For Insurance Carriers & Agencies
GLBA, NAIC Model Bulletin, and NY DFS Cyber Reg 500 don't pause for AI adoption. We build compliant private AI for carriers that can't afford a regulatory examination.
What's at Stake
Insurance AI sits at the intersection of four distinct regulatory regimes. Your compliance team will have questions — here's what they need to know.
The Gramm-Leach-Bliley Act requires carriers to protect non-public personal financial information. The 2023 updated Safeguards Rule requires carriers to document all third-party service providers handling customer data — including AI vendors — and obtain written agreements covering security requirements. Most carriers have not mapped their AI tool usage to GLBA.
The NAIC's AI Model Bulletin (adopted by many state DOIs) requires carriers to document AI system usage, maintain transparency on AI-assisted underwriting and claims decisions, and provide appeal mechanisms. Carriers must be able to explain any AI-influenced decision. Most current AI deployments create undocumentable black boxes.
For carriers operating in New York, 23 NYCRR 500 requires covered entities to assess the cybersecurity risk of all third-party service providers — including AI tools. AI vendor contracts must address data security, access controls, and incident notification. This is a certification requirement with named officer accountability.
State insurance regulators are actively examining AI use in underwriting and claims handling, particularly for fair lending and anti-discrimination compliance. Carriers need to demonstrate exactly where data goes, who can access it, and what controls prevent discriminatory patterns. Public LLM usage makes this documentation nearly impossible.
The Problem
Claims files contain names, addresses, medical history, and financial data. Sending that through a public LLM API creates regulatory exposure your compliance team will have questions about.
State insurance regulators are actively examining AI use in underwriting and claims handling. Carriers need to demonstrate exactly where data goes and who can access it.
Third-party AI vendors often use your data for model training by default. Your vendor contracts may not clearly prohibit it — and most don't offer private deployment options.
What It Does
Pull a complete claims history, coverage analysis, and reserve recommendation in minutes. A model trained on your claims data surfaces patterns across similar files — not just the single claim in front of you.
Query your own policy portfolio, rate manuals, and underwriting guidelines in natural language. Get consistent answers — auditable, repeatable, and never hallucinated from public training data.
Give your agents a private AI that knows every policy form, endorsement, and exclusion in your book. Quote faster, bind confidently, and route complex questions before they become E&O claims.
How We'd Approach It
Four phases. Fixed-price. GLBA documentation included. See the full methodology →
We inventory your claims files, policy data, and agent communications. We produce a GLBA-compliant data classification map identifying what data types exist, where AI is currently touching them, and what the Safeguards Rule requires. You get a compliance baseline before we build anything.
Private AI infrastructure in your cloud environment or on-premise. RBAC ensures claims handlers see claims data, underwriters see policy data, agents see their book. PHI in medical records is anonymized before entering the training corpus. Immutable audit log for NAIC 668 documentation.
Fine-tuning on your carrier's claims history, rate manuals, and underwriting guidelines. We validate against your actual workflows and build the NAIC 668 decision documentation package. Your compliance team reviews the audit trail before go-live.
Model weights transfer to you. Monthly retainer includes quarterly retraining as claims patterns shift, annual GLBA Safeguards Rule review, and support for any state DOI market conduct examination. You own the model — we keep it current and compliant.
Sample Work Product
See the depth of a Vermont AI Systems engagement — a complete AI Readiness Assessment in Insurance format.
Read the Green Mountain Mutual Insurance sample assessment →
Common Questions
The GLBA Safeguards Rule requires carriers to have written agreements with service providers that handle customer data, and to conduct due diligence on those providers' security practices. A private AI deployment you control eliminates the third-party vendor risk entirely — there's no external service provider to audit. We provide GLBA-compliant deployment documentation as part of every engagement.
Yes — and this is built into the architecture from day one. Every query and response is logged with user ID, timestamp, data sources accessed, and output. The log is immutable and exportable for regulatory review. If a state DOI examines an AI-assisted underwriting decision, you can show exactly what data the model used and what it returned. Public LLMs cannot produce this documentation.
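One way to build the immutable, exportable query log described above, as an added example that is not part of this page or the vendor's own code: each record carries the previous record's hash, so an after-the-fact edit or deletion is detectable on export. The field names, the GENESIS anchor, and the sample user and claim identifiers are constructed for illustration.

```python
"""Append-only, hash-chained audit log for AI queries (constructed example)."""
import hashlib
import json
import time

GENESIS = "0" * 64  # constructed anchor for the first record's "prev" field


def _digest(record: dict) -> str:
    # Canonical JSON so the hash does not depend on key order.
    data = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class AuditLog:
    """Fields follow the page: user ID, timestamp, data sources accessed, output.
    Each entry's hash covers the previous entry's hash, so changing or deleting
    any entry invalidates every later one; verify() reports the first break."""

    def __init__(self):
        self.entries = []

    def append(self, user_id, query, sources, output, ts=None):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "ts": ts if ts is not None else time.time(),
            "user_id": user_id,
            "query": query,
            "sources": list(sources),
            "output": output,
            "prev": prev,
        }
        body["hash"] = _digest(body)  # hash is computed before the key exists
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        """Return (True, None) if intact, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            unhashed = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or _digest(unhashed) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None

    def export_jsonl(self):
        """One JSON object per line, the form handed to an examiner."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)
```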
Medical records in auto claims and health-adjacent P&C lines are handled with a de-identification layer before ingestion. We anonymize PII and PHI before documents enter the training corpus — the model learns from claim patterns, not individual claimant identity. This is not a workaround; it's the architecture standard for HIPAA-adjacent carrier data.
More questions? See the 15 questions to ask any AI vendor →
The discovery call is 30 minutes. We'll tell you exactly what it would take to build this for your organization, what it would cost, and whether we're the right fit.