← Blog

AI Underwriting Under the EU AI Act: Life and Health Pricing Is High-Risk

The EU AI Act names AI used for risk assessment and pricing in life and health insurance as high-risk under Annex III. That brings automatic logging, human oversight, and traceability duties to underwriting models. This article walks the obligations, separates the actuarial fairness work from the record-keeping work, and shows which duties a policy gateway produces evidence for on the AI request path.

ByParminder Singh· Founder & CEO, DeepInspect Inc.
Industry Verticalseu-ai-actinsurance-aiunderwritinghigh-risk-aiai-audit-trail

Annex III of the EU AI Act names AI systems used for risk assessment and pricing in relation to natural persons in life and health insurance as high-risk. That is a narrow, deliberate scope: it targets the underwriting and pricing decisions that determine whether a person gets covered and at what premium. High-risk classification carries a fixed set of duties, including automatic logging of events over the system's lifetime, human oversight, and the ability to demonstrate to a supervisor how the system reached a decision. An underwriting model that prices a life or health policy sits squarely inside that scope, and the obligations attach to what that model does on each case.

What high-risk means for an underwriting model

The Act's high-risk requirements read as an engineering specification once you translate them. Traceability means every underwriting decision leaves a record. Human oversight means a person can review and, where needed, override a consequential pricing decision. Logging under Article 12 means the record is automatic and captures the inputs, the period of use, and the people connected to the decision. An underwriter's memory and a spreadsheet of outcomes do not meet this. The record has to be systematic and tied to each individual pricing decision the model produced.

Two kinds of work, again

Underwriting-AI compliance divides the way hiring-AI compliance does. One body of work is actuarial and statistical: ensuring the model does not price on prohibited characteristics or produce unjustified disparate outcomes. That is model governance, handled by actuaries and data scientists, and a policy gateway plays no part in it. The other body of work is evidentiary: proving, for any given policy, what the model was asked, what it returned, which identity ran the decision, and what policy applied. That is the record-keeping the Act mandates, and it is produced at the AI request boundary. Confusing the two leads teams to think a fairness audit satisfies Article 12, which it does not.

Adverse decisions need explanations tied to records

When an applicant is declined or priced unfavorably, the pressure for an explanation is highest. Regulators and applicants both expect a reason, and the reason has to correspond to what actually happened in the decision. A general statement about how the model works is not a per-case explanation. The specific record of the inputs that decision used and the output it produced is what supports an honest adverse-decision explanation. Without that record captured at decision time, the explanation is reconstructed after the fact, which is exactly the position the traceability requirement exists to prevent.

Controlling what the model sees

Underwriting models pull rich personal data, and not all of it belongs in every call, particularly when the model runs on an external endpoint. Policy on the request path can restrict which categories of personal and health data reach the model and can block calls to endpoints not approved for that data. This reduces both the fairness exposure, by keeping prohibited characteristics out of the input, and the data-protection exposure, by controlling where sensitive health data travels. It is the same input-side discipline that the EU AI Act high-risk deadline pillar describes across categories, applied to underwriting.

The penalty context

High-risk non-compliance under Article 99 carries penalties up to 15 million euros or 3% of global annual turnover, whichever is higher. For an insurer running underwriting at volume, the inability to produce decision records is not a paperwork gap; it is direct exposure. Building the record into the AI request path is the lower-cost path to readiness. For the model-governance side of financial-services AI, see fintech AI fraud model governance.

DeepInspect

This is the gap DeepInspect closes on the evidence side. DeepInspect sits inline between your underwriting systems and the models they call. For every pricing or risk-assessment call it records the calling identity, the model, the input policy applied, and the outcome, producing the traceable per-decision record Article 12 requires. It applies policy to the content of each request, so categories of personal or health data you withhold do not reach the model, and it blocks calls to endpoints not approved for that data.

DeepInspect does not run your actuarial fairness testing; that stays with your model-governance program. It produces the record that program and the Act both rely on, and gives a reviewer the specific decision to examine when oversight or an adverse-action explanation is required. The pricing model decides the premium. The gateway records what it did and controls what it saw.

If you run life or health underwriting models under the EU AI Act, let's talk today.

Frequently asked questions

Is insurance AI high-risk under the EU AI Act?

Life and health insurance AI is. Annex III specifically names AI used for risk assessment and pricing of natural persons in life and health insurance as high-risk. That scope brings automatic logging under Article 12, human oversight, and traceability duties to underwriting and pricing models. Other insurance uses may fall outside this specific high-risk category.

What does traceability require for underwriting?

A systematic record of each pricing decision: the inputs used, the period of use, the identity that ran it, the model, and the outcome. An outcomes spreadsheet does not meet this, because it lacks the input and identity context of the individual decision. The record has to be automatic and written where the model call happens.

Can a gateway make an underwriting model fair?

No. Ensuring a model does not price on prohibited characteristics or produce unjustified disparate outcomes is actuarial and statistical work owned by your model-governance program. A gateway addresses the separate evidence duty: recording what each decision involved and controlling what data reaches the model.

How does the record support adverse-decision explanations?

When an applicant is declined or priced unfavorably, the explanation has to match what actually happened in that decision. The per-case record of the inputs used and the output produced is what supports an honest, specific explanation. Captured at decision time, it removes the need to reconstruct the reasoning afterward, which is what the traceability requirement is designed to avoid.