Preventing the Risks AI Ships: Healthcare Organization Achieves 80% Risk Elimination with Guardian Agent
Research, Technical
Published June 24 2026 · 5 min. read
Healthcare has been the most expensive industry to suffer a data breach for twelve years running. [IBM’s 2025 Cost of a Data Breach Report](https://www.ibm.com/reports/data-breach) puts the average healthcare incident at $7.42 million, and these breaches take 279 days on average to find and contain, longer than in any other sector. Sensitive data – patient records, claims, and identifiers regulated end to end under HIPAA and HITECH – is costly to defend, and costlier to salvage when a breach does occur. AI is a driving factor of this growing challenge. Coding agents like Claude Code let teams ship roughly 5x as much code with the same headcount, which for an organization pressured to modernize and ship is closer to a baseline than a choice. The same development carries roughly 10x the risk, a surge of SAST, SCA, secrets, IaC, and API exposures arriving faster than review built for human-paced commits, much of it ungoverned; IBM found that 97% of AI-related breaches hit organizations without proper AI access controls and 63% had no AI governance policy. Detection struggles to keep up. Scanning code after it is written assumes the vulnerable code already sits in the repository waiting to be found, and at AI velocity the backlog grows every sprint. The model that scales can prevent risk before it enters the codebase, and automatically fix what remains. That is what **Apiiro Guardian Agent** does, and we ran a proof of concept to measure it. ## The POC: 80% of risk prevented We used a Fortune 500 healthcare organization’s high-business-impact codebase (Java 11, Spring Boot, Azure DevOps) to evaluate our effectiveness. Using their existing agentic architecture (Claude Code), we did the same work twice leveraging the same input prompts, once on its own, and once with Guardian Agent’s Secure Prompt in the loop. Model, repository, and tasks were identical, so the only variable was Apiiro. Guardian **prevented 80% of risks**. Extrapolated out to a year of savings, that’s nearly **$15M saved on the cost of detection.** - That breaks down to 4 of 5 critical and 12 of 15 medium-severity risks neutralized at write-time, with Secure Prompt enriching all ten prompts using 56 signals from the customer’s own architecture. - In each case the vulnerable code was never written, so there was nothing to catch, triage, or fix later. **Sample Risk Prevention:** The agent was asked to add an endpoint that deserialized a YAML body, **a common route to remote code execution**, and on its own Claude Code wrote the vulnerable version. With Secure Prompt active, Apiiro recognized the route handled PII and prepended the missing controls before generation, reusing existing Spring Security authentication, restricting authorization, enforcing a strict YAML schema with a safe loader, and redacting and logging the sensitive fields. The RCE path and the PHI exposure both closed at write-time, with the original prompt untouched.
Without Guardian Agent
Add a POST /aps/v1/entitlements/bulk-import/config endpoint that accepts a YAML body. Add org.yaml:snakeyaml. Deserialize into a Map<String, Object> so we can handle arbitrary config keys.
Critical YAML deserialization → remote code execution on the RAPService host.
With Guardian Agent Secure Prompt
Original prompt unchanged. Apiiro enriches the prompt with context derived from Data Fabric, Software Graph (code to runtime) and Risk Graph with organizational policies.
Powered by AppSec Data Fabric
- Authentication. Reuse Spring Security from WebSecurityConfig.
- Authorization. Reuses AuthorizationService to centralize authorization control. Restrict to authorized configurators.
- Input validation. Strict YAML schema, block arbitrary objects.
- Data storage. SnakeYAML safe-loader; parameterize via JPA.
- PII protection. hasPiiData = true; redact + audit-log.
- Error & logging. Reuse Util Logging; filter sensitive values.
- Compliance. Application is PCI DSS v4 compliant and deployed in GCP NE Cluster.
- Compensating controls. Application is protected by Akamai WAF and Palo Alto Prisma.
Critical YAML deserialization prevented before code exists.
## Two layers combine to create prevention with defense in depth Guardian prevents risk in two layers, neither of which changes how developers work; the same IDE, prompts, and model apply, inside Copilot, Cursor, and Claude. 1. **Secure Prompt** runs before code is generated. When a developer hands a free-form task to a coding agent, Apiiro classifies the intent, consults the customer’s Software Graph and Risk Graph, and prepends concrete, repo-grounded security requirements to the prompt, so the vulnerability is never generated. 2. **AutoFix** runs before commit, a pre-commit scan that catches what Secure Prompt does not, mainly vulnerable open-source dependencies and leaked secrets, before they reach source control. This works because the model is grounded, not merely capable. A frontier model alone is not production-grade for security; it needs deterministic scaffolding, which in Apiiro is the **AppSec Data Fabric**. - **The Software Graph** maps every micro-service, API, asset, and sensitive route from code to runtime. - **The Risk Graph** reasons over first-party code, third-party code, and threat intelligence in real time, correlating and prioritizing what matters to the business. Guardian runs several models that check one another rather than trusting any single output, and teams can bring their own; every signal Secure Prompt cited in the POC traces back to a file, a line, and the policy that fired.
Frontier Models
Multi-LLM · LLMs as judges of each other · Bring your own model
Data Fabric
Software Graph
Every API, asset, and sensitive route, mapped code-to-runtime and kept current.
Risk Graph
Maps signals from any tool to the customer's software graph to prioritize business risks using org policies.
Why this is hard to build
- AI-native by construction. Every layer is built to ground a model, not a dashboard.
- Trust no single LLM. LLMs judge each other across the stack. Independent scoring.
- BYOM-ready. Bring your own model: Apiiro grounds whatever you trust.
- Deterministic, not scraped. The same Data Fabric produced the 80% prevention rate above.
## ROI results that move the healthcare business We measured every detection as costing approximately **$78**: derivative of the cost of triaging, fixing, reviewing, testing, and redeploying at a total rate of $26 per hour. Prevention, meanwhile, costs nothing. The gap compounds at scale. On a codebase with 240,000 findings per year, preventing 80% of security findings saves an organization nearly **$15M.**
Detect
~$78 per finding — 2 hours triage + 1 hour fix at $26/hour.
- Generated.
- Triaged.
- Fixed.
- Reviewed.
- Tested.
- Redeployed.
Backlog still grows ~150% YoY. No risk reduction. No cost reduction. Not audit-ready.
Prevent
~$15M yearly cost saving — 240k findings/year × $78 per finding × 80% prevention rate.
- Never generated.
- Never triaged.
- Never fixed.
- Never reviewed.
- Never tested.
- Never redeployed.
Risk reduced. Costs reduced. Audit-ready.
A flaw caught late in a PHI system costs far more than one caught early, and prevention removes it from the curve entirely. For a healthcare organization that means fewer reactive remediation cycles and a smaller window in which a PHI-exposing flaw can exist at all, with the developer workflow untouched and an audit trail behind every decision. We have measured this 80% across multiple healthcare codebases, but the mechanism behind it can apply to any codebase, any agent, any industry. The same Secure Prompt and AppSec Data Fabric that produced those results ground every Guardian action against your own architecture, policies, and sensitive data, so prevention runs on your real context rather than a generic ruleset. *To see the prevention rate Guardian Agent can reach on your repositories, [book a demo.](https://apiiro.com/demo)*
Timothy Jung