Underwriting, claims processing, and fraud detection

The trust layer for AI agents operating inside regulated insurance workflows.

The insurance sector has three sub-verticals, each with its own action vocabulary, regulator binding, and integration brief. Pick the sub-vertical that matches the calling system's role; the policy template, the regulator evidence pack, and the integration brief follow from there.

Three calling-side shapes; one shared platform.

Underwriting (risk assessment, premium, binding)

Applicant intake, risk assessment, premium calculation, policy issuance, declination, and referral to a human underwriter. The policy.declined, underwriter.referred, and policy.issued (above a sum-insured threshold) action classes are gated behind a senior underwriter in the loop.

Policy template: policies/sectors/insurance/underwriting-template.yaml
Integration brief: docs/governance/integration-briefs/insurance-underwriting.md
Primary regulators: EIOPA Solvency II Arts 41 to 49, EIOPA AI Governance Principles, NAIC Model Bulletin on AI Systems, NAIC Insurance Data Security Model Law (#668), FCA SM&CR (UK brokers)

Claims processing (intake, validity, payment, denial, appeal)

Claim intake (first notice of loss), validity assessment, evidence requests, fraud flagging, payment authorisation, claim denial, and appeal handling. The claim.denied, payment.authorised above a configurable amount threshold, and customer.appeal_outcome action classes are gated behind a senior handler.

Policy template: policies/sectors/insurance/claims-processing-template.yaml
Integration brief: docs/governance/integration-briefs/insurance-claims-processing.md
Primary regulators: EIOPA Solvency II Arts 41 to 49, EIOPA AI Governance Principles, NAIC Model Bulletin on AI Systems, FCA ICOBS (UK insurers), EU IDD 2016/97/EU

Fraud detection (anomaly flagging, SIU referral, suspension)

Transaction anomaly flagging, case file creation, Special Investigations Unit (SIU) referral, customer flagging for enhanced monitoring, customer suspension on confirmed incidents, and regulator-report drafting. The customer.suspended, siu.referred, and case.escalated action classes are gated behind the head of fraud.

Policy template: policies/sectors/insurance/fraud-detection-template.yaml
Integration brief: docs/governance/integration-briefs/insurance-fraud-detection.md
Primary regulators: EIOPA Solvency II Art 44 (risk management), EIOPA AI Governance Principles, NAIC Model Bulletin on AI Systems, NAIC Data Security Model Law (#668) §§ 5 and 6, FCA SM&CR (UK insurers)

Which frameworks the insurance pack maps to.

The per-sub-vertical pages below carry the full coverage table. The headline mapping is EIOPA (Solvency II governance and use of internal models, EIOPA AI Governance Principles, the EIOPA Cloud Outsourcing Guidelines, and IDD distribution rules) and NAIC (Model Bulletin on AI Systems, Insurance Data Security Model Law #668, Privacy Protections Model Act #674, ORSA Model Act #505). The FCA SM&CR pack from the financial-services sector covers UK-authorised insurance intermediaries; the SEC and FINRA packs cover US insurance advisers operating under federal securities rules; the DORA polish in frameworks.py covers EU insurance undertakings in scope of the Digital Operational Resilience Act.

  • EIOPA
    vortalis_proxy/compliance/eiopa.py
    tests/conformance/regulators/eiopa/
  • NAIC
    vortalis_proxy/compliance/naic.py
    tests/conformance/regulators/naic/
  • FCA SM&CR (cross-reference)
    vortalis_proxy/compliance/fca_smcr.py
    tests/conformance/regulators/fca_smcr/
  • SEC AI conduct (cross-reference)
    vortalis_proxy/compliance/sec_ai_conduct.py
    tests/conformance/regulators/sec_ai_conduct/
  • FINRA (cross-reference)
    vortalis_proxy/compliance/finra.py
    tests/conformance/regulators/finra/
  • DORA (cross-reference)
    vortalis_proxy/compliance/frameworks.py

What this sector pack does not do.

Vortalis does not write policies, pay claims, or move premiums; it governs AI-agent decisions about those tasks and produces the audit evidence the operator uses.

The policy templates gate the actions an AI agent may take. The actual binding on the policy administration system, the actual payment instruction to the bank, and the actual customer-portal suspension all happen in the operator's existing infrastructure. The audit chain records the agent's decision and the upstream outcome; it does not move money.

Counterparty certification with policy administration systems, claims platforms, and reinsurance networks is the operator's responsibility.

Vortalis ships sector adapters as code where they exist; production certification with each policy administration system (Guidewire, Duck Creek), claims platform, banking-payment service, and reinsurance network sits with the operator. The Vortalis adapters provide a starting shape; conformance against each counterparty's certification programme is the operator's track.

State-level US insurance adoption of NAIC model laws varies; the operator is responsible for confirming which model laws apply in each state of operation.

The NAIC publishes model laws and bulletins; individual US states adopt them with their own variations. The NAIC Model Bulletin on AI Systems (2023), the NAIC Insurance Data Security Model Law (#668), and the NAIC Privacy Protections Model Act (#674) all have rolling state-level adoption. Vortalis cites the model-law text; confirming which states have adopted each instrument in the form the operator's business reads is the operator's regulatory-affairs job.

Solvency II internal model governance under Articles 112 to 127 is an operator-level conclusion that requires PRA / EIOPA approval evidence on top of Vortalis runtime controls.

Solvency II internal-model approval is a home-state supervisor decision (PRA in the UK; the relevant home supervisor in the EU) based on the insurer's application. The platform supplies the runtime audit and governance evidence (chain validity, principal-chain, policy versioning, model id captured per action) the operator's application cites for the use test (Article 116), the statistical quality standards (Article 120), and the validation and documentation requirements (Articles 124 and 125). The approval itself sits with the supervisor.

The general-purpose honest limits sit at /security/limitations; this list is specific to the insurance pack.

Bring Vortalis to your insurance agents.

Pick the sub-vertical above. Read the integration brief if you would rather start with the engineering detail. Talk to us first if you would rather start with a conversation about your threat model.