The Review Nobody Can Give

Five of the largest insurers in America are hiring AI governance leads. In a 2026 Grant Thornton survey, three out of four insurance executives said they could not pass an independent AI governance review in ninety days. The reason is not that the review is hard. It is that no independent party exists to give it, because the companies building AI governance tooling grade their own work.

Five of the largest insurers in America are hiring for a job that did not exist eighteen months ago. They are also, by their own admission, not ready to do it.

Allstate is hiring an AI Governance Lead. So are Liberty Mutual, MetLife, Prudential, The Hartford. Net-new roles, net-new teams, built this year. The largest insurers in the country are staffing a function that was not on their org charts a year and a half ago.

That tells you the demand is real. Here is what tells you it isn't solved.

In Grant Thornton's 2026 survey, only 24% of insurance executives said they were very confident they could pass an independent AI governance review in ninety days. Read the inverse. Three out of four insurance leaders believe they would fail a review of whether their AI stayed inside its limits.

Grant Thornton, one of the largest audit and advisory firms in the country, has a name for this. They call it the AI proof gap.

Sit with the phrase they used: independent governance review. Not "do we have a policy." Not "did we write the controls." Independent. Someone outside the building looks at the evidence and says whether the governance actually held.

Here is the problem. There is no one to give that review.

The companies building AI governance tooling are operators. They enforce policy and then grade their own enforcement. The bodyguard writing his own performance review. The grade may be honest, but nobody outside the building has a reason to trust it, because the grader and the graded are the same entity.

That is not a knock on any vendor. It is structural. It is the same reason the FDA does not make the drugs it approves, and your bank does not set your credit score.

The scorekeeper has to sit outside both the operator and the rulebook, or the score does not travel.

The insurers hiring governance leads are filling the operator role: the people who build and run internal controls. Necessary work. But an operator cannot certify itself any more than a company can audit its own books and call it an audit. The internal team is the controls. The review is supposed to be the thing the controls answer to.

That seat, the independent referee who can say whether the AI governance held, is empty. The 76% number is what an empty seat costs when the regulator's clock is running: three out of four insurers cannot prove their AI is governed, on the eve of laws that will require exactly that proof. The EU AI Act carries penalties up to €35M (about $38M) or 7% of global annual revenue, whichever is larger, with its high-risk obligations set to take hold in 2026. That is not a theoretical ceiling. Europe already proved with privacy law that it collects. It is not only Europe. Colorado passed the first comprehensive state AI law in the country, and the fight over how and when to enforce it has been running ever since. Twelve states are piloting an AI evaluation tool of their own right now. The reviews are coming whether or not anyone is qualified to give them.

What an independent review actually requires is three things, in order:

Governed. The AI's actions are bound by policy that runs as code, before the action reaches the wire. Not a guideline a model is asked to honor after the fact.

Attested. The system produces evidence of what it did and what it was allowed to do. Evidence the governed system cannot edit. Immutable, in one word. A log the operator can rewrite is not evidence. It is a press release. This is where the gap becomes a liability. In the same survey, 68% said their controls exist but the evidence is fragmented across teams and tools. The governance is real. They just cannot produce it on demand. A control you cannot prove is a control you do not have.

Measured. An independent party scores whether the governance held. It scores the evidence the system couldn't touch, against a standard the operator didn't write.

Governed, attested, measured. Most AI deployments have the first, fake the second, and skip the third entirely. The third is the one that turns "we have governance" into "we can prove governance held to someone who has a reason to doubt us." A regulator. An insurer. A court, after something goes wrong. That third thing is the empty chair: the independent referee who does the measuring, the one seat no operator can fill for itself.
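The three requirements above, as a small added example that is not from the original post or any vendor's product: an operator's policy gate that decides before the action runs and attests each decision to a hash-chained, append-only log, and an independent verifier that recomputes the chain against a head hash it holds, then scores the permitted actions against a standard the operator did not write. The agent names, actions, policies and the referee's standard are all constructed for illustration.

```python
import copy
import hashlib
import json

# Constructed operator-owned policy: what each AI agent may do on its own.
OPERATOR_POLICY = {
    "claims-bot": {"read_claim", "summarize_claim", "flag_for_review"},
    "underwriting-bot": {"read_application", "score_risk", "decline_applicant"},
}

# Constructed referee standard, written by the independent party, not the operator:
# actions an AI must never take without a human, whatever the operator's policy says.
REFEREE_STANDARD = {
    "claims-bot": {"deny_claim", "pay_claim"},
    "underwriting-bot": {"decline_applicant"},
}

GENESIS = "0" * 64


class AttestationLog:
    """Append-only, hash-chained log: each entry commits to the previous hash,
    so editing or deleting an earlier entry breaks every hash after it."""

    def __init__(self):
        self.entries = []

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "record": record, "hash": digest})
        return digest

    def head(self):
        # The head hash is what the operator hands to the independent party at
        # checkpoint time; once it is out of the building, history cannot be rewritten quietly.
        return self.entries[-1]["hash"] if self.entries else GENESIS


def govern(log, agent, action):
    """Governed + attested: enforce policy before the action, and record the
    decision together with the policy it was checked against."""
    allowed = OPERATOR_POLICY.get(agent, set())
    decision = "permit" if action in allowed else "deny"
    log.append({"agent": agent, "action": action,
                "policy_at_time": sorted(allowed), "decision": decision})
    return decision == "permit"


def verify_chain(entries, expected_head):
    """Recompute every hash. Returns -1 if the chain is intact and ends at the
    head the verifier holds, the index of the first broken entry otherwise,
    or len(entries) if every link checks but the head was replaced."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        body = json.dumps(entry["record"], sort_keys=True)
        recomputed = hashlib.sha256((prev + body).encode()).hexdigest()
        if entry["prev"] != prev or recomputed != entry["hash"]:
            return i
        prev = entry["hash"]
    return -1 if prev == expected_head else len(entries)


def measure(entries, expected_head):
    """Measured: score only evidence whose chain survives verification,
    against the referee's standard rather than the operator's policy."""
    broken = verify_chain(entries, expected_head)
    if broken != -1:
        return {"chain_intact": False, "broken_at": broken, "score": None}
    permitted = [e["record"] for e in entries if e["record"]["decision"] == "permit"]
    violations = [r for r in permitted
                  if r["action"] in REFEREE_STANDARD.get(r["agent"], set())]
    score = 1.0 if not permitted else 1 - len(violations) / len(permitted)
    return {"chain_intact": True, "permitted": len(permitted),
            "violations": len(violations), "score": round(score, 3)}


def demo():
    """Constructed run: four governed actions, then two attempts to edit history."""
    log = AttestationLog()
    govern(log, "claims-bot", "read_claim")
    govern(log, "claims-bot", "pay_claim")                  # denied by operator policy
    govern(log, "underwriting-bot", "score_risk")
    govern(log, "underwriting-bot", "decline_applicant")    # permitted by operator, flagged by referee
    head = log.head()                                       # checkpoint held by the independent party

    clean = measure(log.entries, head)

    # Attempt 1: edit the record in place; the stored hash no longer matches.
    edited = copy.deepcopy(log.entries)
    edited[3]["record"]["action"] = "score_risk"
    after_edit = measure(edited, head)

    # Attempt 2: edit and recompute the hash too; the chain now ends at a different head.
    rehashed = copy.deepcopy(edited)
    body = json.dumps(rehashed[3]["record"], sort_keys=True)
    rehashed[3]["hash"] = hashlib.sha256((rehashed[3]["prev"] + body).encode()).hexdigest()
    after_rehash = measure(rehashed, head)

    return clean, after_edit, after_rehash


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The two tamper attempts are the point: an operator who only edits a record trips the hash check on that entry, and an operator who also rehashes it still cannot produce the head the referee already holds. Without the externally held head, the second edit would pass, which is why a log that never leaves the operator's hands is not evidence.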

Insurers feel this before anyone, because their whole business is putting a number on risk. A risk you cannot independently measure is a risk nobody can put a number on. So the 76% is not an insurance problem. It is the first place a measurement gap shows up as a number, because that is where unmeasured risk goes to become expensive.

Some firms will sell you an audit. An audit is a photograph. It tells you the governance held on the day the consultant looked, and says nothing about the day after they leave. A standard is different. A standard is a system that keeps measuring, the same way, against the same bar, long after anyone is in the room. Insurers do not price risk with a photograph. They price it with a score that updates.

The seat is still empty. The reviews are still coming. The question every insurer hiring a governance lead will eventually ask is not "did we build the controls." It is "who, that we don't employ, can tell us the controls held."

I build the independent measurement layer for that question.


Frequently asked

What is the AI proof gap in insurance?

The AI proof gap is the distance between having AI governance and being able to prove it held. In Grant Thornton's 2026 survey, most insurers reported that their controls exist but the evidence is fragmented across teams and tools, so only 24% were very confident they could pass an independent AI governance review in ninety days. The governance is real; the provable, on-demand evidence is missing.

Why can't an insurer's internal AI governance team give the independent review?

Because the internal team is the operator. It builds and runs the controls, which means it cannot also be the independent party that grades whether those controls held. An operator certifying itself is a company auditing its own books and calling it an audit. The review is supposed to be the thing the controls answer to, not a report the same team writes about itself.

What does an independent AI governance review actually require?

Three things, in order. Governed: the AI's actions are bound by policy enforced before the action, not reviewed after. Attested: the system produces evidence of what it did and what it was allowed to do, evidence the governed system cannot edit. Measured: an independent party scores whether the governance held, against a standard the operator did not write. Most deployments have the first, fake the second, and skip the third.

Why do insurers feel the AI measurement gap before other industries?

Because their entire business is putting a number on risk. A risk that cannot be independently measured is a risk nobody can price with confidence. Insurance is simply the first place an unmeasured-governance gap shows up as a hard number, because that is where unmeasured risk becomes expensive.

How is an independent standard different from an AI governance audit?

An audit is a photograph: it reports that governance held on the day a consultant looked, and says nothing about the day after they leave. A standard is a system that keeps measuring, the same way, against the same bar, continuously. The difference matters most when something goes wrong long after the audit closed.

What penalties make AI governance a near-term financial risk?

The EU AI Act carries penalties up to €35M (about $38M) or 7% of global annual revenue, whichever is larger, with high-risk obligations set to take hold in 2026. In the United States, Colorado passed the first comprehensive state AI law and a dozen states are piloting AI evaluation tools. The regulatory reviews are arriving whether or not organizations can pass them.