Insurance Decision Record Audit Stream v0.1 draft. Per-application / claim / pricing-decision AI-tool-access events, hash-chained and signed, designed to bridge ACORD + state DOI examination semantics to the Kinetic Gain Protocol Suite audit-stream spine. The Operator surface that lets an insurer's policy-admin / claims-admin system + vendor AI tool emit Suite-compliant audit events covering the three primary insurance-AI decision surfaces — underwriting, claims, pricing — under one schema with kind enum branching.
Part of the Kinetic Gain Protocol Suite. Opens the InsurTech vertical alongside the existing HealthTech, EdTech, and PropTech 6-packs.
Status: v0.1 draft. Schema at
schema/insurance-decision-event.schema.json, Node verifier atsrc/verify.mjs, canonical example atexamples/coastguard-claimstriage-2026q4/. Full record structure + invariants also consolidated inSPEC.md, including a proposed additive decision-card-lifecycle branch pending review.
Every AI-assisted insurance decision touches at least one regulatory expectation: the NAIC AI Model Bulletin (Nov 2023) — adopted by 20+ states and counting — names governance, risk-management, third-party-AI testing, and bias-monitoring expectations that examiners now reference at every market-conduct exam. NY DFS Circular Letter No. 7 (Jul 2024) adds explicit expectations for life insurers using external consumer data + AI/ML. Colorado SB 21-169 (effective Nov 2023 for life, additional lines staged) requires testing for unfair-discrimination outcomes from AI systems. California DOI has been issuing pre-rule guidance since 2022. State DOI examiners look for: provable consent + recordkeeping + human-adjudicator-in-loop on adverse-action + reproducible reason codes + third-party-vendor due diligence.
The insurer's policy-admin / claims-admin system already knows the ACORD field names. The vendor AI tool already knows the recommendation it issued. What's missing is a uniform stream that names which AI tool read which ACORD field at which timestamp under which regulatory basis under which buyer-published Decision Card — provable to a state DOI market-conduct examiner without forcing the insurer to rebuild its admin systems or the vendor to abandon ACORD.
This repo defines the schema + verifier for that stream.
Each event is a JSON object with:
| Field group | Purpose |
|---|---|
event_id, timestamp, kind |
Append-only identity |
source |
The emitting system (policy-admin, claims-admin, vendor AI tool) |
subject_ref |
Tokenized policy / claim / application ID — raw policy number, applicant SSN, claimant SSN, applicant / claimant name MUST NOT appear |
line_of_business |
One of 20 personal + commercial + specialty lines |
resource |
ACORD form / element + optional XPath + tokenized resource ID + logical fields accessed |
action / outcome |
C/R/U/D/E + 0/4/8/12 codes (cross-vertical audit semantics) |
agent |
Which AI tool, which Decision Card, optional principal (adjuster / underwriter / CSR) |
regulatory_basis |
Code + citation + URI to the basis document (NAIC bulletin / state-DOI bulletin / NY DFS / CO SB 21-169 / CA DOI / ECOA / FCRA / consumer opt-in / judicial order) |
decision_card_ref |
Required pointer to the buyer-published Decision Card governing this access |
records_of_disclosure_status |
Whether the access was logged in the state DOI record + FCRA dispute log |
purpose_of_use, redaction_applied |
Free-text + applied tokenization/redaction list |
ai_recommendation |
OPTIONAL — recommendation, reason codes, model version, human_adjudicator_required = true (invariant when adverse-action-capable) |
signature |
Optional ed25519 signature on the canonical-JSON serialization |
prev_hash, hash |
Hash chain (SHA-256 over canonical-JSON of the event minus hash) |
- Schema — every event validates against the JSON Schema.
- Hash chain —
events[0].prev_hash = "0"*64;events[i].prev_hash = events[i-1].hash;hash = sha256(canonical_json(event - {hash})). - Canonical JSON — keys sorted lexicographically at every level, no insignificant whitespace, UTF-8.
- Human-adjudicator invariant — every event whose
kindis in the adverse-action-capable set AND whoseai_recommendation.recommendationis in{decline, rate-up, approve-with-conditions}MUST setai_recommendation.human_adjudicator_required = true. NAIC AI Model Bulletin governance expectation + state DOI guidance — no autonomous adverse-action issuance.
Adverse-action-capable kinds: insurance.underwriting.recommendation-produced, insurance.claim.recommendation-produced, insurance.claim.triage-produced.
The verifier exits 0 on success, 1 on schema failure, 2 on chain failure, 3 on human-adjudicator violation, 4 on usage error.
examples/coastguard-claimstriage-2026q4/source.json — three events from Coastguard Insurance's 2026 Q4 stream covering a homeowner's claim:
insurance.claim.intake-read— VendorI ClaimsTriage v3.x reads the ACORD 3 General Form fields (date of loss, cause-of-loss code, loss location county, estimated loss amount, prior-claims 24-mo count) under NAIC AI Model Bulletin §4 third-party AI testing-and-monitoring expectations. Tokenized claim ID. Claimant name / SSN / street address redacted before reaching the model.insurance.claim.triage-produced— VendorI issues arefer-to-humanrecommendation with reason codesLOSS_AMOUNT_ABOVE_FAST_TRACK_THRESHOLD+PRIOR_CLAIMS_PATTERN_FLAG, model_version3.2.1,human_adjudicator_required: true. (NOT a final decision.)insurance.claim.adverse-action-evaluated— Coastguard's human adjuster issues the partial-claim-denial notice under FCRA §615 + applicable state DOI notice rules.
npm install
npm run build:examples
npm run verifyCI runs both on every push + PR.
| Repo | Role |
|---|---|
evidence-bundle-spec |
Underlying audit-stream conventions |
fhir-resource-access-audit |
Sibling HealthTech audit-stream profile (FHIR / HIPAA) |
student-data-access-audit-stream |
Sibling EdTech audit-stream profile (CEDS / Ed-Fi / FERPA) |
mortgage-decision-record-audit-stream |
Sibling PropTech audit-stream profile (MISMO / URLA / ECOA / RESPA / HMDA) |
ai-claims-decision-card-spec |
Referenced by the proposed decision_card_lifecycle branch (see SPEC.md §5) — pending review |
InsurTech-readiness scaffolding for NAIC AI Model Bulletin (Nov 2023) governance + risk-management + third-party AI testing expectations, state DOI examination logs, NY DFS Circular Letter No. 7 (Jul 2024), Colorado SB 21-169 anti-discrimination testing requirements, California DOI pre-rule guidance, FCRA consumer-report documentation, and ECOA-applicable credit-based insurance scoring. The schema + verifier support an insurer's program toward those expectations but do not by themselves establish compliance with any of them. Per the standing public-language guardrail: readiness · evidence · posture · controls · scaffolding — never "NAIC-compliant" or "state-DOI-attested" without an external attestation.
MIT — see LICENSE.