Executive summary
Proof, before the model goes live, and every quarter after.
A regional mutual insurance company saw compelling reasons to use AI, but anticipated that state regulations would eventually block its ability to do so safely, effectively, and compliantly. A related issue: its frameworks were static, unable to adapt to the high degree of variability in the AI landscape. Swept built a workflow-informed, continuously monitored, state-compliant, and committee-approved system.
By the time this company engaged Swept, it was operating AI tools under a governance program that could not scale further without dedicated operational headcount. Shadow AI was a real and present risk: one vendor had been transcribing protected health information from injury-claim voicemails without anyone's knowledge, while a third-party roof-scoring model was claiming roughly 90% confidence on condition assessments because it had never been customized to the details. What Swept built addressed both visible and invisible risk.
The engagement began by building a regulated foundation for AI deployment: an isolated private cloud environment with data-sovereignty controls, encryption, and role-mapped access, confirmed before any agent touched production data. The Swept team joined the internal team, assessing AI literacy across departments, identifying priority use cases, and building the integration layer connecting core systems to AI tools. The governance platform took existing documentation and made it operational, with automated compliance logging, a live application index, and continuous vendor-AI monitoring.
With the foundation in place, Gemini and Claude, the most effective and right-sized models for this company's workflows, were deployed across all employees as a managed private environment, replacing Microsoft Copilot and GitHub Copilot. Department-by-department training ran over three weeks, in tandem with Swept engineers rather than handed off. Because of this trained rollout, the company now holds the internal capability to own the combined infrastructure.
A second phase applied the foundation across core workflows: five AI agents for the claims operation, a competitive-intelligence agent monitoring competitor rate filings daily across five states, and a field-notes application converting audio recordings into polished documents inside the private environment. An MCP gateway tied it together. Everything built in this phase was designed to run on the governance infrastructure established in the first.
Company background
A higher starting line than most.
This client is a regional mutual insurance carrier operating in a highly regulated environment, subject to state Department of Insurance oversight and NAIC compliance requirements. Like most carriers of its size, its competitive position depends on underwriting discipline, claims accuracy, and the operational reliability that regulators and policyholders expect from a mutual.
Also like most carriers of its size, the company arrived at the current AI moment without a clear path through it. The tools were multiplying faster than the governance infrastructure could absorb them. Vendors were releasing AI features inside internal products already in use, sometimes without announcement. The compliance obligations were real and non-negotiable, and the internal capacity to manage all of it, at scale, did not yet exist.
Leadership understood the risk clearly enough to have built a ten-component governance framework before engaging Swept. That is not a common starting point, but it meant the conversation began at a higher level, prioritizing optimization because documentation already existed.
The problem: governance without operationalization
A framework is a critical piece of documentation. It defines what the rules are, what the risk appetite is, and what compliance requires. But documentation is internal. It does not monitor vendors. It does not alert you when a vendor pushes an AI update into a product you already use. It does not catch a transcription service quietly processing protected health information. It does not tell you whether the scoring model you rely on for underwriting actually performs the way its vendor claims.
An infrastructure-centric, workflow-based program does do those things. The company had been operating multiple AI tools under a framework that was outpacing its own implementation. The framework described what should happen. The open question was whether it was actually happening, across every tool, every vendor update, and every employee interaction. The clearest illustration was the discovery that PHI was moving through a transcription pipeline no one had authorized for that purpose.
Active monitoring is the only mechanism that catches issues like these before they become a regulatory event.
The market has a name for the broader pattern: shadow AI. Vendors release AI features and products gain AI capabilities without anyone updating the intake process. Each event is individually manageable, but collectively, without active monitoring, they become a significant compliance exposure.
There is also a subtler problem that precedes all of this: most AI implementations stall before they start. Connecting legacy systems, standing up a governed environment, managing access controls, and training a team with variable AI experience are the challenges that live in the seemingly insurmountable space between a compelling demo and a working deployment. This company needed a partner who could close that gap.
Swept AI's approach
Foundation first, then operationalization, then expansion. The engagement was structured to build in sequence, and each layer depends on the one beneath it.
Phase A: The foundation
A dedicated Swept group joined the team at the outset, baselining AI literacy across departments and identifying priority use cases before any infrastructure was stood up. The assessment informed both the technical build and the rollout sequencing that followed.
The private environment came next: an isolated compute environment with data-sovereignty controls, encryption, and access mapped to the mutual's organizational structure, configured for governance compliance before any agent touched production data. Active Directory integration meant permissions reflected the actual role hierarchy. Per-user token budgets were built in from the start, not retrofitted. Data does not leave that environment without explicit authorization.
The governance platform operationalized the company's preexisting framework. What had been documentation became a live system: automated compliance logging, a vendor-AI inventory, a real-time application index, and risk-appetite enforcement running continuously rather than reviewed periodically.
Phase B: The rollout
With the foundation in place, Swept deployed the most effective LLMs for the use case, Gemini and Claude, across all employees as a managed private environment, replacing both Microsoft Copilot and GitHub Copilot. Swept engineers embedded with the team through onsite kickoffs, midpoint reviews, and working sessions designed to transfer capability rather than simply deliver output.
