Assessment completed for: Green Mountain Mutual Insurance (fictional profile — illustrative only)

Top 3 Risks Identified:

Recommended Path:

Private AI infrastructure — VPC-isolated deployment with claims triage assistant and underwriting research agent. Estimated project: $42K build + $4.2K/mo operations retainer.
| Field | Detail |
|---|---|
| Company | Green Mountain Mutual Insurance (fictional profile) |
| Headcount | 180 employees across: underwriting (22), claims handling (38), field agents (45), IT & operations (15), sales & distribution (28), finance & compliance (12), executive (8), HR & admin (12) |
| Annual Premium Volume | $240M across regional P&C lines |
| Product Lines | Personal lines (homeowners, auto) ~55%; Small commercial (BOP, workers comp) ~30%; Farm & ranch ~10%; Specialty/excess ~5% |
| Geographic Focus | Vermont primary; expanded into NH and upstate NY since 2018 |
| Distribution | Independent agent network (~85 agents); 3 direct sales staff; no captive agents |
| Current IT Infrastructure | On-premise core policy and claims system (PolicyPen v4); Azure-hosted file servers; Microsoft 365 E3; Salesforce for agent management; IBM Watson Assistant for customer service chatbot (pilot) |
| Current AI Usage | ChatGPT personal accounts (widespread); IBM Watson Assistant pilot; Microsoft 365 Copilot trial (12 users); no formal AI governance program |
| Decision-Makers | CEO, COO, VP Underwriting, VP Claims, CIO, Director of Compliance, Director of Agent Relations |
Scope note: This fictional profile is based on a composite of real mid-size regional P&C carriers in Vermont. The data sensitivity findings, risk patterns, and architecture recommendations are directly applicable to actual carriers of this size and product mix.
AI tools currently in use across the carrier, mapped by deployment type, user volume, and risk classification.

| Tool | Deployment Type | Users | Volume Estimate | Risk Flag |
|---|---|---|---|---|
| ChatGPT (free, personal accounts) | Consumer web — no enterprise controls | ~65 employees (underwriting, claims, agents) | 150–280 queries/day estimated | CRITICAL — No firm visibility, no data controls, GLBA exposure |
| Microsoft 365 Copilot | M365 E3 tenant — pilot phase | 12 underwriters (trial) | Unknown — no reporting configured | HIGH — Consumer financial data in M365 tenant, no RBAC configured for AI access |
| IBM Watson Assistant | Cloud SaaS — customer service chatbot | Customer-facing (live to policyholders) | ~800 conversations/month | MODERATE — Policyholder PII in Watson; carrier reviewing BAAs |
| PolicyPen AI features | Licensed on-premise system | 22 underwriters, 8 processors | High — daily use | LOW — Vendor-controlled, on-premise |
| Salesforce Einstein AI | Cloud SaaS — agent management | 28 sales staff | Moderate — lead scoring, email drafting | HIGH — Agent contact data, commission structures, agent PII in Salesforce cloud |
| Google Gemini (personal accounts) | Consumer web | ~20 employees | Low — occasional use | CRITICAL — Same as ChatGPT free tier; no visibility |
| Claims fraud model (internal) | On-premise — legacy statistical model | Claims adjusters (required) | Used on ~40% of claims | MODERATE — Not AI/LLM; needs documentation for NAIC 668 |
Key finding: An estimated 60–70% of AI usage is outside IT visibility. The compliance team has no documentation of which AI tools are processing policyholder data — a direct gap against GLBA Safeguards Rule requirements and NAIC Model Law 668.
Classification of data types by department, with AI tools currently touching each classification. This map forms the basis for GLBA and NAIC compliance documentation.

