AI in Regulated Industries
Part 5 of The Broker's Guide to AI — why insurance is different, what regulators and carriers expect, and how to stay onside.
Why insurance is different
Plenty of industries can move fast and fix mistakes later. Insurance can't, and for good reason. Brokers are licensed. Advice carries legal weight. Client data is sensitive. Errors create E&O exposure. And regulators, carriers, and clients all expect you to be able to explain exactly what happened and why.
So when AI enters a brokerage, it isn't entering a sandbox — it's entering a regulated profession. That doesn't mean AI can't be used. It means AI has to be used the way everything else in insurance is: with documentation, supervision, and accountability.
Guardrails: what the AI must never do
Guardrails are hard limits built into an AI system — things it is not allowed to do no matter how it's asked. In a brokerage context, sensible guardrails include:
- Never give advice on whether to make a claim.
- Never confirm or imply coverage exists without a human verifying.
- Never discuss another client's information, under any circumstances.
- Never bind, amend, or cancel coverage without human approval.
- Always identify itself as an AI assistant when talking to clients.
- Always hand off when a client asks for a person, mentions a claim, or expresses frustration.
Audit trails: if it isn't logged, it didn't happen
In a regulated business, “the AI handled it” is not an acceptable answer to a regulator, a carrier, or a court. You need to be able to show what the AI was asked, what information it used, what it did, what it said, when, and who reviewed it. A proper AI system logs every conversation, every action taken in your systems, every document retrieved, and every handoff — in a form you can search and export.
Explainability: “why did it do that?”
Regulators and carriers increasingly expect that decisions affecting clients can be explained. If an AI flagged a risk, drafted a recommendation, or routed a client a certain way, you should be able to say why in plain language. This is another reason source citations matter so much: an AI that says “this property doesn't qualify under the carrier's wood-stove rules, see section 4.2 of the manual” is explainable. An AI that says “doesn't qualify” with no trail is not.
Data protection: the questions that are not optional
Before any AI tool touches client information, get clear written answers to:
- Where does the data live — which country, which provider, and does it ever leave that jurisdiction? For Canadian brokerages, data residency comes up in nearly every carrier review.
- Is our data used to train the vendor's AI for other customers? The right answer for a brokerage tool is no.
- Who can access it — both at the vendor and within your own team? Access should be role-based and reviewed regularly.
- What certifications does the vendor hold? SOC 2 audits security practices over time; ISO 27001 is an international security-management standard; ISO 42001 is a newer standard for governing AI responsibly. Each of these is verified by an outside auditor; they're not just logos.
- What happens when we leave — how is our data returned and deleted if we end the contract?
Accountability never transfers
One principle above all: using AI never transfers your professional responsibility to the AI or the vendor. If an AI assistant gives your client wrong information, that's your brokerage's problem, your E&O exposure, and your reputation — exactly as if an employee had said it. This isn't a reason to avoid AI; it's the reason to choose AI built for insurance, with the guardrails, logging, and human oversight described in this guide.
