Why AI Governance Cannot Wait for a Specific Regulation
Indian insurers and brokers are deploying AI across underwriting triage, fraud detection, claims classification, customer service, and distribution analytics. The deployment pace is well ahead of the governance pace. The IRDAI has not yet issued an AI-specific regulation, but it does not need to. Existing rules already constrain AI use: the IRDAI Information Security Guidelines, 2023 require board-approved policies for data handling and model deployment; the IRDAI (Protection of Policyholders' Interests) Regulations, 2017 require fair and explainable claim decisions; the Digital Personal Data Protection Act, 2023 requires lawful basis, purpose limitation, and data minimisation for any automated processing of personal data.
Globally, the Singapore MAS FEAT principles, the EU AI Act 2024, and the NAIC AI Bulletin in the US provide reference points that Indian regulators are likely to draw from. Boards that build a governance framework now will not be caught flat-footed when the IRDAI issues its own circular, which is expected to follow the Bima Sugam operational rollout.
Scope the AI Inventory Before Building Policy
Most insurers and brokers do not have a current inventory of AI in use. Build one before writing policy. The inventory should capture, for each system:
- the business function it supports (claims, underwriting, distribution, operations)
- whether it makes or recommends decisions affecting policyholders
- the data classes processed, especially sensitive personal data under the DPDP Act
- the vendor or in-house team responsible
- the model type (rules, classical ML, foundation model, LLM agent)
- the inference frequency and whether outputs are reviewed before action
Then tier the inventory by risk. Tier 1 systems make automated decisions affecting policyholder claims, premiums, or coverage. Tier 2 systems recommend decisions that a human approves. Tier 3 systems support internal operations with no direct policyholder impact. Governance intensity should match the tier; treating a chatbot the same as an underwriting model wastes the controls budget.
Model Risk Management: The Three-Line Defence
Borrow the model risk management structure that the RBI's Master Direction on Model Risk Management, 2024 established for banks, even though insurers are not directly bound by it. The three-line defence model adapts cleanly:
- First line: the business team that owns the model is responsible for performance, drift monitoring, and documented use limits.
- Second line: an independent model validation function reviews model design, data lineage, bias testing, and ongoing performance against benchmarks. The validator must be independent of the team that built the model.
- Third line: internal audit periodically reviews whether the first two lines are doing their job and whether outputs meet regulatory and policyholder expectations.
For Tier 1 systems, validation should be annual at minimum, with revalidation triggered by significant data drift, regulatory change, or material adverse outcomes in production. For Tier 2 and Tier 3, validation cycles can stretch to 18 or 24 months. Document the model risk policy at board level so the validation function has the standing to challenge business owners.
Data Protection and the DPDP Act Constraints
The Digital Personal Data Protection Act, 2023 changes the AI development workflow more than most insurers have absorbed. Three obligations bite hardest:
- Purpose specification: personal data collected for issuing a policy cannot be reused to train a generic fraud-detection model without fresh consent or a lawful basis.
- Data minimisation: collecting more features than the model justifiably needs is now a regulatory risk, not just a privacy concern.
- Right to explanation: while the DPDP Act does not yet carry an explicit right to algorithmic explanation, the IRDAI's fair-treatment expectations and the consumer-protection regime together require that a policyholder facing claim denial can be told the basis.
Indian insurers and brokers should publish a data-protection note that maps each AI system to its lawful basis. Where the lawful basis for a system is unclear, pause further training on that system until the consent flow has been re-engineered.
Vendor and Third-Party AI Governance
The majority of AI used by Indian insurers and brokers is not built in-house. It comes through SaaS underwriting platforms, third-party fraud-detection vendors, claims-management software, and increasingly foundation-model APIs. Vendor governance is now AI governance.
Contract terms to insist on for any vendor providing AI services to an insurer or broker:
- a clear statement of which model is used, where it is hosted, and which jurisdiction processes data
- audit rights, including the right to inspect training data lineage and bias-testing reports
- a notification obligation if the vendor materially changes the model, retrains on new data, or switches providers
- a data-processing agreement compliant with the DPDP Act, including data-localisation commitments for personal data
- liability allocation for adverse outcomes attributable to model error, separate from general SLA breaches
For foundation-model APIs (OpenAI, Anthropic, Google, Indian sovereign-cloud providers), insurers should not transmit identifiable policyholder data without an enterprise agreement that prohibits use of the data for further training. Many free-tier and standard-tier APIs reserve the right to train on customer inputs. This single contract clause is the most common AI governance failure in the Indian market today.
Bias, Fairness, and Adverse-Outcome Monitoring
AI in underwriting and claims raises the risk of disparate impact across protected groups. Indian law does not yet have an equivalent of the US Adverse Action Notice or the UK Equality Act algorithmic-decisioning regime, but the IRDAI's policyholder-protection mandate and Article 14 of the Constitution together create a duty of non-arbitrary treatment.
A defensible fairness program includes:
- pre-deployment bias testing across attributes such as gender, age band, occupation class, and geography
- ongoing monitoring of decision-outcome distributions in production, with alerts when outcome rates drift across groups
- a documented adverse-outcome review process, where a sample of automated denials is reviewed by a human reviewer with the authority to overturn
- escalation paths to the appointed actuary and the compliance head for systemic issues
The practical challenge in India is the limited availability of demographic ground-truth data; insurers cannot record caste, religion, or income easily. Proxies (geography, occupation, mobile number provenance) are imperfect but usable when applied with care and documented limitations.
Board Reporting and Disclosure
AI governance is a board-level matter when the systems are Tier 1. The IRDAI Corporate Governance Guidelines, 2024 already require board approval for material technology deployments; AI systems that affect underwriting or claims clearly qualify.
A quarterly board pack on AI should include:
- inventory updates and changes in tiering
- model performance trends and any material drift events
- validation reports filed in the period and any open findings
- adverse-outcome reviews and the rate of human overturns of automated decisions
- vendor changes, data-protection incidents, and regulatory correspondence touching AI
Disclose meaningfully to policyholders as well. The product information sheet should indicate where AI is used in decisioning, particularly in claims, even if the regulator does not yet mandate it. A modest disclosure now buys credibility when regulator and consumer attention sharpens.