Every insurance board now has AI on the risk register. The question is no longer "should we use AI" but "how do we govern it well enough that we can keep using it". A workable AI governance framework has to do three things at once: protect customers and the firm, satisfy regulators, and not freeze the innovation it exists to enable. Here is what that looks like in practice.

What AI governance is actually for

AI governance is the set of policies, controls and evidence that lets a firm say, with a straight face: "we know what AI is in use, we understand its risks, we have controls proportionate to those risks, and we can demonstrate that to a regulator." Nothing more, nothing less. Frameworks that turn into 80-page policies nobody reads fail this test.

The five pillars of a workable framework

1. A live AI inventory

You cannot govern what you cannot see. Maintain a single inventory of every AI/ML system in use — whether built, bought, embedded in a SaaS tool, or being piloted. For each, record: business owner, purpose, data inputs, decision type, model provider, risk tier and last review date. The inventory is the foundation; every other control points back to it.

2. Tiered risk classification

Not every model needs the same control intensity. A typical three-tier scheme works well:

  • Tier 1 — High: decisions affecting customers directly (underwriting, pricing, claims decisioning, fraud referral). Full controls — bias testing, explainability, human override, monitored continuously.
  • Tier 2 — Medium: internal decisions with material financial or operational impact (reserving inputs, capacity allocation, broker assistant tooling). Controls focused on accuracy, monitoring and human-in-the-loop.
  • Tier 3 — Low: productivity tooling (drafting, summarisation, code assistants). Lightweight controls — usage policy, data-loss prevention, training.

3. Control gates across the lifecycle

Every Tier 1 model passes through documented gates: business case, data sourcing review, model development sign-off, pre-deployment validation, post-deployment monitoring, and at least annual revalidation. Each gate has an owner, evidence requirements, and a named approver. The gates are the audit trail.

4. Human-in-the-loop and override

For any decision affecting a customer, a human must be able to review, override and explain. That sounds obvious; in practice many deployed models have no operational override path. Bake it into the process design, not the policy document.

5. Monitoring and revalidation

Models drift. Data drifts. Population shifts. Monitor performance, bias and stability monthly for Tier 1 models, and trigger revalidation when thresholds are breached. The monitoring pack is what you put in front of a regulator when they ask "how do you know it's still working?"

Governance structure

Most insurers don't need a new committee. What they need is:

  • An AI Working Group at executive level — chaired by a named accountable executive (often CRO or COO), with risk, compliance, data, IT and key business owners.
  • AI risk reported into the existing Risk Committee on a defined cadence (quarterly minimum).
  • A named Senior Manager with AI in their Statement of Responsibilities (SoR) — there is no escape from SM&CR accountability by claiming "the algorithm did it".

Regulator-ready evidence

Whatever framework you adopt, the test is whether you could hand the following to the FCA or PRA within a working week:

  • Current AI inventory with risk tiering.
  • AI policy and risk appetite statement.
  • Control framework document mapped to the policy.
  • For any Tier 1 model: model documentation, validation evidence, monitoring pack, override examples.
  • Last AI Working Group and Risk Committee minutes covering AI.
  • Training records for staff using AI tooling.

How to avoid freezing innovation

The fastest way to kill AI adoption is to put every experiment through the same gates as a deployed pricing model. The solution is a sandbox protocol: time-boxed, data-restricted, no customer impact, light-touch governance, with a clear gate at which a successful sandbox graduates into the full framework. The framework protects production; the sandbox protects exploration.

Where most insurance AI governance goes wrong

  • Policy written by a consultant in isolation, never operationalised.
  • No inventory — nobody can list the models in production.
  • One-size-fits-all controls that crush low-risk use cases.
  • Vendor AI (embedded in software-as-a-service) ignored entirely.
  • No monitoring once a model is live.

JanthanaK helps insurers, MGAs and brokers stand up AI governance that is proportionate, regulator-ready and doesn't kill momentum — through the AI Insurance Consulting service. Book a 30-minute call to talk through where your framework needs to land.