How to build an AI strategy in insurance: what leaders need to know before they start.

19 June 2026, by Anmol Katna
Risk, Compliance & Trust
AI Governance & Capital Strategy
Cluster Article

Most insurers have a list of AI use cases. Few have a sequenced plan that answers three questions simultaneously: which use cases generate the highest return, which carry manageable regulatory risk under the EU AI Act, and which the current infrastructure can support today. This post provides the use case scoring matrix, the AI governance framework, and the phased investment approach that turns a working group into a production deployment.

Hundred Solutions
Published 2026
14 weeks: average time to first production deployment for Phase 1 AI use cases in insurance — claims fraud detection and submission triage — with the right sequencing[2] (Majesco Research · 2024)
August 2026: EU AI Act deadline for high-risk AI system compliance under Annex III — applies to all EU and EEA insurers including Norwegian carriers operating under the EEA Agreement[3] (EU AI Act · European Parliament · 2024)
3.2× ROI: average return on AI automation investment in insurance operations over 24 months — the documented baseline for Phase 1 investment case construction[2] (Majesco Research · 2024)

The Board Has Approved Three Consecutive Working Groups. A Competitor Just Processed 8,000 Claims a Day.

Artificial intelligence is on the board agenda for the third consecutive quarter. The CDO presents a slide with twelve potential use cases: fraud detection, automated underwriting, claims triage, financial close automation, customer churn prediction, AI-assisted reserving, document extraction, risk scoring, complaints handling, embedded insurance APIs, pricing optimisation, and portfolio analytics. Each use case has a one-line description and a projected ROI range.

The CFO asks which three the business should fund this year. The CRO asks which three carry the highest regulatory risk under the EU AI Act. The CTO asks which three the current infrastructure can actually support without a six-month modernisation prerequisite. The CDO has not been asked these three questions simultaneously before. The slide does not answer them.

The board approves a working group. The working group will report back next quarter. Next quarter arrives. The working group reports that it needs more time. A competitor has deployed AI-assisted claims fraud detection. It is processing 8,000 claims a day. It caught 340 fraud cases in its first month that manual review would have missed. The board approves a revised timeline. The working group will report back next quarter.


Why Most Insurance AI Strategies Fail Before They Start

An AI strategy in insurance is not a list of use cases. What most insurers do not have is a sequenced investment plan that answers the three questions the CFO, CRO, and CTO asked simultaneously: which use cases generate the highest return, which carry manageable regulatory risk under the EU AI Act and Finanstilsynet's AI governance expectations, and which the current technology infrastructure can support without a modernisation prerequisite that adds 12 months to the timeline before the first model reaches production.

The EU AI Act August 2026 deadline makes this question urgent for every European and EEA insurer with AI systems in or approaching production. The three-question framework, the use case scoring matrix, the governance structure, the infrastructure sequencing logic, and the investment phasing approach that follows are the components that turn a working group into a production deployment.


The Three Questions Every AI Strategy Must Answer

The working group in the opening scene failed not because the CDO lacked knowledge or the board lacked commitment. It failed because the evaluation framework applied to the twelve use cases answered only one of the three questions: projected ROI. The regulatory risk dimension and the infrastructure readiness dimension were not assessed before the use cases were presented.

Question 1: Which use cases generate the highest return?

The ROI assessment for each AI use case should be based on documented deployment outcomes from comparable insurers, not vendor projections. Claims fraud detection at FNOL delivers an average 3.2× return over 24 months in documented deployments because it addresses a high-cost problem — fraudulent claims payments — with a high-volume data set on a process that runs continuously. Financial close automation delivers a comparable return because it reduces manual effort on a high-frequency, high-error-rate process that consumes qualified finance team time.[2]

Question 2: Which use cases carry manageable regulatory risk?

The EU AI Act Annex III classifies AI systems used in insurance pricing, underwriting decisions, and creditworthiness assessment as high-risk. High-risk classification requires a documented conformity assessment, human oversight mechanisms, audit trail obligations, and transparency requirements before the system is placed in service. The August 2026 deadline applies to all EU and EEA insurers, including Norwegian carriers operating under the EEA Agreement. Finanstilsynet's AI governance expectations apply in parallel.[3][4]

The AI strategy must map each use case to its EU AI Act classification before the investment decision is made. A use case classified as high-risk is not un-investable — it is investable on a longer timeline, with governance infrastructure built in parallel. The regulatory risk dimension does not eliminate high-return use cases from the strategy. It sequences them correctly.

Question 3: Which use cases does your infrastructure support today?

An AI model that requires real-time data access cannot be deployed on a policy administration system that processes in nightly batch. An AI system that requires an API connection to a claims platform cannot be deployed if that platform has no external API surface. Infrastructure readiness is an input to AI strategy: the use cases that are infrastructure-ready today go into Phase 1; the use cases that require a platform modernisation prerequisite go into Phase 2, sequenced after the modernisation investment is funded and in delivery.


