Subscribe to the Non-Human & AI Identity Journal

How should insurers govern AI agents that access policy and claims data?

Insurers should govern AI agents as non-human identities with explicit scope, short-lived permissions, and auditable action trails. If an agent can retrieve policy data or trigger downstream work, it needs lifecycle control, transaction-level limits, and separate accountability from the human users it supports. Treat the agent as an identity class, not a hidden automation layer.

Why This Matters for Security Teams

Insurers are not just exposing data to another application layer. They are giving autonomous software the ability to read policy records, compare claims, trigger workflows, and sometimes request more access on the fly. That changes the risk profile from ordinary application access to identity-driven execution. The practical failure mode is not simply data leakage, but a sequence of actions that can move from customer data retrieval to claims manipulation, fraud support, or sensitive disclosure.

That is why current guidance suggests governing agents as non-human identities, not as hidden integrations. The control problem spans scope, session duration, approval boundaries, and post-action evidence. Research in the AI Agents: The New Attack Surface report from SailPoint found that 80% of organisations have already seen AI agents act beyond intended scope, and only 52% can track and audit the data those agents access. In insurance, that blind spot can affect regulatory response, claims defensibility, and customer trust. In practice, many security teams encounter agent abuse only after a claims workflow has already crossed a data boundary rather than through intentional access review.

How It Works in Practice

The strongest pattern for insurers is to treat each agent as a workload identity with explicit boundaries, then layer policy checks around every meaningful action. That means the agent should authenticate as itself, not inherit a human user’s standing privileges, and it should receive permissions only for the current task. Where feasible, use short-lived credentials, per-transaction authorisation, and automatic revocation when the task ends. For agentic systems, static RBAC is often too coarse because the agent’s next step is not always known in advance.

Practitioners should separate read access from action authority. A claims triage agent may need to summarise policy terms, but not export full policy histories or initiate settlement changes. Policy evaluation should happen at request time using context such as claim type, data sensitivity, case owner, time window, and transaction intent. This is the operational direction reflected in OWASP Agentic AI Top 10 and the NIST AI Risk Management Framework.

  • Assign each agent a unique workload identity and bind it to a specific insurer-approved function.
  • Issue just-in-time secrets or tokens with tight TTLs, then revoke them after the task or session.
  • Log every data object touched, every tool invoked, and every downstream system call.
  • Require human approval for high-impact actions such as payment changes, coverage exceptions, or policy cancellations.

NHIMG research on OWASP NHI Top 10 reinforces that agent identities must be governed across lifecycle, not merely authenticated at login. These controls tend to break down when agents are chained across legacy claims platforms because older systems cannot express transaction-level policy or granular audit context.

Common Variations and Edge Cases

Tighter agent controls often increase operational friction, requiring insurers to balance automation speed against investigation readiness and fraud resistance. That tradeoff is real, especially in claims intake where teams want low-latency processing and broad document access. Best practice is evolving, but there is no universal standard for when an agent may self-authorise a step versus when it must pause for human approval.

One common edge case is multi-agent orchestration. A front-end intake agent may pass work to a summarisation agent, which then calls a policy lookup agent and a fraud scoring agent. If each step inherits the same broad token, the blast radius grows quickly. Another edge case is third-party connectivity, especially when agents use external tools or portals to retrieve information. Those connections should be treated as separate trust boundaries, not as extensions of the core claims app. Industry guidance from the CSA MAESTRO agentic AI threat modeling framework aligns well here, because it encourages threat modeling around tool use, escalation paths, and agent autonomy.

Insurers also need special handling for exceptions such as catastrophe events, bulk policy servicing, and call-center copilots that can see personal data but should not write back to core systems. The Replit AI Tool Database Deletion case is a reminder that agent error can become operational damage when tool scope is too broad. The practical rule is simple: if the agent can touch policy or claims data, its privileges must be narrow, time-bound, and independently auditable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10, OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Agentic AI Top 10 A1 Agentic apps need scoped permissions and runtime controls for autonomous actions.
OWASP Non-Human Identity Top 10 NHI-03 Covers lifecycle and rotation of non-human credentials for autonomous workloads.
CSA MAESTRO Threat modeling helps map agent tool use, escalation paths, and trust boundaries.
NIST AI RMF AI governance needs accountability, monitoring, and risk treatment for autonomous agents.
NIST CSF 2.0 PR.AC-4 Least privilege and access management are central to constraining agent data access.

Define owners, monitor behavior, and document risk decisions for every insured agent workflow.