Solutions / Insurance

AI governance that holds up when the insurance market asks for proof.

Carriers, MGAs, TPAs, and insurtechs are putting AI into underwriting, rating, claims, and fraud workflows while regulators and carrier partners raise the bar on governance. Castle gives the teams that own that risk one system for the inventory, the obligations, the controls, the runtime decisions, and the evidence, so the answer to "show us your AI governance" is an export, not a project.

Current status, stated plainly

Castle is built and tested and in early access. It is not yet live-proven with a customer or auditor, and it holds no certifications. Regulatory summaries on this page are for orientation, not legal advice; regime mappings are reference mappings for your counsel to review, not regulator endorsements.

01 / Who this is for

The teams that answer for AI in an insurance workflow

  • Carriers using AI or vendor-supplied models in underwriting, rating, claims handling, or fraud detection, and preparing for AI questions in market-conduct exams.
  • MGAs and TPAs that operate AI inside delegated authority, and increasingly receive AI governance, documentation, and audit requirements through carrier program agreements.
  • Insurtechs selling AI-driven products into carriers, where a credible governance story is becoming part of the sale.

A wording we hold ourselves to: the NAIC bulletin addresses licensed insurers. It does not bind MGAs or TPAs directly. The practical pressure reaches them through the carriers and contracts above them, and that is the pressure Castle helps answer.

02 / Why now

The triggers are on the calendar

The NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers has been adopted in 24 jurisdictions, 23 states plus the District of Columbia, per the NAIC's implementation tracker (status April 1, 2026). It expects a written program for responsible AI use, governance proportionate to risk, internal controls, and documented oversight of third-party AI and data.

From January to September 2026, the NAIC is piloting its AI Systems Evaluation Tool in 12 states, giving market-conduct examiners a standardized AI-governance checklist. Standardized asks mean the evidence can be prepared in advance instead of reconstructed under exam deadlines.

And independent of any one regulator, carriers that must answer for their AI are pushing documentation, audit, and governance requirements down through program agreements. Whoever you are in the chain, someone above you will eventually ask you to show your governance.

03 / What Castle does

One system from obligation to evidence

You need
Castle provides
A complete, current inventory of AI use and autonomous agents.
The AI use case and agent registry: purpose, risk tier from fixed rules, owner, declared tools and data access, mapped controls and obligations.
The obligations that apply to insurance AI, mapped to your systems.
Insurance obligation libraries for the NAIC AI Model Bulletin, NYDFS CL-7, Colorado SB 21-169, Texas TDI Bulletin B-0036-20, and the EU AI Act, shipped as reference mappings your counsel can review.
Governance decisions that are consistent and documented.
Deterministic policy decisions from rules you can read, with human sign-off gates, named owners, and an exceptions register.
Control of what agents actually do, beyond what they are supposed to.
Runtime enforcement at the action boundary: allow, deny, and block decisions recorded on a tamper-evident hash chain. How enforcement works.
Evidence a carrier, auditor, or examiner can verify independently.
Signed evidence packets with a Merkle manifest, verified by the standalone castle-verify tool on the recipient's own machine. One command, castle insurance examiner-packet, bundles the packet, that verifier, and a verify-first 00-START-HERE.md cover sheet into a single portable deliverable the examiner checks offline, without installing Castle.
Proof the model behaves, not a checklist of controls.
First-party model validation: a battery for bias and fairness (disparate impact), grounding, robustness, and drift, emitting pass/fail results mapped to NAIC bias-testing and SR 11-7 obligations, stamped into the same signed evidence packet. You validating your own models, not an independent audit.
Proof your content guardrails actually fired.
Castle ingests your NeMo Guardrails / Llama Guard / Presidio rail decisions (toxicity, PII, jailbreak) as obligation-mapped, verifiable evidence tied to market-conduct duties. Governing your guardrails, not running them.
A dry run before the examiner's checklist arrives.
The exam simulator: a response package structured to Exhibits A through D of the NAIC AI Systems Evaluation Tool 4.0 exposure draft (use quantification matrix, governance checklist with a citation column, per-model detail sheets, data provenance rows), assembled from live registry data with explicit "requires insurer input" placeholders, never fabricated values. One command, castle insurance examiner-packet, emits it as a single portable deliverable, optionally one ZIP, with a signed Merkle attestation and the bundled standalone verifier. Structured to the Tool 4.0 exposure draft as publicly posted by the NAIC; the exposure draft is in active revision and states may customize it. Preparation material, counsel reviewable, not regulator endorsed.
The pack your carrier asks for under delegated authority.
The carrier-delegation pack for MGAs and TPAs: attestation packet, exam-readiness export, and the agent and model inventory, framed for the carrier's oversight of AI used under its delegated authority.
Partner evidence the carrier can trust without taking anyone's word.
Countersigned evidence chains: the carrier's instance, or a free verification node (castle countersign serve), re-verifies the MGA's packet and signs a receipt bound to its exact bytes; receipts aggregate into one offline-verifiable Transparent Statement, and an oversight report summarizes coverage across the delegation chain. Aligned to the IETF SCITT architecture (draft-ietf-scitt-architecture, in IESG evaluation).
Where each jurisdiction stands on the NAIC bulletin.
A jurisdiction-by-jurisdiction adoption record inside the product, with each instrument and date source-dated, plus a content-currency check that flags staleness. Kept current to public sources as of the recorded dates; not legal advice.
04 / For MGAs & TPAs

When the carrier's diligence lands on your desk

Delegated authority now comes with AI questions attached: what models and agents run inside the program, what data they touch, who approved them, and what records exist. Answering from email threads and spreadsheets is slow and hard to defend.

Castle gives an MGA or TPA the same machinery a carrier uses: the obligation map drawn from your program agreements and applicable guidance, the AI inventory, the approval trail, and an evidence packet you can hand up the chain. The carrier-delegation pack bundles that into one handoff: attestation packet, exam-readiness export, and the agent and model inventory, framed for the carrier's oversight of AI used under its delegated authority. The goal is that carrier diligence becomes a handoff, and your governance becomes part of why carriers want your program.

And the carrier does not have to take the packet on faith: its own instance, or a free verification node, re-verifies your evidence and countersigns it, so what rolls up the chain is independently verified rather than self-reported. Where delegated authority runs on bordereaux spreadsheets today, this is the verifiable version for AI governance evidence.

05 / The deep guide

Preparing for the exam itself

For the full treatment of what is changing in market-conduct exams, what examiners ask, and exactly what Castle exports for each ask, read the exam-readiness guide. It includes the four ask categories, the evidence mapping, and a six-step preparation sequence you can run whether or not you use Castle.

Read the exam-readiness guide

06 / Next step

See it on your own program

Watch the real product authorize, deny, and block in under ninety seconds, then bring us one program agreement or AI use case and we will walk the full pass live.

Watch the demo Talk to Castle