| Department | Data Types | AI Tools Touching This Data | Classification | Volume/Month |
|---|---|---|---|---|
| Claims Handling | Claim forms, medical reports (auto accident), police reports, body shop estimates, witness statements, bank account info for claim payments | ChatGPT (personal), Gemini (personal), M365 Copilot (trial) | CRITICAL — PII + PHI + financial data / GLBA / HIPAA adjacency | ~1,400 claims/month; avg 8–12 documents/claim |
| Underwriting | Policy applications (SSN, DOB, financial disclosures), loss history reports, credit-based insurance scores, inspections, property records | ChatGPT (personal), M365 Copilot (trial), PolicyPen AI | CRITICAL — Non-public personal financial data / GLBA / NAIC regulated | ~850 new policies/month; 400+ renewals/month |
| Field Agents | Customer contact info, policy documents, claims status inquiries, coverage questions, producer commission records | ChatGPT (personal), Salesforce Einstein, Gemini (personal) | HIGH — Agent PII, commission data, policyholder contacts / GLBA | ~85 agents, avg 25 customer interactions/day |
| Customer Service (Watson) | Policy numbers, claim numbers, coverage questions, payment info, contact history | IBM Watson Assistant (live) | MODERATE — PII in third-party cloud / GLBA / contract review needed | ~800 conversations/month |
| Sales & Distribution | Lead data, commission structures, agent performance metrics, competitive quote data | Salesforce Einstein, ChatGPT (personal) | HIGH — Agent PII, competitive data / GLBA | ~200 new leads/month; 85 agent records |
| Finance & Compliance | Premium reports, loss ratio data, reserves, regulatory filings, audit workpapers | ChatGPT (personal), M365 Copilot (trial) | HIGH — Regulatory filings, financial data / SOX adjacency | Quarterly regulatory cycle; monthly financial reporting |
The GLBA Safeguards Rule (16 CFR Part 314), as updated in 2023, requires carriers to:
Compliance finding: Green Mountain Mutual is not in compliance with the GLBA Safeguards Rule as it relates to AI tool usage. The carrier cannot certify compliance without documenting the AI tools in use, the data they access, and the controls in place. NAIC Model Law 668 adds additional documentation requirements specific to AI-assisted decisions in underwriting and claims.
Three plausible incident scenarios based on observed carrier behavior and current AI usage patterns.

How it happens: ChatGPT free accounts are personal accounts — there's no technical or procedural control preventing an employee from using one for work. The handler is trying to work faster. The medical records are PHI-adjacent (auto insurance is a common HIPAA secondary use context). OpenAI's privacy policy does not include HIPAA BAA coverage. The carrier has no visibility into this interaction.

How it happens: M365 Copilot can surface content from emails, SharePoint, and Teams within the tenant. An underwriter asks Copilot to "find all the loss history patterns for this agent's book." Copilot surfaces loss history from emails that included sensitive information. The underwriter uses this in their underwriting decision — without realizing Copilot surfaced information outside the formal policy file.

How it happens: Many SaaS AI features include provisions allowing the vendor to use customer data to improve their AI models. If Salesforce is using carrier data to train Einstein, the agent commission structure and customer contact data may be used in ways the carrier hasn't authorized. The carrier has no BAA with Salesforce covering AI-specific data use.
Two AI capabilities are recommended for Phase 2 deployment: a claims triage assistant and an underwriting research agent. Both are deployed in a VPC-isolated environment with no data leaving the carrier's private infrastructure.

| Component | Description | Implementation |
|---|---|---|
| Claims Triage Assistant | First-pass review of incoming claims — coverage verification, reserve range recommendation, fraud indicator flag, medical record summarization. Trained on the carrier's claims history, coverage forms, and claims handling SOPs. | VPC-isolated; Llama 3.1 70B fine-tuned on claims corpus; RAG pipeline against claims document store; output is draft recommendation — handler reviews and approves |
| Underwriting Research Agent | Natural language Q&A against the full policy portfolio, rate manuals, underwriting guidelines, and agent communications. Underwriter asks: "What's the exposure profile for this class code in Chittenden County?" — gets answer from the carrier's own data, not from public sources. | VPC-isolated; Mistral fine-tuned on policy corpus; RAG against rate manual PDF library and agent email archive; audit log of every query and response |
| PHI Anonymization Layer | Medical records and other PHI-adjacent data is anonymized (not just redacted) before ingestion into the training corpus. The model learns from claim patterns, not from individual claimant identity. | HIPAA-adjacent design; de-identification pipeline before vector embedding; no raw PII in training data |
| Role-Based Access Controls | Underwriters see policy and rate data. Claims handlers see claim documents. Agents see customer contact data for their own book. No cross-role data surfacing without explicit access grant. | RBAC layer above document store; each AI query checks user role before returning data; principle of least privilege enforced |
| Immutable Audit Log | Every query and response is logged — user ID, timestamp, data sources accessed, output. Required for NAIC 668 documentation and GLBA compliance reporting. | Append-only log to separate audit store; SHA-256 integrity verification; exportable to compliance dashboard |
IT/Compliance note: The Watson Assistant chatbot (currently in customer service) should be evaluated for replacement with a private AI deployment in Phase 3. The existing Watson contract should not be renewed without a comprehensive BAA covering AI training data use and a data retention audit.
Assessment: included ($7,500) · Internal resource: ~30 hrs IT, ~15 hrs compliance team

