For regulated verticals (HIPAA, financial services, legal), we build isolated AI infrastructure on Google Cloud using service accounts, VPCs, and restricted APIs. This gives us Vertex AI and Claude capabilities without compromising data isolation or compliance requirements.
The Compliance Problem
Some clients operate in verticals where data can’t flow through public APIs. A healthcare client can’t send patient information to Claude’s public API. A financial services client can’t route transaction data through external language models.
But they still want AI capabilities: document analysis, content generation, data extraction, automation.
The solution: isolated GCP infrastructure that clients own, that uses service accounts with restricted permissions, and that keeps data inside their VPC.
The Architecture
For each regulated client, we build:
1. Isolated GCP Project
Their own Google Cloud project, separate billing, separate service accounts, zero shared infrastructure with other clients.
2. Service Account with Minimal Permissions
A dedicated service account that can only:
– Invoke Vertex AI models (roles/aiplatform.user, or a custom role holding just aiplatform.endpoints.predict; nothing else)
– Read from and write to their specific Cloud Storage bucket (a bucket-level grant, not a project-wide storage role)
– Write to Cloud Logging (roles/logging.logWriter)
– No access to other projects, no basic Owner/Editor/Viewer roles, no IAM changes, no network modifications
3. Private VPC
The Cloud Function runs attached to the client’s VPC and reaches Vertex AI through Private Google Access, so requests travel to the regional Vertex AI endpoint (for example us-central1-aiplatform.googleapis.com) over Google’s network rather than the public internet. Vertex AI itself is a Google-managed API, not a resource that sits inside the VPC, so the boundary is enforced with a VPC Service Controls perimeter around the project: API calls from outside the perimeter are rejected, and data cannot be copied to projects outside it.
4. Vertex AI for Regulated Workloads
We use the Claude and Gemini models that Vertex AI serves (Claude via Model Garden) instead of the vendors’ public APIs. They are Google-hosted in the region the client selects and are invoked through the project’s own Vertex AI endpoint under the client’s service account. The models are not deployed into the VPC, but no request leaves Google Cloud for Anthropic’s or any other third-party API.
The Data Flow
Example: A healthcare client wants to analyze patient documents.
– Client uploads PDF to their Cloud Storage bucket
– Cloud Function (with restricted service account) triggers
– Function reads the PDF
– Function sends the document to the Claude model through the project’s regional Vertex AI endpoint, reached over Private Google Access from inside the VPC Service Controls perimeter
– Claude extracts structured data from the document
– Function writes results back to client’s bucket
– Everything stays inside the VPC, inside the project, inside the isolation boundary
The client can audit every API call and every service account action from Cloud Audit Logs, and every network flow from VPC Flow Logs. One caveat not to skip: Admin Activity audit logs are always on, but Data Access audit logs, which are the ones that record each Vertex AI prediction and each object read or write in the bucket, are off by default and must be enabled for those services before the first document is processed. Only then is the compliance visibility actually complete.
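Auditability is only useful if someone reads the logs. The following is an added example, not tooling from the original post: a small set of detection rules run over Cloud Audit Log entries in the shape Cloud Logging exports (a `protoPayload` of type `google.cloud.audit.AuditLog`). It flags the three things this design should never see: the model invoked by any identity other than the pipeline service account, the pipeline service account touching any API outside its allowlist (even when the call was denied), and any call that arrived from a public address instead of from inside the VPC. The project, bucket, account names and the sample entries are constructed for illustration; the sentinel values Cloud Audit Logs use for internal callers are an assumption from observed logs rather than a documented contract.

```python
"""Detection rules over Cloud Audit Log entries from the regulated project.

Added example, not the post's own tooling. Input is newline-delimited JSON
in the shape Cloud Logging exports (each entry carries a `protoPayload` of
type google.cloud.audit.AuditLog). The sample entries and the project,
bucket and service account names below are constructed for illustration.
"""
import ipaddress
import json

PIPELINE_SA = "doc-pipeline@acme-health-ai.iam.gserviceaccount.com"  # assumed name

# The only Google APIs the pipeline identity has any business calling.
SA_ALLOWED_SERVICES = {
    "aiplatform.googleapis.com",
    "storage.googleapis.com",
    "logging.googleapis.com",
}
# Cloud Audit Logs record a sentinel instead of an address when a call stayed on
# Google's network (values assumed from observed logs, not a documented contract).
INTERNAL_CALLER_SENTINELS = {"private", "gce-internal-ip"}
# Address space the client's VPC uses; anything else is treated as a public caller.
VPC_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def caller_is_external(caller_ip):
    """True when the request reached the API from outside the VPC and outside Google's network."""
    if not caller_ip or caller_ip in INTERNAL_CALLER_SENTINELS:
        return False
    try:
        ip = ipaddress.ip_address(caller_ip)
    except ValueError:
        return False  # unparseable; leave that to a malformed-log rule rather than guess
    return not any(ip in net for net in VPC_NETWORKS)


def evaluate(entry):
    """Return the list of rule violations for one audit log entry."""
    payload = entry.get("protoPayload", {})
    principal = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
    service = payload.get("serviceName", "")
    method = payload.get("methodName", "")
    caller_ip = payload.get("requestMetadata", {}).get("callerIp", "")
    status_code = payload.get("status", {}).get("code", 0)  # gRPC code: 0 OK, 7 PERMISSION_DENIED
    findings = []
    if service == "aiplatform.googleapis.com" and principal != PIPELINE_SA:
        findings.append(f"model invoked by non-pipeline principal {principal}")
    if principal == PIPELINE_SA and service not in SA_ALLOWED_SERVICES:
        # Denied attempts matter as much as successes: the identity is being
        # driven outside its intended role, which is what a compromise looks like.
        findings.append(f"pipeline SA called {service}/{method} (status {status_code})")
    if caller_is_external(caller_ip):
        findings.append(f"{principal} reached {service} from public address {caller_ip}")
    return findings


def scan(lines):
    """Evaluate every non-empty NDJSON line; returns (timestamp, finding) pairs."""
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        for finding in evaluate(entry):
            results.append((entry.get("timestamp"), finding))
    return results


def _entry(ts, principal, service, method, caller_ip, log="data_access", status=0):
    """Build one constructed audit log entry in the Cloud Logging export shape."""
    return {
        "timestamp": ts,
        "logName": f"projects/acme-health-ai/logs/cloudaudit.googleapis.com%2F{log}",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": service,
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": caller_ip},
            "status": {"code": status},
        },
    }


# Constructed sample log: one clean pipeline run, then two things that should page someone.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _entry("2024-05-01T10:00:01Z", PIPELINE_SA, "storage.googleapis.com", "storage.objects.get", "private"),
    _entry("2024-05-01T10:00:02Z", PIPELINE_SA, "aiplatform.googleapis.com",
           "google.cloud.aiplatform.v1.PredictionService.RawPredict", "private"),
    _entry("2024-05-01T10:00:05Z", PIPELINE_SA, "storage.googleapis.com", "storage.objects.create", "private"),
    # A developer drives the model directly from a laptop with their own credentials.
    _entry("2024-05-01T11:14:09Z", "dev@acme-health.example", "aiplatform.googleapis.com",
           "google.cloud.aiplatform.v1.PredictionService.RawPredict", "203.0.113.7"),
    # The pipeline identity tries to rewrite project IAM and is denied.
    _entry("2024-05-01T11:20:33Z", PIPELINE_SA, "cloudresourcemanager.googleapis.com",
           "SetIamPolicy", "private", log="activity", status=7),
])

if __name__ == "__main__":
    for ts, finding in scan(SAMPLE_LOG.splitlines()):
        print(ts, finding)
```

In production the same `evaluate` function would sit behind a Cloud Logging sink (for example a log-based alert or a Pub/Sub subscriber) rather than reading a file; the rules do not change. The third rule is what tells you whether the Private Google Access and perimeter story described above is actually holding: with the perimeter in place, the developer's call from a public address should appear only as a denied entry, never as a success.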
Why This Matters for Compliance
– HIPAA: Patient data stays in the client’s own project and is processed only by Google Cloud services covered under their Business Associate Agreement with Google (Vertex AI is in scope); nothing is sent to a third-party API
– PCI-DSS: Payment data stays inside their isolated environment
– GDPR: EU data can be processed in their EU GCP region
– FedRAMP: For government clients, the same pattern can be built on Google Cloud services that hold FedRAMP authorization; confirm that each service and model you intend to use appears at the required authorization level, since coverage is per service, not per cloud
The Service Account Model
Service accounts are the key to this. Instead of handing the pipeline a human’s credentials or a broad project role, we create a dedicated service account that:
1. Holds no basic roles and no project-wide data roles; its only standing grants are the three bindings listed above
2. Can only access specific resources (their bucket, their dataset)
3. Can only run specific operations (Vertex AI model invocation, reads and writes on that bucket, log writes)
4. Uses short-lived credentials: the Cloud Function runs as the service account through its attached runtime identity, so there is no downloaded key to leak, and access is revoked the moment a binding is removed or the account is disabled
5. Has every action recorded in Cloud Audit Logs under its principalEmail, so its activity is trivially separable from everyone else’s
So if the function or its credentials were compromised, the attacker could do nothing except Vertex AI calls and object reads and writes on that one bucket in that one project. Other clients’ data is out of reach because nothing is shared between projects and the perimeter blocks moving data to any project outside it.
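The permission model above (the three bindings in the architecture section and the five properties just listed) is only as good as the IAM policy that actually exists in the project, and policies drift. The following is an added example, not the post’s own tooling: a least-privilege check that takes the project policy as exported by `gcloud projects get-iam-policy PROJECT --format=json` and the bucket policy as exported by `gcloud storage buckets get-iam-policy gs://BUCKET --format=json` (both the standard IAM Policy JSON of `bindings` with `role` and `members`) and reports every grant that breaks the model. The project, account and bucket names and the sample policies are constructed; the `break_glass` allowlist is an assumed convention for a reviewed read-only exception.

```python
"""Least-privilege check for the per-client project's IAM policy.

Added example, not the post's own tooling. Both inputs are standard IAM
Policy JSON (`bindings` -> `role`, `members`) as exported by gcloud. The
project, account and bucket names, and the sample policies, are constructed.
"""
import json

PIPELINE_SA = "serviceAccount:doc-pipeline@acme-health-ai.iam.gserviceaccount.com"  # assumed name

# Project-level roles the pipeline identity may hold. roles/aiplatform.user is the
# narrowest predefined role that allows online prediction; a custom role holding
# only aiplatform.endpoints.predict would be tighter still.
ALLOWED_PROJECT_ROLES = {"roles/aiplatform.user", "roles/logging.logWriter"}
# On the bucket the pipeline reads the upload and writes the result, nothing more.
ALLOWED_BUCKET_ROLES = {"roles/storage.objectAdmin"}
# Basic roles grant thousands of permissions and void the isolation argument.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Legacy convenience members: every project Editor/Viewer silently inherits bucket access.
CONVENIENCE_PREFIXES = ("projectOwner", "projectEditor", "projectViewer")


def check_project_policy(policy):
    """Findings for the project policy: public members, basic roles, over-privileged pipeline SA."""
    findings = []
    for binding in policy.get("bindings", []):
        role, members = binding["role"], binding.get("members", [])
        for member in members:
            if member in ("allUsers", "allAuthenticatedUsers"):
                findings.append(f"{role} granted to {member}: project is publicly reachable")
            elif role in BASIC_ROLES:
                findings.append(f"basic role {role} granted to {member}")
            elif member == PIPELINE_SA and role not in ALLOWED_PROJECT_ROLES:
                findings.append(f"pipeline SA holds {role}, outside its allowlist")
    return findings


def check_bucket_policy(policy, break_glass=frozenset()):
    """Findings for the PHI bucket: anyone but the pipeline SA (and reviewed break-glass members)."""
    findings = []
    for binding in policy.get("bindings", []):
        role, members = binding["role"], binding.get("members", [])
        for member in members:
            if member == PIPELINE_SA:
                if role not in ALLOWED_BUCKET_ROLES:
                    findings.append(f"pipeline SA holds {role} on bucket, expected {sorted(ALLOWED_BUCKET_ROLES)}")
            elif member.split(":", 1)[0] in CONVENIENCE_PREFIXES:
                findings.append(f"convenience member {member} has {role}: project roles must not imply PHI access")
            elif member not in break_glass:
                findings.append(f"{member} has {role} on the PHI bucket")
    return findings


# Constructed sample: a project that has drifted from the model in three ways.
SAMPLE_PROJECT_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/aiplatform.user",
     "members": ["serviceAccount:doc-pipeline@acme-health-ai.iam.gserviceaccount.com"]},
    {"role": "roles/logging.logWriter",
     "members": ["serviceAccount:doc-pipeline@acme-health-ai.iam.gserviceaccount.com"]},
    {"role": "roles/storage.admin",
     "members": ["serviceAccount:doc-pipeline@acme-health-ai.iam.gserviceaccount.com"]},
    {"role": "roles/editor", "members": ["user:dev@acme-health.example"]},
    {"role": "roles/iam.securityReviewer", "members": ["group:compliance@acme-health.example"]}
  ]
}""")

SAMPLE_BUCKET_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/storage.objectAdmin",
     "members": ["serviceAccount:doc-pipeline@acme-health-ai.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["user:dev@acme-health.example", "group:compliance@acme-health.example"]},
    {"role": "roles/storage.legacyBucketOwner",
     "members": ["projectEditor:acme-health-ai", "projectOwner:acme-health-ai"]},
    {"role": "roles/storage.legacyBucketReader", "members": ["projectViewer:acme-health-ai"]}
  ]
}""")

if __name__ == "__main__":
    for finding in check_project_policy(SAMPLE_PROJECT_POLICY):
        print("project:", finding)
    for finding in check_bucket_policy(SAMPLE_BUCKET_POLICY, {"group:compliance@acme-health.example"}):
        print("bucket: ", finding)
```

Two of the sample findings are the ones that most often slip past a review: a project-wide `roles/storage.admin` on the pipeline identity (it makes the bucket-level grant meaningless, since the account can now read every bucket in the project) and the legacy `projectEditor`/`projectViewer` convenience bindings that buckets carry by default, which hand bucket access to anyone with a project role. Run the check from CI or on a schedule and treat a non-empty result as a compliance incident, not a warning.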
The Cost Trade-off
– Shared GCP account: ~$300/month for Claude/Vertex AI usage
– Isolated GCP project per client: ~$400-600/month per client (slightly higher due to overhead)
That premium ($100-300/month per client) is the cost of compliance. Most regulated clients are willing to pay it.
What This Enables
– Healthcare clients can use Claude for chart analysis, clinical note generation, patient data extraction
– Financial clients can use Claude for document analysis, regulatory reporting, trade summarization
– Legal clients can use Claude for contract analysis, case law research, document review
– All without violating data residency, compliance, or isolation requirements
The Enterprise Advantage
This is where AI agencies diverge from freelancers. Most freelancers can’t build compliant AI infrastructure. You need GCP expertise, service account management knowledge, and regulatory understanding.
But regulated verticals are where the money is. A healthcare data extraction project can be worth $50K+. A financial compliance project can be $100K+. The infrastructure investment pays for itself on the first client.
If you’re only doing public API integrations, you’re leaving regulated verticals entirely on the table. Build the fortress. The clients are waiting.