Why AI Underwriting Explainability Moved Up the IRDAI Agenda in 2025 and 2026
AI-assisted underwriting moved from pilot to production across Indian commercial insurance through 2024 and 2025. Major general insurers deployed ML-driven risk selection on SME commercial lines, used computer vision for property risk assessment from drone and satellite imagery, applied NLP for loss-run extraction and broker submission triage, and embedded LLM-based reasoning into the broader underwriting workflow. The capability gain was real: pricing accuracy improved measurably, underwriting throughput increased, and submission turnaround times compressed.
The regulatory response has tracked the capability. IRDAI's posture through 2023 to 2026 shifted from broad permissions (encouraging insurtech experimentation through the Regulatory Sandbox framework) to more specific expectations on how AI-assisted decisions are explained, documented, and audited. The shift reflects three concurrent pressures. First, the volume of policyholder-facing AI decisions has grown to a scale where ad hoc handling is no longer practical. A major Indian general insurer in 2026 may make tens of thousands of AI-assisted underwriting decisions per month on SME commercial business. Each decision affects a policyholder. Patterns of disparate treatment, even if unintended, become statistically observable at this scale. Second, the DPDP Act 2023 establishes principles on automated decision-making that the Data Protection Board of India and IRDAI together operationalise through implementing guidance. Section 12 of the Act, when read with the draft operational guidance, addresses decisions made wholly or significantly through automated processing, with implications for transparency, human-review rights, and grievance handling. Third, international precedent from the European Insurance and Occupational Pensions Authority (EIOPA), the Monetary Authority of Singapore (MAS), the UK Financial Conduct Authority (FCA), and the US National Association of Insurance Commissioners (NAIC) has crystallised expectations on AI explainability that Indian regulators have studied and adapted.
The 2026 working assumption among Indian insurer compliance and chief risk officer functions is that IRDAI will release formal guidance on AI in insurance during 2026 or early 2027, drawing on the sandbox outcomes, the international precedent, and the supervisory dialogue with major insurers. The guidance is likely to address: model documentation and validation requirements; explainability standards for decisions affecting policyholders; bias testing for protected attributes (a contested category in the Indian context); audit trail requirements; board-level oversight expectations; and the integration with DPDP Act compliance on automated decisions. Insurers preparing in 2026 for the expected guidance are building the documentation, testing, and governance infrastructure that will demonstrate compliance when the guidance crystallises.
The commercial case for the investment is independent of the regulatory timing. Explainable AI underwriting produces better outcomes: underwriters trust the model outputs and use them more effectively, brokers and policyholders accept the pricing logic when it is articulable, model failures are identified earlier through interpretable diagnostics, and the corporate governance over the analytical function is materially stronger. The Indian commercial insurers leading the explainability investment through 2025 and 2026 report these operational benefits alongside the regulatory preparation.
Feature Attribution Techniques: SHAP, LIME, and the Choice of Method
Explainability in AI underwriting has multiple technical meanings. The most operationally relevant meaning for insurance is feature attribution: explaining what features of the input drove a specific prediction. A submission scored at relativity 1.34 to the portfolio average should be accompanied by an explanation that identifies the features pushing the prediction above or below 1.00, in language that the underwriter, the broker, and the policyholder can interpret.
The two dominant attribution methods used in Indian commercial insurance AI deployments through 2024 to 2026 are SHAP (Shapley Additive Explanations) and LIME (Local Interpretable Model-agnostic Explanations). Each has different mathematical foundations and operational characteristics, with the choice depending on the model architecture and the use case.
SHAP is grounded in cooperative game theory, treating each feature's contribution to the prediction as analogous to a player's contribution to a coalition's payoff. The SHAP value for a feature represents the average marginal contribution of that feature across all possible feature subsets. The mathematical foundation produces attribution values with desirable properties (efficiency, symmetry, dummy, additivity) that make them theoretically defensible. In practice, SHAP is computed efficiently for tree-based models (XGBoost, LightGBM, CatBoost, Random Forest) through TreeSHAP, which produces exact attributions in polynomial time. For neural network models, KernelSHAP produces approximate attributions through sampling. Indian commercial insurers using tree-based models for SME underwriting, commercial motor risk selection, and broker submission triage report routine production use of TreeSHAP with attribution computation latency of 10 to 50 milliseconds per submission.
