Architecture and Landing Zones

The landing zone is where lawful operation begins

Before the Responsibility Ledger, Evidence Fabric, and governed transfers can be trusted, the environment beneath them must be secure, isolated, monitored, and evidentially defensible. Every Inference Clinical deployment starts here. Phase 1 is non-negotiable.

Start with a single NHS-compliant landing zone. Prove governance controls at the infrastructure layer. Then deploy the first governed boundary.

What the landing zone protects

The landing zone is not abstract infrastructure. It is the specific set of controls that make the governance substrate trustworthy. Without it, the Responsibility Ledger is a database, not a governed record. Here is what depends on the foundation being correct.

What the landing zone protects: infrastructure controls connected to the governance artefacts they make trustworthy Governed AWS Landing Zone Responsibility Ledger Consent & Access Artefacts Evidence Fabric BALP / AuditEvent Traces Clinical Safety Evidence Clearing Metric Inputs INFRASTRUCTURE CONTROLS CloudTrail Object Lock Immutable Logs KMS Customer-Managed Encryption Account Isolation SCPs Blast Radius UK Residency eu-west-2 Data Sovereignty Config GuardDuty Security Hub

Responsibility Ledger

Without immutable storage and tamper-evident logging, the chain of custody for every responsibility transfer has no evidentiary standing.

Consent and access artefacts

Without customer-managed encryption and UK residency, GP Connect consent records and access audit trails lack jurisdictional standing.

Evidence Fabric

Without cryptographic integrity and retention controls, evidence cannot be demonstrated to regulators on demand.

BALP audit events

Without CloudTrail, Object Lock, and immutable retention, the audit trail that records every system interaction has gaps.

GP Connect and NRL trust position

Without account separation and identity federation, the trust framework governing NHS record access cannot be maintained.

Clinical safety evidence

Without the landing zone, DCB 0129/0160 compliance artefacts and DUAA complaint response capability are scattered across ungoverned storage.

Foundation first: the deployment sequence

Foundation-first sequence: Priority 1 secure landing zone, Priority 2 governance layer, Priority 3 operational intelligence Lawful operation begins here PRIORITY 1 Secure AWS Landing Zone AWS Organizations / account separation Service Control Policies (SCPs) IAM federation Network segmentation CloudTrail / Config / GuardDuty KMS / encryption UK residency controls Foundation established Governance on insecure infrastructure is liability, not governance PRIORITY 2 Governance Layer Consent infrastructure Responsibility transfer (MVRT) Seven Flows enforcement Clinical safety controls (DCB 0160) Audit and evidence services First governed boundary live PRIORITY 3 Operational Intelligence Clearing Metric (Volume, Age, Rate) Cross-boundary observability Dashboards and analytics Cost and risk monitoring

The sequence is non-negotiable. Priority 1 establishes the infrastructure baseline for NHS data. Priority 2 deploys the governance layer on that secure foundation. Priority 3 adds operational intelligence as the network expands. No clinical data enters the environment until Priority 1 controls are in place. No governed boundary goes live until Priority 2 controls are operational.

Landing zone controls: what makes evidence trustworthy

Foundational competence is not optional. Every governance invariant we enforce depends on the infrastructure beneath it being correct, secure, and structurally isolated. We treat landing zone architecture with the same rigour we apply to clinical safety cases. Each customer landing zone is built to a consistent pattern:

Claim authority: STATUTORY Law or mandatory standard ASSURANCE EXPECTATION NHS guidance and procurement IC POLICY Inference Clinical requirement

AWS Organisations and account structure

Separate accounts for governance, clinical workloads, data, and shared services. Organisational boundaries in the clinical domain map to AWS account boundaries in the infrastructure domain. This is account-level isolation, not just VPC boundaries. Each clinical workload operates in its own blast radius. Billing separation is built into the account structure. Per-organisation cost attribution means NHS Trust A never subsidises Trust B's infrastructure. STATUTORY

Consequence: a compromise in one organisation's workload cannot propagate to another's. The Responsibility Ledger's integrity is blast-radius contained.

