edit) + Medium (red-team establishment) Update HackerOne program description to explicitly list AI-specific finding categories with bounty amounts (prompt injection, jailbreak, agent abuse, sandbox escape, memory poisoning). Open a req for an AI red-team lead; in the interim, engage Mnemom's red-team-as-service capability. [Closes G-09, G-11, G-12; F-04]
R-05 — Move "AI-assisted" attribution from opt-out-able to mandatory
Impact: Medium (High under EU enforcement) · Urgency: 103 days (Art. 50(1)) · Effort: Product decision + engineering Reverse the Enterprise-admin-disableable default for the AI-assisted label on triage summaries. Direction-of-travel alignment with EU AI Act Article 50(1). [Closes F-02, G-14]
6.25 — Posture With Mnemom
This is what your posture would look like after you adopt Mnemom and ship the runtime-governance infrastructure that your current scores flag as missing. We are conservative about what Mnemom closes. Signals that require corporate action (appoint a C-suite AI owner; register a second EU entity; join Frontier Model Forum) are not credited to Mnemom in the table below — they are broken out in §6.5.
| Dim | Today | With Mnemom | Healthcare-AI leader¹ | Mnemom lift | Residual to leader |
|---|---|---|---|---|---|
| V | 550 | 630 | ~850 | +80 | 220 |
| A | 480 | 560 | ~870 | +80 | 310 |
| D | 500 | 600 | ~820 | +100 | 220 |
| P | 450 | 500 | ~780 | +50 | 280 |
| C | 720 | 800 | ~900 | +80 | 100 |
| R | 600 | 690 | ~880 | +90 | 190 |
| Composite | 584 | 666 | ~860 | +82 | 194 |
| Grade | C | C+ | A | — | — |
| Confidence (σ) | ±28 | ±24 | ±40 | — | — |
¹ Healthcare-AI leader counterfactual: an Epic-class clinical AI vendor with published ISO 42001 certification, mature AI-specific red-team function, published model cards per triage model, NIST AISIC membership, C2PA adoption for AI-generated clinical summaries, and an in-production Article 50 compliance artifact. Estimated ~860 (A) under Meridian's archetype weights. You are one grade level below that peer today; Mnemom lifts you half a grade; the remaining corporate actions close the rest.
Per-dimension rationale for the Mnemom uplift (conservative)
V — Visibility (+80): Mnemom produces a continuously-maintained trust-rating record per deployed triage agent, functionally substituting (not formally) for a published model card and system card. Mnemom emits a behavior changelog as a side effect of drift detection — one of the gaps a health-system CISO's technical review most reliably surfaces. Mnemom does not publish your research roadmap, does not change your GitHub org's public repo strategy, and does not author your exec public-comms posture.
A — Alignment (+80): Mnemom's compliance reporting maps your controls to NIST AI RMF, OWASP Agentic Top 10, ISO 42001, and EU AI Act Article 50. That closes five specific catalog signals: POL-11, POL-12, POL-13, POL-14, and partial POL-15 (Colorado). Mnemom does not publish your AI principles page for you (write one), does not name your C-suite AI owner (appoint one), and does not enroll you in Frontier Model Forum or NIST AISIC (apply).
D — Drift (+100, Mnemom's strongest dimension): Drift detection is the Layer-4 primitive Mnemom was built for. Continuous behavioral monitoring with trust-score time series closes BLOG-12 (behavior changelog), DRIFT-07 (post-mortem infrastructure), and provides the evidence substrate for your clinical-governance committee to review triage-agent behavior changes quarterly. Mnemom does not publish your post-mortems for you (still a corporate comms decision).
P — Provenance (+50, floor-bounded): Mnemom provides cryptographic provenance attestation per AI-generated clinical summary — the first production-ready artifact that maps clinical-summary provenance to EU AI Act Article 50(2) machine-readable marking requirements. Mnemom does not join C2PA for you (apply). The "Made with Meridian AI" attribution being opt-out-able for Enterprise admins remains your product UX decision.
C — Compliance (+80): Mnemom produces your Article 50 readiness documentation (REG-11), Colorado AI Act readiness (REG-12), ISO 42001 readiness artifact (REG-06), and NIST AI RMF alignment statement (POL-11). Mnemom does not issue the ISO 42001 certification itself (that's a separate audit engagement) and does not stand up additional EU entities for you.
