AI governance that holds up when the insurance market asks for proof.
Carriers, MGAs, TPAs, and insurtechs are putting AI into underwriting, rating, claims, and fraud workflows while regulators and carrier partners raise the bar on governance. Castle gives the teams that own that risk one system for the inventory, the obligations, the controls, the runtime decisions, and the evidence, so the answer to "show us your AI governance" is an export, not a project.
Current status, stated plainly
Castle is built and tested and in early access. It is not yet live-proven with a customer or auditor, and it holds no certifications. Regulatory summaries on this page are for orientation, not legal advice; regime mappings are reference mappings for your counsel to review, not regulator endorsements.
The teams that answer for AI in an insurance workflow
- Carriers using AI or vendor-supplied models in underwriting, rating, claims handling, or fraud detection, and preparing for AI questions in market-conduct exams.
- MGAs and TPAs that operate AI inside delegated authority, and increasingly receive AI governance, documentation, and audit requirements through carrier program agreements.
- Insurtechs selling AI-driven products into carriers, where a credible governance story is becoming part of the sale.
A wording we hold ourselves to: the NAIC bulletin addresses licensed insurers. It does not bind MGAs or TPAs directly. The practical pressure reaches them through the carriers and contracts above them, and that is the pressure Castle helps answer.
The triggers are on the calendar
The NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers has been adopted in 24 jurisdictions, 23 states plus the District of Columbia, per the NAIC's implementation tracker (status April 1, 2026). It expects a written program for responsible AI use, governance proportionate to risk, internal controls, and documented oversight of third-party AI and data.
From January to September 2026, the NAIC is piloting its AI Systems Evaluation Tool in 12 states, giving market-conduct examiners a standardized AI-governance checklist. Standardized asks mean the evidence can be prepared in advance instead of reconstructed under exam deadlines.
And independent of any one regulator, carriers that must answer for their AI are pushing documentation, audit, and governance requirements down through program agreements. Whoever you are in the chain, someone above you will eventually ask you to show your governance.
One system from obligation to evidence
castle-verify tool on the recipient's own machine. One command, castle insurance examiner-packet, bundles the packet, that verifier, and a verify-first 00-START-HERE.md cover sheet into a single portable deliverable the examiner checks offline, without installing Castle.castle insurance examiner-packet, emits it as a single portable deliverable, optionally one ZIP, with a signed Merkle attestation and the bundled standalone verifier. Structured to the Tool 4.0 exposure draft as publicly posted by the NAIC; the exposure draft is in active revision and states may customize it. Preparation material, counsel reviewable, not regulator endorsed.castle countersign serve), re-verifies the MGA's packet and signs a receipt bound to its exact bytes; receipts aggregate into one offline-verifiable Transparent Statement, and an oversight report summarizes coverage across the delegation chain. Aligned to the IETF SCITT architecture (draft-ietf-scitt-architecture, in IESG evaluation).When the carrier's diligence lands on your desk
Delegated authority now comes with AI questions attached: what models and agents run inside the program, what data they touch, who approved them, and what records exist. Answering from email threads and spreadsheets is slow and hard to defend.
Castle gives an MGA or TPA the same machinery a carrier uses: the obligation map drawn from your program agreements and applicable guidance, the AI inventory, the approval trail, and an evidence packet you can hand up the chain. The carrier-delegation pack bundles that into one handoff: attestation packet, exam-readiness export, and the agent and model inventory, framed for the carrier's oversight of AI used under its delegated authority. The goal is that carrier diligence becomes a handoff, and your governance becomes part of why carriers want your program.
And the carrier does not have to take the packet on faith: its own instance, or a free verification node, re-verifies your evidence and countersigns it, so what rolls up the chain is independently verified rather than self-reported. Where delegated authority runs on bordereaux spreadsheets today, this is the verifiable version for AI governance evidence.
Preparing for the exam itself
For the full treatment of what is changing in market-conduct exams, what examiners ask, and exactly what Castle exports for each ask, read the exam-readiness guide. It includes the four ask categories, the evidence mapping, and a six-step preparation sequence you can run whether or not you use Castle.
See it on your own program
Watch the real product authorize, deny, and block in under ninety seconds, then bring us one program agreement or AI use case and we will walk the full pass live.