Security in the Age of AI: How Credential Network Builds Above and Beyond

Healthcare credentialing runs on some of the most sensitive data an organization can hold, so security is the floor Credential Network stands on, not a feature. We maintain a SOC 2 Type II report and HIPAA compliance, encrypt data with AES-256 at rest and TLS 1.3 in transit, and validate our controls continuously rather than once a year. We hold our AI to the same least-privilege standard, align to the NIST AI RMF, and are pursuing ISO/IEC 42001 — because in the age of AI, securing the model matters as much as securing the database behind it.

Luke Lisonbee, Security Engineer

Healthcare credentialing relies on some of the most sensitive data an organization can hold: provider identities, licensing records, background checks, and protected health information (PHI) associated with them. At Credential Network, that data is the foundation of everything we build. Security isn't a feature we bolted on. It's the floor we stand on.

In 2026, that floor has to keep rising. The same AI capabilities that let us automate credentialing, surface compliance risks, and give our customers their time back also reshape the threat landscape. Attackers move faster, social engineering is more convincing, and software ships at a pace that demands real-time security. Our answer is simple: build above and beyond what the industry expects, and never stop tightening.

Security and compliance at a glance

  • Compliance: SOC 2 Type II report, HIPAA compliant.
  • Encryption: AES-256 at rest, TLS 1.3 in transit.
  • AI governance: Actively aligning to the NIST AI RMF; pursuing ISO/IEC 42001 certification.
  • Endpoint and infrastructure: Endpoint detection and response; independent third-party penetration testing (Sentinel Information Security).
  • Latest pentest: Zero high- or critical-severity findings (May 2026).

A foundation of independent attestation

Trust shouldn't rest on our word. It should rest on independent verification.

SOC 2 Type II. Credential Network maintains a SOC 2 Type II report, the rigorous standard that evaluates not only whether our security controls are designed correctly, but also whether they actually operate as intended over an extended period. Type II is the harder bar, and we hold it on purpose.

HIPAA compliant. As a business associate operating in the healthcare and public health sector, we treat protected health information with the administrative, physical, and technical safeguards it demands, and we hold ourselves accountable to them every day, not just at audit time.

How we protect healthcare data at every stage

Protecting credentialing data means defending it at every stage of its lifecycle: at rest, in transit, and in use.

  • Encryption at rest: All data is encrypted using AES-256, the encryption standard trusted to protect classified information.
  • Encryption in transit: Every connection to our platform is secured with TLS 1.3, the latest and most secure version of the protocol that protects data as it moves across the internet.
  • Role-based access control: Access is governed by the principle of least privilege. People and systems can access only what their roles require, which dramatically limits what any compromised account can reach.

Continuous validation, not point-in-time checks

A certificate on a wall is a snapshot. Because security is a moving target, we validate ours continuously, across several overlapping layers:

  • Hourly compliance monitoring. Our HIPAA and SOC 2 controls are monitored continuously, with automated checks running around the clock. If any control drifts out of compliance, we're alerted within the hour, not at the next annual review.
  • Nightly cloud configuration scanning. Our cloud infrastructure is scanned every night against industry security benchmarks. If a misconfiguration appears, it triggers an immediate alert so we can correct it before it becomes an exposure.
  • Endpoint detection and response. All-in-one EDR tools monitor our endpoints in real time, automatically isolating and responding to suspicious activity.
  • Weekly internal AI-driven penetration testing. Beyond automated scanning, we run in-depth, white-box penetration tests against our own platform every week, probing it with full knowledge of its architecture. That surfaces issues a typical attacker would take far longer to find, if ever.
  • Independent third-party testing. We also bring in outside experts. We engage Sentinel Information Security, an independent firm, to probe our platform the way a real attacker would.
  • Our latest results. Our most recent independent penetration test surfaced no critical or high-severity vulnerabilities. A single medium-severity item was reviewed and confirmed to be a false positive, and the remaining low-severity observations were minor, already known to us, and handled through our standard remediation process. The pentest was completed in late May 2026.

Securing the AI itself

Credential Network builds AI directly into the credentialing workflow, and we hold our AI to the same security standard as everything else.

Our AI features operate under the same least-privilege model as the rest of the platform: they can access only the data and take only the actions required by their specific task. We actively test our AI systems for emerging risks unique to this technology, including prompt injection and other attempts to manipulate model behavior, and we design guardrails to contain them.

To guide that work, we are aligning our AI program to the NIST AI Risk Management Framework (AI RMF), the leading U.S. government framework for governing, mapping, measuring, and managing AI risk responsibly. We are also pursuing certification to ISO/IEC 42001, the first international standard for AI management systems. As AI becomes a core pillar of healthcare delivery, securing the model is just as vital as securing the database behind it.

Building toward the strongest frameworks available

Beyond our attestations, we are actively working toward full alignment with the NIST Cybersecurity Framework 2.0, the most current version of the gold-standard framework for managing cybersecurity risk, spanning Govern, Identify, Protect, Detect, Respond, and Recover. To do this rigorously rather than on paper, we've built internal tooling that continuously maps our controls against the framework's requirements, so we always know exactly where we stand and where we still have work to do.

Security is a discipline, not a department

Tools and certifications only matter if people stand behind them. At Credential Network, security is staffed and funded like the priority it is:

  • A dedicated, full-time security function. Even as an early-stage company, we staff dedicated, full-time security engineering roles where the entire job is protecting our platform and our customers' data. That level of investment is rare for a company our size, and it's a deliberate choice about what we value. Our engineers build with security in mind at every step, and that dedicated function owns the program: continuously testing, hardening, and holding us to our frameworks.
  • Whole-company security training. Everyone at Credential Network completes ongoing security awareness training, reinforced by regular internal phishing simulations that keep our people sharp against the social-engineering attacks behind most breaches.
  • Tested incident response. We maintain documented incident response plans and rehearse them through regular tabletop exercises, so that if something does go wrong, we respond with a practiced plan rather than improvising under pressure.
  • Security testing in the pipeline. Every code change is automatically scanned before it ships: static analysis (SAST) for code-level flaws, dependency and software-composition scanning for known-vulnerable libraries, and secret scanning to catch credentials before they reach a repository. Security runs on every commit, not as a gate at the end.

Our commitment

Security in the age of AI is not a destination. It's a discipline. The threats will keep evolving, and so will we. We will keep testing, keep tightening, and keep raising the bar above what's expected, because the providers and organizations who trust us with their data deserve nothing less.

To learn more about our certifications, controls, and current security posture, visit our Trust Center.

Have questions about how Credential Network protects your data? Reach out to us at security@credentialnetwork.com.