Pattern Scenario · 03 CIO & Board AI Governance 8 min read 2025
CIO Board AI Governance InsurTech · BFSI

The board approved the AI budget. Nobody approved the guardrails.

A 600-person general insurance company had been running AI tools across six teams for eighteen months. When the CIO commissioned an audit, they discovered customer policy data, claim narratives, and personal health information had been flowing through external LLM APIs with no data processing agreement in place.

Pattern Scenario
This is an illustrative composite — built from a failure mode I've documented across multiple engagements. The details, numbers, and sequence are representative of how this pattern plays out. It is not a single client's story.

§ 01The situation

The company had done what most mid-market insurers did in 2023 and 2024: they encouraged their teams to explore AI tools, approved a modest budget for productivity software, and trusted that the existing IT governance processes would handle the details. The board, at its annual strategy session, had noted AI adoption as a priority. The CIO had interpreted that note as a green light to move fast.

Moving fast, in practice, meant that six business units — underwriting, claims, customer service, compliance, finance, and HR — had independently adopted AI-assisted tools. Some were enterprise agreements. Most were individual subscriptions purchased by team leads on corporate cards. Two were free-tier accounts that a compliance officer had signed up for with a personal email and a company dataset.

Eighteen months in, the CIO received an inquiry from the company's UK legal entity about data handling obligations under the EU AI Act, whose high-risk provisions were moving toward enforcement. The legal team asked a simple question: which AI systems is the company using, and where is the data going? The CIO did not have a complete answer. That was the moment that triggered the call.

§ 02What we found

We ran a shadow AI audit over three weeks: procurement review, email header analysis for SaaS domains, IT network logs, and structured interviews with team leads across all six business units. What we found was not unusual — but it was serious.

Eleven distinct AI tools were in active use across the company. Four had been formally procured through IT. Seven had been adopted by individual teams without IT involvement. Of the seven unofficial tools, three were configured to send data to external APIs with no data processing agreement in place. One of these was being used by the claims team to draft settlement summaries — summaries that routinely included claimant names, policy numbers, claim values, and in some health-related cases, diagnosis codes.

Regulatory exposure identified

EU AI Act (UK entity): AI systems used in insurance underwriting and claims assessment fall under Annex III as high-risk, requiring mandatory conformity assessment and human oversight documentation — neither of which existed.

RBI data localisation guidance (India operations): three external LLM API endpoints routed data through servers in the United States, with no Data Processing Addendum or localisation exemption on file.

DPDP Act, India 2025: personal data of Indian policyholders — names, health information, financial details — was being processed by third-party AI systems without explicit consent provisions in the company's policy documentation.

The board had approved AI adoption in the abstract. Nobody had approved any of the eleven specific tools. Nobody had assessed whether the data those tools processed was classified, sensitive, or regulated. Nobody had assigned accountability for AI decisions. The accountability had been assumed away: IT assumed business units had assessed their tools. Business units assumed IT had governance frameworks. The CIO assumed the board's directive implied a mandate. The board assumed the CIO had managed the details.

"The gap was not between what the board intended and what the organisation did. The gap was between what the board said and what they meant — and nobody had asked them to specify the difference."
90%
of enterprises are using AI in daily operations. Only 18% have fully implemented governance frameworks. The other 72% are running on assumed accountability.Knostic Enterprise AI Governance Report · 2025

§ 03What we did

The first priority was not policy. It was triage. Three tools were suspended immediately — not as a disciplinary measure, but because the risk of continued data transmission while the governance framework was being built outweighed any productivity benefit. The teams were informed clearly: the tools would return, with approved configuration, once the controls were in place. People had built real workflows around these tools, and a suspension framed as permanent would have created shadow workarounds.

The second step was a data classification exercise — the one that should have preceded any tool adoption. We mapped the company's data assets against four tiers: public, internal, confidential, and regulated. Every AI tool in use was then assessed against a single question: what data tier does this tool process, and is it configured to handle that tier appropriately? We pulled sample inputs from each tool's usage logs and classified them. The classifications made the risk concrete in a way that abstract policy discussions cannot.

Third, we built an AI governance structure with three components. A named executive owner — the CIO, with explicit board-level accountability and quarterly reporting obligations. A cross-functional AI steering committee meeting monthly, with representatives from IT, legal, compliance, and one business unit rotating each quarter. And an approved AI tool registry: a living document specifying which tools are permitted, for which data tiers, with which configuration requirements and DPA status.

The CISO was brought in for the final review before the board presentation. AI governance at this company had been treated as a productivity question. It needed to be reframed as a risk question — and the CISO's presence at the board table did more to communicate that reframing than any slide deck could.

§ 04The outcome

6 wks
AI governance policy live and board-approved
3
Tools suspended; 2 returned with approved config and DPAs
0
Regulatory findings escalated before enforcement window
Quarterly
AI risk now a standing board agenda item

The UK legal entity received a complete response to their inquiry within the six-week window — before the EU AI Act enforcement provisions became active for their risk tier. The India operations team documented the data localisation position and filed for the relevant exemption on the tools that remained in use. The regulatory risk, which had been escalating passively for eighteen months, was contained before it became a finding.

The board's response was relief, and then a question that should have been asked eighteen months earlier: why didn't we have any of this before?

The answer is that the board's mandate to adopt AI had been treated as a directive to move fast, and moving fast and building governance simultaneously requires a level of deliberateness that most organisations don't apply to AI because they don't classify it as a risk category yet. They classify it as a productivity category. The tools look like Slack. They feel like SaaS. Nobody runs a data protection impact assessment before deploying Slack.

The difference is that Slack doesn't process your claimants' health data through a third-party model trained on an undisclosed dataset and stored on infrastructure in a jurisdiction your regulator has opinions about. That distinction has to be made explicit, by someone with the standing to make it, before the tools are deployed — not eighteen months after.

The CIO did not fail here. The organisation failed to give the CIO a framework within which responsible adoption was possible. Every AI mandate without a corresponding governance mandate is a liability accumulating on a schedule the organisation cannot see.

Recognise this pattern?
The first conversation costs nothing. The alternative already has.
If this scenario maps to where you are