Home
/
Designing AI for Trust

Designing AI for Trust | Trust as an Architectural Property

Insights from Notch Team
May 28, 2026

"Trust the AI" is a phrase that should not appear in regulated insurance operations. Trust as a feeling is the failure mode the architecture exists to remove. The right system does not ask users, adjusters, or regulators to extend faith. It earns trust the way bridges do - by being demonstrably predictable, traceably correct, and recoverable when something fails.

Trustable AI is an architectural property. It is built, layer by layer, into the system that runs the agent. This piece walks the design principles that make agent behavior trustable under regulated conditions, what each audience actually needs from the architecture, and how to evaluate a vendor's trust posture without taking their word for it. As of 2026 those design principles are no longer aspirational - they are the architectural counterparts to specific regulatory provisions enforcing within months.

Trust is not a feeling, it's a property

When operations leaders say "I don't trust this AI," they are almost never talking about a feeling. They are pointing at a missing control. The model produced an output and the leader cannot tell whether the output was correct, whether the system would have caught it if it was wrong, whether the next identical case will produce the same output, and whether anyone will know if it did not.

Those are property questions. Predictability, traceability, validatability, recoverability. A system that answers them with evidence is a system the leader trusts. A system that answers them with confidence is a system the leader does not. The difference is the architecture, not the marketing.

Three pillars of trustable AI

Across deployments into regulated environments, trustable agent architecture rests on three load-bearing properties. Each is independently testable; none of them is optional.

Deterministic boundaries

The model decides language. The system decides actions. Anything that touches money, customer records, coverage commitments, or regulated information is gated by deterministic rules - rolling counters, per-transaction caps, verification requirements, tenant policy. The model can propose an action; the system enforces whether it can execute.

The reason this matters is failure mode containment. Models drift, hallucinate, get prompted adversarially. Deterministic boundaries are not subject to any of those. They are code that either runs or does not. A regulated system needs both: language fluency for the conversation, deterministic constraint for the consequence.

Traceable decisions

Every action the agent takes - and every action it attempted and was blocked from taking - lands in an audit log with the decision path attached. The retrieved knowledge that informed the answer. The judge agent that approved or declined the response. The deterministic layer that allowed or blocked the action. The downstream system call and its response.

Traceability is what turns a model output from a black box into an inspectable decision. It is also the property a regulator asks about first. A vendor that cannot show you a real audit log on demand is selling marketing copy, not infrastructure.

Recoverable failures

Every failure mode the architecture catches needs a defined recovery path. Retry with different parameters. Escalate to a human with context. Hard-stop with an explanation to the user. Recovery is not an afterthought. It is the property that makes the system safe to deploy.

The absence of defined recovery is the signature of a system that has not been operated in production. Demos rarely fail; production always does. The vendor that can describe their recovery patterns by failure mode has been on the operating side. The vendor who cannot has not.

The regulatory map for each pillar

Each of the three pillars maps directly to a regulatory expectation already in force or enforcing within months. Trust as an architectural property is not abstract - regulators have named it, dated it, and assigned penalties to non-compliance.

  • Deterministic boundaries map to NAIC AI Systems Evaluation Tool Exhibit B (governance controls, risk mitigation processes) and EU AI Act Article 9 (risk management system throughout the AI lifecycle) and Article 15 (accuracy, robustness, and cybersecurity). The deterministic layer is the artifact regulators inspect when verifying that the carrier "ensures AI follows the rules," and the policy-as-code expression of compliance is what makes that verification cheap rather than forensic.
  • Traceable decisions map to NAIC Exhibit A (model inventory) and Exhibit C (high-risk model documentation, fairness analysis), EU AI Act Article 11 (technical documentation) and Article 12 (automatic record-keeping for high-risk AI systems), and GDPR Articles 13-15 (right of access and meaningful information about automated decisions). A traceable decision is the unit of measurement regulators use to assess the system.
  • Recoverable failures map to EU AI Act Article 14 (human oversight requirements for high-risk AI) and Article 73 (serious incident reporting to market surveillance authorities within 15 days), and to GDPR Article 22 (right to human review of solely automated decisions). Recovery is the regulatory artifact that proves the system caught the failure rather than escaped it.