LIME takes a different approach. For a specific prediction, LIME approximates the underlying model locally with a simpler interpretable model (typically a linear regression or decision tree) fitted to perturbations of the input. The local model's coefficients then serve as the attribution. LIME has the advantage of model-agnostic applicability: it works with any model that produces predictions for given inputs. The disadvantage is that the local approximation can be unstable for some inputs, with different LIME runs producing different attributions for the same prediction. Indian insurer deployments using LIME tend to be for use cases where the underlying model is not amenable to SHAP (such as ensembles of heterogeneous models or external vendor models without source access).
The choice between SHAP and LIME in Indian commercial insurance AI underwriting has consolidated through 2024 to 2026 around: SHAP for in-house tree-based models (the dominant architecture for tabular underwriting data), LIME for external or composite models, and integrated gradients or comparable techniques for deep learning models where these are used (typically for image-based or document-based underwriting input).
The operational integration of attribution into the underwriting workflow has evolved through three stages. In the first stage, the attribution was an internal diagnostic used by the model development team and consulted by underwriters when investigating unusual predictions. In the second stage, the attribution became a routine part of the underwriting tool, with the top contributing features displayed alongside the predicted relativity, in language calibrated to the underwriter audience. In the third stage, the attribution flows through to the broker submission response and to the policyholder communication, with the pricing logic articulated in plain language and the policyholder able to query specific aspects.
The plain-language translation of attribution is the harder engineering problem. A raw SHAP value of +0.18 for the 'building construction type: light steel frame' feature does not communicate to a broker or a policyholder. The translation layer maps the feature contribution to a sentence such as: 'The light steel frame construction type contributes a 18 percent surcharge relative to the portfolio average, reflecting the higher vulnerability of this construction to fire and wind perils.' The translation layer maintains controlled language templates for each feature, validated for accuracy by the underwriting team and reviewed by communications and legal functions. Indian insurer deployments report that the translation layer requires substantial engineering investment but is the practical bridge between technical attribution and policyholder-facing communication.
Model Risk Management Frameworks: Documentation, Validation, and Lifecycle Governance
The 2026 Indian insurer practice on AI underwriting model risk management has consolidated around a framework that adapts international banking model risk principles (notably the US Federal Reserve's SR 11-7 and the EU's CRR model validation expectations) to the insurance context with Indian regulatory specifics. The framework spans documentation, validation, monitoring, and lifecycle governance.
Model documentation is the foundation. Each production model is supported by a document that records: the model's purpose and the underwriting decisions it supports; the data sources used in training and the data quality assessments; the feature engineering performed and the rationale for feature selection; the model architecture and hyperparameter choices with the rationale; the training methodology including the train-test split, the validation approach, and the performance metrics; the calibration approach if the model output is used directly in pricing; the operational integration including the API specifications and the integration with downstream systems; the monitoring metrics and the thresholds for action; the known limitations and the assumptions on which the model relies. The documentation is maintained under version control, with material changes triggering re-validation and approval.
Model validation is conducted by a function independent of the model development team. The 2026 Indian insurer structure typically has the validation function reporting to the chief risk officer or directly to the board risk committee, separate from the chief underwriting officer or chief actuary who owns the model development function. The validation covers: replication of the model results from the documented methodology and data, evaluation of the model performance against the stated metrics on out-of-sample data, assessment of the feature engineering and selection logic, evaluation of the calibration and any business logic adjustments, review of the operational integration for correctness, examination of the monitoring approach for adequacy, and identification of model limitations not captured in the documentation. The validation produces a report with findings that the model development team responds to before production deployment.
Model monitoring in production tracks the model's behaviour over time. The standard monitoring includes: input distribution monitoring (is the live input data distributed as the training data was, or has the distribution shifted), prediction distribution monitoring (are the model outputs distributed as expected), performance monitoring against actual outcomes (where outcomes are observable, the model's predictive accuracy against actuals), and feature attribution stability (are the dominant features the same as those in the development phase). Monitoring outputs feed a model status dashboard reviewed by the model owner monthly and the model risk committee quarterly, with material drift triggering investigation and potentially re-training.
