What should insurers ask vendors before approving AI for underwriting or claims?
Quick Answer
Start with governance, data provenance, testing, explainability, monitoring and accountability, because customer-impacting AI is only safe to approve when controls are evidenced and decision risk stays reviewable.
Detailed Answer
Insurers need sharper AI vendor review questions before customer-impacting deployment
When an external AI system could influence underwriting, claims handling or customer outcomes, a standard vendor questionnaire is not enough. Insurers need to know how the model was built, what evidence supports its performance, who is accountable when it fails and whether the control environment stands up to regulatory scrutiny.
The practical test is simple: could your team explain why this system is safe to use, where its limits are and how you would intervene if outcomes drift or complaints rise? If the answer is no, approval is premature.
The safest approval approach is to test governance, evidence and operational control together
Before approval, insurers should ask for clear answers in six areas: purpose, data, model performance, customer impact, operational oversight and contractual accountability. A vendor may have impressive demo results, but that is not enough if the insurer cannot evidence appropriate governance, challenge decisions or switch to manual review when needed.
- Purpose and use case: What exact decision or recommendation will the AI support, and where must humans remain in control?
- Data and training basis: What data sources were used, what permissions apply and how is sensitive or biased data managed?
- Testing and validation: What performance testing has been done on insurance-relevant scenarios, edge cases and adverse outcomes?
- Explainability and traceability: Can the insurer understand the main factors shaping outputs and retain an audit trail?
- Monitoring and incident response: How will drift, degradation, complaints or unfair outcomes be detected and escalated?
- Accountability and contract terms: Who owns remediation, reporting, model changes and liability if the system causes harm?
The vendor risk questions that matter most
1. What is the system actually being used for?
Insurers should ask whether the tool scores risk, triages claims, recommends actions, drafts communications or supports fraud review. The approval standard should change depending on whether the AI is simply assisting staff or materially shaping customer outcomes. A vendor should define intended use, prohibited use and known limitations in plain English.
2. What data trained or configured the system?
Ask what datasets, labels and external sources underpin the model. The vendor should explain how representative the data is for your market, product lines and customer base, plus what steps were taken to identify imbalance, proxy discrimination or stale inputs. If the answer is vague, that is a warning sign.
3. How has the model been tested for insurance use cases?
General benchmark scores are not enough. Insurers should ask for validation against underwriting and claims scenarios that resemble real operating conditions. That includes false positives, false negatives, edge cases, complaint-triggering situations and scenarios involving vulnerable customers.
4. Can we challenge and explain outputs?
If the model affects premiums, claim triage or customer treatment, the insurer needs a practical way to understand why an output was produced and when it should be overridden. Ask what explanation artefacts exist, what logs are retained and whether internal teams can reconstruct a decision path during audit, complaint handling or regulatory review.
5. What controls exist for drift, change and failure?
Approval should never assume performance will remain stable. Ask how the vendor detects model drift, data drift and operational degradation. You also want thresholds for intervention, rollback procedures, change notification commitments and a documented incident response path.
6. Where does accountability sit contractually?
Procurement and risk teams should ask who approves model updates, how material changes are disclosed, what service levels apply to incidents and what indemnities or remediation commitments exist. If a vendor wants broad freedom to change the model without oversight, the insurer is carrying too much unmanaged risk.
How insurers should structure the review in practice
A useful approach is to split the review into four short workstreams.
- Business risk review: confirm the use case, decision impact, customer impact and fallback process.
- Technical assurance review: assess data lineage, validation evidence, explainability, monitoring and change control.
- Compliance and governance review: test fairness, complaints handling, record keeping, oversight and policy alignment.
- Commercial and contractual review: tighten responsibilities for incidents, updates, evidence provision and termination.
This structure helps insurers avoid a common failure mode where procurement approves the vendor, but no one has fully tested the operational and governance implications of using the AI in a regulated environment.
Red flags that should slow or stop approval
Insurers should pause if a vendor cannot clearly evidence training data provenance, refuses meaningful testing on representative cases, offers limited explainability, lacks robust monitoring or treats model updates as routine software changes. Another red flag is over-reliance on disclaimers such as "human review required" without showing how that review actually works in operations.
You should also challenge any model that creates pressure to accept outputs without sufficient scrutiny. If staff cannot confidently override the system, or if complaints and exceptions are likely to rise without a clear governance response, the approval case is weak.
Approval should depend on evidence, not vendor confidence
The strongest AI vendor reviews in insurance do not ask whether the tool is innovative. They ask whether the insurer can operate it safely, justify it internally and defend it externally. That means documented controls, defined limits, accountable owners and a realistic plan for monitoring customer outcomes after go-live.
If a vendor can answer those questions well, approval is easier to justify. If not, the right answer is not "approve and hope". It is to tighten conditions, narrow the use case or delay deployment until the control evidence is strong enough.
FAQ
Do insurers need a separate AI vendor questionnaire?
Usually yes. Standard third-party risk questionnaires rarely go deep enough on model governance, testing, explainability, monitoring and customer-impact controls.
What is the most important question to ask first?
Start with the exact decision impact. If the AI materially influences underwriting, claims or customer treatment, the review standard should be much higher.
Is human review on its own enough as a control?
No. Human review only helps if reviewers understand the system, can challenge outputs and have time and authority to override decisions properly.
Should insurers allow vendors to update models without approval?
Not for material changes. Contracts and governance processes should define what changes require notice, retesting or formal reapproval.
What if the vendor cannot explain the model clearly?
That does not always mean automatic rejection, but it does mean the insurer needs stronger safeguards, narrower use cases and a higher burden of evidence before approval.