Dan Gonzalez

When I finished law school I went directly into healthcare compliance instead of traditional legal practice. Saint Louis University, JD with a Health Law Certificate, 2012. The conventional path was a firm or a clerkship. I took a compliance officer role at a small healthcare technology company instead. It was the right call. The work was hands-on in a way that legal practice usually isn't at that stage: real decisions, real risk, real accountability for outcomes.

For the next 12 years I built compliance programs at regulated technology companies. Not maintaining programs someone else built. Building them. That means writing the policies, designing the controls, running the audits, managing the vendor relationships, negotiating the BAAs, handling the incidents, and sitting in the room when regulators ask questions. I led organizations through HITRUST certifications (200+ controls), SOC 1 and SOC 2 audits, CMS authorization processes, state Medicaid reviews. I've built vendor management programs, security frameworks across AWS, Google Cloud, and Azure, and compliance training that engineers and ops teams actually complete.

At some point I started writing software to do parts of the work faster. Not automating compliance, which is the wrong framing. Automating the parts of compliance that are mechanical: cross-referencing a BAA against 45 CFR 164.504(e)(2), mapping a policy framework against NIST CSF 2.0, running a gap analysis on HIPAA security rule controls. Those tasks require domain knowledge to scope correctly and to interpret the output. They do not require a human to do the reading line by line. That distinction matters. Most compliance automation tools miss it.

That thinking became Rote. I built the baseline analysis workflows, all six of them, because I needed that foundation for continuous regulatory monitoring to be useful and actionable the way I intended. Most compliance platforms stop at point-in-time analysis because that's where the tooling stops. I treated it as the floor. The strategic direction is Sentinel, the continuous monitoring layer: watch the regulatory landscape, compare incoming changes against each workspace's surface area, surface actionable diffs. That's the work I want to do at scale.

I also built Safe LLM Lab, a research platform for systematic LLM safety and prompt-vulnerability testing. The motivation is straightforward: there's a large gap between AI policy documents and the actual behavior of deployed models. Safe LLM Lab is built to generate empirical evidence that closes that gap. AES-256-GCM encryption, row-level security, MFA, tamper-detected audit logging with anomaly detection on privilege escalation, multi-user encrypted study collaboration. Open source and deployed.

Outside of software, I'm a car person. My wife and I maintain a collection of six cars. I designed, installed, and tuned the stereo system in my 1967 Dodge Coronet, which is Plum Crazy Purple and is also the target platform for Kit, my next project: an LLM running on a Raspberry Pi, integrated into the car, running offline. Local inference, no cloud dependency. I named it Kit. It's early.

I grew up in the Pacific Northwest and went to the University of Puget Sound for undergrad (Psychology and Comparative Sociology). I'm based in Spokane.

Now I do fractional Chief AI Officer work, take one or two clients at a time by design, and build in public.