The model lifecycle has defined stages from development through retirement. Development covers data preparation, feature engineering, model training, and initial documentation. Validation covers the independent review described above. Limited deployment covers the production introduction with constrained scope and elevated monitoring. Full deployment covers the operational use across the intended scope. Steady state covers ongoing operation with routine monitoring. Re-training and re-validation occur on a defined cadence or in response to performance triggers. Retirement covers the orderly decommissioning when the model is replaced or no longer appropriate.
The governance structure combines the model owner (typically the underwriting function head with delegated authority), the model risk management function (the validation team), the model risk committee (a cross-functional group reviewing model status quarterly), the chief risk officer (with ultimate accountability for the framework), and the board risk committee (with oversight on the most material models). The structure aligns the decision authority with the analytical capability, ensuring that material decisions on production deployment, model retirement, or material change are made by appropriate seniority with documented basis.
Where the framework adapts to the AI specifics
Traditional model risk frameworks were designed for actuarial and statistical models with relatively stable structure and well-understood limitations. AI models introduce considerations that the framework must address: the model's reasoning is less directly interpretable, the model can update through online learning where this is permitted, the model relies on training data that may itself reflect historical patterns the insurer wishes to move beyond, and the model's outputs can drift in subtle ways that may not be detected through aggregate performance metrics. The 2026 Indian insurer adaptation strengthens the explainability requirements (every model output must be attributable to interpretable features), requires retrospective bias testing as part of monitoring, prohibits online learning for production models without explicit re-validation triggers, and adds a model risk overlay for AI systems that is reviewed alongside the standard framework.
Bias Testing: Protected Attributes, Proxy Variables, and the Indian Context
Bias testing in AI underwriting addresses whether the model produces materially different outcomes for groups that should be treated equivalently. The technical methodology is well established in international AI fairness literature. The Indian operational application requires careful consideration of which protected attributes to test for, how to identify proxy variables that may produce indirect bias, and how to reconcile bias testing with the legitimate use of risk-relevant variables that may correlate with protected attributes.
The protected attributes in the Indian context include those explicitly protected by the Constitution (caste under Articles 15 and 17, religion under Article 15, sex under Article 15) and those addressed in specific statutes (gender in workplace contexts, disability under the Rights of Persons with Disabilities Act 2016). The legal status of these attributes in private insurance pricing is contested in some areas, with insurance practice historically using some attributes (notably gender, with gender-neutral pricing imposed for specific products and continued use of gender as a rating factor for others). Indian insurance practice does not explicitly use caste or religion as rating variables, but the bias testing question is whether the model's outputs nonetheless produce disparate treatment by these attributes through proxy variables.
The proxy variable problem is the central operational concern. A model that does not directly use caste as an input can nonetheless produce caste-correlated outputs if it uses variables that correlate with caste in the underlying population. Geographic features (postal code, district, state) correlate with caste distribution in many parts of India. Occupational variables correlate with caste through the historical distribution of occupations across communities. Educational variables correlate with caste through historical access to education. Asset and income variables correlate with caste through inherited wealth distribution. A model trained on historical underwriting data that produces predictions correlating with caste through these proxies may produce disparate outcomes even with the best intentions of the developers.
The bias testing methodology in 2026 Indian insurer practice combines several techniques. First, descriptive analysis examines the model's predictions stratified by protected attribute groups (where data on the attribute can be obtained for a sample of insureds or through inference). The analysis identifies systematic differences in predicted relativity, in approval rates, and in pricing outcomes between groups. Second, counterfactual analysis runs the model with hypothetical changes to specific variables to assess whether the output changes in ways that suggest proxy bias. Third, conditional independence testing assesses whether the model's output is conditionally independent of the protected attribute given the legitimate risk variables; lack of conditional independence suggests proxy effects. Fourth, outcome equity metrics including demographic parity, equal opportunity, and calibration parity provide quantitative measures of fairness that the framework can track over time.