R — Resilience (+90): Mnemom's red-teaming framework delivers continuous adversarial testing against your triage agent as a service — closing SEC-08 (threat model), SEC-09 (red-team reports), and functionally substituting for TEAM-10/TEAM-11 AI-red-team hiring. Mnemom does not expand your existing bounty's scope to explicitly include prompt-injection and agent-abuse findings (update your HackerOne policy) and does not add safe-harbor language to your SECURITY.md.
Read: The lift pattern is consistent with the "healthy engagement" shape we've observed across every target in our comparison set. Mnemom moves you from C to C+ (bordering B). Corporate governance actions (some listed in §6.5) take you the rest of the way to B+ / A. We do not claim Mnemom is a silver bullet; we claim it is the runtime governance infrastructure your current posture is missing, and that the infrastructure, once in place, makes the remaining corporate actions easier to execute because they have something concrete to report against.
6.5 — Addressable by Mnemom vs Customer
Mnemom addresses directly (on adoption)
| Gap | Mnemom capability |
|---|---|
| G-01, G-02 — Model/system card | Trust Rating telemetry → continuously-maintained model/system-card equivalent |
| G-03 — NIST AI RMF mapping | Compliance reporting emits control-mapped documentation |
| G-04 — ISO 42001 readiness | Readiness artifact generated from runtime evidence (certification itself still requires a separate audit) |
| G-05 — Article 50 readiness | Readiness documentation generated + maintained |
| G-06 — Colorado AI Act readiness | Readiness documentation |
| G-07 — DPIA | DPIA template populated from runtime telemetry |
| G-08 — Behavior changelog | Drift detection emits versioned behavior deltas |
| G-11 partial — AI red-team capacity | Red-team-as-service (external capacity) |
| G-12 — AI threat model | Mnemom-published threat model for the deployed agent |
| G-17 partial — Standards engagement | Mnemom's standards-setting work on agent identity / attestation is available to Meridian as a member |
Customer must act
| Gap | Required corporate action |
|---|---|
| G-09 — HackerOne scope update | Edit the program description |
| G-10 — C-suite AI owner | Appoint one |
| G-11 full — Internal red-team hire | Open the req |
| G-13 — C2PA / CAI membership | Apply |
| G-14 — "AI-assisted" attribution UX | Product UX decision |
| G-15, G-16 — robots.txt / agents.txt / ai.txt completeness | Edit the files |
| G-17 full — Frontier Model Forum / NIST AISIC / PAI membership | Apply; membership gates exist |
| R-02 partial — Publish the readiness page | Publish it |
Closing prescription
Mnemom is necessary but not sufficient. Adopting Mnemom lifts your Trust Rating by 82 points (from 584 to 666), moving you from C to C+ (bordering B). Closing the remaining 194 points to the healthcare-AI leader (estimated ~860) requires corporate decisions that are yours to make — chief among them: appoint a C-suite AI owner, publish Article 50 readiness, flip the "AI-assisted" attribution default, and apply to Frontier Model Forum / NIST AISIC. Mnemom gives you the runtime governance infrastructure that lets those decisions have audit-ready substance; the decisions themselves remain yours.
7. Peer Context (reference-only)
Your segment is "mid-market healthcare AI companies shipping agentic clinical products at Series B scale." Your closest peers: Hippocratic AI, Nabla, Abridge, Ambience, Suki, Commure, and the clinical-AI teams at Epic and Cerner (part of Oracle Health) as enterprise reference points.
The segment is bifurcated on AI-governance posture: the top third has published model cards, behavior changelogs, and ISO 42001 posture (Nabla is the clearest example, on the strength of its EU-first regulatory posture); the bottom two-thirds resemble Meridian's shape — strong general compliance, thin AI-specific posture. The competitive risk is that health-system procurement is beginning to standardize on the top-third's artifacts, and vendors in the bottom-two-thirds are losing renewals on governance-artifact absence rather than product failure.