The Use Case Scoring Matrix

The scoring matrix below maps seven common insurance AI use cases across the three dimensions. The scores are indicative and should be calibrated against each insurer's specific infrastructure, data quality, and regulatory position. Green rows indicate Phase 1 candidates. Amber rows indicate Phase 2. Red rows indicate Phase 3, requiring governance infrastructure as a prerequisite.

| Use case | ROI potential | Regulatory complexity | Infra readiness | Phase |
|---|---|---|---|---|
| Claims fraud detection (FNOL) | 5 | Low | High | Phase 1 |
| Submission triage and data extraction | 4 | Low | High | Phase 1 |
| Financial close automation | 5 | Low–Medium | High | Phase 1 |
| Customer churn prediction | 4 | Medium | Medium | Phase 2 |
| AI-assisted reserving | 4 | Medium | Medium | Phase 2 |
| Risk scoring (underwriting support) | 4 | High | Medium | Phase 2 |
| Automated pricing decisions | 5 | Very high (Annex III) | Low–Medium | Phase 3 |

Phase 1 — deploy now: high return, low regulatory complexity, infrastructure-ready
Phase 2 — deploy after Phase 1 governance and limited infrastructure upgrade
Phase 3 — requires full EU AI Act conformity assessment before deployment

The matrix illustrates a non-obvious result: automated pricing decisions score highest on ROI potential (5) but lowest on overall priority because their high regulatory complexity under EU AI Act Annex III makes them Phase 3 investments. Starting with claims fraud detection and submission triage delivers measurable returns in 14 to 16 weeks and builds the data governance infrastructure that Phase 2 and Phase 3 deployments require.

Scoring indicative — calibrate against your infrastructure, data quality, and regulatory position[2]

The AI Governance Framework

An AI governance framework for an insurer operating in the EU or EEA requires five components. Each is a prerequisite for the next EU AI Act compliance assessment or Finanstilsynet supervisory review.

Five components of an insurance AI governance framework
1. Model inventory

A documented register of all AI systems in production or development: their EU AI Act risk classification, data inputs, output actions, and the human oversight mechanism in place for each. The inventory is the foundation for every subsequent governance activity.

2. Risk classification

A formal classification of each AI system against EU AI Act Annex III criteria, documented before deployment and reviewed when the system is materially changed or when its operating context changes. Insurance pricing, underwriting, and creditworthiness systems are high-risk by default.

3. Human oversight mechanism

A defined process for human review of AI model outputs at the decision point, with documented authority levels, override procedures, and escalation routes. The oversight mechanism must be proportionate to the risk classification: high-risk systems require more formal oversight than minimal-risk systems.

4. Audit trail

A log of AI model inputs, outputs, and decisions that enables retrospective review of any individual decision. The audit trail must be retained for a period proportionate to the regulatory requirements of the jurisdiction — typically five to seven years for insurance-related decisions.

5. Board-level accountability

A named individual at board or senior management level accountable for AI governance. The EU AI Act requires that providers and deployers of high-risk AI systems designate an accountable individual. Finanstilsynet's AI governance expectations include board-level accountability for AI risk. This is not an administrative requirement — it is the organisational anchor for the four components above.


Investment Sequencing: How to Phase AI Investment

The insurance AI implementation phasing that compounds fastest follows a consistent pattern across documented deployments: each phase delivers returns that fund the next, and the governance infrastructure built progressively across all three phases reduces the regulatory risk of each subsequent deployment.

Phase 1 (Weeks 1–16): Deploy high-return, low-risk, infrastructure-ready use cases

Deploy two to three Phase 1 use cases — claims fraud detection, submission triage, financial close automation. Establish the model inventory, audit trail, and oversight mechanisms that Phase 2 will require. Measure outcomes against pre-deployment baselines. Use the Phase 1 results as the business case for Phase 2 funding. Target: 14-week time to first production deployment.[2]

Phase 2 (Months 4–12): Deploy use cases requiring governance or limited infrastructure prerequisites

Deploy Phase 2 use cases — churn prediction, AI-assisted reserving, risk scoring support — that require either a governance prerequisite from Phase 1 or a limited infrastructure upgrade. Fund the infrastructure upgrade from Phase 1 returns where possible. Extend the governance framework to cover Phase 2 systems.

Phase 3 (Months 10–24): Deploy high-risk AI use cases with full EU AI Act conformity assessments

Deploy automated pricing and underwriting decision systems with full EU AI Act Annex III conformity assessments, human oversight requirements, and bias audit documentation. By this point, the governance infrastructure built in Phases 1 and 2 provides the foundation for the conformity assessment. The August 2026 deadline makes this phase time-critical for insurers that have not yet started.[3]


Frequently Asked Questions

We do not have the data quality to deploy AI effectively — should we wait until our data is clean?