The reconciliation challenge is that some variables that correlate with protected attributes are legitimately risk-relevant. Geographic variables correlate with caste but also with peril exposure (flood-prone areas, seismic zones, urban congestion); the use of geographic variables for peril exposure is necessary for accurate pricing. The bias testing distinguishes legitimate risk-relevant correlation from indirect discrimination through proxy effects, with the test typically asking whether the model would produce equivalent outputs if the protected attribute were unmeasured but the underlying risk factor (peril exposure) were directly measured. The reconciliation is a matter of model design discipline, with the variables used selected for their direct relevance to underwriting risk rather than for their availability or convenience.
The operational testing cadence in 2026 Indian insurer practice runs bias testing as part of the model validation before production deployment, then re-runs the tests on a quarterly cadence as part of model monitoring. Material findings trigger investigation, potential model adjustment, and reporting to the model risk committee. The findings are documented and retained for regulatory inspection.
The Indian regulatory context for bias is currently less prescriptive than the EU or US contexts. The EU AI Act's high-risk system classification (which includes insurance pricing in specific contexts) requires bias testing with documented methodology and remediation. The US state-level insurance regulation (notably Colorado's Senate Bill 21-169 on the use of external consumer data and information sources by life insurers, and the New York Department of Financial Services Circular Letter No. 1 on race-related underwriting practices) imposes specific testing and disclosure requirements. The 2026 Indian context is less prescriptive but the trajectory of IRDAI's emerging guidance is expected to incorporate bias testing expectations drawing on these precedents.
Audit Trail Architecture: Logging, Retention, and Regulatory Defence
Audit trails for AI underwriting decisions are required by the IRDAI Information Security Guidelines 2023, by the broader IRDAI conduct expectations, and by the DPDP Act 2023 provisions on automated decisions. The 2026 Indian insurer practice has built audit infrastructure that captures the model inputs, the prediction outputs, the attribution explanations, the human override decisions, and the policyholder communication, with the combined trail supporting regulatory inspection, dispute defence, and internal investigation.
The audit log content for each AI-assisted underwriting decision includes: the submission identifier, the timestamp of the model invocation, the model identifier and version, the input features with their values, the model's prediction output, the SHAP or LIME attribution values, the policyholder communication that resulted from the prediction (the price quoted, the terms offered, the rationale provided), and any human review or override with the user identifier, timestamp, and rationale. The combined trail allows reconstruction of the decision flow from policyholder submission to the final terms.
The immutable storage requirement under the IRDAI Information Security Guidelines 2023 means the audit logs are written to a tamper-evident store. The 2026 typical architecture uses append-only databases or specifically designed audit log services (cloud-native options including AWS QLDB, Azure Confidential Ledger, and equivalent Indian deployments) that cryptographically prevent retroactive modification. The integrity of the audit trail is foundational; an audit trail that can be altered after the fact provides no defence in a dispute.
The retention period balances regulatory requirements with the practical cost of long-term storage. IRDAI guidance and the DPDP Act together suggest retention for the policy period plus the regulatory record-keeping period (typically extending to 8 to 12 years for major commercial policies, longer for some long-tail liability lines). The 2026 practice typically retains the full audit trail for the policy period plus 10 years, with the storage cost managed through tiered storage (hot storage for the current and previous policy period, cold storage for the older trail).
The policyholder access under the DPDP Act 2023 includes the right to receive a copy of personal data processed about them, which extends to the model inputs, the prediction output, the explanation, and the resulting decision. The 2026 Indian insurer practice is to maintain the audit trail in a structure that supports policyholder access requests, with the access produced through a documented workflow that includes redaction of any internal information not subject to disclosure and provides the policyholder with an interpretable record of how the AI-assisted decision affected them.
The regulatory inspection workflow uses the audit trail to support IRDAI examinations, investigations, and supervisory dialogue. The 2026 typical preparation includes a documented inspection protocol that retrieves the relevant audit trails efficiently, presents the model documentation alongside the trails, and produces summary analysis on specific issues the regulator raises. Insurers that have practiced the inspection workflow find that responsiveness to regulatory queries is a competitive advantage in the supervisory dialogue.