Network isolation

VPC design that enforces the multi-organisation model. Traffic between organisations traverses governed integration points, never direct paths. Network segmentation supports NIS Regulations requirements for Operators of Essential Services. STATUTORY

Identity federation

AWS IAM integrated with healthcare identity providers. Practitioner authentication, patient identity resolution, and organisation trust relationships are wired into the infrastructure layer. Aligned with NHS Identity and spine integration requirements. ASSURANCE EXPECTATION

Security baseline

GuardDuty for threat detection, CloudTrail for API-level audit, Config Rules for continuous compliance. These are proactive defence, not compliance checkboxes. ASSURANCE EXPECTATION Cyber Essentials Plus controls embedded structurally. STATUTORY ALCOA+ audit trail integrity maintained through immutable logging.

Data breach prevention is structural: encryption at rest (KMS customer-managed keys) and in transit (TLS 1.2+), network segmentation that prevents lateral movement between organisation accounts, VPC flow logs for exfiltration detection, S3 bucket policies enforcing data residency in eu-west-2. Clinical data does not leave the UK because the infrastructure makes it impossible, not because a policy document says it should not.

AWS Organizations Service Control Policies (SCPs) enforce both security policy and clinical governance policy simultaneously. One SCP can prevent data leaving the UK region, block unapproved service deployment, and enforce tagging for clinical data classification in the same policy statement.

Consequence: every governed act is logged, encrypted, immutable, and demonstrable. The Evidence Fabric has evidentiary standing.

Observability

CloudWatch, X-Ray, and custom clinical observability pipelines. Not just infrastructure monitoring - clinical pathway monitoring that surfaces governance failures, not just system failures. ASSURANCE EXPECTATION LFPSE-ready incident detection for cross-boundary safety events.

Guardrails, not gates

The landing zone enforces policy through prevention (SCPs, permission boundaries, network rules) rather than detection-after-the-fact. Clinical data cannot leave the UK region because the infrastructure makes it structurally impossible. Unapproved services cannot be deployed because the account structure prevents it. This is the engineering controls over administrative controls principle applied to cloud infrastructure. IC POLICY

Consequence: compliance is not something you prove at audit. It is something the infrastructure enforces continuously.

For organisations with existing AWS workloads, the landing zone wraps around what exists. Existing workloads are assessed (see the Foundational Technology Review in the Assess phase), and the landing zone is designed to govern them progressively. For on-premises workloads, the governed landing zone becomes the migration target.

Three layers, each depending on the one beneath

Three-layer architecture: Governance makes transfers lawful, Platform Services makes governance operational, AWS Landing Zone makes evidence trustworthy GOVERNANCE Seven Flows / Consent / Responsibility Transfer / Boundary Audit / Safety Controls Makes transfers lawful Governance depends on platform services PLATFORM SERVICES APIs / Event Processing / Protocol Execution / Remote Monitoring / Data Services Makes governance operational Platform services depend on non-bypassable infrastructure controls AWS LANDING ZONE Accounts / IAM / Network / Logging / Encryption / Observability Makes evidence trustworthy
UK Region (eu-west-2) DSPT/CAF Aligned DCB 0129/0160 DTAC Ready DUAA Compliant UK GDPR Cyber Essentials Plus ALCOA+ FHIR R4 UK Core Multi-AZ Encrypted at Rest NIS Regulations

The Constitutional Spine

The Architecture Stack shows three layers. The Constitutional Spine is the principle that keeps them separate. No component spans all three. No service can silently grant permission. This is enforced at build time and runtime, not by convention.

Constitutional Spine: Facts produce valid/invalid/unresolved, Evaluation produces pass/fail/indeterminate, Acceptance produces accepted/declined/closed. Four anti-patterns structurally prevented. Facts Identity Time Evidence Provenance VALID / INVALID / UNRESOLVED Evaluation Consent Policy Responsibility Rules Safety Checks PASS / FAIL / INDETERMINATE Acceptance Bilateral acceptance Organisational authority Time-bounded transfer Recorded outcome ACCEPTED / DECLINED / CLOSED STRUCTURALLY PREVENTED: Smart Gateway Implicit Authority Responsibility Vacuum Silent Evaluation

For the full Constitutional Spine, including the four anti-patterns and how they are structurally prevented, see the SafeMesh architecture page.

The Six R's: Migration Through a Governance Lens

Standard migration assessments classify workloads by technical complexity and cost. In healthcare, that is not enough. Every workload carries clinical boundary obligations, and choosing the wrong migration strategy creates patient safety risk, not just technical debt.

