ATO scoping + NIST AI RMF mapping
Authorization boundary defined. SSP template aligned to FedRAMP-aware controls. Equity assessment plan drafted with the agency.
Pilot in the authorized environment
Real eligibility cases triaged with the AI. Disposition speed and equity-disaggregated approval rates measured weekly.
ATO package + statewide rollout
SSP, SAR, POA&M assembled. Internal authorizer sign-off. Production at scale across all eligibility intake channels.
Monitoring
Monthly equity and drift review. Year-two scope expanded to renewals and appeals.
The challenge

A US state Medicaid agency was disposing of about 280,000 applications and renewals a year at a 14-day mean from receipt to decision, and it was under federal scrutiny for the backlog. Public Health Emergency unwinding had pushed caseload up 23% over 18 months. Headcount stayed flat. Caseworker overtime had become a line item the legislature asked about in the prior session.
The agency had federal authority to use AI to assist eligibility determinations, not to make them. It needed something that moved disposition time while satisfying three regimes at once: NIST AI Risk Management Framework documentation, HIPAA Security and Privacy Rule obligations on protected health information, and the state's own AI governance review board. That board had killed an unrelated AI proposal six months earlier on documentation grounds, so the agency knew exactly how high the bar sat.
Rockmere came in as AI delivery lead under the prime systems integrator running a broader Medicaid platform modernisation, with the determination copilot as our sub-track. This Medicaid eligibility AI case study describes how that copilot reached production in 14 weeks with a complete NIST AI RMF documentation package, and how the 42% faster disposition was earned without a single caseworker-free path through the application flow.
The constraints
This was the most regulated build in any case study we publish. Six hard constraints shaped every architectural decision.
- NIST AI Risk Management Framework, all four functions. Govern, Map, Measure, and Manage each had to produce evidence artefacts before the state's AI governance review board would approve deployment. The framework is voluntary; the board's interpretation of it was not.
- HIPAA Security Rule and HIPAA Privacy Rule. Applications include protected health information. The Business Associate Agreement between the agency, the prime SI, and Rockmere had to cover model training data, inference logs, and retention. Technical safeguards (access control, audit controls, integrity, transmission security) had to be demonstrated against the agency's existing HIPAA implementation.
- Federal CMS rules on Medicaid eligibility determinations. AI could pre-screen and surface evidence. AI could not make the determination. Every disposition required a documented human decision. The system had to make this structural, not procedural.
- State AI governance review board. A six-member board with veto power. It had already killed a prior AI proposal on documentation grounds. The board needed to be a co-sponsor by week two, not a reviewer at week thirteen.
- Prime SI program reality. We were a sub on a multi-vendor program. Our scope was the AI determination copilot; the prime ran the broader platform modernisation. Co-location and integration discipline mattered more than independent technical heroics.
- Caseworker change-management posture. Caseworkers were veteran practitioners who had lived through three prior eligibility-system rollouts. Any new tool had to earn adoption, not be mandated. Two of the strongest critics joined the design team in week six.
Our approach
State Medicaid eligibility AI · NIST AI RMF package
We mapped NIST AI RMF to build deliverables in week one, not as end-of-project paperwork. Each framework function (Govern, Map, Measure, Manage) became a line item in the engagement plan. Risk classification of the use case (high-impact, because it touches benefits determinations) was done in week one, before any modeling. The state's AI governance review board joined as a stakeholder in week two and reviewed the design at every milestone. The board chair's question in that week-two session, "Where exactly does the caseworker make the decision?", shaped the next twelve weeks of architectural work.
Human-in-the-loop is the core architecture here, not a retrofit layer. The AI pre-screens applications, retrieves applicable policy, surfaces evidence, and proposes a likely disposition. The caseworker reviews, accepts or overrides, and makes the actual determination. The governance board required this explicitly, so we wrote it into the system in a way that cannot be bypassed: there is no caseworker-free path through the application flow. The audit log records the caseworker's decision, the AI's suggestion, and the override (if any) for every application.
Retrieval over the policy library, not just over applications. Medicaid eligibility is deeply nested federal-plus-state policy with citations down to subsection level. We built retrieval that pulls applicable policy citations alongside the application data, so the caseworker sees the policy basis for each suggested disposition. The state's compliance counsel had one non-negotiable: every AI-assisted decision had to surface its policy basis. The retrieval layer is how we met that. The same retrieval-architecture pattern is detailed for a different regulatory context in our bank fraud investigation copilot case study, where the policy library was bank fraud policies under SR 11-7.
Audit trail at federal-evidence standard. Every retrieval, every suggested disposition, every caseworker override gets logged with timestamps, model version, retrieval results, and reasoning chain. Because the retrieval results include application data, the log itself contains protected health information and sits inside the BAA terms on inference logs and retention described above. The audit trail meets the standard the agency uses for OIG audit response and for HIPAA audit log retention. The compliance counsel reviewed and approved the log schema in week six. The schema is now reusable across the state's other AI initiatives.
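The two design rules above (no caseworker-free path to a disposition, and a log that records suggestion, decision and override for every application) are the kind of thing worth enforcing in code rather than in process. The following is an added illustration of that pattern, not the agency's, the prime SI's or Rockmere's code. Every name, field and threshold in it is an assumption; the hash chaining over the log is an added example of a HIPAA integrity safeguard, and the page does not say the real log is chained. The sample application, citations and caseworker ID are constructed.

```python
"""Illustration only: human-in-the-loop disposition with a tamper-evident audit log.
Not the production system described on this page; all identifiers are assumptions."""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class AISuggestion:
    """What the copilot produces. Fields mirror the items the page says get logged."""
    application_id: str
    model_version: str
    suggested_outcome: str             # e.g. "approve" / "deny" / "request_info"
    confidence: float                  # 0.0-1.0, displayed to the caseworker
    policy_citations: tuple[str, ...]  # retrieved policy basis (constructed IDs below)
    evidence_summary: str


@dataclass(frozen=True)
class CaseworkerDecision:
    caseworker_id: str
    outcome: str
    rationale: str


class PolicyBasisMissing(Exception):
    """A suggestion with no policy citation is never shown to a caseworker."""


class AuditLog:
    """Append-only, hash-chained log: each entry commits to the previous entry's hash,
    so editing or deleting any earlier record breaks verify(). (Assumed design.)"""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(prev_hash: str, body: dict) -> str:
        canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + canon).encode()).hexdigest()

    def append(self, event: str, payload: dict, ts: Optional[str] = None) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "event": event,
            "payload": payload,
            "prev_hash": prev,
        }
        entry = {**body, "hash": self._digest(prev, body)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev_hash"] != prev or self._digest(prev, body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def present_suggestion(s: AISuggestion, log: AuditLog) -> AISuggestion:
    """Gate in front of the caseworker UI: refuse any suggestion with no policy basis."""
    if not s.policy_citations:
        raise PolicyBasisMissing(s.application_id)
    log.append("suggestion", asdict(s))
    return s


def needs_priority_review(s: AISuggestion, threshold: float = 0.7) -> bool:
    """Low confidence or a wide policy basis as complexity signals (thresholds assumed)."""
    return s.confidence < threshold or len(s.policy_citations) > 3


def dispose(s: AISuggestion, d: CaseworkerDecision, log: AuditLog) -> dict:
    """The only function that produces a disposition. It requires a CaseworkerDecision
    by signature, so there is no code path from an AISuggestion alone to a decision."""
    if not isinstance(d, CaseworkerDecision):
        raise TypeError("a disposition requires a caseworker decision")
    record = {
        "application_id": s.application_id,
        "model_version": s.model_version,
        "ai_suggested": s.suggested_outcome,
        "ai_confidence": s.confidence,
        "policy_citations": list(s.policy_citations),
        "caseworker_id": d.caseworker_id,
        "decision": d.outcome,
        "override": d.outcome != s.suggested_outcome,
        "rationale": d.rationale,
    }
    log.append("disposition", record)
    return record


if __name__ == "__main__":
    # Constructed sample: one application, one suggestion, one caseworker override.
    log = AuditLog()
    s = AISuggestion("APP-0001", "elig-copilot-1.4", "approve", 0.86,
                     ("FED-POLICY-435-1", "STATE-MANUAL-3.2.1"), "Income below threshold")
    present_suggestion(s, log)
    rec = dispose(s, CaseworkerDecision("cw-017", "request_info", "Pay stub outside window"), log)
    print(rec["override"], needs_priority_review(s), log.verify())
```

The point of the shape is that `dispose` cannot be called without a `CaseworkerDecision` and `present_suggestion` cannot surface a suggestion without a citation, so the two counsel and board requirements are properties of the API rather than of a procedure someone has to remember to follow. The chained hash is one cheap way to make the log tamper-evident; a production deployment would anchor the chain head somewhere the application tier cannot write to.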
What we delivered
An AI-assisted eligibility determination copilot integrated with the state's existing Medicaid platform. The system:
- Pre-screens applications and surfaces applicable federal + state policy citations
- Retrieves prior similar dispositions for caseworker reference
- Suggests likely outcome categories with explicit confidence levels
- Flags applications for higher-priority caseworker attention based on complexity signals (every application still gets a caseworker decision)
- Generates evidence summaries for caseworker review (caseworker confirms or revises before disposition)
- Logs every step to the audit system in federal-evidence-grade format
The system was rolled out initially to 28 caseworkers in a pilot region, then expanded statewide after the 90-day pilot review.
Plus the complete NIST AI RMF documentation package: risk classification memo, impact assessment, performance characterisation report, monitoring plan, exception handling protocol, and the ongoing-monitoring infrastructure to satisfy NIST AI RMF Manage function requirements. The package was reviewed and approved by the state's AI governance review board in a single cycle. The agency's named CTO designee owns the documentation library going forward.
The result
| Metric | Baseline | After 90 days production | Change |
|---|---|---|---|
| Mean time to disposition | 14.0 days | 8.1 days | −42% |
| Caseworker daily disposition rate | 7.3 | 11.4 | +56% |
| Disposition appeal rate | 6.1% | 5.4% | −11% |
| Caseworker reported workload pressure (survey, 1–5) | 4.2 | 3.1 | −1.1 points |
Mean disposition time fell from 14.0 days to 8.1 days, a 42% reduction, while the appeal rate dropped 11% rather than rising. The state used the 90-day production data as the post-deployment monitoring evidence the NIST AI RMF Manage function requires. The appeal-rate reduction was the metric the AI governance board chair cited as decisive. The disposition-rate improvement was the one the CMS reviewer cited in the agency's next quarterly check-in.
Engagement timeline
| Week | Workstream |
|---|---|
| Week 1 | Co-located in the prime's program room. Pulled 18 months of disposition data. Risk-classified the use case as high-impact and wrote the classification memo to the governance board. |
| Week 2 | Governance board onboarding session. Walked them through the proposed architecture and the RMF mapping. Board chair asked the decision-point question that shaped the workflow diagram. |
| Weeks 3–5 | Hybrid retrieval architecture over policy library plus application corpus. Evaluation harness wired to 1,200 historical disposition pairs. HIPAA technical safeguards mapped against existing implementation. |
| Weeks 6–8 | Caseworker workflow co-design with four caseworkers from two different regions. One spent three sessions arguing against the suggested-disposition feature. She lost on the feature but won on the confidence-level display, which became the version released. Audit log schema approved by compliance counsel in week 6. |
| Weeks 9–11 | Pilot deployment to 28 caseworkers. In-production iteration. First appeals data came in at week 11 and showed no regression. |
| Weeks 12–13 | AI governance board formal review and approval. Statewide rollout planning with the prime SI. |
| Week 14 | Rollout begins. Operational handoff to the state's IT team and the prime SI. |
What survived past our engagement
Five artefacts now belong to the agency and the state.
- The NIST AI RMF documentation template. Adopted as the state's standard for subsequent AI initiatives. The state CIO's office uses it as the gating artefact for any new agency AI proposal.
- The retrieval-over-policy-library pattern. Being applied to two adjacent state agencies for benefits, licensing, and permitting decisions.
- The audit log schema. Signed off by compliance counsel and reusable across agencies. Meets HIPAA audit-log retention requirements and OIG audit-response standards.
- A named owner with budget. A designee inside the agency's CTO office owns the documentation library and the ongoing-monitoring spend. The escalation tree is written and tested.
- The "co-sponsor from week one" pattern. The state's AI governance review board has formalised this for future AI proposals. New initiatives that don't bring the board in by week two now get flagged at intake.
The state CTO has since cited the agency's AI governance board as a pattern at two national state-government CIO summits. The NIST AI RMF credential behind our delivery on this engagement (a named trainer on the Rockmere team) is detailed on our credentials page.
Where this fits
This engagement is canonical for our Public Sector practice: sub-contracted under a prime SI, with our contribution being AI delivery depth and NIST AI RMF fluency. The retrieval architecture is described in detail in RAG Systems. The build pattern is documented in AI Transformation.
The same regulatory-first build pattern appears in our bank fraud investigation copilot case study (SR 11-7 instead of NIST AI RMF) and in our CPG demand planning AI case study (SAP IBP and SOX integration). If you have a benefits, licensing, permitting, or eligibility AI initiative stalled in governance review, get in touch. We have specific experience with NIST AI RMF, FedRAMP, HIPAA, and state-level AI governance review boards.