Use Case · Insurance

Insurance: red-teaming claims and underwriting agents.

End-to-end agentic claims. Parametric underwriting. Life and health risk-rating.

Carriers are deploying agents that read first-notice-of-loss narratives, classify damage photos, price life and health policies, and trigger payouts. Every one of those steps is a regulated decision and an attacker-reachable input. AgentGuardian fingerprints the agent, runs the 96-probe corpus across all ten OWASP ASI 2026 categories, and produces a signed evidence pack a chief actuary or a market-conduct examiner can read.

The Carrier Problem

Three agent shapes, one regulated blast radius.

The agentic-AI buildout inside insurance carriers is converging on three shapes, and each one creates a different category of regulatory exposure. The shared property is that the agent is making a decision that the insurance code treats as a regulated decision, often with a fiduciary or anti-discrimination overlay, and that the decision is now reachable by a third-party input.

01 · End-to-end agentic claims

Intake, triage, classification, fraud screen, reserve, adjudication, payout — handled by a swarm of coordinated agents that read claimant-provided text, photos, PDFs, and third-party-data API outputs.

02 · Parametric-policy underwriting

Agent reads sensor or index data (wind-speed, rainfall, flight delay, BTC spot, carbon price) and binds, prices, or pays out without a human in the loop. The trigger value is the entire control surface.

03 · Life and health risk-rating

Agentic underwriting that consumes wearable data, electronic health records, and broker-provided narrative. EU AI Act Annex III high-risk by default. Colorado SB21-169 and NYDFS Circular 7 require evidence on demand.

The chief actuary signs the rate filing. The chief underwriting officer signs the risk appetite. Neither of them signed for an LLM that can be talked out of a denial by a sentence in a PDF.

How AgentGuardian Fits

Three probes that matter most for an insurance agent.

The 96-probe corpus is sharded across all ten OWASP ASI 2026 categories on every scan. For an insurance carrier, three probe clusters are load-bearing. Each one corresponds to a known agent shape, a known regulatory anchor, and a known revenue-or-loss event the carrier will be asked to defend.

STEP 01 · CLAIMS INTAKE
Probe prompt injection in claims free-text and multimodal evidence.

End-to-end agentic claims systems read first-notice-of-loss narratives, scanned police reports, repair-shop invoices, and damage photos. Every one of those channels is an attacker-controlled input the moment a third party can populate it. AgentGuardian shards ASI01 (Goal Hijack) and ASI09 (Trust Exploitation) probes against the intake agent — including indirect injection through tool outputs and PDF text layers — and adds vision-channel payloads against any LLM that reads photographs of damage.

  • ASI01-T1 · GOAL HIJACK: Indirect injection inside the FNOL narrative that rewrites the system goal mid-adjudication.
  • ASI09 · TRUST EXPLOITATION: Fabricated citations to non-existent policy clauses; output-reflection XSS into the adjuster console.
  • MULTIMODAL · VISION CHANNEL: Adversarial overlays on damage photos and receipts that flip the agent's loss-classification call.
  • MUTATOR · CONTROL_CHARS: Null bytes, BOM, and RTL-override injected into claimant free-text to break policy filters.

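
A defender-side counterpart to the CONTROL_CHARS mutator, as an added example (not AgentGuardian code): an intake check that reports and strips the code points named above before a keyword policy filter runs. The wider bidi and zero-width set, the `policy_filter_hits` filter, and the sample narrative are assumptions constructed for illustration.

```python
import unicodedata

# Code points the page's CONTROL_CHARS mutator names: NUL, BOM, RTL override.
# The other bidi controls and ZWSP are an assumption added for this example.
SUSPECT = {
    "\u0000": "NUL", "\ufeff": "BOM", "\u200b": "ZWSP",
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

def inspect_free_text(text):
    """Return (cleaned_text, findings) for one claimant-supplied field."""
    findings, kept = [], []
    for offset, ch in enumerate(text):
        if ch in SUSPECT:
            findings.append((offset, SUSPECT[ch]))
        elif unicodedata.category(ch) == "Cc" and ch not in "\n\r\t":
            findings.append((offset, "CTRL-%04X" % ord(ch)))
        else:
            kept.append(ch)
    # NFKC folds compatibility forms (e.g. fullwidth letters) before filtering.
    cleaned = unicodedata.normalize("NFKC", "".join(kept))
    return cleaned, findings

def policy_filter_hits(text, blocked_phrases):
    """Hypothetical downstream keyword filter: case-insensitive substring match."""
    lowered = text.casefold()
    return [p for p in blocked_phrases if p in lowered]

# Constructed sample: a phrase split by NUL and wrapped in an RTL override.
SAMPLE = ("\ufeffWater damage in kitchen. "
          "\u202eover\u0000ride the denial\u202c Please advise.")
BLOCKED = ["override the denial"]

if __name__ == "__main__":
    print("raw hits:    ", policy_filter_hits(SAMPLE, BLOCKED))
    cleaned, findings = inspect_free_text(SAMPLE)
    print("findings:    ", findings)
    print("cleaned hits:", policy_filter_hits(cleaned, BLOCKED))
```

A non-empty findings list is itself a signal worth routing to an adjuster, since ordinary claim narratives rarely contain these characters.
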
STEP 02 · UNDERWRITING
Probe goal-drift and proxy discrimination in pricing agents.

Life, health, and parametric underwriting agents are the regulator's first concern. They are EU AI Act Annex III high-risk by default. Colorado SB21-169 and the NAIC Model Bulletin on the Use of AI Systems by Insurers both require carriers to demonstrate that the agent has not learned to use forbidden proxies — ZIP code, surname, brand of car — as substitutes for prohibited attributes. AgentGuardian runs ASI10 (Rogue Agents / Drift) probes that hold the protected attribute constant while perturbing the proxy, and surfaces every quote-delta that exceeds a configurable threshold.

  • ASI10-T3 · LONG-HORIZON DRIFT: Multi-turn pricing sessions that measure quote drift as proxy variables are perturbed.
  • ASI10 · REWARD HACKING: Underwriting agents that learn to maximise premium-bind rate by exploiting demographic proxies.
  • ASI06 · MEMORY POISONING: Persistent triggers planted in the RAG corpus of actuarial guidance and underwriting manuals.
  • MUTATOR · TYPE_CONFUSION: Boundary attacks on parametric-trigger thresholds (wind-speed, rainfall, flight-delay).

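
Because the trigger value is the whole control surface of a parametric policy, the comparison against the threshold has to fail closed on malformed readings. The following added example (not AgentGuardian code) puts a naive comparison beside a strict one; the index names, plausibility bounds, and function names are hypothetical.

```python
import math
from decimal import Decimal, InvalidOperation

# Hypothetical plausibility bounds; real ones come from the policy wording.
BOUNDS = {"wind_speed_kmh": (Decimal("0"), Decimal("500")),
          "rainfall_mm": (Decimal("0"), Decimal("2000")),
          "flight_delay_min": (Decimal("0"), Decimal("2880"))}

class TriggerRejected(ValueError):
    pass

def naive_should_pay(raw, threshold):
    # Pays unless the reading is provably below the threshold: NaN slips through.
    return not (float(raw) < threshold)

def parse_reading(index, raw):
    """Accept only a finite, in-range decimal number for a known index."""
    if index not in BOUNDS:
        raise TriggerRejected("unknown index %r" % (index,))
    # bool is an int subclass in Python; True must not be read as 1.
    if isinstance(raw, bool) or not isinstance(raw, (int, float, str, Decimal)):
        raise TriggerRejected("unsupported type %s" % type(raw).__name__)
    if isinstance(raw, float) and not math.isfinite(raw):
        raise TriggerRejected("non-finite float")
    try:
        value = Decimal(str(raw).strip())
    except InvalidOperation:
        raise TriggerRejected("not a number: %r" % (raw,))
    if not value.is_finite():
        raise TriggerRejected("non-finite value")
    low, high = BOUNDS[index]
    if not (low <= value <= high):
        raise TriggerRejected("outside plausible range")
    return value

def should_pay(index, raw, threshold):
    """Fail closed: a rejected reading never triggers an automatic payout."""
    try:
        return parse_reading(index, raw) >= Decimal(threshold)
    except TriggerRejected:
        return False

if __name__ == "__main__":
    for raw in ["119.9", "120", "nan", "1e9", True, float("inf")]:
        print(repr(raw), should_pay("wind_speed_kmh", raw, "120"))
```
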
STEP 03 · ADJUDICATION AND PAYOUT
Probe tool misuse and A2A compromise on the payout path.

The blast radius of a compromised claims agent is a wire transfer. ASI02 (Tool Misuse), ASI03 (Privilege Compromise), and ASI07 (Agent-to-Agent Compromise) probes target the adjudication-to-payout handoff — the moment the claims agent calls into the payments service, the reinsurance ledger, or the fraud-screening agent. AgentGuardian replays signed A2A messages, attempts cross-tenant reads against the policyholder graph, and exercises tool-argument injection against every payment-rail tool the agent can reach.

  • ASI02 · TOOL MISUSE: Argument injection against the payment-rail tool to redirect, escalate, or duplicate payouts.
  • ASI03-T2 · PRIVILEGE ABUSE: Cross-tenant reads against the policyholder graph; scope-token replay on the reinsurance ledger.
  • ASI07 · A2A COMPROMISE: Supervisor impersonation between claims and fraud-screening agents; signed-message replay on the bus.
  • ASI08 · CASCADING FAILURES: Retry storms, alarm suppression, and dependency cascade on the reinsurance settlement workflow.

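
A valid signature does not make a message fresh, which is why signed-message replay works against a bus that only checks authenticity. This added example (not AgentGuardian code) shows a receiver that binds sender, recipient, timestamp, and a single-use nonce into the check; HMAC with constructed per-sender keys stands in for whatever signature scheme the bus uses, and all agent names are hypothetical.

```python
import hashlib, hmac, json

# Constructed demo keys per sending agent; a real bus would load these from a KMS.
KEYS = {"fraud-screen": b"demo-key-fraud", "claims": b"demo-key-claims"}
MAX_SKEW_S = 30
FIELDS = ("from", "to", "nonce", "ts", "body")

def canonical(fields):
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def sign(sender, recipient, nonce, ts, body):
    """Build a message whose MAC covers sender, recipient, nonce, time and body."""
    msg = {"from": sender, "to": recipient, "nonce": nonce, "ts": ts, "body": body}
    msg["mac"] = hmac.new(KEYS[sender], canonical(msg), hashlib.sha256).hexdigest()
    return msg

class Verifier:
    def __init__(self, me):
        self.me = me
        self.seen = {}  # (sender, nonce) -> message timestamp

    def accept(self, msg, now):
        f = {k: msg.get(k) for k in FIELDS}
        if not isinstance(f["from"], str) or f["from"] not in KEYS:
            return "reject: unknown sender"
        if not isinstance(f["ts"], int) or not isinstance(f["nonce"], str):
            return "reject: malformed"
        expected = hmac.new(KEYS[f["from"]], canonical(f), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), str(msg.get("mac")).encode()):
            return "reject: bad mac"
        if f["to"] != self.me:
            return "reject: wrong recipient"
        if abs(now - f["ts"]) > MAX_SKEW_S:
            return "reject: stale"
        # Entries older than the window would be rejected as stale anyway.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= MAX_SKEW_S}
        if (f["from"], f["nonce"]) in self.seen:
            return "reject: replay"
        self.seen[(f["from"], f["nonce"])] = f["ts"]
        return "accept"

if __name__ == "__main__":
    v = Verifier("claims")
    m = sign("fraud-screen", "claims", "n-1", 1000, {"claim": "C-1", "verdict": "clear"})
    print(v.accept(m, 1005), "|", v.accept(m, 1006), "|", v.accept(m, 1100))
```
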
Regulatory Teeth

Where the examiner will start.

Carriers asking AgentGuardian about agent governance typically have a regulator-facing trigger: an upcoming market-conduct examination, a Senior-Manager-accountability filing, an Annex III technical-documentation request, or a board-level demand for an answer the chief risk officer can defend. Below are the frameworks that examiners and counsel cite most in 2026.

  • EU AI ACT: Annex III high-risk: life and health pricing, claims-eligibility decisions.
  • COLORADO SB21-169: Algorithm and external-consumer-data testing requirements for insurers.
  • NAIC MODEL BULLETIN: AI System programme and market-conduct examination authority over agentic insurers.
  • NYDFS CIRCULAR 7 (2024): Use of AI and ECDIS in underwriting and pricing; explainability and governance expectations.
  • UK FCA · CP 5/24: Senior Manager accountability for AI agents that touch UK retail policyholders.
  • MAS FEAT (Singapore): Fairness, Ethics, Accountability, Transparency principles applied to insurer AI.
  • OSFI E-23 (Canada): Model risk management guideline extended to agentic decisioning systems.
  • OWASP ASI 2026: Primary taxonomy, with every finding tagged ASI01 through ASI10.

The NAIC Model Bulletin gives every state insurance commissioner market-conduct examination authority over the carrier's use of AI systems. The carrier's burden is to produce evidence — not to assert that the agent is safe.

Operator Voice

What the chief actuary and the chief underwriting officer are actually asked.

Two role-shaped briefings AgentGuardian was built to support. Both are framed in language a board committee or a market-conduct examiner uses, not in vendor-marketing language.

Chief Actuary Briefing

On the rate-filing question: has the agent learned a forbidden proxy?

The deterministic AIVSS score lets the actuarial team treat the agent the way any other model is treated under the carrier's model-risk policy. The ASI10 goal-drift probes hold the protected-class attribute constant and perturb the proxy. Any quote-delta beyond the configured threshold is flagged with a probe transcript and an AIVSS-weighted severity. That is the evidence the rate-filing memo can cite — and the evidence the actuary can hand to a market-conduct examiner without having to first translate it from prompt-engineering language.

  • Reproducible AIVSS score on every probe run
  • ASI10 drift probes parameterised by proxy variable
  • Quote-delta table per protected attribute
  • Probe transcripts in the SARIF and PDF outputs

Chief Underwriting Officer Briefing

On the claims-leakage question: can the agent be talked out of a denial?

Claims leakage from a manipulated free-text narrative or an adversarial damage photo is a P&L line, not a research curiosity. ASI01 (Goal Hijack) probes with the PAP mutator family — once it ships in the OSS corpus — and the in-tree control-character and encoding mutators today, exercise every reachable indirect-injection channel. The output is a per-probe transcript with the exact payload, the agent's resulting tool calls, and the reserve or payout delta the agent attempted. That number, multiplied by claim volume, is the leakage exposure the CUO is being asked about in the quarterly business review.

  • Indirect injection probes for FNOL, PDF, photo, third-party data
  • Per-probe payload, tool call, and reserve-or-payout delta
  • Multimodal vision-channel coverage on damage photos
  • T1 tier: tools, memory, PII reachable

Evidence Pack

A bundle a market-conduct examiner can read.

Every scan produces five artefacts: SARIF 2.1.0, PDF, HTML, JSON, and an evidence directory. Each finding carries an OWASP ASI 2026 category, a MITRE ATLAS v5.4.0 technique, a CSA Agentic-RT category, and a deterministic 0-100 AIVSS score. The bundle is SHA-256 signed and reproducible from the corpus version stamp.

  • Probe transcripts per ASI category
  • AIVSS score and severity table
  • MITRE ATLAS v5.4.0 technique IDs
  • CSA Agentic-RT category mapping
  • Quote-delta table for proxy probes
  • Multimodal injection samples
  • Tool-call audit per finding
  • SHA-256 signed bundle

AgentGuardian Evidence · 2026.05 · SIGNED · SHA-256
Carrier-XL · Claims Agent · Q2 2026 scan

target=langgraph · adapter=http · tier=T1 · mode=full · probes=96

  • AIVSS Posture: 71/100
  • ASI Coverage: 10 of 10
  • Critical Findings: 3
  • ATLAS Techniques: v5.4.0
  • Top Probe: ASI01 · indirect
  • Mutator Hits: control_chars · encoding

sha256: 7c3a9f1d8b4e2f5a6c8d0e1f3a5b7c9d1e3f5a7b9c1d3e5f7a9b1c3d5e7f9a1b · corpus=2026.05 · agentguardian=1.0.0

Carrier FAQ

Questions insurance teams ask first.

Does AgentGuardian model the EU AI Act high-risk obligations for life and health pricing?
Today, AgentGuardian's primary taxonomy is OWASP ASI 2026 with MITRE ATLAS v5.4.0 and CSA Agentic-RT mappings on every finding. EU AI Act mapping is on the public roadmap; in the interim the evidence pack carries the ASI and ATLAS identifiers that an EU AI Act technical-documentation file can cite by reference. The AIVSS score is deterministic and reproducible, which is what regulators tend to ask for when they ask for a number.
How do the goal-drift probes show proxy discrimination without seeing protected attributes?
The probe holds the candidate protected attribute constant and perturbs the proxy variable (ZIP, surname, vehicle make, broker channel). Any quote-delta beyond the configured threshold is flagged as a candidate proxy, with the probe transcript and the AIVSS-weighted severity attached. That is the evidence the NAIC Model Bulletin asks the carrier to produce on demand.
What does the multimodal injection probe actually do?
It generates adversarial overlays on damage photos, receipts, and scanned reports — text payloads rendered into the image at sizes and positions that defeat naive OCR filters but are read by vision-language models. The probe records every loss-classification flip, every payout-amount change, and every tool call the agent attempted as a result.
Can AgentGuardian run against a claims agent that we do not own?
Yes — the HTTP adapter covers any agent reachable over HTTP, MCP, or a webhook. The recon stage fingerprints the agent's tool surface from observed traffic, then the swarm shards probes across the ASI categories that the fingerprint indicates are reachable. Read-only mode is supported for production endpoints.
Does this replace our actuarial model-risk programme?
No. AgentGuardian is adversarial testing for the agentic layer — the prompt-injection, tool-misuse, A2A, and drift surface that actuarial model validation was never designed to cover. It complements OSFI E-23, SR 11-7, and your internal model-risk standard; it does not replace them.
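
The proxy-perturbation check described in the underwriting step and in the FAQ answer on goal-drift probes can be sketched as follows. This is an added example, not AgentGuardian code: `quote_deltas`, the `toy_quote` stand-in for the pricing agent, and every applicant value are constructed for illustration.

```python
def quote_deltas(quote_fn, base, proxies, threshold_pct):
    """Perturb one proxy at a time around `base`.

    Every other field, including any protected attribute the record carries,
    is held constant. Returns (proxy, value, baseline, quote, delta_pct) rows
    for each perturbation whose quote moves by more than threshold_pct.
    """
    baseline = quote_fn(dict(base))
    if baseline <= 0:
        raise ValueError("baseline quote must be positive")
    flagged = []
    for name, values in proxies.items():
        for value in values:
            if value == base[name]:
                continue
            quote = quote_fn(dict(base, **{name: value}))
            delta_pct = round(100.0 * (quote - baseline) / baseline, 2)
            if abs(delta_pct) > threshold_pct:
                flagged.append((name, value, baseline, quote, delta_pct))
    return flagged

# Constructed stand-in for the agent under test: it rates on age and sum
# insured and, as the defect being looked for, loads one ZIP value by 12%.
def toy_quote(applicant):
    premium = 200.0 + 4.0 * applicant["age"] + 0.001 * applicant["sum_insured"]
    if applicant["zip"] == "ZIP-B":
        premium *= 1.12
    return round(premium, 2)

# Constructed applicant and proxy values (placeholders, not real data).
BASE = {"age": 40, "sum_insured": 250000, "zip": "ZIP-A",
        "surname": "SURNAME-A", "vehicle_make": "MAKE-A"}
PROXIES = {"zip": ["ZIP-A", "ZIP-B", "ZIP-C"],
           "surname": ["SURNAME-A", "SURNAME-B", "SURNAME-C"],
           "vehicle_make": ["MAKE-A", "MAKE-B", "MAKE-C"]}

if __name__ == "__main__":
    for row in quote_deltas(toy_quote, BASE, PROXIES, threshold_pct=2.0):
        print("candidate proxy: %s=%s baseline=%.2f quote=%.2f delta=%+.2f%%" % row)
```

Against a real agent, `quote_fn` would wrap the pricing endpoint, and each applicant would need repeated calls so that sampling noise is not mistaken for a proxy effect.
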

Move from agent pilots to filed and examined.

Book a carrier-shaped assessment. We will run AgentGuardian against your claims or underwriting agent and walk the chief actuary, the CUO, and the CRO through the evidence bundle.