Red Teaming Strategies to Strengthen AI Governance in Insurance

The Role of Red Teaming in AI Governance for the Insurance Industry

The insurance sector’s adoption of artificial intelligence (AI) faces growing attention from regulators. One practical method insurers can use to manage AI risks is red teaming. According to the U.S. Department of Commerce’s National Institute of Standards and Technology, a red team is "a group authorized to simulate adversarial attacks against an enterprise’s security posture." The goal is to reveal vulnerabilities by mimicking potential threats, helping defenders improve security in a real-world setting.

What Is Red Teaming?

Red teaming originates in cybersecurity but is gaining traction in insurance risk, legal, and compliance functions. Regulators view AI as potentially risky for consumers, prompting efforts to regulate AI use in insurance. For instance, 24 states have adopted the NAIC Model Bulletin on AI use by insurers, New York has issued specific cybersecurity and AI-related regulations, and Colorado has rules focused on governance and risk management for AI-driven insurance activities.

While these regulations don’t explicitly require red teaming, adversarial testing is a valuable tool for insurers seeking to strengthen their AI governance frameworks.

Why Red Teaming Matters for AI in Insurance

Red teaming provides a strategic way to test and improve AI systems used in underwriting, claims, fraud detection, and customer service. By simulating attacks, red teams expose weaknesses in AI models, including potential biases or discriminatory outcomes. This helps ensure AI systems maintain data integrity, protect privacy, and operate reliably under threat.

Testing includes feeding AI models manipulated data or malicious inputs to see how they respond. This process uncovers risks such as errors, vulnerabilities, and bias that might otherwise go unnoticed. Insurers often red team both internally developed AI and third-party solutions. However, relying solely on vendors’ red teaming assurances isn’t enough. The insurer’s unique data and customizations can introduce new risks that require independent testing.

Best Practices and Legal Points to Consider

Effective red teaming strengthens security and supports sound AI governance. Insurers should also consider whether legal protections, like attorney-client privilege, apply to their red teaming exercises. These privileges depend on how the exercises are conducted and whether the communications are confidential and intended for legal advice.

Including red teaming as part of your AI governance toolkit demonstrates to regulators that your organization actively manages AI risks. Keeping clear records of red teaming assessments can help when responding to regulatory inquiries.

• Use red teaming to identify and fix AI vulnerabilities before deployment.
• Don’t rely solely on third-party vendor testing—test AI models with your own data and configurations.
• Document red teaming exercises thoroughly for transparency with regulators.
• Consult legal counsel to understand privilege protections and compliance requirements.

For insurance professionals looking to deepen their AI knowledge and governance skills, training resources like those available at Complete AI Training offer practical courses tailored to industry needs.