Penalties under the EU AI Act reach €35 million or 7% of global annual turnover, whichever is higher. EIOPA's August 2025 Opinion expects AI governance to be embedded in the insurer's Own Risk and Solvency Assessment (ORSA), with board-level accountability and no path to delegating responsibility to a vendor. The trust pillars are not vendor marketing - they are the architectural counterparts to specific regulatory provisions, and the audit log is the evidence each provision was met.

Governed autonomy as the design principle

The shorthand for the architecture above is governed autonomy. The agent acts independently within a defined boundary; the boundary is configurable, auditable, and enforced by something other than the agent itself. "Governed" and "autonomous" are not in tension. They are co-dependent. Autonomy without governance is risk theater; governance without autonomy is workflow software with extra steps.

The design principle that follows: the agent is given more autonomy as the governance layers can verify more behavior. Trust accrues. A new workflow starts with tight boundaries and broad escalation. Over weeks of production data, the patterns that consistently resolve cleanly get more autonomy. The patterns that consistently route to humans stay routed. The governance layer learns alongside the agent.

This is the operational opposite of "trust the model." It is "let the model earn the boundary." Operationally that earned autonomy reaches 67-87% in Notch deployments, with the residual 13-33% routing to humans because the architecture - not the model - flagged the case for review.

What trust looks like to each audience

A trustable system serves three audiences with different definitions of trust. The architecture has to satisfy all three at once.

The policyholder

The policyholder trusts a system that resolves their issue without making them repeat themselves, gives them a real answer rather than a redirect, and tells them clearly when the answer requires a human. The trust signal is the resolution rate, not the technology. They do not care that an agent runs the workflow; they care that the workflow runs. Under EU AI Act Article 13 and GDPR Articles 13-15, that policyholder also has a legal right to a plain-language explanation of how AI was used in the decisions affecting them - and the right to request human re-review under GDPR Article 22.

The adjuster and ops manager

The adjuster trusts a system that hands them a clean file with the relevant context attached, escalates the right cases at the right time, and does not silently fail under their name. The trust signal is the quality of the escalation queue. A system that escalates everything is no help. A system that escalates the wrong things is a liability.

The regulator and the compliance officer

The regulator trusts a system that produces an audit trail dense enough to reconstruct any decision after the fact, including the ones the agent did not make. The trust signal is the completeness of the log. Not just what happened. What was attempted, what was blocked, what was escalated, and why. Under EIOPA's August 2025 Opinion this expectation reaches into the boardroom - AI governance must be embedded in the insurer's Own Risk and Solvency Assessment (ORSA), with named senior accountability. A trustable system makes that board-level reporting a query against the audit log, not a separate construction project. NAIC's Third-Party Data and Models Task Force (formed 2024) extends the same expectation to vendor AI: outsourcing the model does not outsource the audit trail.

A system that satisfies one audience and not the others is not trustable. It is partially designed.

The five guardrail layers as trust scaffolding

The architecture that delivers the properties above sits in five independent layers. Each catches a different class of failure. None of them is the last line of defense; together, they are.

  • Layer A - LLM-as-judge: a separate model evaluates the conversation against pre-made and tenant-specific policy boundaries. Catches drift, frustration, stuck loops, and knowledge gaps before they reach the user. Operationally satisfies EU AI Act Article 14 (human oversight precursor) and EIOPA's explainability expectation.
  • Layer B - Technical defenses: built into architecture. Catches prompt injection, instruction smuggling, tool abuse - the failures that exploit the model rather than misuse it. Operationally satisfies EU AI Act Article 15 (cybersecurity) and DORA ICT third-party risk management.
  • Layer C - Deterministic access limits: answers "is this user allowed to see or do this, given what we know about them?" Driven by authentication, verification, ownership, channel, region - not model judgment. Operationally satisfies GDPR Article 22 and the consumer rights frameworks in CCPA, CPRA, the Colorado Privacy Act, and the Connecticut Data Privacy Act.
  • Layer D - Deterministic business limits: answers "even if the user is allowed, is the system allowed to do this right now?" Per-transaction caps, rolling counters, threshold-based approval requirements. Operationally satisfies EU AI Act Article 9 (risk management) and NAIC Exhibit B (governance controls).
  • Layer E - Deterministic geo and jurisdiction limits: answers "what is allowed in this user's jurisdiction?" State DOI rules, GDPR, FCA, cross-border data restrictions - applied as code, not as model discretion. Operationally satisfies state-specific frameworks including Colorado Regulation 10-1-1, Colorado SB21-169, California DOI Bulletin 2022-5, and the New York Proposed Insurance Circular Letter.