Governance-aware 6 R's: three pre-migration questions gate all six strategies (Rehost, Replatform, Repurchase, Refactor, Retire, Retain) BEFORE ANY MIGRATION PATH IS SELECTED 1. Does it maintain security posture for NHS data? 2. Does it preserve audit trail continuity? 3. Has the CSO signed off under DCB 0160? Rehost Fastest route to governed coverage Replatform Preserve consent / provenance / controls Repurchase Assess governance across vendor boundary Refactor Strongest governance- by-design path Retire Confirm obligations really end Retain Govern in place with review trigger These three questions are the minimum governance gate before any migration strategy is selected.

Rehost

Lift and shift

Move the application as-is to AWS.

Even a lift-and-shift gains boundary governance, DSPT/CAF alignment, and ALCOA+ audit trails the moment it lands on the governed landing zone. For many legacy clinical systems, rehosting onto governed infrastructure is the fastest path to regulatory coverage.

Replatform

Lift, tinker, and shift

Make targeted optimisations during migration (e.g. move to RDS, Elastic Beanstalk).

Every replatform decision is evaluated against governance requirements, not just cost or performance. The consent model, audit trail, and provenance chain must survive the migration intact. A replatform that breaks consent enforcement is worse than a rehost that preserves it.

Repurchase

Move to SaaS

Replace with a different product, typically SaaS.

SaaS replacement shifts governance focus to boundary integration. The new product must participate in the consent graph and responsibility transfer protocols. DTAC applies to procured health IT. The boundary audit identifies what obligations transfer to the new vendor.

Refactor

Re-architect

Re-imagine the application using cloud-native features.

Cloud-native rebuild is where governance-by-design delivers its greatest advantage. Event-driven patterns mean governance checks execute within the clinical pathway, not alongside it. The most expensive R, but for clinical systems crossing organisational boundaries, refactoring produces the strongest safety case.

Retire

Switch off

Decommission applications no longer needed.

Governance mapping identifies clinical dependencies that IT asset registers miss. A system may look unused but still carry active responsibility transfer obligations. You cannot safely retire a system until you understand what clinical boundaries it participates in. Retirement is a governed act.

Retain

Revisit later

Keep in place for now.

Retained workloads are governed in place. The landing zone wraps around them. Retention is a conscious, documented decision with a review trigger and clear conditions under which migration becomes the right next step. It is not a deferral by default.

The boundary audit (Assess phase) produces the evidence to classify every workload. You cannot choose an R without understanding the clinical boundaries the workload participates in.

Our deployment stance

Inference Clinical will not deploy SafeMesh into environments that cannot demonstrate the required controls. This is not a commercial preference. It is a vendor responsibility position. A governance platform deployed on infrastructure without immutable logging, without encryption under customer control, without account separation, and without UK data residency creates the illusion of governance while leaving the underlying risk untouched.

We will not advise clients to skip the landing zone. We will not deploy into environments where the Responsibility Ledger's evidentiary value is compromised by the infrastructure beneath it. We will not treat the landing zone as an optional phase that can be revisited later.

This is the same principle the Constitutional Spine enforces at the software layer, applied at the infrastructure layer: governance must be non-bypassable, or it is not governance.

How we work with migration partners

Inference Clinical is not a migration partner. We are the governance layer that makes migration safe, compliant, and regulatorily sound.

From the migration partner

  • Infrastructure deployment
  • Workload migration
  • Re-platforming
  • Database migration
  • Cyber Essentials baseline

From Inference Clinical

  • Seven Flows governance
  • Clinical safety cases (DCB 0129/0160)
  • Consent infrastructure (UK GDPR, Caldicott)
  • Responsibility transfer protocols
  • DSPT/CAF compliance support
  • DTAC documentation
  • LFPSE integration
  • Boundary audit with statutory traceability

The consumption story: Governance without migration produces limited AWS consumption. Migration without governance produces non-compliant infrastructure. Combined, they produce governed cloud environments with growing workload footprints.

Related Content

Start with a boundary audit. We will tell you whether your infrastructure is ready for governed operation, and what it takes to get there.

Frequently Asked Questions