Waiting for perfect data is the most common reason AI strategies stall. The practical answer is to select Phase 1 use cases where data quality is sufficient — claims fraud detection and document extraction typically require lower data quality thresholds than automated pricing models. Running Phase 1 deployments on available data generates the business case for the data quality investment that Phase 2 requires, and the model monitoring infrastructure built in Phase 1 identifies exactly which data quality issues matter most. Perfect data is not a prerequisite for starting. It is a product of starting.[2]

What does an EU AI Act conformity assessment for an insurance AI system actually involve?

A conformity assessment for a high-risk AI system requires: documentation of the system's intended purpose, data inputs, and output actions; a risk assessment covering the potential harms the system could cause if it fails or produces biased outputs; a technical description of the human oversight mechanism; documentation of the training data and validation process; and an ongoing monitoring plan covering performance metrics and incident reporting. The assessment must be completed before the system is placed in service and reviewed when the system is materially changed.[3]

How do we present an AI strategy to a board that has approved three consecutive working groups with no outcome?

Present a phased deployment plan rather than a use case list. The board has seen use case lists. It has not seen a document that answers: which three use cases we will deploy in the next 16 weeks, what the projected return is based on documented comparable deployments, what the regulatory classification of each is, what infrastructure prerequisites apply, and what the governance structure looks like. A one-page summary answering these five questions for three Phase 1 use cases, with a Phase 2 and Phase 3 roadmap showing how Phase 1 returns fund subsequent phases, is a board decision document, not a working group report.[1]

What is the August 2026 EU AI Act deadline and what happens if we miss it?

The EU AI Act requires that high-risk AI systems placed in service or significantly updated after August 2026 comply with Annex III obligations including conformity assessment, human oversight, and audit trail requirements. Systems already in production before the deadline have a transition period, but the exact terms depend on whether the system is materially changed after the deadline. Non-compliance carries administrative fines of up to NOK 350 million or 3% of global annual turnover for violations of high-risk AI system requirements. Norwegian insurers are subject to the EU AI Act through the EEA Agreement. Specific compliance obligations should be verified with qualified legal counsel.[3]

How does Finanstilsynet's AI governance expectation differ from the EU AI Act?

The EU AI Act is a product regulation: it classifies AI systems by risk level and requires specific technical and governance measures before high-risk systems are placed in service. Finanstilsynet's AI governance expectations are expressed as supervisory principles within the broader framework of sound governance for financial institutions — they focus on board accountability, model risk management, explainability of AI decisions to regulators, and consumer protection in AI-assisted interactions. Both frameworks apply to Norwegian insurers simultaneously. The EU AI Act sets the minimum technical compliance floor; Finanstilsynet's expectations set the supervisory standard for how AI is governed within the insurer's overall risk framework.[4]

How do we handle AI model explainability requirements when presenting decisions to regulators or customers?

Model explainability is required by the EU AI Act for high-risk AI systems and by Finanstilsynet's expectations for AI-assisted decisions that affect customers. The practical standard is that the model must be able to produce a human-readable explanation of why a specific output was generated — why a claim was flagged for investigation, why a risk was scored at a specific level, why a renewal premium is set at its current value. This does not require that the model's internal weights are interpretable. It requires that the output is accompanied by a documented explanation of the factors that drove it. Explainable AI frameworks including SHAP and LIME provide technical approaches to generating these explanations from complex models.[3][4]

References

All statistics sourced from documented deployments and third-party research organisations. Links verified 2026.

[1] Insurance AI Strategy: Adoption, Investment, and Implementation Outcomes. McKinsey & Company · 2024. Source for the board presentation framework and the phased investment approach that produces deployable outcomes rather than working group reports.

[2] AI Automation ROI in Insurance: Benchmarks and Deployment Outcomes. Majesco Research · 2024. Source for the 3.2× 24-month ROI benchmark, the 14-week time to first production deployment for Phase 1 use cases, and the data quality prerequisite guidance.

[3] EU AI Act: Regulation on Artificial Intelligence — Annex III High-Risk AI Systems. European Parliament · 2024. Source for the Annex III high-risk classification of insurance pricing and underwriting AI systems, the August 2026 implementation deadline, the conformity assessment requirements, and the NOK 350 million / 3% global turnover fine regime.

[4] Finanstilsynet: Expectations for the Use of Artificial Intelligence in Financial Services. Finanstilsynet · 2024. Source for Finanstilsynet's supervisory principles for AI governance in financial institutions, including board accountability, model risk management, and explainability requirements for Norwegian insurer AI deployments.

