Tenet for Insurance
Lifecycle orchestration and shadow-AI audit for insurance.
Lifecycle orchestration and state-insurance-regulator-ready audit trails for 500–5,000 employee insurance companies and MGAs.
Why this matters for Insurance
What does NYDFS 23 NYCRR 500 require from the former-employee access trail?
State insurance departments (NAIC model audits) and customer PII exposure risk make insurance one of the tightest audit markets for former-employee access. Underwriting, claims, and broker operations teams now use AI document-review and AI underwriting-assist tools that rarely pass formal IT review before adoption.
- SaaS per employee: 25–40 apps/employee, concentrated in industry-specific platforms
- Key regulatory pressure: NAIC Model Data Security Law, state insurance department audits (NYDFS 23 NYCRR 500 being the toughest), GLBA safeguards, CCPA / CPRA, and EU AI Act for insurers operating in the EU.
- Shadow-AI angle: AI underwriting-assist and claim-triage tools touch some of the most sensitive PII a consumer has ever disclosed. Tenet surfaces these tools in the offboarding trail so the NYDFS examiner asking 'what AI was used, on whose data, by whom, until when' has an answer in minutes.
Executive summary
How does Tenet handle industry-specific platforms like Guidewire and Duck Creek?
Insurance at 500-5,000 employees operates under a state-regulator matrix unmatched by any other mid-market vertical. Every US state has an insurance department with exam authority over licensed carriers and MGAs, and the NAIC Model Data Security Law has been adopted in 20+ states by 2026 — each with its own amendments. NYDFS 23 NYCRR 500 is the toughest, and insurers licensed in New York effectively use NYDFS as the baseline standard. GLBA Safeguards Rule applies federally, and the growing cluster of state AI laws (Colorado SB 24-205 effective 2026, California AB 2930 pending, similar bills in NY, NJ, Illinois) add an AI-system audit dimension on top of the already-dense data-privacy stack.
Meanwhile, the underwriting, claims, and broker operations teams have adopted AI document-review, AI underwriting-assist, AI claim-triage, and AI fraud-detection tools in 2024-2026 at a pace that routinely outstrips IT's ability to catalog. Every new tool touches some of the most sensitive PII a consumer has ever disclosed — medical history, financial records, driving records, biometric claims evidence, detailed property data. Tenet is built for the regulatory density and the AI-tool proliferation together: the VP People + CISO + Compliance Officer + Chief Actuary co-buying committee shares one audit surface, and the NAIC / NYDFS / state-AI-law audit evidence is produced natively rather than reconstructed under exam pressure.
Representative stack
What is the right audit format for a state insurance department examination?
Tenet plugs into the stack most insurance companies at 500–5,000 employees already run. You don’t switch HRIS. You don’t switch IAM. Tenet becomes the orchestration layer between them and the long tail of SaaS and AI tools where the audit evidence used to disappear.
- Workday or Paylocity (HRIS)
- Okta (IAM)
- Duck Creek / Guidewire / Majesco
- Salesforce Financial Services Cloud
- Google Workspace / Microsoft 365
- Internal claim & underwriting AI tools
Use cases
How does Tenet orchestrate jurisdiction-licensing-based access for claims adjusters?
Underwriter offboarding with Guidewire + AI-assist revocation
When an underwriter departs a 1,500-employee insurance carrier, the revocation surface typically includes: Guidewire PolicyCenter and BillingCenter, Salesforce Financial Services Cloud, Workday HRIS, Okta IAM, an AI underwriting-assist tool, an AI document-review tool, email and secure messaging, actuarial tools, and the long tail of back-office SaaS. Tenet orchestrates revocation across all of them, in the NYDFS 500.16 evidence format and with the per-subject certificate. The NAIC Section 4/5 access-control evidence is populated automatically.
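The following is an added illustration of the offboarding pattern described above, written for this page and not Tenet's own code or API. It assumes a constructed revocation surface, stub connectors, and a hypothetical hash-chained trail format; the point it shows is that a connector that fails to revoke (here the AI document-review tool, which has no revocation API in this constructed scenario) stays visible in the trail as "pending" rather than disappearing, so the examiner's "until when" question still has an answer, and that any later edit to the trail breaks the chain.

```python
"""Added example: event-driven offboarding with a tamper-evident per-subject
trail. Connector names, event shape and sample data are constructed
assumptions for this illustration, not Tenet's connector list or format."""
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64

# Constructed revocation surface for a departing underwriter (assumption).
REVOCATION_SURFACE = [
    "guidewire_policycenter", "guidewire_billingcenter", "salesforce_fsc",
    "okta", "ai_underwriting_assist", "ai_document_review", "email",
]


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class SubjectTrail:
    """Hash-chained, append-only trail for one subject (hypothetical format)."""
    subject: str
    entries: list = field(default_factory=list)

    def append(self, system: str, status: str, at: str) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"subject": self.subject, "system": system,
                "status": status, "at": at, "prev": prev}
        entry = {**body, "hash": _digest(body)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; an edited or dropped entry breaks it."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def residual_access(self) -> list:
        """Systems whose latest recorded state is not 'revoked'."""
        latest = {}
        for e in self.entries:
            latest[e["system"]] = e["status"]
        return sorted(s for s, st in latest.items() if st != "revoked")


def offboard(subject: str, connectors: dict, at: str) -> SubjectTrail:
    """Revoke across every system on the surface. A failed or missing
    connector is recorded as 'pending', never silently dropped."""
    trail = SubjectTrail(subject)
    for system in REVOCATION_SURFACE:
        revoke = connectors.get(system)
        ok = bool(revoke and revoke(subject))
        trail.append(system, "revoked" if ok else "pending", at)
    return trail


def certificate(trail: SubjectTrail) -> dict:
    """Per-subject summary an examiner can read (hypothetical shape)."""
    return {"subject": trail.subject,
            "events": len(trail.entries),
            "head": trail.entries[-1]["hash"] if trail.entries else GENESIS,
            "chain_intact": trail.verify(),
            "open_access": trail.residual_access()}


# Constructed stub connectors: every revocation succeeds except the AI
# document-review tool, which has no revocation API in this scenario.
CONNECTORS = {s: (lambda subj: True) for s in REVOCATION_SURFACE}
CONNECTORS["ai_document_review"] = lambda subj: False

if __name__ == "__main__":
    t = offboard("u.underwriter@example.com", CONNECTORS, "2026-03-31T17:00:00Z")
    print(json.dumps(certificate(t), indent=2))
```

The `open_access` field of the certificate is the operationally useful part: it is the list a compliance owner chases until it is empty, and because each entry's hash covers the previous one, marking a pending system as revoked after the fact without re-running the connector is detectable with `verify()`.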
Claims adjuster lifecycle with per-jurisdiction access
Claims adjusters often have per-jurisdiction licensing constraints — a TX-licensed adjuster should not have access to FL claims. Tenet's policy engine enforces the per-jurisdiction access boundary, revokes when licensing expires, and maintains the jurisdictional audit trail for state insurance department exam readiness. The trail covers which adjusters had access to which jurisdictional claim sets, for how long, and by what licensing basis.
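To make the per-jurisdiction boundary concrete, here is an added example (written for this page, not Tenet's policy engine) of the rule the use case above and the licensing FAQ answer describe: a claim-set access decision keyed to an active license in the claim's state, a scheduled sweep that revokes grants whose license has lapsed, and an export filtered to one jurisdiction for an exam. Adjuster ids, dates and the entry layout are constructed assumptions.

```python
"""Added example: licensing-based jurisdiction access policy with a
jurisdiction-filtered audit export. Constructed for illustration; the
adjuster, license dates and record shape are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class License:
    state: str      # two-letter jurisdiction, e.g. "TX"
    expires: date   # last day the license is valid


class JurisdictionPolicy:
    """Adjuster claim access is allowed only on an unexpired license in the
    claim's state; every decision is written to the trail with its basis."""

    def __init__(self):
        self.licenses = {}   # adjuster -> list[License]
        self.grants = set()  # (adjuster, state) pairs currently open
        self.trail = []      # list of decision records

    def register(self, adjuster: str, licenses: list) -> None:
        self.licenses[adjuster] = list(licenses)

    def _license(self, adjuster: str, state: str):
        return next((l for l in self.licenses.get(adjuster, [])
                     if l.state == state), None)

    def _record(self, adjuster, state, action, basis, today: date) -> None:
        self.trail.append({"adjuster": adjuster, "jurisdiction": state,
                           "action": action, "basis": basis,
                           "date": today.isoformat()})

    def request(self, adjuster: str, claim_state: str, today: date) -> bool:
        """Evaluate access to a state's claim set on a given day."""
        lic = self._license(adjuster, claim_state)
        if lic is None:
            self._record(adjuster, claim_state, "deny",
                         f"no {claim_state} license on file", today)
            return False
        if lic.expires < today:
            self._record(adjuster, claim_state, "deny",
                         f"{claim_state} license expired {lic.expires}", today)
            return False
        self.grants.add((adjuster, claim_state))
        self._record(adjuster, claim_state, "grant",
                     f"{claim_state} license active until {lic.expires}", today)
        return True

    def sweep(self, today: date) -> list:
        """Scheduled job: revoke every open grant whose license has lapsed."""
        revoked = []
        for adjuster, state in sorted(self.grants):
            lic = self._license(adjuster, state)
            if lic is None or lic.expires < today:
                self.grants.discard((adjuster, state))
                basis = (f"{state} license expired {lic.expires}" if lic
                         else f"{state} license removed")
                self._record(adjuster, state, "revoke", basis, today)
                revoked.append((adjuster, state))
        return revoked

    def export(self, state: str) -> list:
        """Exam-ready slice: only this jurisdiction's access history."""
        return [e for e in self.trail if e["jurisdiction"] == state]


if __name__ == "__main__":
    # Constructed adjuster: TX license through year end, FL license lapsing
    # at the end of March.
    p = JurisdictionPolicy()
    p.register("adj-17", [License("TX", date(2026, 12, 31)),
                          License("FL", date(2026, 3, 31))])
    p.request("adj-17", "FL", date(2026, 2, 1))
    p.sweep(date(2026, 4, 15))
    for entry in p.export("FL"):
        print(entry)
```

Two design points matter here. The deny path is recorded with the same care as the grant path, because "who was refused and why" is part of what an examiner reads; and revocation is driven by a sweep against license expiry rather than by waiting for the next access request, so a grant does not quietly outlive its licensing basis between requests.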
AI underwriting-assist tool BAA / DPA inventory for NYDFS exam
NYDFS examiners in 2025-2026 have pushed on AI-tool usage in underwriting and claims — asking 'what AI tools are in use, on what data, by whom, with what data-protection posture.' Tenet's shadow-AI registry produces the standing inventory. For each AI tool, the BAA or DPA status, data-residency posture, retention policy, and per-employee usage are logged. The exam response is an export rather than a pre-exam scramble.
State insurance department market conduct exam preparation
Market conduct exams (tri-annual for most carriers) typically include a former-employee access-trail request as part of operations review. Tenet produces the per-subject trail for each terminated underwriter, adjuster, or broker operations employee in the exam period. The cross-state exam coordination — a carrier licensed in 50 states may have 8-15 concurrent exams — benefits from one consolidated data source rather than state-by-state reconstruction.
GLBA Safeguards Rule 314.4(a) access-control evidence
The GLBA Safeguards Rule (as amended 2021-2023) requires financial institutions including insurers to implement an information security program. Section 314.4(a) requires access-control policy with evidence of implementation. Tenet's event-driven audit produces the 314.4(a) evidence natively, with per-subject access-control chain of custody. The annual Safeguards Rule report to the board is supported by Tenet-generated dashboards and per-employee audit extracts.
Colorado SB 24-205 AI system impact assessment
Colorado's 2024 AI law (effective 2026) requires high-risk AI system operators to conduct impact assessments. For insurers using AI in underwriting or claims (both classified as high-risk), the impact assessment requires documentation of the AI systems in use, the decision logic, human oversight, and subject outcomes. Tenet's Article 26-compatible operator record schema populates the Colorado SB 24-205 impact assessment natively. Colorado-licensed insurers meet the impact-assessment obligation with the Tenet-generated artifact.
Implementation playbook
What does Colorado SB 24-205 require from insurers using AI in underwriting?
Most insurance deployments complete the 4-phase playbook in 28 days. Accelerated deployments (14-21 days) are available for teams with pre-approved service accounts and existing Okta / HRIS investments.
Phase 1 · Week 1 · Connect
Activities: Service accounts for Workday or Paylocity HRIS, Okta IAM, Guidewire PolicyCenter and ClaimCenter, Duck Creek, Majesco (as applicable), Salesforce FSC, AI underwriting-assist / claim-triage tools, and back-office SaaS. CISO + Compliance + Chief Actuary approve scopes. NAIC covered entity confirms exam-data-handling compliance in Tenet's audit pipeline.
Artifacts produced: Integration scope matrix · NAIC exam readiness baseline · AI-tool initial inventory
Phase 2 · Week 2 · Baseline
Activities: Baseline audit: orphan accounts, residual access on departed underwriters, adjusters, brokers; shadow-AI tools; state-licensing boundary violations. Orphan cleanup and jurisdiction-boundary corrections in dry-run, then committed with compliance approval.
Artifacts produced: Baseline audit · Jurisdictional-boundary report · Orphan cleanup receipt
Phase 3 · Week 3 · Activate
Activities: Underwriter, adjuster, broker termination automation live. Jurisdiction-boundary policy enforcement live. Scheduled access reviews prepared for next state insurance department exam cycle. Shadow-AI monitoring to CISO + Compliance queue.
Artifacts produced: Live termination automation · Jurisdiction enforcement receipt · Scheduled review preview
Phase 4 · Week 4 · Audit-ready
Activities: First NAIC Section 4/5 evidence packet generated. First NYDFS 500.16 evidence packet. First Colorado SB 24-205 impact assessment artifact on a high-risk AI system. Compliance Officer presents audit readiness to Chief Risk Officer and CEO.
Artifacts produced: NAIC evidence packet · NYDFS 500.16 packet · Colorado impact assessment · Leadership briefing
Regulatory deep dive
How does Tenet produce NAIC Model Data Security Law Section 4 and 5 evidence natively?
Insurance at 500-5,000 employees operates under a nearly unique regulatory matrix where federal law, state insurance department authority, state privacy law, and state AI law converge. The NAIC Model Data Security Law (adopted in 20+ states including AL, CT, DE, IN, KY, LA, MI, MN, MS, NH, NY, ND, OH, RI, SC, TN, VA, WI, and others as of 2026) codifies Sections 4 (Information Security Program), 5 (Investigation of a Cybersecurity Event), 6 (Notification of a Cybersecurity Event), and 8 (Board Oversight). Section 4 requires access-control policies with evidence; Section 5 requires forensic evidence on cybersecurity events including former-employee access trails.
NYDFS 23 NYCRR 500 is the toughest state insurance / financial regulator standard, with the 2023 amendment (23 NYCRR 500.16) requiring board-level certification of compliance, incident response planning, and specifically former-employee access termination within a reasonable time. Insurers licensed in New York typically adopt NYDFS 500 as the baseline standard across all their licensure jurisdictions, which means NYDFS 500.16 becomes the de facto operational standard for carriers writing in NY.
GLBA Safeguards Rule (16 CFR 314, as amended 2021-2023) applies federally to insurers as financial institutions. Section 314.4(a) requires access-control policy with documented implementation. Section 314.4(c) requires encryption of customer information. Section 314.4(g) requires incident response planning. Tenet's event-driven audit maps to Sections 314.4(a), 314.4(g), and 314.4(j) (periodic risk assessment) evidence.
State privacy laws layer on top. California CCPA / CPRA, Virginia CDPA, Colorado privacy law, Connecticut CTDPA, Texas TDPSA, Oregon OCPA all require 45-day DSAR response on former employees. California's Department of Insurance has issued specific guidance on how CCPA / CPRA applies to insurance carriers.
On the AI side, Colorado SB 24-205 (effective 2026) is the first state to impose impact-assessment requirements on high-risk AI systems — and insurance underwriting and claims AI are explicitly high-risk. California AB 2930 (pending) would add similar requirements in California. Illinois, New York, New Jersey, and Washington have similar bills in active consideration. The NAIC Model Bulletin on Use of Artificial Intelligence Systems by Insurers (adopted 2023) sets expectations for AI system governance across all adopting states. Tenet's shadow-AI registry plus per-subject operator record schema produces the evidence these overlapping AI laws require.
For insurers operating in the EU (many US mid-market insurers with European reinsurance partnerships or European subsidiaries), the EU AI Act Article 26 applies directly. The operator record requirement for high-risk AI systems is compatible with the NAIC Model Bulletin expectations, and Tenet's Article 26 schema covers both.
Pricing context
What pricing looks like for insurance at buyer scale
At 1,500 employees in insurance, Tenet pricing typically lands at $54,000–75,000 per year for the full regulated-industry stack (lifecycle + shadow-AI AI-tool inventory + NAIC Section 4/5 evidence + NYDFS 500.16 + state-insurance exam support + Colorado SB 24-205 impact assessment). Competing enterprise IGA + GRC + AI-governance combinations typically run $300,000–600,000 per year at the same scale. Insurance compliance budgets typically absorb the Tenet ACV without escalation given the state-regulator exam readiness value. Professional services are minimal; Tenet self-deploys in 4–6 weeks for most carriers.
Frequently asked — Insurance
What insurance buyers ask before signing
- Is the Tenet audit format compatible with NAIC Model Data Security Law expectations?
- Yes — Tenet's event-driven audit exports include the access control review evidence, incident response indicators, and former-employee access cessation records that map to the NAIC Model Data Security Law §4 and §5, plus the specific NYDFS 23 NYCRR 500 §500.04 and §500.16 expectations for CISO oversight of former-employee access revocation.
- Does Tenet integrate with Guidewire PolicyCenter, ClaimCenter, and BillingCenter?
- Yes via the IAM federation layer (Okta) and via direct API where Guidewire's integration hub is available. Tenet logs access grants and revocations at the role level within Guidewire's role schema, producing evidence at the granularity state insurance department examiners typically ask for.
- How does Tenet handle the per-jurisdiction licensing constraints on claims adjusters?
- Tenet's policy engine enforces per-jurisdiction access boundaries based on the adjuster's active licenses. When a license expires in a state, Tenet revokes that jurisdiction's claim access automatically. The per-jurisdiction audit trail is exportable for state insurance department exams on demand.
- Can Tenet produce Colorado SB 24-205 impact-assessment artifacts?
- Yes. The Colorado SB 24-205 impact-assessment schema is compatible with Tenet's Article 26 operator record schema — both cover system identifier, decision logic, human oversight configuration, retention period, and subject outcomes. Colorado-licensed insurers meet the impact-assessment obligation with the Tenet-generated artifact.
- How does Tenet coordinate across multiple concurrent state insurance department exams?
- Tenet's per-subject audit is jurisdiction-aware — the export can be filtered to a specific state's data subjects, a specific state's terminated employees, or a specific state's claim access scope. For a carrier licensed in 50 states with 8-15 concurrent exams, one Tenet instance supports all exams from one data source rather than state-by-state reconstruction.
- Does Tenet support the NAIC Model Bulletin on AI systems?
- Yes. The NAIC Model Bulletin on Use of Artificial Intelligence Systems by Insurers sets expectations for AI governance — inventory, monitoring, bias mitigation, documentation of decisions. Tenet's shadow-AI registry plus Article 26 operator record schema meets the inventory and documentation expectations. Bias mitigation and fairness-specific evaluation remain on the AI vendor and actuarial function, but Tenet provides the governance-layer evidence.
- How is Tenet different from Stitchflow?
- Tenet is built for the 500–5,000 employee mid-market with shadow-AI discovery and state-privacy audit trails as first-class capabilities, priced for department-head purchase ($500–2,000/mo entry), while Stitchflow is moving upmarket with an IT-first UX and enterprise pricing. Both orchestrate SaaS lifecycle across HRIS and IAM, but Tenet's spine is the audit line — every provision, revocation, and shadow-AI tool detection produces a record a state-privacy regulator can read, and VP People + CISO share one view instead of Stitchflow's IT-centric console.
- What is the smallest company that actually needs Tenet?
- Roughly 100 employees with more than 20 SaaS apps per person, or any company where an employee departure triggers a manual checklist across more than 5 systems. Below that threshold, spreadsheets still scale. Above it, the probability of a 90-day-old ghost account rises sharply, and that single ghost account is the fact pattern every state-privacy and EU AI Act audit begins with.
- Does Tenet work with my HRIS — Rippling, BambooHR, Workday, or Gusto?
- Yes, Tenet reads lifecycle events from Rippling, BambooHR, Workday, and Gusto at launch, with ADP, Deel, Justworks, and UKG on the 2026 roadmap. Tenet is designed as the unbundled orchestration layer that sits above your HRIS — you do not switch HRIS to adopt Tenet, and Tenet never tries to replace payroll, benefits, or time tracking. HRIS stays your system of record for people; Tenet becomes your system of record for what those people can access.
- How does Tenet's shadow-AI audit trail satisfy EU AI Act and state privacy law requirements?
- Tenet records every shadow-AI tool discovered in employee workflows, every provisioning and revocation event, and every policy decision as an immutable audit entry in a format that exports to the evidence templates expected under EU AI Act (effective August 2026), ISO 42001, NIST AI RMF, and state privacy laws including CCPA-CT and CPRA. The audit format is citizen-request-ready — when a former employee exercises access or deletion rights, Tenet produces the per-subject trail in minutes instead of the week most orgs currently budget. Regulated customers can also export to their existing GRC tooling (Vanta, Drata, Secureframe) via webhook.
Early access
Keep the record before the audit asks.
Join the Tenet waitlist. We’ll share design-partner slots, benchmark reports, and the private beta with the first fifty mid-market buyers who sign up. No newsletter, no drip — we only email when there’s something concrete to show.