Healthcare agentic-AI sits across three regulatory regimes that do not compose cleanly — HIPAA on PHI handling and BAA topology, FDA software-as-medical-device guidance on clinical decision support and predetermined change control, and state medical/nursing board licensure rules placing the practitioner as the responsible party of record — and the five-control bundle of BAA-aware architecture, PCCP, clinical-judgement-of-record audit trail, on/off-switch with practitioner attribution, and breach-notification readiness is the minimum defensible architecture for any clinical agentic-AI deployment.

60-day cadence because state-board AI guidance and FDA SaMD enforcement are both moving inside the window. Status: partial — three named state-board citations (TX, CA, NY) need confirmation against exact statements before status promotes to up. NIST AI RMF Healthcare Profile date is also pending; if it lands inside the window, the calendar updates.