AI agent governance in insurance: underwriting, claims and the regulatory reckoning

An underwriting agent at a mid-size European insurer rejected 340 life insurance applications over a six-week period. Every rejection followed the model’s risk scoring protocol. Every rejection was documented. Every rejection was technically compliant with the insurer’s underwriting guidelines.

The problem surfaced when a compliance analyst noticed the rejection rate for applicants from three postal codes was four times the average. Those postal codes mapped to neighborhoods with higher immigrant populations. The agent was not using ethnicity as a factor. It was using medical history completeness as a proxy, and applicants from those areas were more likely to have medical records from healthcare systems the model could not parse.

The model was accurate. The outcomes were discriminatory. And under the EU AI Act, the insurer was liable for both.

This is the governance challenge specific to insurance. Not whether AI agents can underwrite, process claims or detect fraud. They can. The question is whether the governance around those agents is strong enough to satisfy regulators who are watching this sector more closely than any other.

The regulatory overlay

Insurance AI agents operate under more regulatory pressure than agents in most other sectors. Four layers of regulation apply simultaneously, and each adds requirements that generic AI governance frameworks do not cover.

Layer 1: the EU AI Act

The EU AI Act explicitly classifies AI systems used for risk assessment and pricing in life and health insurance as high-risk (Annex III, Area 5b). This is not an interpretation. It is a named use case in the legislation.

High-risk classification triggers mandatory requirements:

  • Risk management system that identifies and mitigates risks throughout the AI system lifecycle
  • Data governance ensuring training data is relevant, representative and free from errors
  • Technical documentation sufficient for regulatory assessment of compliance
  • Record-keeping that enables monitoring of the AI system’s operation
  • Transparency providing deployers with information to interpret outputs and use them appropriately
  • Human oversight enabling humans to understand, monitor and override the system
  • Accuracy, robustness and cybersecurity appropriate to the intended purpose

For insurers, this means every underwriting agent, every claims triage agent and every pricing model that touches life or health insurance must be documented, tested and monitored to these standards. The compliance deadline phases in through August 2026.

Layer 2: EIOPA’s AI governance opinion

In August 2025, EIOPA published an Opinion on AI governance and risk management that clarifies how existing insurance legislation applies to AI systems. This is not a new regulation. It is a supervisory interpretation that national regulators will use to assess compliance.

The Opinion confirms that Solvency II’s governance requirements, including the system of governance, risk management and internal control provisions, apply fully to AI systems. It also confirms that the Insurance Distribution Directive’s requirements to act in the customer’s best interest apply when AI agents interact with customers or make decisions affecting them.

Key principles from the EIOPA Opinion:

  • AI governance must be proportionate to the risk the AI system poses
  • Insurers must ensure fairness in AI-driven decisions, particularly in pricing and underwriting
  • Explainability must be sufficient for the decision’s context: a denial of coverage requires more explanation than a premium calculation
  • Human oversight must be meaningful, not performative. A human rubber-stamping AI decisions does not satisfy the requirement.

Layer 3: NAIC model bulletin (US)

In the United States, the National Association of Insurance Commissioners has driven AI governance through its Model Bulletin on AI, adopted by 23 states and Washington, D.C., by late 2025.

The Model Bulletin requires insurers to:

  • Establish AI governance frameworks with board-level oversight
  • Conduct impact assessments before deploying AI in insurance decisions
  • Test for unfair discrimination in AI-driven outcomes
  • Maintain documentation of AI systems used in insurance functions
  • Ensure third-party AI tools meet the same governance standards

A model law on third-party AI oversight is anticipated in 2026, potentially including licensing requirements for vendors whose AI tools are used in insurance decisions.

Layer 4: State-level AI regulation

Beyond the NAIC framework, individual states are adding specific requirements. Colorado’s SB21-169 requires bias testing for insurance AI. The Texas Responsible AI Governance Act (TRAIGA), effective 2026, requires transparency, consent and accountability. Multiple state legislatures are considering bills that expand liability for AI-driven insurance decisions.

For insurers operating across multiple states, the compliance burden compounds: each state may have slightly different requirements, testing standards and reporting obligations.

Insurance AI adoption vs governance

Analysts project that by late 2026, more than 35% of insurers will deploy AI agents across at least three core functions, cutting processing time by up to 70%. The carriers deploying AI fastest are not the ones with the least governance, but the ones with the most: seven of the top ten AI-adopting insurers scored 4/5 or higher on data governance and ethics assessments.

Source: Roots Automation, 2026

Governing the four agent types

Each type of insurance agent carries different governance requirements because each makes different decisions, accesses different data and affects customers differently.

Underwriting agents

What they do: Assess risk, calculate premiums, decide whether to offer coverage and set policy terms. Increasingly, they handle straight-through processing for standard risks without human review.

Governance requirements:

Fairness and bias testing. This is the most scrutinized area. 81% of insurance regulators now identify fairness and bias mitigation as critical when evaluating AI in underwriting. Required testing includes:

  • Disparate impact analysis across protected characteristics (age, gender, ethnicity, disability, location as a proxy)
  • Performance evaluation across demographic groups to identify systematic differences
  • Proxy variable detection: identifying when neutral-appearing variables (postal code, occupation, medical record completeness) correlate with protected characteristics
  • Regular revalidation as population distributions shift
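The four tests above, worked through on the article’s own scenario, as an added example (not code from the article or from any insurer). The 80 applications are constructed: postal code "9000" stands in for the neighbourhoods whose medical records the agent could not parse, and the field names (`postal_code`, `record_completeness`, `decision`) are assumptions. The block computes the decline-rate ratio the compliance analyst noticed, the US four-fifths rule, a phi coefficient that flags record completeness as a candidate proxy for location, and the conditioned decline rate that shows the disparity vanishing once completeness is held fixed.

```python
"""Disparate impact and proxy-variable checks over an underwriting agent's decisions.

Added example, not code from the article or from any insurer. The 80
applications below are constructed to reproduce the article's pattern: one
postal code ("9000") stands in for the neighbourhoods whose medical records
the agent could not parse. Field names are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class Application:
    app_id: int
    postal_code: str            # location: a candidate proxy for protected characteristics
    record_completeness: float  # share of the medical history the agent could parse (0..1)
    decision: str               # "approve" or "decline"


def build_sample() -> list:
    """Constructed data: three postal codes with 2 unparseable records each,
    one with 8. The agent declines exactly the unparseable records."""
    apps, next_id = [], 1
    for code, unparseable in (("1000", 2), ("2000", 2), ("3000", 2), ("9000", 8)):
        for i in range(20):
            complete = i >= unparseable
            apps.append(Application(next_id, code, 0.9 if complete else 0.4,
                                    "approve" if complete else "decline"))
            next_id += 1
    return apps


def rate_by_group(apps, key, outcome):
    """Share of applications with `outcome`, per value of attribute `key`."""
    total, hits = defaultdict(int), defaultdict(int)
    for a in apps:
        g = getattr(a, key)
        total[g] += 1
        hits[g] += a.decision == outcome
    return {g: hits[g] / total[g] for g in total}


def relative_decline_ratios(apps, key):
    """Each group's decline rate divided by the decline rate of everyone else.
    The article's analyst spotted a ratio of about four on this statistic."""
    ratios = {}
    for g in {getattr(a, key) for a in apps}:
        inside = [a.decision == "decline" for a in apps if getattr(a, key) == g]
        rest = [a.decision == "decline" for a in apps if getattr(a, key) != g]
        r_in, r_out = sum(inside) / len(inside), sum(rest) / len(rest)
        ratios[g] = r_in / r_out if r_out else float("inf")
    return ratios


def four_fifths_violations(apps, key):
    """Four-fifths rule: an approval rate below 80% of the best-treated
    group's rate is taken as evidence of adverse impact."""
    approval = rate_by_group(apps, key, "approve")
    best = max(approval.values())
    return {g: r / best for g, r in approval.items() if r / best < 0.8}


def phi_coefficient(apps, in_group, has_trait):
    """Phi (2x2 correlation) between group membership and a binary feature.
    A high value marks the feature as a candidate proxy for the group."""
    a = b = c = d = 0
    for x in apps:
        g, t = in_group(x), has_trait(x)
        if g and t:
            a += 1
        elif g:
            b += 1
        elif t:
            c += 1
        else:
            d += 1
    denom = sqrt((a + b) * (c + d) * (a + c) * (b + d))
    return (a * d - b * c) / denom if denom else 0.0


def decline_rate_conditioned(apps, key, bucket):
    """Decline rate per (feature bucket, group). When the gap between groups
    disappears once the feature is held fixed, the feature is what drives the
    disparity: the proxy-variable finding from the article."""
    total, declines = defaultdict(int), defaultdict(int)
    for a in apps:
        k = (bucket(a), getattr(a, key))
        total[k] += 1
        declines[k] += a.decision == "decline"
    return {k: declines[k] / total[k] for k in total}


if __name__ == "__main__":
    apps = build_sample()
    low = lambda a: a.record_completeness < 0.5
    print("decline ratio vs rest:", relative_decline_ratios(apps, "postal_code"))
    print("four-fifths violations:", four_fifths_violations(apps, "postal_code"))
    print("phi(postal 9000, unparseable record):",
          round(phi_coefficient(apps, lambda a: a.postal_code == "9000", low), 3))
    print("decline rate by (completeness, postal code):",
          decline_rate_conditioned(apps, "postal_code",
                                   lambda a: "unparseable" if low(a) else "parseable"))
```

Note the order in which the checks are read: the ratio and the four-fifths rule establish that there is a disparity by location; the phi coefficient and the conditioned rates then show that record completeness, not location itself, is the variable the model is acting on. The same functions can be re-run on each month’s decisions, which is what the continuous monitoring described later in the article amounts to in practice.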

Explainability. Every adverse underwriting decision must be explainable. Not “the model scored this applicant at 0.73 risk.” Rather: “the application was declined because the combination of medical history (factor A), occupational risk (factor B) and coverage amount (factor C) exceeded the risk threshold for this product.” The EU AI Act requires explanation sufficient for the customer to understand and challenge the decision.

Model documentation. Under both the EU AI Act and NAIC requirements, underwriting models must be documented with: training data composition, feature importance rankings, validation methodology, performance metrics across subgroups, known limitations and update history.

Human oversight architecture. Straight-through processing is permitted for standard risks. Complex cases, borderline decisions and any case touching protected characteristics require human review. The governance question is not whether humans review, but which cases trigger review and whether the triggers are correctly calibrated.

Claims processing agents

What they do: Triage incoming claims, assess damage, determine coverage, calculate settlements and in some configurations, approve payments for simple claims automatically.

Governance requirements:

Decision auditability. Every claims decision must be reconstructable: what data the agent received, what rules it applied, what settlement it calculated and why. When a customer disputes a claims decision, the insurer must produce the complete decision trail, not just the outcome.

Escalation design. The governance challenge is defining which claims an agent can resolve autonomously and which require a human adjuster. The threshold is not just claim value. It includes: complexity (multi-party claims, liability disputes), emotional sensitivity (injury claims, bereavement), regulatory exposure (claims touching regulatory reporting thresholds) and pattern anomalies (claims that deviate from the agent’s training distribution).

Speed vs. accuracy governance. Underwriting timelines are collapsing from 3 days to 3 minutes. Straight-through processing rates have jumped from 10-15% to 70-90%. Speed is the value proposition. But speed without accuracy governance creates liability. Every automated claims payment needs a confidence threshold below which the claim routes to a human, and that threshold needs regular calibration based on actual outcomes.
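The three claims requirements above (auditability, escalation design and confidence-threshold calibration) together, as an added example that is not code from the article or from any insurer. The claim fields, policy limits and the review history are constructed; the trigger names follow the article’s list (value, complexity, emotional sensitivity, regulatory exposure, pattern anomaly) with a confidence floor for automated payment. Every routing decision carries the inputs, the policy version and the triggers that fired, so it can be reconstructed from the trail alone.

```python
"""Escalation routing and a reconstructable decision trail for a claims agent.

Added example, not code from the article or any insurer. Claim fields, policy
limits and the confidence history are constructed; the trigger names follow
the article's list (value, complexity, sensitivity, regulatory exposure,
anomaly) with a confidence floor added for automated payments.
"""
import json
from dataclasses import dataclass, field, asdict


@dataclass(frozen=True)
class Claim:
    claim_id: str
    amount: float
    parties: int                # more than one party -> multi-party claim
    injury: bool                # injury or bereavement -> emotionally sensitive
    liability_disputed: bool
    agent_confidence: float     # agent's confidence in its own settlement (0..1)
    anomaly_score: float        # distance from the training distribution (0..1)
    proposed_settlement: float


@dataclass(frozen=True)
class EscalationPolicy:
    version: str
    max_auto_amount: float          # above this a human adjuster settles
    min_confidence: float           # below this an automated payment is not allowed
    max_anomaly: float
    regulatory_report_threshold: float


@dataclass
class RoutingDecision:
    claim_id: str
    route: str                      # "auto" or "human"
    reasons: list = field(default_factory=list)
    trail: dict = field(default_factory=dict)


def route_claim(claim: Claim, policy: EscalationPolicy) -> RoutingDecision:
    """Evaluate every escalation trigger (not only claim value) and record the
    inputs, the policy version and the triggers that fired, so the decision can
    be reconstructed later from the trail alone."""
    reasons = []
    if claim.amount > policy.max_auto_amount:
        reasons.append("claim_value")
    if claim.parties > 1 or claim.liability_disputed:
        reasons.append("complexity")
    if claim.injury:
        reasons.append("emotional_sensitivity")
    if claim.amount >= policy.regulatory_report_threshold:
        reasons.append("regulatory_exposure")
    if claim.anomaly_score > policy.max_anomaly:
        reasons.append("pattern_anomaly")
    if claim.agent_confidence < policy.min_confidence:
        reasons.append("low_confidence")
    return RoutingDecision(
        claim_id=claim.claim_id,
        route="human" if reasons else "auto",
        reasons=reasons,
        trail={"inputs": asdict(claim), "policy": asdict(policy),
               "triggers_fired": list(reasons)},
    )


def trail_json(decision: RoutingDecision) -> str:
    """Serialise the trail for the audit log; this is what is produced when a
    customer disputes the decision."""
    return json.dumps(decision.trail, sort_keys=True)


def calibrate_confidence_threshold(history, max_error_rate,
                                   candidates=(0.5, 0.6, 0.7, 0.8, 0.9, 0.95)):
    """Recalibrate the confidence floor from actual outcomes. `history` is a
    list of (agent_confidence, settlement_was_correct) for claims the agent
    paid automatically. Returns the lowest candidate threshold whose error
    rate over the claims at or above it stays within max_error_rate, or None
    when no candidate is safe (automated payment should then be paused)."""
    for t in candidates:
        outcomes = [ok for conf, ok in history if conf >= t]
        if outcomes and 1 - sum(outcomes) / len(outcomes) <= max_error_rate:
            return t
    return None


# Constructed review outcomes for ten automatically paid claims.
HISTORY = [(0.55, False), (0.62, True), (0.65, False), (0.71, True), (0.74, True),
           (0.78, False), (0.82, True), (0.85, True), (0.90, True), (0.97, True)]

if __name__ == "__main__":
    policy = EscalationPolicy("2026-01", max_auto_amount=5000, min_confidence=0.8,
                              max_anomaly=0.5, regulatory_report_threshold=50000)
    for c in (Claim("C1", 1200, 1, False, False, 0.93, 0.10, 1100),
              Claim("C2", 1200, 1, True, False, 0.95, 0.10, 1100),
              Claim("C3", 60000, 2, False, True, 0.90, 0.70, 58000)):
        d = route_claim(c, policy)
        print(c.claim_id, d.route, d.reasons)
    print("recalibrated floor:", calibrate_confidence_threshold(HISTORY, 0.10))
```

The calibration function is deliberately conservative: it returns `None` rather than a threshold when no candidate keeps the observed error rate within tolerance, which is the signal to stop automated payment until the agent is revalidated rather than to keep paying at the old floor.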

Customer service agents

What they do: Handle first-notice-of-loss, answer policy questions, process endorsements and guide customers through claims submission. Nordic insurers like If have deployed chatbots that reduced human contact escalations by 60%.

Governance requirements:

Transparency obligations. The Insurance Distribution Directive requires that customers know they are interacting with an AI agent. This is not a nice-to-have. It is a regulatory requirement. The agent must identify itself as AI, and customers must have a path to a human agent at any point.

Advice boundaries. Customer service agents must not provide advice that constitutes a regulated insurance recommendation unless the agent has been approved for that function. Answering “what does my policy cover?” is information. Answering “you should increase your coverage to $500,000” is advice. The governance boundary between information and advice must be enforced at the prompt level.

Data minimization. Customer service agents collect data through conversation. Governance must ensure they collect only data necessary for the task, do not retain conversational data beyond the required period and do not use customer disclosures for purposes beyond the immediate service request (unless explicitly consented).

Fraud detection agents

What they do: Analyze claims for patterns indicative of fraud, flag suspicious claims for investigation and in some cases, automatically route flagged claims to special investigation units.

Governance requirements:

False positive governance. Fraud detection is a high-false-positive domain. Internal pilots report 20-30% reductions in false positive rates with AI, but even improved rates mean legitimate customers are being flagged, investigated and delayed. Governance must set acceptable false positive thresholds, monitor actual rates and trigger recalibration when thresholds are exceeded.

Customer impact mitigation. A customer flagged for fraud investigation experiences delays, scrutiny and often distress. Governance must ensure: flagged customers are notified of delays without revealing the fraud investigation, investigations resolve within defined timeframes and customers cleared of fraud receive expedited processing to compensate for the delay.

Adversarial robustness. Fraud patterns evolve. Fraudsters adapt to detection models. Governance must include regular model revalidation against emerging fraud patterns, red-team testing of the model’s blind spots and monitoring for systematic shifts in fraud detection accuracy. A fraud model trained on 2024 patterns will miss 2026 fraud techniques unless governance mandates continuous learning.

Regulatory transparency. When fraud investigations result in claim denials, regulators may require disclosure of how AI contributed to the investigation. The governance framework must produce documentation of the model’s decision factors without revealing detection methodology that fraudsters could exploit to evade future detection.

Insurers that established AI governance frameworks in 2025 are entering 2026 best positioned to withstand regulatory pressures and scale AI with confidence.

The actuarial validation gap

Insurance has a long tradition of model validation. Actuarial models are tested, documented and reviewed by credentialed professionals. But traditional actuarial validation was designed for statistical models with interpretable parameters. AI agents, particularly those using LLMs for reasoning, do not fit this framework.

The validation gap manifests in three areas:

Interpretability. A generalized linear model used for pricing has interpretable coefficients. An LLM-based underwriting agent that synthesizes medical records, occupational risk data and claims history into a risk assessment does not. Traditional validation examines model parameters. Agent governance must examine model behavior, through testing, output analysis and fairness audits rather than parameter inspection.

Stationarity assumptions. Actuarial models assume relatively stable underlying distributions. AI agents operating on LLMs may shift behavior with model updates, prompt changes or data distribution shifts. The drift detection requirements for insurance agents are stricter than for most other sectors because the decisions directly affect policyholders’ financial protection.

Third-party model risk. Many insurance agents use foundation models from OpenAI, Anthropic or Google as their reasoning engine. The insurer does not control model updates. A foundation model update could subtly change the agent’s underwriting behavior without the insurer’s knowledge. Governance must include model version pinning, regression testing after any model update and contractual requirements with model providers for advance notification of changes.
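Version pinning, golden-set regression testing after a model update and a stationarity check on production decisions, as an added example covering the last two points above (it is not code from the article or from any model provider). The `decide` function is a stand-in for the agent’s call into the provider: its two version strings and the small weight change between them are invented to simulate a silent update, and the golden cases are constructed. In a real deployment the provider call replaces `decide` and the golden set is the case file signed off during validation.

```python
"""Version pinning and golden-set regression testing for an agent whose
reasoning runs on a third-party foundation model.

Added example, not code from the article or any model provider. `decide` is
a stand-in for the agent's call into the provider; its two version strings
and the weight change between them are invented to simulate a silent
provider update. The golden cases are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PinnedModel:
    provider: str
    model_version: str       # the exact version the insurer validated


@dataclass(frozen=True)
class GoldenCase:
    case_id: str
    features: dict           # inputs the agent reasons over
    expected_decision: str   # decision signed off during validation


class VersionMismatch(Exception):
    """Raised when the provider serves a model other than the pinned one."""


def pin_is_satisfied(pinned: PinnedModel, served_version: str) -> bool:
    return served_version == pinned.model_version


def check_pin(pinned: PinnedModel, served_version: str) -> None:
    if not pin_is_satisfied(pinned, served_version):
        raise VersionMismatch(
            f"pinned {pinned.model_version!r}, provider served {served_version!r}")


def decide(features: dict, model_version: str) -> str:
    """Stand-in for the agent's reasoning call. The hypothetical newer version
    weighs occupational risk a little more, which is exactly the kind of
    subtle change an insurer cannot see without a regression run."""
    occupation_weight = 0.4 if model_version == "2026-01-pinned" else 0.5
    score = 0.5 * features["medical_risk"] + occupation_weight * features["occupation_risk"]
    return "decline" if score > 0.6 else "approve"


def run_regression(cases, model_version, max_flip_rate):
    """Re-run the golden set against a model version and report every case
    whose decision differs from the signed-off one."""
    flips = [c.case_id for c in cases
             if decide(c.features, model_version) != c.expected_decision]
    rate = len(flips) / len(cases)
    return {"model_version": model_version, "flips": flips,
            "flip_rate": rate, "passed": rate <= max_flip_rate}


def decision_rate_drift(baseline_decisions, recent_decisions, max_abs_shift):
    """Stationarity check for production monitoring: compare the decline rate of
    a recent window with the validated baseline window."""
    base = sum(d == "decline" for d in baseline_decisions) / len(baseline_decisions)
    recent = sum(d == "decline" for d in recent_decisions) / len(recent_decisions)
    shift = recent - base
    return {"baseline_rate": base, "recent_rate": recent, "shift": shift,
            "alarm": abs(shift) > max_abs_shift}


PIN = PinnedModel("example-provider", "2026-01-pinned")

GOLDEN = [  # constructed; expected decisions are those of the pinned version
    GoldenCase("g1", {"medical_risk": 0.5, "occupation_risk": 0.5}, "approve"),
    GoldenCase("g2", {"medical_risk": 0.8, "occupation_risk": 0.6}, "decline"),
    GoldenCase("g3", {"medical_risk": 0.6, "occupation_risk": 0.8}, "decline"),
    GoldenCase("g4", {"medical_risk": 0.3, "occupation_risk": 1.0}, "approve"),
    GoldenCase("g5", {"medical_risk": 0.4, "occupation_risk": 0.7}, "approve"),
    GoldenCase("g6", {"medical_risk": 0.9, "occupation_risk": 0.2}, "approve"),
    GoldenCase("g7", {"medical_risk": 0.5, "occupation_risk": 0.9}, "decline"),
    GoldenCase("g8", {"medical_risk": 0.35, "occupation_risk": 0.95}, "approve"),
]

if __name__ == "__main__":
    for served in ("2026-01-pinned", "2026-03-silent-update"):
        print(served, "pin ok:", pin_is_satisfied(PIN, served),
              run_regression(GOLDEN, served, max_flip_rate=0.05))
```

Two of the eight golden cases flip under the simulated update even though the aggregate behaviour looks similar, which is the point: a pin check catches an announced version change, the regression run catches the behavioural change, and the drift check catches what neither of those sees when the provider changes nothing but the incoming population shifts.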

The Nordic example

Nordic insurers offer a useful reference point because they operate under some of the strictest data protection regimes while actively adopting AI agents.

If Insurance deployed chatbot agents that handle first-notice-of-loss and customer service inquiries, reducing human escalations by 60%. Their “Engaging Virtual Agents” carry out tasks, make predictions and authenticate customers while operating within a framework designed for GDPR, IDD and the Nordic financial supervisory authorities.

Tryg established a Nordic AI hub to centralize AI development across Danish, Norwegian and Swedish markets. They tested an injury-case documentation assistant within the Danish Financial Supervisory Authority’s sandbox, a regulatory environment that allows testing governance models before full deployment.

Gjensidige has digitized end-to-end customer flows, with customers able to bind policies and manage administration without human interaction. Their approach emphasizes prevention and personalization, with AI agents operating within a governance framework that maps to Solvency II and the Norwegian Financial Supervisory Authority’s expectations.

The common pattern across Nordic insurers: governance is not a brake on AI adoption. It is the framework that makes adoption possible at scale within a highly regulated environment.

Building the insurance agent governance framework

For insurers starting or expanding agent governance, the framework maps to the 8 pillars of agent governance with insurance-specific adaptations:

1. Agent registry with regulatory tagging. Every agent in the registry is tagged with applicable regulations: EU AI Act risk classification, NAIC Model Bulletin compliance status, state-specific requirements and internal risk tier. The registry is the foundation for regulatory reporting.

2. Risk classification calibrated to insurance. The risk classification framework must account for insurance-specific factors: whether the agent touches life/health data (EU AI Act high-risk trigger), whether it makes coverage decisions, whether it interacts with policyholders and whether its decisions are subject to appeal.

3. Fairness testing as continuous governance. Not a one-time assessment. Continuous monitoring of outcomes across demographic groups, with automated alerts when disparate impact exceeds defined thresholds. This is the requirement that most generic governance frameworks miss: insurance fairness is not a deployment gate. It is an ongoing obligation.

4. Explainability proportionate to impact. Premium calculations need a different level of explanation than coverage denials. Claims approvals need less explanation than claims denials. The governance framework defines explainability requirements by decision type and customer impact, not uniformly across all agent actions.

5. Model validation adapted for agents. Extend traditional actuarial validation to cover behavioral testing, drift detection and adversarial robustness. Involve credentialed actuaries in agent governance to bridge the gap between traditional model validation and AI-era governance requirements.

6. Third-party model governance. Contractual requirements for foundation model providers: advance notification of model updates, regression test support, performance guarantees and audit access. If your underwriting agent runs on GPT-4, you need governance that extends to OpenAI’s model lifecycle.

The cost of getting it wrong

Organizations with fully governed AI report 58% revenue growth compared to 15% for those still piloting. In insurance, the gap is even starker because the penalties for ungoverned AI are sector-specific: regulatory fines, conduct risk findings, product recall orders and reputational damage that directly reduces policyholder retention.

The EU AI Act fines for non-compliance reach up to 3% of global annual turnover. For a major insurer, that is hundreds of millions of euros. But the regulatory fine is not the real cost. The real cost is the supervisory attention that follows: enhanced reporting requirements, mandatory governance audits and the operational drag of operating under heightened scrutiny.

Insurance AI governance is not a compliance exercise. It is the operational framework that determines whether your agents can make decisions about people’s financial protection in a way that regulators trust, customers accept and the business can scale.

Sources

Source (date): URL

  • EIOPA, Opinion on AI governance and risk management (Aug 2025): https://www.eiopa.europa.eu/eiopa-publishes-opinion-ai-governance-and-risk-management-2025-08-06_en
  • EU AI Act, Annex III high-risk systems (2024): https://artificialintelligenceact.eu/annex/3/
  • NAIC, Artificial Intelligence in insurance (2026): https://content.naic.org/insurance-topics/artificial-intelligence
  • Roots Automation, 10 insurance AI predictions for 2026 (2026): https://www.roots.ai/blog/10-insurance-ai-predictions-2026-forecasting-shift-from-promise-performance
  • Fenwick, Evolution of AI insurance regulation (2026): https://www.fenwick.com/insights/publications/tracking-the-evolution-of-ai-insurance-regulation
  • Buchanan Ingersoll, Regulators demanding explainable AI (2026): https://www.bipc.com/when-algorithms-underwrite-insurance-regulators-demanding-explainable-ai-systems
  • Vantage Point, Insurtech trends 2026 (2026): https://vantagepoint.io/blog/sf/insights/insurtech-trends-2026-ai-claims-underwriting
  • Computer Weekly, AI in Nordic financial services (2026): https://www.computerweekly.com/news/366641192/AI-driving-changes-in-Nordic-financial-services
  • Grant Thornton, 2026 AI Impact Survey (2026): https://www.grantthornton.com/services/advisory-services/artificial-intelligence/2026-ai-impact-survey
  • EIS, Fraud management and detection (2026): https://www.eisgroup.com/digital-insurance-solutions/use-case-fraud-management-detection/