Veklom  ·  Field Notes  ·  Policy

Why SaaS AI Tools Cannot Serve Regulated Buyers

Policy April 26, 2026 9 min read By Veklom Engineering

The current generation of AI infrastructure vendors is built on a structural assumption that fails the moment a Tier-1 bank's CISO or a 500-bed hospital's compliance team opens the procurement form. This is not a feature gap. It is an architectural one.

YOUR PERIMETER · VPC / ON-PREM / GOVCLOUD Veklom Gateway Audit + Policy Postgres · Redis · Object Store EGRESS OpenAI / Anthropic Local Ollama / vLLM FIG. 1 · SOVEREIGN PERIMETER

The Assumption That Breaks

Every venture-funded AI infrastructure company in 2024–2026 ships a SaaS product. Portkey, Helicone, LangSmith, LangFuse, Braintrust, Arize, Weights & Biases, Vellum — every single one assumes the customer is comfortable with a third party seeing their model traffic. Their architectures route requests through vendor-controlled infrastructure. Their billing is per-call or per-seat. Their compliance posture is a hosted SOC 2 report and a generic Data Processing Addendum.

That assumption holds for technology companies, consumer applications, and the long tail of startups. It does not hold for the 4,000+ hospitals subject to HIPAA, the 4,400 banks under prudential supervision in the United States, the 12,000 firms holding CMMC certification for defense work, or the 27 EU member states subject to GDPR Article 28's processor-controller distinctions. For these institutions, the SaaS posture is not a friction point. It is a categorical disqualifier.

Three Procurement Reviews That Killed Three Deals

We have transcripts of vendor risk-management interviews from buyers across three sectors. The questions are not the same, but the failure mode is.

Tier-1 US bank, regulated under OCC supervision

The third-party risk team's first question was not about features. It was: "Walk me through the data flow when one of our analysts asks the chatbot to summarize a credit memo." The answer for a SaaS AI gateway is, inevitably, that the prompt traverses the vendor's network, is logged in the vendor's storage, may be sampled for telemetry, and is — under the vendor's standard terms — subject to subpoena under the vendor's home jurisdiction, not the bank's.

That answer ends the procurement. Not because the vendor is malicious. Because the bank's third-party risk framework treats any vendor with logical access to non-public information as an extension of the bank's own attack surface. The bank cannot assert to its examiners that a SaaS vendor's incident response, key management, and personnel screening are equivalent to its own without conducting an audit the vendor will never permit at the depth required.

500-bed academic medical center, US

HIPAA permits the use of business associates. A Business Associate Agreement (BAA) is signable. Several SaaS AI vendors will sign one. The agreement is not the obstacle.

The obstacle is the second question: "Where exactly is the PHI when the model generates its response?" If the answer involves any vendor-controlled compute, the hospital's CISO must be able to demonstrate to OCR auditors — in the event of a breach anywhere in the vendor's cloud — that the breach assessment, notification timeline, and remediation are governed by the hospital's policies, not the vendor's. Modern SaaS architectures do not separate cleanly enough to make that case stand up.

Mid-tier defense contractor, CMMC Level 2

The Department of Defense's Cybersecurity Maturity Model Certification framework requires that controlled unclassified information (CUI) remain inside the contractor's authorization boundary. A SaaS AI tool with logging, telemetry, or any form of vendor-side persistence puts CUI into a data store outside the boundary. That is a finding. A single finding at Level 2 disqualifies a contract bid for as long as it remains open.

The contractor was willing to pay 4× the SaaS list price to avoid that finding. No SaaS vendor could meet the requirement without re-architecting their product into something that is, by definition, no longer SaaS.

“A vendor cannot sell into our environment if their compliance posture is a contract clause. We need an architectural answer, not a legal one.”
— CISO, Tier-1 US bank (transcribed, anonymized)

The Procurement Math

The structural disqualifier shows up in three measurable ways during procurement. We have data from 14 enterprise AI evaluations conducted between Q3 2025 and Q1 2026. The pattern is consistent enough to chart.

Days from RFP Issued to Signed Contract N=14 ENTERPRISE AI EVALUATIONS · 2025-Q3 THROUGH 2026-Q1 0 90 180 270 360+ ~38 SAAS / TECH ~140 SAAS / HEALTH ~280+ SAAS / BANK no signal SAAS / DEFENSE
Fig. 2 — Median procurement cycle by buyer regulatory class. SaaS AI vendors close in tech but the curve flattens to non-viability under prudential and CMMC supervision.

The data is not surprising to anyone who has run an enterprise procurement. What is surprising is how few AI vendor pitch decks acknowledge it. Most slides assume the buyer's friction is education, not architecture. They are wrong.

The Architectural Alternative

If SaaS is structurally disqualified, the alternative is not "SaaS with extra audit logs." The alternative is software the buyer operates inside their own perimeter — what we call sovereign AI infrastructure. Three architectural properties define it:

  1. The vendor never has logical access to runtime data. The model traffic, the prompts, the embeddings, the audit log — none of it leaves the buyer's perimeter without an explicit, logged, policy-controlled action by the buyer.
  2. The compliance boundary is the buyer's authorization boundary. The vendor sells software. The buyer operates infrastructure. SOC 2, HIPAA scope, FedRAMP boundary, CMMC enclave — all defined by the buyer's existing controls, not the vendor's hosted offering.
  3. Outbound calls to third parties are explicit, configurable, and disable-able. An air-gapped operating mode is not a feature flag. It is an architectural property: there is no code path that initiates network traffic outside the configured allow-list.

This is the architecture Veklom ships. Multi-LLM gateway, multi-tenant RBAC, audit logging, GDPR endpoints, Stripe-integrated billing, ML lifecycle for cost and quality predictors — all of it deployable into the buyer's VPC, GovCloud, on-prem Kubernetes, or fully air-gapped enclave. The same source-available codebase the SaaS vendors won't ship, hardened to the threat model the SaaS vendors won't acknowledge.

What This Means for Buyers

If you are evaluating AI infrastructure for a regulated environment, the question is not "which SaaS is the most secure." The question is whether the vendor's commercial model can survive the answer to your third-party risk questionnaire. For most of them, the answer is no — and the procurement will end three months in, after both sides have invested significant time pretending the architecture might bend. It will not.

The faster path is to pre-filter for architecture. If the vendor's product is structurally incapable of running inside your perimeter without a permanent network egress to their cloud, the conversation is over before it starts. The remaining set is small. Veklom is in it.

If you are building this internally instead — and many of the largest banks and hospitals are — we have a separate piece on what that build looks like, what it costs, and where the integration debt lives. Read it next.

Evaluating AI infrastructure for a regulated environment?

We will not waste your time pretending we are something we are not. If your perimeter requires sovereign deployment, we are built for that. If it does not, we will say so on the first call.

Schedule a 30-minute review →