AI is Making Compliance Sexy Again
with Zach Rosen, Co-Founder & CEO of Brellium
Zach Rosen is the Co-Founder and CEO of Brellium, the AI compliance platform that audits every patient visit across ambulatory healthcare. Brellium serves over 250K providers across all 50 states, auditing more than 1M clinical records per month against payer, regulatory, and OIG standards.
The company has raised >$30M from First Round Capital, Left Lane, Kearney Jackson, and Menlo Ventures. A second-time founder, Zach struggled with a personal misdiagnosis that drove him to build a safety net for patient care.
Tune in to hear why: the real compliance moat isn’t the public rulebook; how Brellium is building intelligence no EHR or model lab can replicate; and why compliance is a dead wedge in some AI markets… and a killer in others.
Today’s Episode
Compliance is having an AI moment. Norm AI just raised $120M at a $1.2B valuation led by Khosla Ventures, turning regulations into AI agents in legal and finance. But it isn’t the first time compliance has been in vogue. Veeva built a $40B+ business on compliance in life sciences, Avalara did it in tax, and Workiva in financial reporting. Boring on the surface, billions underneath.
But healthcare compliance is a different beast. The rules aren’t deterministic, the enforcement is inconsistent, and the stakes are orders of magnitude more personal. Zach Rosen has built Brellium to tackle a problem space where all three collide. This episode taps his experience to get at questions that matter for any founder eyeing compliance as a wedge: when does it become a moat, when is it just a feature, and how has AI changed the game?
Non-Determinism is Your Best Friend
The conventional wisdom on compliance as a Vertical AI wedge is straightforward: regulations are public, the data isn’t proprietary, the moat is thin. If you can Google the requirements, so can your competitor and so can the incumbent EHR.
Zach argues this framing fundamentally misunderstands what compliance means in ambulatory healthcare. The public bulletin is the starting point, not the finish line.
Take Aetna’s ABA requirements in Texas. You can find the 12 items on the payer bulletin: sessions must be individualized, care must be medically necessary, and so on. Simple enough on paper. But what does “individualized” actually mean? What does “medically necessary” look like against a specific patient chart? Two providers reviewing the same documentation will come up with different answers. And Aetna’s auditor may have a third definition entirely.
There are kind of fractals of knowledge. The closer you zoom in... it’s not as cut and dry. If it’s 45 words of medically necessary care that’s also individualized to patient, then all of a sudden you start to understand — wait, there are a bunch of edge cases here that I maybe didn’t account for.
This gap between exposure and enforcement is one we’ve explored in the past. And it’s the core of Brellium’s defensibility strategy. The regulations may be public. The enforcement and remediation patterns — written, tribal, and word-of-mouth — are not.
About a year ago, one of Brellium’s customers was placed in prepaid review and had funds clawed back because a payer in Georgia required backdated co-signatures from two separate providers on all documentation. That requirement wasn’t on any public bulletin until weeks after the enforcement action. The provider lost a substantial sum essentially out of the blue.
In the AI era, doing the work is as important as identifying it. That’s why it’s critical that Brellium doesn’t stop there. They intake that enforcement event, codify it, and push it to every other customer billing the same payer in the same state — the next provider doesn’t get blindsided. Multiply that across 250,000 providers, all 50 states, and dozens of payers, and you get a compounding intelligence layer that no system of record can replicate because EHRs don’t see how audits actually play out. These are decision traces only a platform that sees and does the work can capture.
Parafin is the partner that makes Verticals possible. They just launched the Spend Card, a business credit card that platforms can deploy to their SMBs without becoming a bank. Fresh off a Goldman Sachs credit facility and the 2026 Forbes Fintech 50, Parafin has extended over $35B in offers to small businesses across platforms like DoorDash, Gusto, and TikTok Shop.
Compliance Products Are Secretly Training Products
Brellium sells compliance. That’s the “why to buy.” But the actual first-order value delivered is workforce training.
A real-time compliance flag can tell a provider to swap out one diagnosis code for another. That protects the documentation. It doesn’t change how the provider treats the next patient.
At the surface, we’re a compliance product and that is why most of our customers choose to partner with us. But actually if you dive deeper, the value that we provide — that’s actually first order, not the second order effect — is that we’re a training product.
Brellium’s weekly reviews track provider performance over time: what they did well, what they need to improve, why, and how. Providers who improve get placed into higher performance buckets that qualify for bonuses and promotion tracks. Providers who repeat mistakes get reinforced constructive feedback. It’s a closed-loop system that changes behavior, not just documentation.
This is a pattern we’re seeing across Vertical AI more broadly. The products building lasting defensibility aren’t the ones automating a task; they’re the ones making the human better at their job over time. Rilla does this for field sales in the trades. Brellium does it for clinical compliance. The product starts as a tool and becomes, over time, indistinguishable from the org’s training infrastructure. That creates switching costs no feature comparison can overcome.
