📄 Published Research — Peer-reviewed paper published on arXiv.
Full paper: arxiv.org/abs/2604.18302
Privacy is one of the most critical yet underaddressed barriers to AI adoption in mental healthcare — particularly in high-sensitivity environments such as military, correctional, and remote healthcare settings, where the risk of patient data exposure can deter help-seeking behaviour entirely.
Existing AI psychiatric decision support systems predominantly rely on cloud-based inference pipelines, requiring sensitive patient data to leave the device and traverse external servers. In contexts where a patient's willingness to seek help depends on absolute confidence that their data never leaves their hands, this architecture is unacceptable.
The Zero-Egress Principle
The zero-egress architecture guarantees a single property: no patient data is transmitted to, processed by, or stored on any external server at any stage.
This is not a privacy policy. It is an architectural guarantee — enforced by the absence of any external network call during inference. The platform runs entirely on the device. There is nothing to breach externally because nothing leaves.
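A test-time check for the property above, as an added example that is not from the paper or the platform: a Python guard that fails closed on DNS lookups and outbound socket calls while an inference function runs, and records every attempt. `local_inference`, `leaky_inference`, `audit` and the `.invalid` hostname are hypothetical stand-ins constructed for illustration.

```python
import contextlib
import socket

class EgressAttempt(RuntimeError):
    """Raised when guarded code tries to reach the network."""

@contextlib.contextmanager
def zero_egress_guard():
    """Fail closed on DNS lookups and outbound socket calls; yield the attempt log."""
    attempts = []
    saved = (socket.getaddrinfo, socket.socket.connect,
             socket.socket.connect_ex, socket.socket.sendto)

    def deny(kind):
        def blocked(*args, **kwargs):
            # getaddrinfo gets the host first; socket methods get the address last.
            target = args[0] if kind == "dns" else args[-1]
            attempts.append((kind, target))
            raise EgressAttempt(f"{kind} blocked: {target!r}")
        return blocked

    socket.getaddrinfo = deny("dns")
    socket.socket.connect = socket.socket.connect_ex = deny("connect")
    socket.socket.sendto = deny("sendto")
    try:
        yield attempts
    finally:
        (socket.getaddrinfo, socket.socket.connect,
         socket.socket.connect_ex, socket.socket.sendto) = saved

def local_inference(text):
    """Hypothetical stand-in for the on-device model call: computation only."""
    return {"tokens": len(text.split())}

def leaky_inference(text):
    """Hypothetical regression: a telemetry call added to the inference path."""
    socket.create_connection(("telemetry.example.invalid", 443), timeout=1)
    return local_inference(text)

def audit(infer, text):
    """Run infer under the guard; return (result or None, recorded attempts)."""
    with zero_egress_guard() as attempts:
        try:
            result = infer(text)
        except EgressAttempt:
            result = None
    return result, attempts
```

The guard only sees sockets opened through Python's `socket` module; native code that calls the operating system directly bypasses it, so a check like this belongs alongside OS-level enforcement such as a network-disabled sandbox.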
The On-Device Model Consortium
The platform integrates three lightweight, fine-tuned, quantized open-source LLMs working in ensemble:
- Gemma — compact architecture, strong instruction following
- Phi-3.5-mini — optimised for resource-constrained mobile hardware
- Qwen2 — multilingual, for cross-language clinical applicability
An on-device orchestration layer coordinates ensemble inference with consensus-based diagnostic reasoning, producing DSM-5-aligned assessments without any cloud dependency.
Clinical Capabilities
- Clinician decision support — differential diagnosis assistance and evidence-linked symptom mapping against DSM-5 criteria
- Patient-facing self-screening — accessible mental health screening with clinical safeguards, for environments where clinician access is limited or delayed
Performance on Commodity Hardware
The evaluation demonstrates diagnostic accuracy comparable to server-side predecessors while sustaining real-time inference latency on commodity mobile hardware — the class of device available in correctional facilities, remote postings, and field environments.
Regulatory Significance
- HIPAA — Protected Health Information never enters a covered cloud environment. Business Associate Agreements become structurally unnecessary.
- GDPR — No personal data leaves the jurisdiction of the patient's device. Cross-border transfer restrictions do not apply.
- EU AI Act — On-device medical AI may qualify for reduced regulatory burden given the absence of centralised data processing.
The Broader Implication
This research demonstrates that the assumed trade-off between AI capability and privacy is not architectural — it is a design choice. For sensitive domains where privacy is non-negotiable, on-device AI with quantized open-source models now provides capability parity without the privacy risk. The zero-egress principle has direct applicability beyond healthcare: legal, financial, defence, and government AI deployments all face the same data sovereignty requirements.