| Milestone | Deliverable | Owner | Target |
|---|---|---|---|
| AI tool inventory | Complete list of all AI tools in use by department, with data types touched | CIO + Compliance Director | Week 2 |
| Data classification audit | GLBA data map — all customer information flows, classified by sensitivity | Compliance Director + CIO | Week 4 |
| Immediate policy deployment | Interim policy: no customer data (PII, claims, policy info) in personal AI accounts; employee acknowledgment required | CEO + HR | Week 3 |
| M365 Copilot configuration review | AI-specific access controls configured; Copilot usage reporting enabled; scope limited to approved data sets | CIO + IT Director | Week 5 |
| Vendor BAA review | BAAs requested from all AI vendors (IBM Watson, Salesforce Einstein, Microsoft). Legal review of AI training data use clauses. | Compliance Director + outside counsel | Week 6 |
| NAIC 668 gap analysis | Document current AI usage against NAIC Model Law 668 requirements; identify documentation gaps and appeal mechanism requirements | Compliance Director | Week 7 |
| Phase 1 deliverable | AI Governance Framework document: policies, data map, vendor inventory, GLBA compliance status, NAIC 668 documentation | Vermont AI Systems + CIO | Week 9 |
Build investment: $42K · Internal resource: ~100 hrs IT, ~40 hrs claims/underwriting team
| Milestone | Deliverable | Target |
|---|---|---|
| Architecture design | VPC network design, security controls, vendor selection for private cloud or on-premise deployment | Month 4 |
| Data pipeline development | Secure document ingestion pipeline with PHI anonymization, RBAC enforcement, encryption at rest | Month 5 |
| Claims triage assistant deployment | Private LLM fine-tuned on carrier claims history; RAG pipeline; handler review interface; audit log | Month 5–6 |
| Underwriting research agent deployment | Private LLM fine-tuned on policy portfolio; RAG against rate manuals; agent-facing Q&A interface; audit log | Month 6 |
| NAIC 668 documentation package | Complete AI decision documentation for underwriting and claims; appeal mechanism implemented in system | Month 6 |
| Staff training | Claims handlers and underwriters trained on private AI usage, audit trail understanding, and escalation procedures | Month 6 |
| Phase 2 deliverable | Two private AI capabilities in production; full GLBA documentation package; NAIC 668 compliance documentation | Month 6 |
Included in operations retainer ($4.2K/mo) · Internal resource: ~20 hrs/quarter IT, ~8 hrs/quarter compliance
| Milestone | Deliverable | Target |
|---|---|---|
| Agent network AI assistant | AI assistant for field agents — policy lookup, coverage questions, claims status — trained on agent handbook and carrier communications | Month 9 |
| Watson Assistant replacement evaluation | Replace or renegotiate IBM Watson contract; evaluate private AI chatbot alternative for customer service | Month 9 |
| Quarterly model retraining | Claims triage model retrained on new claims data; underwriting model updated with new rate manual versions | Monthly (retainer) |
| GLBA annual review | Annual Safeguards Rule compliance review, data flow documentation update, AI tool re-inventory | Month 12 |
| DFR market conduct preparation | Documentation package prepared for potential DFR market conduct examination of AI usage in underwriting and claims | Month 12 |
| Phase 3 deliverable | Ongoing compliance posture, operational AI system, annual review cycle established | Month 12 |
Already completed for this fictional firm profile as part of the sample illustration.
| Item | Amount |
|---|---|
| AI Readiness Assessment — full engagement | $7,500 |
| Total Assessment | $7,500 |
The $42K fixed-price covers two AI capabilities (claims triage assistant + underwriting research agent) deployed in VPC-isolated infrastructure. A fixed-price engagement can be scoped in a 60-minute discovery call.
| Component | Amount | Notes |
|---|---|---|
| Architecture design & security spec | $6,500 | VPC design, RBAC schema, compliance framework alignment |
| Data pipeline development (PHI anonymization + RBAC) | $9,000 | Encrypted document ingestion, de-identification layer, role-based access |
| Claims triage assistant — model fine-tuning + RAG | $10,000 | Fine-tune on claims history; RAG against claims SOPs and coverage forms |
| Underwriting research agent — model + Q&A interface | $8,500 | Rate manual RAG, policy portfolio Q&A, agent-facing interface |
| Immutable audit log system | $4,500 | NAIC 668 documentation, GLBA compliance logs, compliance dashboard |
| NAIC 668 compliance documentation package | $3,500 | Decision documentation, appeal mechanism, DFR-ready filing |
| Testing, QA, security review | $5,000 | Penetration testing, GLBA compliance validation, handler review workflow testing |
| Project management & staff training | $4,000 | Claims handler + underwriter training, policy documentation, change management |
| Net Build Cost | $51,000 | |
| Discount (assessment credit + volume) | ($9,000) | |
| Final Build Cost | $42,000 | |

