Insurance — Carriers, MGAs & Insurtechs

AI Governance for Insurance Underwriting

Deterministic compliance enforcement for NAIC Model Bulletin, state insurance codes, ECOA, and FCRA — at the automated underwriting decision layer. Every rate-setting, claims, and credit-based insurance scoring decision ships with a signed audit certificate before it reaches your policyholder.

The Compliance Challenge for Insurance AI

Insurance AI operates at the intersection of 50-state regulatory regimes, federal civil rights law, and consumer reporting obligations — a compliance surface no other industry faces at the same scale.

NAIC Model Bulletin

AI Systems Use in Insurance

The NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers (adopted 2023) establishes that AI systems must comply with all existing insurance laws, produce decisions that are explainable to consumers, and be governed by a documented AI governance framework. Carriers that adopt the Model Bulletin — or whose domicile state enacts it — face direct examination exposure for ungoverned automated underwriting. CoreGuard provides the enforcement and documentation layer the Model Bulletin requires.

State Insurance Codes

Rate Discrimination & Unfair Practices

Every state insurance code prohibits rate discrimination based on characteristics such as race, sex, national origin, and religion. Colorado, Illinois, New York, and Maryland have enacted or proposed AI-specific insurance regulations that require impact assessments for algorithmic underwriting. CoreGuard's policy pack enforces prohibited-characteristic rules and generates the adverse action documentation state codes require when coverage is denied or rated up.

ECOA / FHA Extension

Civil Rights Law Applied to Insurance

While ECOA directly governs credit transactions, federal courts and the CFPB have extended disparate impact analysis to insurance products tied to credit. The Fair Housing Act (FHA) applies to homeowners insurance underwriting and pricing. AI underwriting systems that produce disparate impact on protected classes face liability under both FHA and state human rights laws. CoreGuard's disparate impact monitor tracks these patterns at the decision level before they accumulate to an enforcement pattern.

FCRA

Credit-Based Insurance Scoring

When AI underwriting systems incorporate credit data — either directly or through credit-based insurance scores (CBIS) — FCRA obligations apply: permissible purpose, accuracy, and adverse action notices when CBIS contributes to a less favorable rate or denial. Fourteen states restrict or prohibit CBIS entirely. CoreGuard enforces FCRA compliance and tracks CBIS usage against a real-time state restriction registry.

Disparate Impact

Automated Underwriting & Redlining

Regulators including the DOJ and HUD have brought redlining cases against carriers using geographic variables as proxies for race. Machine learning underwriting models can learn these proxy relationships from historical data. CoreGuard's prohibited-proxy registry flags decisions where geographic or behavioral features are correlated with protected-class status above a configurable threshold — enforcing at the individual decision level, not just in aggregate statistical audits.

EU AI Act

High-Risk AI Classification

The EU AI Act classifies AI systems used in life and health insurance underwriting as high-risk, requiring conformity assessments, mandatory human oversight, transparency documentation, and accuracy and robustness standards. Carriers with EU operations or EU-domiciled policyholders must demonstrate governance of their underwriting AI. CoreGuard's signed decision certificates and policy audit trail directly support EU AI Act conformity documentation requirements.

The Gap Between Insurance AI Policy and AI Enforcement

Most carriers have an AI use policy and a vendor due-diligence checklist. What most do not have is runtime enforcement at the underwriting decision layer. The AI governance committee meets quarterly. The actual underwriting model runs every second.

The enforcement gap materializes in three ways. First, model drift: a model validated against last year's data silently shifts its decision boundary as the training distribution changes — the governance documentation remains current, but the model's behavior is no longer what was approved. Second, policy changes: a state enacts a new restriction on the use of credit data in homeowners underwriting. The carrier's policy team documents the change. Whether the production underwriting system actually stops using that data on the relevant policies depends entirely on whether a developer remembered to push the update. Third, prompt injection and hallucination: generative AI layers added to underwriting workflows to handle unstructured data (inspection reports, prior claim narratives) introduce prompt injection and hallucination risks that no static test suite can fully capture.

State insurance examiners are increasingly asking for decision-level evidence, not governance policy documents. CoreGuard provides that evidence automatically.

Without CoreGuard
  • ✗  No decision-level audit trail for examiners
  • ✗  CBIS restrictions applied at deployment only
  • ✗  Disparate impact visible only in aggregate retrospective
  • ✗  Adverse action notices generated manually or not at all
  • ✗  Model drift undetected between periodic audits
  • ✗  No signed record linking decision to policy version
With CoreGuard
  • ✓  Signed certificate per underwriting decision
  • ✓  CBIS restrictions enforced at runtime per state
  • ✓  Disparate impact flagged at individual decision level
  • ✓  Adverse action reasons structured in certificate
  • ✓  Policy violations blocked before output reaches PAS
  • ✓  Hash-chained trail links decision to policy pack version

How CoreGuard Enforces Insurance Underwriting Compliance

CoreGuard's insurance policy pack implements rule-level enforcement for each underwriting obligation — not generic AI safety checks, but insurance-specific compliance logic.

Rate-Setting

Prohibited Rate Factor Enforcement

CoreGuard maintains a prohibited-factor registry keyed to line of business and jurisdiction. Before any AI-generated rate or rating factor is applied to a policy, the evaluation engine checks whether any input feature is prohibited in that state for that line. Race, national origin, gender, religion, and domestic violence victim status are examples of universally prohibited factors. Zip code and certain behavioral signals are prohibited in specific states for specific lines. When a prohibited factor is detected, the request is blocked and a compliant re-evaluation path is returned in the decision certificate.

Claims AI

Claims Processing and Straight-Through Rules

AI-powered claims triage and straight-through processing systems face examination scrutiny when denial rates differ across demographic groups. CoreGuard evaluates claims AI decisions against state unfair claims settlement practice standards and the NAIC Model Bulletin requirements. Decisions to deny, delay, or reduce a claim generate a structured certificate with the rule basis for the disposition — the documentation adjusters and supervisors need for complaint and litigation response.

CBIS

Credit-Based Insurance Scoring Compliance

CoreGuard's CBIS enforcement module operates from a real-time state restriction registry. In the fourteen states that restrict or prohibit CBIS — including California, Hawaii, Maryland, Massachusetts, Michigan, and Oregon — any underwriting request including credit score features is blocked before the decision is made. In states that permit CBIS with adverse action notice requirements, the certificate automatically includes a structured adverse action reason citing the credit factor, as FCRA and state insurance codes require.

Disparate Impact

Real-Time Proxy Detection and Impact Monitoring

CoreGuard tracks every underwriting decision against a rolling disparity index. When the adverse impact ratio for a protected-class cohort drops below the four-fifths rule threshold — or a configurable insurer-specific threshold — the system generates a compliance alert for actuarial and compliance team review. The disparity calculation uses the same decision-level certificate data, so the alert has full decision-level backup from the moment the pattern emerges rather than in retrospective sample audits.
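To make the four-fifths computation concrete, here is an added Python sketch (not CoreGuard's own monitor) of a rolling adverse-impact-ratio check: it keeps favorable-outcome counts per cohort over a sliding window of the most recent decisions, takes the cohort with the highest favorable rate as the reference, and reports every cohort whose rate-to-reference ratio falls below the threshold. Cohort labels are assumed to be supplied by the caller, and the window, threshold and min_cohort parameters are assumptions.

```python
from collections import deque

class DisparityMonitor:
    """Rolling adverse-impact-ratio monitor over the most recent decisions.

    Keeps favorable-outcome counts per cohort within a sliding window, takes the
    cohort with the highest favorable rate as the reference, and reports every
    cohort whose rate divided by the reference rate falls below `threshold`
    (0.8 is the four-fifths rule). Cohort labels are supplied by the caller
    (assumption: the carrier already maps decisions to protected-class cohorts).
    """

    def __init__(self, window=1000, threshold=0.8, min_cohort=30):
        self.window = window          # number of recent decisions considered
        self.threshold = threshold
        self.min_cohort = min_cohort  # ignore cohorts too small to be meaningful
        self.decisions = deque()      # (cohort, favorable) in arrival order
        self.totals = {}
        self.favorable = {}

    def record(self, cohort, favorable):
        """Add one decision and evict the oldest once the window is full."""
        self.decisions.append((cohort, favorable))
        self.totals[cohort] = self.totals.get(cohort, 0) + 1
        self.favorable[cohort] = self.favorable.get(cohort, 0) + int(favorable)
        if len(self.decisions) > self.window:
            old_cohort, old_fav = self.decisions.popleft()
            self.totals[old_cohort] -= 1
            self.favorable[old_cohort] -= int(old_fav)

    def rates(self):
        """Favorable-outcome rate per cohort that meets the minimum size."""
        return {c: self.favorable[c] / n
                for c, n in self.totals.items() if n >= self.min_cohort}

    def alerts(self):
        """Cohorts below the threshold, as {cohort: adverse_impact_ratio}."""
        rates = self.rates()
        best = max(rates.values(), default=0.0)
        if best == 0.0:
            return {}  # no reference cohort yet, or no favorable outcomes at all
        return {c: round(r / best, 3) for c, r in rates.items()
                if r / best < self.threshold}
```

Because the window slides, a cohort that was flagged can clear once enough recent favorable decisions arrive, which is the behaviour a periodic sample audit cannot show.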

Explainability

Consumer-Facing Adverse Action Documentation

The NAIC Model Bulletin and multiple state laws require that insureds receive an explanation when AI contributes to an adverse decision. CoreGuard extracts the top contributing model features and formats them as human-readable adverse action reasons suitable for inclusion in declination letters and rating notices. For black-box models where native feature attribution is unavailable, CoreGuard supports integration with SHAP or LIME explanation layers to produce the required specific reasons.

Integration with Insurtech Platforms

CoreGuard is designed to sit between your AI scoring engine and your policy administration system without requiring architectural changes to either.

Guidewire PolicyCenter & ClaimCenter

CoreGuard is called from the Guidewire business logic layer as an external REST service. Underwriting and claims decisions pass through CoreGuard evaluation before the disposition is written to PolicyCenter or ClaimCenter. Decision certificates are logged in the Guidewire activity record and in CoreGuard's own hash-chained audit store for examiner access.

Duck Creek Technologies

Duck Creek's open API architecture allows CoreGuard to be called from the policy rating engine as a pre-decision evaluation step. The evaluation adds under 3 milliseconds to the rating workflow. For Duck Creek OnDemand cloud deployments, CoreGuard is available as a co-located container that keeps network latency below 1 millisecond.

Majesco CloudInsurer

CoreGuard integrates with Majesco CloudInsurer's workflow engine via webhook or synchronous API call. Underwriting workflow rules can be configured to invoke CoreGuard evaluation before any AI-assisted decision is committed. Majesco CloudClaims uses the same integration pattern for claims AI governance.

Custom Insurtech Stacks

For carriers and MGAs running proprietary underwriting platforms or modern insurtech stacks, CoreGuard exposes a single REST endpoint (POST /v1/decisions/evaluate) and a Python SDK for direct integration. The SDK handles certificate storage, chain verification, and compliance report generation.

Audit Trail for State Insurance Examiners

State insurance market conduct examinations increasingly include requests for documentation of how AI systems make decisions. Examiners from the NYDFS, California CDI, and Illinois DOI have issued targeted information requests to carriers about their automated underwriting governance.

CoreGuard responds to those requests by design. Every underwriting decision evaluated through CoreGuard produces a signed certificate stored in an immutable hash-chained ledger. When an examiner requests the full decision record for a specific policy or cohort, your compliance team generates the report from the CoreGuard API by date range, policy number, or decision type — in minutes, not weeks.

Policy version tracking

Every certificate references the exact policy pack version active at decision time. When a carrier updates their underwriting guidelines — for example, in response to a new state regulation — the certificate record shows which decisions were made under which version of the rules, enabling clean before/after analysis.

Cohort analysis for disparity examinations

State examiners conducting disparity or redlining examinations typically request cohort-level data. CoreGuard's certificate store supports query by decision type, date range, line of business, and jurisdiction — enabling carriers to produce structured disparity analysis backed by decision-level certificates rather than reconstructed log data.

Chain integrity verification

Certificates are HMAC-SHA256 signed and hash-chained. Any tampering with a certificate in the chain is detectable by verifying the chain hash. Examiners can run chain verification via the CoreGuard API or request a signed chain integrity report, providing independent assurance that the audit record has not been altered.

What an Underwriting Decision Certificate Looks Like

Every AI underwriting decision evaluated through CoreGuard produces a signed JSON certificate returned synchronously with the decision. The example below shows a homeowners underwriting decision that was blocked because a CBIS factor was presented in a state where credit-based insurance scoring is prohibited.

CoreGuard Decision Certificate — Insurance Underwriting (insurance_v1)
{
  "certificate_id": "cert_2c8f4a1d-9e7b-41a3-b2c5-0d1e3f2a4b6c",
  "issued_at": "2026-05-05T10:14:22.519Z",
  "policy_set": "insurance_v1",
  "policy_pack_hash": "sha256:4a9f1d2c8e3b0c4...f17a",
  "model_id": "ho-underwriting-ml-v2.8.0",
  "model_version_hash": "sha256:c3d2e1f0a9b8c7d6...",

  "decision": {
    "status": "BLOCKED",
    "risk_level": "HIGH",
    "risk_score": 0.91,
    "action_type": "homeowners_underwriting",
    "block_reason": "CBIS_PROHIBITED_IN_JURISDICTION"
  },

  "policy_evaluation": {
    "rules_evaluated": 18,
    "rules_triggered": 1,
    "violations": [
      {
        "rule_id": "ins.cbis.state_prohibition",
        "description": "Credit-based insurance scoring prohibited in CA for homeowners",
        "feature_flagged": "credit_score",
        "jurisdiction": "CA",
        "line_of_business": "homeowners"
      }
    ],
    "disparate_impact_check": "BLOCKED_BEFORE_EVALUATION",
    "adverse_action_reasons": [
      "Credit data may not be used in homeowners underwriting in California"
    ]
  },

  "context": {
    "policy_type": "homeowners",
    "jurisdiction": "CA",
    "application_id": "app_HO_29471"
  },

  "chain": {
    "previous_cert_hash": "sha256:8b3c5d1e7f2a4...",
    "chain_position": 104837
  },

  "signature": "HMAC-SHA256:9c2d1e4f3a5b..."
}

BLOCKED decisions include a structured adverse_action_reasons array and the specific rule_id and jurisdiction that triggered the block — the documentation your compliance team needs for declination letter drafting.
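As an added illustration, not CoreGuard's own code or SDK, the following Python sketch shows the mechanics that the certificate above, the prohibited-factor and CBIS sections, and the chain-integrity section describe: a request's input features are screened against a constructed two-rule registry, the resulting certificate is HMAC-SHA256 signed over its canonical JSON body and linked to the hash of the previous certificate, and verify_chain walks the chain to detect an edited body, a broken link, or a reordered record. The signing key, the registry entries, the rule id ins.rate.prohibited_factor, the ALLOWED status and all function names are assumptions.

```python
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key"  # assumption: a real deployment keeps the key in a KMS/HSM

# Constructed two-rule registry for illustration; "*" matches any jurisdiction or line.
RULES = [
    {"rule_id": "ins.cbis.state_prohibition", "jurisdiction": "CA", "line": "homeowners",
     "feature": "credit_score",
     "reason": "Credit data may not be used in homeowners underwriting in California"},
    {"rule_id": "ins.rate.prohibited_factor", "jurisdiction": "*", "line": "*",  # hypothetical id
     "feature": "race", "reason": "Race is a prohibited rating factor in every jurisdiction"},
]

def canonical(obj):
    """Deterministic JSON bytes so hashes and MACs are reproducible across systems."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign(cert):
    """HMAC-SHA256 over the canonical body, i.e. every field except the signature itself."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    return "HMAC-SHA256:" + hmac.new(SIGNING_KEY, canonical(body), hashlib.sha256).hexdigest()

def cert_hash(cert):
    """Chain link: hash of the whole previous certificate, signature included."""
    return "sha256:" + hashlib.sha256(canonical(cert)).hexdigest()

def rule_applies(rule, req):
    return (rule["jurisdiction"] in ("*", req["jurisdiction"])
            and rule["line"] in ("*", req["line_of_business"])
            and rule["feature"] in req["features"])

def evaluate(req, prev_cert, position):
    """Screen the request's input features and emit a signed certificate linked to prev_cert."""
    hits = [r for r in RULES if rule_applies(r, req)]
    cert = {
        "policy_set": "insurance_v1",
        "decision": {"status": "BLOCKED" if hits else "ALLOWED",
                     "block_reason": hits[0]["rule_id"] if hits else None},
        "policy_evaluation": {
            "rules_evaluated": len(RULES), "rules_triggered": len(hits),
            "violations": [{"rule_id": r["rule_id"], "feature_flagged": r["feature"],
                            "jurisdiction": req["jurisdiction"],
                            "line_of_business": req["line_of_business"]} for r in hits],
            "adverse_action_reasons": [r["reason"] for r in hits]},
        "context": {"jurisdiction": req["jurisdiction"], "application_id": req["application_id"]},
        "chain": {"previous_cert_hash": cert_hash(prev_cert) if prev_cert else None,
                  "chain_position": position},
    }
    cert["signature"] = sign(cert)  # signed last, so the MAC also covers the chain link
    return cert

def verify_chain(certs):
    """Return the index of the first certificate that fails, or -1 if the chain is intact."""
    for i, cert in enumerate(certs):
        if not hmac.compare_digest(sign(cert), cert.get("signature", "")):
            return i  # body edited, or re-signed under a different key
        expected_prev = cert_hash(certs[i - 1]) if i else None
        if (cert["chain"]["previous_cert_hash"], cert["chain"]["chain_position"]) != (expected_prev, i):
            return i  # link broken: a record was inserted, deleted or reordered
    return -1
```

Because HMAC is a shared-key MAC rather than a public-key signature, anyone verifying the chain independently, an examiner included, needs either the key or a verification service that holds it; verify_chain assumes the verifier has the key.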

Implementation Steps

1. Scope your policy pack

Work with the EVE Core insurance team to configure your policy pack: lines of business, jurisdictions, AI use cases (underwriting, claims, rating, communication), and any carrier-specific prohibited factors beyond the standard regulatory set. The policy pack is version-controlled and deployed separately from your underwriting model so it can be updated independently as regulations change.

2. Insert the API call in your underwriting workflow

Add a single REST call to POST /v1/decisions/evaluate between your AI scoring layer and your policy administration system. The call is synchronous and returns within 3 milliseconds. Use the Python SDK for Guidewire, Duck Creek, or Majesco integrations to reduce boilerplate.

3. Connect certificate storage to your audit infrastructure

Decision certificates stream to CoreGuard's immutable certificate store automatically. Configure webhook forwarding to your SIEM, data lake, or compliance platform. Built-in connectors are available for Splunk, Datadog, and S3-compatible object storage. Chain integrity verification is available via API for ongoing audit validation.

4. Configure disparity monitoring thresholds

Set disparity alert thresholds for each line and jurisdiction. The default is the four-fifths (80%) rule, but carriers operating under more stringent state guidance can configure lower thresholds. Alert routing is configurable — typically to actuarial and compliance team dashboards. Trend reports are generated weekly and available on demand for examination preparation.

5. Enable examination-ready reporting

Generate your first examination-ready compliance report from the CoreGuard dashboard. Reports include decision volume by type, policy rule hit rates, CBIS usage by jurisdiction, disparity trend charts, and chain integrity verification results. Reports are exportable as PDF or structured JSON for direct submission to state examiners.

Frequently Asked Questions

How does CoreGuard address the NAIC Model Bulletin on AI Systems Use?

The NAIC Model Bulletin requires insurers to ensure that AI systems comply with existing insurance laws, produce explainable decisions, and are governed by a documented AI governance framework. CoreGuard directly satisfies these requirements by enforcing policy rules at every automated underwriting decision, generating a signed decision certificate that documents which rules were evaluated, and flagging decisions that fail explainability thresholds. The certificate chain provides the documentation an insurer needs to demonstrate governance to state regulators. CoreGuard is updated as state legislatures and insurance departments adopt, amend, or deviate from the Model Bulletin — enterprise subscribers receive policy pack updates with a 30-day implementation window.

Can CoreGuard detect and block disparate impact in automated underwriting?

Yes. CoreGuard's insurance policy pack includes a disparate impact monitor that tracks approval and pricing disparity across protected-class proxies in real time. When the adverse impact ratio for any demographic cohort crosses a configurable threshold — typically the four-fifths rule applied to insurance outcomes — the system generates a compliance alert and can be configured to escalate for human review before the decision is finalized. All disparity monitoring records are included in the audit trail for state examination, giving actuarial teams structured data from the first decision rather than reconstructed proxies from aggregate log data.

How does CoreGuard integrate with Guidewire, Duck Creek, or Majesco?

CoreGuard exposes a REST API that sits between your AI scoring engine and your policy administration system. For Guidewire PolicyCenter and ClaimCenter, CoreGuard is called as an external service in the business logic layer before the underwriting or claims decision is written. Duck Creek and Majesco integrations follow the same pattern. The API call adds under 3 milliseconds of latency, and decision certificates are returned synchronously for logging in your PAS audit trail. For carriers on cloud-native PAS platforms, CoreGuard can be deployed as a co-located sidecar to reduce network round-trip latency below 1 millisecond.

What is CoreGuard's approach to credit-based insurance scoring compliance?

Credit-based insurance scoring is subject to FCRA requirements and state-specific restrictions. Several states — including California, Hawaii, Maryland, Massachusetts, Michigan, and Oregon — restrict or prohibit CBIS entirely for certain lines. CoreGuard's insurance policy pack enforces state-specific CBIS usage rules at evaluation time: in states where CBIS is prohibited, any decision request that includes credit data is blocked before the decision is made; in states where adverse action notices are required for CBIS-based rate increases, those notices are automatically structured in the decision certificate. The state restriction registry is maintained by EVE Core and updated within 30 days of any legislative or regulatory change affecting CBIS use.

Build examination-ready insurance AI governance

Talk to the EVE Core insurance team about a CoreGuard deployment scoped to your lines, jurisdictions, and AI use cases. We start with a 30-minute architecture review at no cost.



Policy Packs Behind This Use Case

Each pack is a versioned, deterministic rule set with a documented regulatory basis. Reference the policy_id in your /v1/decisions/evaluate calls, or enumerate the full 27-pack catalog at /docs/policy-packs.

insurance_v1

Unfair-discrimination prohibition, GINA, state credit-score controls, and adverse-action notices for AI underwriting.