Insurance AI Governance Has To Move From Policy Documents Into Production Workflows

Insurance is document-heavy, judgment-heavy, and control-heavy. That combination makes it a natural environment for AI, but also one where trust, explainability, data lineage, and human oversight are nonnegotiable. The industry has moved past early experimentation, with AI now being deployed into underwriting, claims, and back-office finance processes at production scale. But the governance frameworks surrounding those deployments have not kept pace, and most still live in policy folders rather than operational workflows.

Max Richter, EMEA CEO and Global Growth Leader at mea, an AI firm partnering with insurers on strategic transformation, recently facilitated a panel on AI governance at the Global Risk Summit. Before mea, Richter spent over 15 years as a managing director at Accenture, leading AI-enabled transformation for global insurance clients. He began his career as a software engineer and holds a degree in Management Science from the London School of Economics.

"AI governance has to move from policy to operations. Boards and risk teams cannot govern AI purely through principles, committees, and acceptable use policies. Once AI is embedded within underwriting, claims, finance, compliance, or customer operations, governance has to show up in the workflow itself," says Richter.

What Breaks in Production

Richter draws a sharp line between what governance means in a pilot and what it means in production. In a pilot, a wrong answer is a learning point. In production, a wrong output can affect a customer claim, a regulatory obligation, a financial transaction, or a colleague's work. "The risk profile changes completely," Richter says. "Firms need production-grade controls. That means thinking about what governance means in operations."

He defines production-grade governance as a set of controls embedded into operational workflows: what the AI is allowed to do, when a human must approve, how decisions are logged, how exceptions are handled, and how performance is monitored over time. Without those controls, organizations run the risk of shipping AI that works in a demo but creates liability at scale.

On the replacement question, Richter is measured. Repetitive administrative work, particularly services provided by business process outsourcing teams, faces large-scale automation. But in a complex, regulated industry like insurance, the near-term opportunity is augmentation. "Give experts better information, remove some of the manual processing, and allow human judgment to be focused where it matters most."

Shadow AI and Fragmented Pilots

Richter flags shadow AI and what he calls "pilots proliferus" as a significant operational risk. Organizations are running dozens of independent experiments across business units without a central governance framework. "You can run many promising experiments and have some successes. But without common data foundations, control standards, and business ownership, those do not become scalable capabilities. You're running operational risk around that kind of setup."

Many organizations have already taken a first step by providing employees with enterprise-wide access to LLM platforms within a controlled environment. That helps staff familiarize themselves with AI, learn prompting techniques, and capture individual productivity gains. But Richter positions that as a baseline. "The next level is deploying AI to support and automate core workflows, which goes beyond individual employee productivity assistance to AI actually running the work itself. And that requires a level of framework and governance around it."

Regulation Trails the Technology

On the regulatory front, Richter describes a fragmented picture. In the United States, state-level AI regulation is proliferating without a consistent federal rulebook, creating compliance challenges for AI firms operating across jurisdictions. In Europe, the EU AI Act provides high-level governance guidance but still struggles to match the speed of the technology. "It is very difficult on this topic to have prescriptive rules-based regulation. The direction needs to be more towards principles-based regulation."

Data governance sits underneath the entire conversation. Richter describes three dimensions: keeping data secure against newly discovered model vulnerabilities, ensuring data is used according to the approvals the organization holds and for the right purpose, and governing the data generated by AI models to ensure it is accurate rather than hallucinated. "Garbage in, garbage out still applies. You need to make sure the data is curated the right way and used for the right purpose with the right models."

Richter closes by shifting the measurement conversation from model novelty to workflow performance. The questions insurance leaders should be asking are specific and operational: Has AI reduced turnaround time? Has it improved cost per transaction? Has it reduced rework, exception rates, or leakage? Has it improved data and decision quality? Can we explain what happened, who approved it, and why? "Those are the outputs that as an industry we need to be concerning ourselves with as AI moves from the innovation lab into production workflows."