| Item | Monthly | Annual |
|---|---|---|
| System monitoring and uptime management | $1,400 | $16,800 |
| Security patch management and vulnerability scanning | $700 | $8,400 |
| Quarterly model retraining (claims + underwriting) | $800 | $9,600 |
| Audit log review and GLBA/NAIC compliance reporting | $500 | $6,000 |
| Quarterly governance committee support | $300 | $3,600 |
| Direct support line for claims/underwriting team questions | $500 | $6,000 |
| Operations Retainer | $4,200 | $50,400 |
Year 1 Total: $99,900 ($7,500 assessment + $42K build + $50.4K retainer)
Three-path analysis: Private AI Build (recommended) vs. IBM watsonx (insurance-focused) vs. Salesforce Einstein for Insurance.

| Criteria | Private AI Build (Recommended) | IBM watsonx Insurance | Salesforce Einstein Insurance |
|---|---|---|---|
| Data sovereignty | ✓ Full — data never leaves carrier VPC | ✗ IBM-hosted cloud; data processing under IBM terms | ✗ Salesforce cloud; Einstein training data policy unclear |
| GLBA Safeguards Rule compliance | ✓ Architecture designed for it | ⚠ BAA available but requires negotiation | ⚠ No specific GLBA BAA for Einstein AI features |
| NAIC 668 documentation | ✓ Audit log + decision documentation built in | ⚠ Limited audit trail; carrier responsible for 668 documentation | ⚠ Not designed for insurance regulatory compliance |
| Claims data training (PII/PHI) | ✓ PHI anonymization layer; no raw PII in training | ✗ Medical data processing requires HIPAA BAA; not currently in place | ✗ Not HIPAA-covered; no BAA for medical records |
| Custom to carrier's own data | ✓ Fine-tuned on carrier's claims history and guidelines | ⚠ Pre-built insurance models; carrier data for RAG only | ⚠ Generic insurance AI; limited carrier-specific customization |
| Underwriting AI (rate manual Q&A) | ✓ Trained on carrier's own rate manuals and guidelines | ✓ Some UW optimization capabilities | ⚠ Lead scoring and email only; not UW research |
| Agent network support | ✓ Agent AI assistant in Phase 3 scope | ✗ Not focused on independent agent workflow | ✓ Salesforce-native agent management integration |
| Year 1 cost (build + ops) | $99,900 | ~$85K–$120K/year (SaaS licensing + implementation) | ~$60K–$90K/year (Einstein licensing + implementation) |
| Year 2+ ongoing cost | $50,400/yr (retainer only) | ~$60K–$80K/yr (SaaS + support) | ~$50K–$70K/yr (Einstein licensing) |
| IP ownership | ✓ Carrier owns model weights and deployment | ✗ IBM owns the model; carrier licenses it | ✗ Salesforce owns Einstein; carrier has no model rights |
Recommendation: Private AI Build — the only option that provides full data sovereignty (required for GLBA), built-in NAIC 668 documentation, PHI anonymization, and carrier-specific fine-tuning. Year 2+ economics are significantly better than ongoing SaaS licensing with no IP to show for it.
This is a sample. Your assessment will be different.

Start at /book-audit →

Or reach us directly: hello@vermontaisystems.com · (802) 555-0192