Editorial illustration: a stack of compliance documents resting beneath a single transparent governance shield with audit ledger lines flowing along the lower margin.

If a regulator subpoenas our chat logs six months from now, can we hand them a tool-level trace — which retrieval tool fired, which policy version was in force at that exact moment, which document chunks were returned, and which got redacted before the model ever saw them?

That's the question. Not "how good is the search." Not "does it have a Slack connector." The audit-trail question is what kills or closes Glean deals in healthcare, financial services, and the public sector right now, and it's why the regulated-industries shortlist looks different from the rest of the enterprise market.

Disclosure. This article is published by ASCENDING, an AWS Advanced Consulting Partner (founded 2018, Fairfax VA) that builds the Jarvis AI Agent platform — including the MCP Gateway and Jarvis Registry discussed below. We compete with Glean in some accounts. We've tried to keep the regulatory facts straight; the recommendation is ours.

What changed in 2025 and 2026

Glean is a strong product. Series F at roughly $7.2B in 2025, SOC 2 Type II in pocket, real customers in pharma and insurance. None of that's in dispute. The dispute is whether a retrieval-augmented assistant designed around a closed connector model can produce the evidence a HIPAA auditor, an FFIEC examiner, or a FedRAMP sponsor now expects.

Three things shifted the bar:

  1. MCP went to the Linux Foundation on December 9, 2025. The protocol stopped being an Anthropic side project and became the substrate the major agent platforms assume you speak: AWS AgentCore Gateway (GA October 13, 2025) and Azure AI Foundry (GA June 16, 2025) both expose tools over it.
  2. RFC 8707 resource indicators became mandatory in MCP on March 15, 2026. Under RFC 8707 the client names the resource it intends to call (the resource parameter it sends to the authorization server), the issued access token's audience is bound to that resource, and the resource server must check that the audience names it and refuse the token otherwise. Token replay across tools is therefore a spec-level violation. If your agent stack cannot prove the access token it presented was bound to the specific resource it was talking to, you have a finding.
  3. ISO/IEC 42001 (the AI management system standard, published 2023) and NIST AI 600-1 (the Generative AI Profile of the AI RMF) both pushed inventory and per-call governance from "nice to have" into the column auditors check first. The EU AI Act's Annex IV technical documentation list reads almost like a per-call log schema.

A platform built before any of that — and Glean's architecture predates all of it — has to bolt audit on. A platform built around an MCP gateway can emit it natively.

Healthcare: HIPAA, BAAs, and the data-residency footnote

Healthcare buyers ask two questions in the first meeting. Will you sign a Business Associate Agreement that covers the AI workload, not just storage? And where, physically, does the embedding inference run?

Glean will sign a BAA. Good. The harder question is BAA scope — specifically whether the agreement covers the LLM inference path, the embedding model, and any third-party reranker. We've watched BAA negotiations stall for ten weeks on exactly that point. Glean's hosted architecture also makes the residency answer awkward when a hospital system is on Epic in a state that has its own health-data localization rule on top of HIPAA.

Where Glean falls short for HIPAA buyers:

  • PHI redaction is applied to results after retrieval rather than enforced as a policy bound to the tool call, so the model can see what came back and the log cannot show, per call, what was removed before it did. That's a per-call audit gap.
  • BAA scope is negotiable but uneven. Some sub-processors are inside; some aren't. Read carefully.
  • Connector-level access control, not tool-level. You can scope Glean to a SharePoint site. You can't scope it to "this clinical-notes retrieval, only when the requesting agent presents a token bound to this resource."

A Jarvis Registry deployment closes those gaps three ways. PHI policies attach to the tool in the registry, not the user session, so de-identification fires before any retrieval result enters model context. The MCP Gateway emits a per-call record that includes the policy snapshot in force at the moment of the call — same call, replayed an hour later under a new policy, looks different in the log, and you can prove it. And BAA scope is contractual at the ASCENDING level, covering the inference and embedding paths together. Fair warning: the Jarvis native connector catalog is narrower than Glean's. If you need 70 SaaS sources out of the box, that gap matters.

Financial services: FFIEC, the SEC, and classification at retrieval time

The FFIEC IT Examination Handbook's third-party section now reads, in practice, as if it were written about AI vendors. Examiners are asking for data-classification evidence at the retrieval step — meaning, when a Jarvis AI Agent or any other agent pulled the document, was it tagged Confidential, was the tag honored, did the response surface a citation that respects the tag.

Glean does data classification well at the index level. The gap is at the call boundary. SEC Rule 17a-4 and FINRA 4511 expect records that prove which underlying tool was invoked and what was returned. A Glean response that fans out across six connectors and synthesizes an answer is hard to decompose into 17a-4-shaped records after the fact. Banks we've talked to ended up writing custom log shippers to reconstruct that chain. Not impossible. Not cheap.

This is where the MCP-gateway architecture earns its keep. Every tool call passes through the MCP Gateway as a discrete event. Each event carries: the calling agent identity, the resource indicator (RFC 8707) the access token was bound to, the policy version, the tool name and version, the redaction rules applied, and the response hash. That's the artifact a Series 24 supervisor needs when the SEC asks how the desk's research assistant came up with a number. It's also the artifact your model-risk-management team needs under SR 11-7 to show the model wasn't fed restricted data.
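As an added example, and not ASCENDING's or Glean's code, here is one way to build the per-call record described above so that it holds up later: each entry is hash-chained to the previous one, the policy in force is stored by content hash so the exact policy text can be produced on demand, and a verification walk detects any edit to the log. The field names, the agent identifier, the tool name, the policy documents and the sample responses are all assumptions constructed for illustration.

```python
import hashlib
import json


def canonical(obj) -> bytes:
    """Deterministic JSON so the same content always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class AuditLedger:
    """Append-only, hash-chained per-call audit log (assumed design, not Jarvis's).

    Each entry commits to the hash of the previous entry, so editing or dropping
    a record breaks every hash after it. Policy documents are kept by content
    hash so the exact policy text in force at call time can be produced later.
    """

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []
        self.policies = {}  # policy snapshot hash -> full policy document

    def record_call(self, *, ts, agent, resource, tool, tool_version,
                    policy, redactions, request, response) -> dict:
        snapshot = sha256_hex(canonical(policy))
        self.policies.setdefault(snapshot, policy)
        body = {
            "ts": ts,
            "agent": agent,               # calling agent identity
            "resource": resource,         # RFC 8707 resource indicator the token was bound to
            "tool": tool,
            "tool_version": tool_version,
            "policy_version": policy["version"],
            "policy_snapshot": snapshot,  # hash of the full policy in force at this call
            "redactions_applied": redactions,
            "request_hash": sha256_hex(canonical(request)),
            "response_hash": sha256_hex(canonical(response)),
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else self.GENESIS,
        }
        entry = dict(body, entry_hash=sha256_hex(canonical(body)))
        self.entries.append(entry)
        return entry

    def policy_for(self, entry: dict) -> dict:
        """Reproduce the policy that governed a call, a year later if need be."""
        return self.policies[entry["policy_snapshot"]]

    def verify(self) -> tuple:
        """Walk the chain; return (True, n) or (False, index of the first bad entry)."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["prev_hash"] != prev or sha256_hex(canonical(body)) != entry["entry_hash"]:
                return False, i
            prev = entry["entry_hash"]
        return True, len(self.entries)


def demo() -> dict:
    """Same request under two policy versions, then a simulated log edit (all inputs constructed)."""
    ledger = AuditLedger()
    policy_v1 = {"version": "phi-v1", "rules": []}
    policy_v2 = {"version": "phi-v2", "rules": ["mask:mrn", "mask:dob"]}
    request = {"query": "discharge summary for encounter 4471"}
    common = dict(agent="agent-research-1", resource="https://tools.example/clinical-notes",
                  tool="clinical_notes.search", tool_version="1.4.0", request=request)
    e1 = ledger.record_call(ts="2026-04-01T10:00:00Z", policy=policy_v1, redactions=[],
                            response={"chunks": ["MRN 123456, DOB 1970-01-01, ..."]}, **common)
    e2 = ledger.record_call(ts="2026-04-01T11:00:00Z", policy=policy_v2,
                            redactions=["mask:mrn", "mask:dob"],
                            response={"chunks": ["MRN [REDACTED], DOB [REDACTED], ..."]}, **common)
    valid_before, _ = ledger.verify()
    ledger.entries[0]["response_hash"] = "00" * 32  # someone edits the log after the fact
    valid_after, first_bad = ledger.verify()
    return {
        "same_request_hash": e1["request_hash"] == e2["request_hash"],
        "policy_snapshot_differs": e1["policy_snapshot"] != e2["policy_snapshot"],
        "policy_recovered": ledger.policy_for(e2)["version"],
        "valid_before_edit": valid_before,
        "valid_after_edit": valid_after,
        "first_bad_entry": first_bad,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two calls share a request hash but carry different policy snapshots, which is the "same call, replayed an hour later under a new policy, looks different in the log" property. Hashing the response rather than storing it keeps PHI out of the ledger while still letting an examiner confirm that a retained response is the one the agent actually received.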

One more thing finance buyers underestimate: real-time deprecation. When a tool is pulled from the Jarvis Registry, every agent loses access on the next call. No cache. No 24-hour propagation window. In a market-abuse investigation, that distinction is the difference between a finding and a footnote.

Government: FedRAMP, ISO 42001, and the Annex IV problem

Federal and state-government buyers have the tightest stack to satisfy and the smallest tolerance for "we're working on it."

FedRAMP status. Glean is not FedRAMP High authorized at the time of writing. That alone disqualifies it from a chunk of the DoD and IC workload. Microsoft 365 Copilot has a path through GCC High, but the Copilot tooling available in GCC High lags the commercial release by quarters, and the connector catalog you can actually use is narrower than the public collateral implies.

ISO/IEC 42001. The standard expects an AI management system with a documented inventory of AI components, a governance loop, and risk treatment evidence. A registry-driven architecture maps onto 42001 almost line for line — every tool in the Jarvis Registry has an owner, a risk class, a lifecycle state, and a change-history record. That's the inventory clause, done.

EU AI Act Annex IV. Even US public-sector buyers care about this when they have European subsidiaries or use European-funded data. Annex IV asks for a description of the system, the data used, the human oversight measures, the monitoring, and the changes through the lifecycle. The per-call audit emitted by the MCP Gateway is most of that documentation, automatically, as a byproduct of running the platform.

Comparison: Glean / Microsoft 365 Copilot (GCC High) / Jarvis Registry

Disclosure. ASCENDING builds Jarvis. Read the row with that in mind. We've tried to be fair on the negative axes; check our work against the vendor docs.

Axis: FedRAMP High authorization
  • Glean: Not authorized
  • M365 Copilot (GCC High): In Authorization (GCC High path)
  • Jarvis Registry: In Authorization via AWS GovCloud (ASCENDING is an AWS Advanced Consulting Partner)

Axis: HIPAA BAA scope (covers inference + embeddings)
  • Glean: BAA available; scope varies by sub-processor
  • M365 Copilot (GCC High): BAA available within the GCC High boundary
  • Jarvis Registry: BAA covers the gateway, agent and embedding path under a single ASCENDING agreement

Axis: Per-call audit granularity (tool-level + policy snapshot)
  • Glean: Connector-level; reconstruction needed
  • M365 Copilot (GCC High): Activity logs at user/app level
  • Jarvis Registry: Per-call MCP event with policy snapshot, tool version, resource indicator and redaction trace

Axis: RFC 8707 resource indicators (mandatory in MCP since 2026-03-15)
  • Glean: Not MCP-native
  • M365 Copilot (GCC High): Partial via Foundry adapters
  • Jarvis Registry: Enforced at the gateway; token-replay attempts are blocked, not just logged

Axis: ISO/IEC 42001 alignment (inventory + governance loop)
  • Glean: Manual mapping required
  • M365 Copilot (GCC High): Manual mapping required
  • Jarvis Registry: Registry maps to the 42001 inventory clause directly; governance loop built in

Where Jarvis concedes: a narrower native connector inventory than Glean. If you need 70+ SaaS sources out of the box, Glean ships more of them today.

The procurement questions to actually ask

Save these. Run them past every vendor on the shortlist, including us.

  1. At the moment a tool call fires, what policy version is bound to that call, and can you produce the policy snapshot a year later? If the answer involves log correlation across three systems, you have an evidence problem.
  2. Will your BAA cover the LLM inference and embedding path, not only data at rest, and will it name the sub-processors involved? Ask for the redlines, not the marketing one-pager.
  3. What's your stance on RFC 8707 resource indicators? Enforced, logged, or roadmap? "Roadmap" was an acceptable answer in 2025. It isn't in 2026.
  4. When a tool is deprecated from your catalog, what's the propagation time before every agent loses access? Anything measured in hours is a gap.
  5. Show me the ISO/IEC 42001 inventory artifact your platform emits, not the one we'd build in a spreadsheet. If the artifact doesn't exist as a platform output, treat that as missing capability.

FAQ

Is Glean a bad choice for regulated industries? No. It's a good product. It's a poor fit for buyers whose audit posture depends on per-call tool-level evidence and whose pipeline includes FedRAMP High or strict BAA scope. For a healthtech company two years from a HITRUST audit, with mostly SaaS data and no public-sector ambition, Glean can still be the right answer.

Does Microsoft 365 Copilot in GCC High solve the FedRAMP problem? For some workloads, yes. The catch is feature parity: the Copilot release available in GCC High trails the commercial product, and the connector set you can lawfully use is smaller. Procurement teams routinely discover this after signing.

Why does RFC 8707 keep coming up? Because token replay across tools — taking an access token meant for tool A and presenting it to tool B — is the easiest way to exfiltrate data through a poorly governed agent. RFC 8707 binds a token to a resource. MCP made it mandatory on March 15, 2026. If your platform doesn't enforce it, you're outside the spec.
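As an added example of the check this FAQ and item 2 of "What changed" describe, and not the code of ASCENDING's MCP Gateway, here is a minimal gateway-side audience check: the issuer copies the RFC 8707 resource indicator into the token's aud claim, and the gateway refuses any token whose audience does not name the tool being called. The shared HS256 key, the issuer name, the tool URLs and the agent identifier are assumptions constructed for illustration; a real deployment verifies the authorization server's asymmetric signatures instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: a shared HMAC key between the token issuer and the
# gateway. A real deployment verifies the authorization server's asymmetric
# signatures (JWKS); HS256 keeps the example self-contained.
ISSUER_KEY = b"example-only-shared-secret"
ISSUER = "https://auth.example"  # assumed issuer name, not a real endpoint


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, resource: str, ttl: int = 300, now=None) -> str:
    """Issue a JWT whose audience is the RFC 8707 resource indicator.

    The client requested this token with resource=<tool URL>; the issuer copies
    that value into aud, so the token is only meaningful at that one tool.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": resource, "iat": now, "exp": now + ttl}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(ISSUER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def gateway_check(token: str, resource: str, now=None) -> tuple:
    """The check a gateway runs before forwarding a tool call.

    Order matters: verify the signature first so untrusted claims are never
    acted on, then issuer and expiry, then the RFC 8707 audience binding.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, claims_b64, sig_b64 = parts
    try:
        presented_sig = _unb64(sig_b64)
        expected = hmac.new(ISSUER_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, presented_sig):
            return False, "bad signature"
        claims = json.loads(_unb64(claims_b64))
    except ValueError:
        return False, "malformed token"
    if claims.get("iss") != ISSUER:
        return False, "unknown issuer"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    aud = claims.get("aud")
    # JWT allows aud to be a string or a list; either way the resource being
    # called must appear in it. Otherwise this is a token minted for another
    # tool being replayed here, and the call is refused, not merely logged.
    audiences = aud if isinstance(aud, list) else [aud]
    if resource not in audiences:
        return False, f"audience mismatch: token bound to {aud!r}, presented to {resource!r}"
    return True, f"ok: {claims['sub']} -> {resource}"


def replay_demo(now: int = 1_700_000_000) -> dict:
    """Mint a token for the clinical-notes tool and present it four ways."""
    clinical = "https://tools.example/clinical-notes"  # assumed tool URLs
    hr = "https://tools.example/hr-records"
    token = mint_token("agent-research-1", clinical, now=now)
    other = mint_token("agent-research-1", hr, now=now)
    # An attacker rewrites the aud claim but cannot re-sign: header+claims of the
    # hr-records token carrying the clinical-notes token's signature.
    forged = other.rsplit(".", 1)[0] + "." + token.rsplit(".", 1)[1]
    return {
        "legit": gateway_check(token, clinical, now=now),
        "replay": gateway_check(token, hr, now=now),        # token for A presented to B
        "forged_aud": gateway_check(forged, hr, now=now),
        "expired": gateway_check(token, clinical, now=now + 600),
    }


if __name__ == "__main__":
    for case, (ok, why) in replay_demo().items():
        print(f"{case:10} {'ALLOW' if ok else 'DENY '} {why}")
```

The replay case is the one the comparison table calls out: the token is valid, unexpired and correctly signed, and the only thing wrong with it is that it was minted for a different resource. A gateway that logs that call instead of refusing it has already let the data out.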

Can we get a per-call audit out of Glean with custom work? Sometimes. We've seen teams ship custom log shippers and stitching layers to approximate it. The cost is real, and the evidence is reconstructed rather than native, which is a weaker position with an auditor.

Where does Jarvis Registry pricing sit? On AWS Marketplace and Azure Marketplace. Starter is $1,500/month, Pro is $2,500/month, and there's a Custom Enterprise tier for federal and FSI deployments that need GovCloud, dedicated VPC, or non-standard BAA scope.


About ASCENDING

ASCENDING is an AWS Advanced Consulting Partner founded in 2018 in Fairfax, Virginia. We build Jarvis AI Agent — a governance-first, MCP-native agent platform — along with the MCP Gateway and Jarvis Registry referenced above. We work with regulated buyers in healthcare, financial services, and the public sector on FedRAMP, HIPAA, FFIEC, and ISO/IEC 42001 alignment. If you want to test our claims against your specific audit posture, talk to us.