8. Regulatory Countdown
| Regulation | Enforcement | Days out | Your exposure | Your posture |
|---|---|---|---|---|
| Colorado AI Act | 2026-06-30 | 70 | High — triage AI makes consequential consumer decisions in Colorado health systems | Not addressed |
| EU AI Act Article 50(1) AI-human interaction | 2026-08-02 | 103 | High — EU hospital-system customers; patient-facing AI interaction | Not addressed; "AI-assisted" label is admin-disableable (F-02) |
| EU AI Act Article 50(2) machine-readable content marking | 2026-08-02 | 103 | High — triage summaries are AI-generated text artifacts | Not addressed; no C2PA adoption |
| EU AI Act Annex III (high-risk AI in healthcare) | 2027-08-02 | 468 | High — likely qualifies as "high-risk AI system" under Annex III.5 | No published roadmap |
| NYC Local Law 144 (automated employment decisions) | In effect | — | Low — not an employment tool | N/A |
| HIPAA / HITECH | Ongoing | — | Continuous | BAA in place; strong baseline |
| 21st Century Cures Act ONC algorithmic transparency | 2024-12-31 (in effect) | — | Medium — may require algorithmic transparency attestation for certified health IT integrations | Status unclear from public posture |
Exposure summary: EU AI Act Article 50 is your binding near-term deadline. Penalty ceiling: €7.5M or 1% of worldwide annual turnover. At Meridian's disclosed $47M ARR (Series B reporting), 1% is approximately $470K — meaningful but not existential. What is existential is the procurement impact: three named EU customer renewals land in Q3 2026, and procurement has already asked for Article 50 readiness documentation.
9. Evidence Appendix (selected)
| ID | Source | Captured | Finding |
|---|---|---|---|
| E-ROB-01 | meridianhealth.ai/robots.txt | 2026-04-21 | Blocks CCBot and GPTBot; does not address ClaudeBot, PerplexityBot, Google-Extended, anthropic-ai |
| E-SEC-01 | meridianhealth.ai/.well-known/security.txt | 2026-04-21 | Present; contact + PGP key current |
| E-AGT-01 | meridianhealth.ai/agents.txt | 2026-04-21 | 404 |
| E-RAI-01 | meridianhealth.ai/responsible-ai | 2026-04-21 | Five principles; no framework citations |
| E-TRUST-01 | trust.meridianhealth.ai | 2026-04-21 | SOC 2 Type II; HITRUST; HIPAA BAA; sub-processor list current 2026-03-01 |
| E-DPO-01 | meridianhealth.ai/privacy | 2026-04-21 | DPO named; Irish entity disclosed; Article 27 representative Dublin-based |
| E-BLOG-01 | meridianhealth.ai/blog | 2026-04-21 | Active cadence ~2 posts/month; recent posts product + funding; no AI governance posts in last 12 months |
| E-CHANGELOG-01 | meridianhealth.ai/changelog | 2026-04-21 | Feature + UI changes; no behavior-delta entries per triage-model version |
| E-CARDS-01 | meridianhealth.ai/blog, /docs search | 2026-04-21 | No model card or system card surfaced |
| E-HO1-01 | hackerone.com/meridian-health-ai | 2026-04-21 | Active program; 94 resolved; safe-harbor present; AI-specific categories not explicitly listed in scope |
| E-CAREERS-01 | meridianhealth.ai/careers | 2026-04-21 | 82 open roles; 14 ML research; 0 AI safety / red team / policy |
| E-EXEC-01 | Podcast search + LinkedIn | 2026-04-21 | CEO appeared on two podcasts in 18 months; governance not discussed substantively |
| E-SUB-01 | trust.meridianhealth.ai/subprocessors | 2026-04-21 | Three foundation-model providers named |
| E-INC-01 | LinkedIn press search | 2026-04-21 | Q4 2025 clinical-accuracy dispute; company response via LinkedIn post; no formal post-mortem on meridianhealth.ai |
| E-LABEL-01 | meridianhealth.ai/docs/admin/labeling | 2026-04-21 | "AI-assisted" label can be disabled at tenant level by Enterprise admins |
| E-FMF-01 | frontiermodelforum.org/members | 2026-04-21 | Meridian Health AI not listed |
| E-AISIC-01 | nist.gov/.../aisic-members | 2026-04-21 | Meridian Health AI not listed |
| E-C2PA-01 | c2pa.org members | 2026-04-21 | Meridian Health AI not listed |