The dispute defence workflow uses the audit trail in policyholder disputes, broker challenges, and consumer forum or ombudsman proceedings. The trail provides the documented basis for the underwriting decision: the model was applied as documented, the input data was as submitted, the explanation was provided to the policyholder, and any human override was documented with rationale. Where the dispute concerns the underwriting decision itself, the trail supports the insurer's position with documented evidence rather than relying on after-the-fact justification.
The incident response workflow uses the audit trail to investigate AI underwriting failures. When a model produces an unexpected output that causes operational concern, the trail allows the investigation team to reconstruct what happened: was the input data as expected, did the model produce the prediction consistent with its training, was the explanation reasonable, did human review function as designed, did the resulting communication match the prediction. The investigation supports both the immediate response (correcting the affected decisions) and the longer-term improvement (preventing recurrence).
IRDAI Sandbox Use, International Contrast with EIOPA and MAS, and DPDP Act Integration
The Indian regulatory architecture for AI in insurance combines the IRDAI sandbox mechanism (for testing innovative products), the emerging IRDAI guidance on AI applications, the DPDP Act 2023 provisions on automated processing, and the broader IRDAI Information Security Guidelines 2023. Insurers and brokers navigate the architecture by understanding each component's scope and how the components interact.
The IRDAI Regulatory Sandbox, originally established in 2019 and updated through 2024, provides limited regulatory relaxation for testing innovative insurance products, distribution channels, technology platforms, and underwriting approaches. AI applications have entered the sandbox in increasing numbers through 2023 to 2026, with sandbox participants gaining structured permission to operate with reduced regulatory constraints in exchange for outcome reporting to IRDAI. The sandbox use cases relevant to AI underwriting include: parametric and AI-assisted pricing for specific commercial lines, alternative data sources in underwriting (satellite imagery, IoT data, telematics for non-motor lines), and AI-mediated distribution channels with specific consumer protection commitments.
The sandbox to mainstream transition for AI applications is now an active question. Insurers that successfully tested AI underwriting in the sandbox seek to graduate their pilot to standard product filing. The transition requires: documentation of the sandbox outcomes, demonstration of the bias testing and explainability infrastructure, validation of the model performance against the sandbox claims, and engagement with IRDAI on the product filing under the standard process. The 2026 trajectory is toward an explicit IRDAI guidance framework that simplifies the transition by establishing standard expectations for AI applications, with sandbox participation supporting evidence rather than replacing the standard filing.
The EIOPA contrast is informative. The European Insurance and Occupational Pensions Authority has issued multiple papers and supervisory expectations on AI in insurance through 2021 to 2025, with the Joint Committee Discussion Paper on AI (2021), the Draft Supervisory Statement on the use of Generative AI (2024), and the integration with the EU AI Act (in force from 2024 with phased implementation) establishing a developed framework. The EU AI Act classifies insurance pricing for natural persons in life and health insurance as high-risk AI systems, imposing requirements on risk management, data governance, technical documentation, record keeping, transparency, human oversight, and accuracy. The framework is more prescriptive than the current Indian context. Indian insurers operating in European markets through subsidiaries or branches comply with the EU framework, with the operational adaptation informing the Indian compliance posture.
The MAS contrast is also relevant. The Monetary Authority of Singapore established the FEAT (Fairness, Ethics, Accountability, Transparency) principles for AI use by financial institutions in 2018, with subsequent Veritas initiative providing methodology guidance through 2020 to 2024. Singapore's approach is principle-based rather than prescriptive, with significant industry-led methodology development. The Indian approach has affinity with the MAS principle-based framing while drawing on EU prescriptive detail where appropriate.
The DPDP Act 2023 integration with IRDAI's AI framework is the practically important interaction. The DPDP Act establishes the data principal's rights including consent, purpose limitation, access, correction, erasure, and (under Section 12) the right to request human review of decisions made wholly or significantly through automated processing. The IRDAI AI guidance must operationalise these rights for insurance applications, with the insurer's process for AI-assisted underwriting decisions including a documented mechanism for policyholders to request human review, a documented timeline for response, and the human reviewer's authority to override or confirm the automated decision. The 2026 practice is to embed this mechanism in the standard underwriting workflow rather than treating it as an exception process, with the request volume monitored and the override patterns analysed for model improvement.