Two Paths to Win in Vertical AI
Zach views the basic option set for nascent Vertical AI products as being an evolution of the Vertical SaaS playbook:
Path A — Start with a wedge product, get customers to pay for it, then bolt on adjacent products to become the system of record / action. This was the HubSpot playbook, the Salesforce playbook, the playbook 90% of vertical software companies ran. Start with one thing, make it excellent, then add a dozen more over five years.
Path B — Start with a wedge so good the system of record / action can’t possibly compete with you, because the wedge is powered by data that is proprietary (or that the incumbent can’t feasibly access). Ideally, build a network effect around that wedge. Gong ran this play for six years as the “best call intelligence tool,” plugged into HubSpot and Salesforce as a pure point solution, before pivoting into a platform.
The AI era has made these two paths diverge further. Path A is an order of magnitude easier now; AI makes building adjacent products and expanding a platform faster than ever. But Path B, building a genuine network effect, is marginally harder, because the incentive structure shifts away from perfecting the individual customer journey and toward aggregating data across many.
If you are obsessed with compliance in a highly regulated industry... you have two core options. If compliance is simple and deterministic, you should probably take Path A — use it as your wedge and then build adjacent products. Path two, which is where we’ve leaned, is when compliance is non-deterministic. And that network effect is actually passed through taking word of mouth information and or information that is not publicly available.
AI-native Path A plays might be starting with a different kind of platform wedge, or even a service. For Path B Vertical AI businesses, the type of data that is defensible may be changing in the AI era, but the core strategy mostly rhymes.
Brellium has bet on Path B. The enforcement intelligence compounds. A provider switching to a competitor loses access to enforcement data accumulated across Brellium’s entire network. The two-sided nature of their model — solving a costly and dilatory issue for both payors and providers, translating between them without need for communication — create an additional network effect.
The Provider-Payer Flywheel
Brellium’s go-to-market exploits one of healthcare’s unusual structural features: the provider and payer sit on opposite sides of the same compliance problem.
Providers want to avoid funds being clawed back. Payers want to enforce compliance because every dollar out of their bank account goes into a provider’s bank account. Both sides spend heavily arbitrating what payers call fraud, waste, and abuse, essentially non-compliant documentation and care.
Brellium started with providers: mid-market, lower burden of proof, faster to stack proof points. Once enough providers in a given payer-state combination were on the platform, the data told a clear story. Brellium-approved providers were measurably more compliant than the market average.
That became the pitch to payers. Once a payer endorses Brellium, it makes the next provider conversation more straightforward. Not easier, Zach is quick to clarify (“none of this is easy — you’re selling next gen products to a highly regulated market that is generally not incredibly excited about technology”), but more straightforward.
The flywheel accelerates because each new provider contributes enforcement data, each payer relationship validates the product, and both sides compound the network effect. It’s a version of the two-sided vertical platform dynamic, grounded in compliance intelligence rather than transactions.
Healthcare’s notoriously closed EHR ecosystems actually help here. Unlike most Vertical SaaS categories where the rational incentive is to integrate and play nice, healthcare EMRs are, in Zach’s words, “almost entirely closed ecosystems.” Brellium’s GTM playbook: partner with the #2, #3, and long-tail EHRs first (who are incentivized to fill gaps), build the customer base on the dominant platforms organically, then formalize distribution partnerships up the chain once the proof points are undeniable.
The Takeaway for Vertical Founders
Compliance is one of the oldest wedges in vertical software. Veeva, Avalara, Workiva: the playbook is proven. But in the AI era, the game is bifurcating:
In verticals where compliance is deterministic, with clear rules, consistent enforcement, and public standards, AI makes the wedge easier to build and easier to copy. Use it to get in the door, build fast, and expand into the platform. Path A, in Zach’s framework.
In verticals where compliance is non-deterministic, with subjective standards, private enforcement, and word-of-mouth rule interpretation, AI enables something different entirely. The product becomes an intelligence layer that aggregates how rules are actually enforced across an entire market. This Path B offers a shot at building something genuinely defensible. In Zach’s eyes, it also requires more: a stronger leadership team, a more dynamic product org, and a tolerance for the slower burn of network-effect compounding.
The compliance products that win the AI era won’t be the ones that can read the rulebook. Translating deterministic rulesets and workflows from analog to digital was a SaaS-era play that’s now little more than a foot in the door (if you’re lucky enough to have found an urgent, blue-ocean use case). The AI-native winners will be startups that solve for the hairiest compliance issues — which they can do only because they’ve seen when and why they’re broken, in real time, over and over again.
See you next week.
Key Moments from this Episode
00:00 — Why compliance is having an AI moment
05:15 — What healthcare compliance actually looks like
10:53 — Why Brellium is really a training platform
14:23 — Building alongside healthcare systems of record
18:16 — Selling to providers before payers
23:29 — Can compliance become a real AI moat?
27:29 — The two playbooks for winning in Vertical AI
30:36 — Why AI makes wedge products easier to build
33:25 — The biggest mistake first-time founders make
36:24 — Why outcome-based pricing doesn’t always work
38:12 — Bullish or bearish on healthcare AI?
40:43 — The next massive AI opportunity founders are missing