The layers are independent. A failure that bypasses one is caught by another. The architecture's defining property is that every consequential action passes through deterministic checks before it executes. The model can be wrong about language. The system cannot be wrong about whether an action was permitted.

A specific scenario: high-risk action under trust scaffolding

A verified policyholder requests a same-day refund of a premium overpayment. The agent confirms the request, retrieves the account, and reads the refund amount. Layer A confirms the conversation is on a sanctioned path (refund flow, not unrelated drift). Layer C confirms the user is verified to the level required for financial actions. Layer D checks the amount against the per-transaction cap, the rolling daily counter, and the segment policy. Layer E confirms the user's jurisdiction allows the refund flow without additional disclosure requirements.

If all five clear, the action executes. If any one declines, the action is blocked, the user receives an appropriate response, and the audit log captures which layer fired and why. The agent does not retry the same action through a different path. The boundary holds.

That is trust as an architectural property. The customer trusted that the right thing happened. The compliance officer trusted that the audit trail captured every check. The adjuster trusted that escalation came their way only when the deterministic layers could not complete the action. None of them had to take anything on faith.

How to evaluate vendor trust architecture

The diligence questions that separate trust theater from trust architecture:

  • Show me a real audit log entry for a blocked action. Not a slide deck. The actual log line, with the layer name and the decision reason.
  • Walk me through the recovery path for each named failure mode. If the answer is "the model retries," that is not a recovery path. It is a retry loop.
  • Demonstrate the deterministic layers independently. Each layer should be configurable, testable, and bypassable only with explicit override and full logging.
  • Show me an action you blocked that the model wanted to take. The most informative artifact in any vendor evaluation. If they cannot produce one, the deterministic layers are not load-bearing.
  • What happens when a Layer A judge agent disagrees with the primary model? A trustable architecture has a defined precedence. An untrustable one has a tie-break that defaults to the primary model.
  • Show me the configuration in effect at the time of a specific past decision. EU AI Act Article 12 requires the configuration to be reconstructible. A vendor that cannot answer this has a logging gap that compromises the entire audit trail.
  • How do you support a NAIC Exhibit A inventory export and an EU AI Act Article 11 technical documentation pack? The work the carrier has to produce for either framework should be exportable directly from the platform, not assembled in parallel through a separate IT and legal effort. NAIC carriers in the 11 pilot states are already being asked.

FAQ

How is trust different from explainability?

Explainability is one input to trust. The full property includes predictability (will the system do the same thing in the same situation?), recoverability (what happens when it does not?), and accountability (can we reconstruct the decision after the fact?). Explainability alone is necessary but not sufficient - and under EIOPA's 2025 Opinion it is now the regulatory minimum, with black-box models facing heightened scrutiny.

Doesn't governed autonomy reduce the value of AI?

Not in regulated contexts. The value of AI in insurance ops is not unbounded autonomy; it is the ability to run high-volume workflows under controlled conditions. Governed autonomy is what makes the system deployable at all. Ungoverned agents do not get past evaluation. The economic data is consistent: deployments under layered governance achieve 67-87% autonomous resolution with 70% cost reduction and 92% faster resolution times - the unconstrained alternative does not get deployed.

How long does trust take to build with a new vendor?

The architecture either supports trust or it does not - that part is up front. The empirical trust, built from production data, accrues over the first 3-6 weeks of deployment, the same window as the typical Notch production rollout. By the end of that window, the audit log carries enough density to support real evaluation and the carrier has the artifacts NAIC Exhibits A through D will require.

What if the model itself becomes more capable?

Trust architecture is model-agnostic by design. Each LLM module supports model swapping across Amazon Bedrock, Google Vertex, Azure Foundry, and OpenAI. The deterministic layers do not move when the underlying model changes. That stability is itself part of the trust property, and it is the carrier's hedge against the EU AI Act Article 17 quality management requirement that the system remain compliant across the model's lifecycle.

If you are evaluating AI architecture for regulated workflows, book a demo. We can walk the deterministic layers, the audit log, and the NAIC and EU AI Act exports together, on real production traffic.

The AI Engine Behind
Regulated Operations

Book a Demo