The operationalisation of the policyholder review right is a specific design point. The right is exercisable; the insurer must provide a practical way to exercise it. The standard provision in 2026 includes: clear communication in the policy and at the quotation stage that the underwriting is AI-assisted; a documented contact route for the policyholder to request human review; a service level for response (typically 7 to 15 working days for non-urgent matters); a documented protocol for the human reviewer's analysis; and an outcome communication to the policyholder explaining the review conclusion. The mechanism applies whether the request comes directly from the policyholder, through the broker, or through external channels including the ombudsman or consumer forums.
Board-level oversight expectations
IRDAI's enterprise risk management guidance through 2023 to 2025 establishes board-level oversight expectations for material risk management, with AI explicitly identified as an area requiring board attention in the emerging draft framework. The 2026 Indian insurer practice has elevated AI oversight to the board risk committee, with quarterly reporting on: the AI applications in production with material policyholder impact, the model risk management framework status, the bias testing outcomes and remediation, the audit trail and incident summary, the policyholder review request volumes and outcomes, and any material changes to the AI strategy. The board's documented engagement provides both the regulatory defence and the strategic discipline that ensures AI deployment serves the corporate purpose rather than developing detached from accountability.
Implementation Roadmap and the Forward Outlook to 2027
Insurers building AI underwriting explainability capability in 2026 benefit from a documented implementation roadmap that early adopters refined through pilot and production phases. The roadmap reflects lessons on the technical infrastructure, the governance architecture, and the change management with the underwriting function.
Phase one is foundational governance. The insurer establishes the model risk management framework with documented policies on documentation, validation, monitoring, and lifecycle governance. The board approves the framework and assigns the validation function reporting line. The chief risk officer and chief underwriting officer formalise the cross-functional governance.
Phase two is infrastructure build. The audit trail infrastructure goes into production with immutable logging, retention policies, and access controls. The model documentation templates and repository go live. The validation function builds the validation methodology and tooling. The bias testing infrastructure goes into production with the methodology for protected attribute analysis, proxy testing, and outcome equity metrics.
Phase three is portfolio remediation. The existing AI models in production are documented to the new standard, validated by the validation function, and either confirmed for continued operation, scheduled for re-training to address findings, or scheduled for retirement. The remediation typically takes 6 to 12 months at an insurer with substantial existing AI deployment, depending on the model count and complexity.
Phase four is forward operations. New AI models proceed through the full lifecycle from development through validation, limited deployment, full deployment, and steady-state operation. The monitoring infrastructure tracks performance and bias on a defined cadence. The governance committees review status quarterly. The board receives the periodic reporting.
Phase five is regulatory engagement. The insurer engages with IRDAI through the supervisory dialogue, the sandbox where relevant for new applications, and the standard product filing process. The documented framework and the operational evidence support the dialogue, with the insurer positioned to respond to specific regulatory queries with credible analysis.
The 2027 forward outlook sees several developments that the framework must accommodate. First, the expected IRDAI guidance on AI in insurance during 2026 to 2027 will likely codify specific requirements that the existing frameworks will need to reconcile with. Insurers that have built principle-based capability should adapt more easily than those that built capability narrowly to current expectations. Second, the DPDP Act operational guidance from the Data Protection Board of India through 2026 to 2027 will operationalise the Section 12 automated decision provisions, with implications for the policyholder review right and the broader consent and transparency requirements. Third, the AI capability evolution with newer model architectures (multimodal models, agentic systems, reasoning models) will create explainability challenges that current SHAP and LIME methodologies were not designed for. The methodology evolution is an active research area, with Indian academic institutions and analytics consultancies contributing to the work alongside the international research community.
Fourth, the integration with broader corporate governance including the SEBI BRSR Core framework, the rating agency expectations on AI risk, and the investor expectations on responsible AI deployment will deepen. The insurer's AI explainability capability will increasingly support not only regulatory compliance but also external corporate disclosure, with the same underlying infrastructure serving multiple stakeholder requirements. Insurers that build the capability with this multi-stakeholder integration in mind will capture more value than those that build narrowly for IRDAI compliance alone.