Phase C: The expansion
The second phase followed the same sequencing logic: every project depended on infrastructure that had to exist before it. The integration layer was built before the agents that relied on it. An MCP gateway and OCR document-processing gateway connected the company's core claims systems, policy, billing, and document management to the agent layer. Access was authenticated and least-privilege, governance was logged on every call, and each connection was documented to the framework as it came online.
The claims projects were delivered in waves: first, claim summarization; then demand-package review for liability claims, total-loss valuation support for auto claims (pulling CCC, Kelley Blue Book, and J.D. Power data into a side-by-side comparison), and medical-document processing for large packages once requiring manual organization across thousands of pages; and finally a claims chat interface for natural-language questions against live claim data, once the live API integrations were in place.
A decision ran through all five claims agents: every agent was built to Level 1 autonomy by design. Each produces output only when invoked, flags everything for human review, and takes no action on a claim. The architecture reflects a deliberate position about where AI belongs in a regulated claims operation.
| Claims agent | Wave | Autonomy | | --- | --- | --- | | Claim summarization | Wave 1 | Level 1 | | Demand-package review | Wave 2 | Level 1 | | Total-loss valuation support | Wave 2 | Level 1 | | Medical-document processing | Wave 2 | Level 1 | | Claims chat interface | Wave 3 | Level 1 |
The rate-filing monitoring agent operated independently of the integration layer. It polls its home state's rate-filing system daily, along with four other states, categorizing competitor filings, generating summaries, and compiling results into a long-term database for product development. A configurable rules engine lets the team author and maintain the logic that drives insights, so the intelligence reflects the team's own institutional knowledge, not a generic model's.
The field-notes application completed the picture. Field agents record audio, the application converts it into a cleaned transcript and structured summary, and the result is delivered as a Word document inside the private environment. Audio is processed in transient memory and immediately discarded, never stored, with outputs governance-logged like everything else.
What the work revealed
The existing governance framework was genuinely strong, but it could not monitor itself. There was a gap between what the documentation described and what was actually happening: in real time, across multiple tools, in an expanding vendor landscape.
Vendor confidence claims require independent verification. There is a meaningful difference between being uncomfortable with a vendor's numbers and being able to demonstrate, with evidence, that those numbers do not hold up on your data. The AI transcription of PHI from injury-claim voicemails was not a policy gap or a bad actor. It was a vendor capability operating in a space monitoring had not yet uncovered. Active monitoring is the only mechanism that catches issues like these before they become a regulatory event.
The implementation gap is a common point of failure. A strong governance framework and a clear vendor strategy do not, by themselves, produce a working AI program. The integration layer, the access controls, and the training that transfers rather than instructs are three components that collectively determine whether good intentions become operational reality.
What this tells us
Governance has to be operational to be scalable.
The distinction between governance as documentation and governance as infrastructure is the difference between compliance that satisfies an audit and compliance that actually manages risk. Regulated industries need verification, not assurance. Insurance carriers operate where the consequences of inaccurate models, unauthorized data handling, or ungoverned vendor behavior are concrete: regulatory action, litigation exposure, reputational damage. "The vendor says it works" is not an adequate standard of evidence. Independent evaluation, run against actual company data, is the standard that matches the stakes.
The right AI architecture starts with how your team actually works, and cost-efficient AI is not just about cheaper models. It depends on matching model capability to task requirements, then monitoring usage to find where that match is drifting. Per-user token budgets, task-specific agents, and usage visibility keep AI investment aligned with actual value. Knowing where AI does not belong is as valuable as knowing where it does.
The same principle applies to expansion. A well-designed program does not deploy everywhere at once. It identifies the highest-value workflows, matches the right level of autonomy to each, and builds outward from a governed foundation. This engagement's second phase was structured exactly that way: agents assisted rather than acted, audit trails ran continuously, and a rules engine was put in place for the team to own and tune. That architecture reduces compliance risk while building the institutional trust that lets AI use expand responsibly over time.
Conclusion
A head start, made live.
The company's AI ambitions began with leadership that understood the stakes early enough to build a real governance framework before the pressure to act became urgent. That head start meant the work could begin at operational depth rather than foundational basics. What the engagement added was the infrastructure to make that framework live:
- A private environment built before any data touched it.
- An integration layer that compounds in value with every downstream project.
- Monitoring that runs continuously rather than reporting quarterly.
- A deployment model that clarifies how employees actually use AI tools, and how they could.
- A claims operation equipped with five purpose-built agents, each scoped to assist rather than act.
- A competitive-intelligence capability that keeps state filing activity current without manual monitoring.
- A field-notes application that keeps audio ephemeral and outputs governed.
The insurance industry is not going to get more forgiving about data handling, vendor oversight, or model accuracy. AI as a toolset is expanding quickly, and sometimes unsafely, without your knowledge. An engagement like this is how a company gets on the correct side of that gap.