Solvency II was built for a world of spreadsheets, actuarial tables, and models that, however complex, behaved predictably. You fed in assumptions. You got out numbers. You could trace every figure back to its source, explain every result to a regulator, and stress-test every scenario with reasonable confidence that the model would behave tomorrow as it did today.
Artificial intelligence does not work like that. And that gap, between what Solvency II was designed to govern and what AI actually does, is now one of the most pressing, and most overlooked, risk management challenges facing insurers in the UK and across Europe.
What Solvency II Actually Covers
Solvency II is a sophisticated piece of regulation. Its three-pillar structure (quantitative requirements, governance and risk management, and disclosure) covers a vast territory. Article 41 on the system of governance, the ORSA process, model validation requirements, and the prudent person principle have all been adapted over the years to accommodate changing business conditions. But the framework was designed around deterministic logic.
When Solvency II talks about internal models, it assumes you can explain how the model works, validate its outputs against known benchmarks, and demonstrate that it behaves consistently within defined parameters. Regulators expect a clear audit trail. They expect human oversight to be meaningful, not nominal. AI, particularly machine learning and generative AI, disrupts every one of those assumptions.
The Four Gaps Solvency II Cannot Bridge
1. The Explainability Problem
A gradient boosting model that prices motor insurance or a neural network that flags claims for fraud may well outperform any traditional actuarial model on accuracy. But ask it *why* it produced a specific output and you will not get a clean answer. The model has learned patterns across millions of data points in ways that cannot be reduced to a formula or a decision tree. Solvency II requires that you understand your models.
The prudent person principle assumes that the person making decisions is, in fact, in a position to exercise prudent judgement. If your underwriters, risk officers, or board cannot meaningfully interrogate the outputs of an AI system, that requirement is met on paper but not in substance. The OECD has flagged this “black box” problem as a core weakness in financial AI governance, and it sits squarely outside anything Solvency II’s model validation requirements were designed to address.
2. Model Drift and Lifecycle Blind Spots
Traditional actuarial models are relatively static. They are updated periodically, validated against historical data, and reviewed on a defined cycle. AI models, by contrast, can and do change their behaviour over time, not because anyone has changed the code, but because the data they encounter shifts. This is known as model drift, and it is particularly dangerous in insurance.
An AI system trained on pre-pandemic claims patterns, pre-inflation pricing data, or pre-climate-change catastrophe distributions may produce outputs today that look plausible but are systematically wrong. Solvency II’s model governance requirements do not contemplate continuous monitoring for drift, nor do they require the kind of real-time performance tracking that AI systems demand. The regulatory lifecycle framework simply was not built for models that can degrade invisibly between validation cycles.
3. Third-Party AI and the Outsourcing Illusion
Many insurers are not building AI in-house. They are buying it from insurtech vendors, embedding it via APIs from major technology providers, or licensing underwriting tools that use AI under the hood. Solvency II’s outsourcing requirements under Article 49 require that material outsourced functions remain subject to appropriate oversight. But in practice, the opacity of commercial AI systems makes this extraordinarily difficult.
You may be able to audit the contractual terms. You may receive model performance summaries. But if you cannot access the model architecture, the training data, or the validation methodology, your oversight is limited. The European Insurance and Occupational Pensions Authority (EIOPA)’s 2025 Opinion on AI Governance acknowledges this tension explicitly: the outsourcing rules apply, but they do not resolve the fundamental challenge of governing a system you cannot fully see inside.
4. The EU AI Act Sits in a Different Silo
The EU AI Act, which entered its enforcement phases from 2024 onwards, introduces a risk-based classification system for AI. High-risk AI applications in insurance, including systems used in credit scoring, life and health underwriting, and claims assessment, now carry obligations around data governance, human oversight, technical documentation, and conformity assessment.
These obligations do not map neatly onto Solvency II’s structure. They are not coordinated with ORSA cycles. They do not align with SCR calculations or internal model approval processes. Insurers operating across both regulatory regimes face a genuine governance gap: two sets of rules, each incomplete on its own, with no clear framework for how they interact. EIOPA has flagged that its AI governance opinion is designed to sit on top of Solvency II, but it explicitly excludes certain high-risk AI Act systems, leaving a regulatory no-man’s-land in between.
What Regulators Are Saying
EIOPA’s 2025 Opinion on AI Governance is the clearest signal yet that supervisors know the current framework is insufficient. The Opinion calls for proportionate but meaningful AI governance layered on top of existing Solvency II obligations. It stresses the importance of data quality, human oversight, and accountability structures for AI systems. It acknowledges that third-party AI creates outsourcing risks that the existing framework does not fully address.
But the Opinion is advisory, not binding. It provides direction without providing answers. And it explicitly does not cover every AI application that insurers are now deploying. Insurance Europe’s response to the consultation noted the risk of over-regulating through ill-fitting frameworks, a concern that highlights just how uncertain the regulatory landscape remains.
What is clear is this: supervisors are looking at AI governance. And when they look at yours, the question they will ask is not whether you have complied with Solvency II. They will ask whether you have genuinely understood and managed the risks that your AI systems create. Those are different questions.
The Practical Implications for Your Business
If you are using AI in underwriting, claims, reserving, customer-facing decisions, or fraud detection, you almost certainly have a governance gap. Not because your Solvency II compliance is poor, but because Solvency II was not designed for the problem you now face.
Closing that gap requires more than adding a line to your ORSA or bolting an AI policy onto your model governance framework.
It requires a systematic review of which AI systems you are using and how they are classified under the EU AI Act, how each system is validated and monitored for drift, what your third-party AI vendors are actually doing inside their models, whether your board and senior management can exercise meaningful oversight, and how your AI governance maps across to DORA obligations if you are also subject to those requirements.
This is not a theoretical exercise. Firms that get this wrong face regulatory scrutiny, reputational damage, and, in the context of high-risk AI Act applications, direct legal liability.
Time to Get Ahead of This
The insurers who will navigate this well are not the ones waiting for a binding regulatory standard to tell them exactly what to do. They are the ones who are already conducting AI risk assessments, building layered governance frameworks, and asking hard questions of their technology vendors.
If you are uncertain whether your current Solvency II framework is adequate to cover your AI exposures, or if you suspect it is not but you are not sure where the gaps are, that uncertainty is worth addressing now, before a regulator asks the same question.
We work with insurers and reinsurers to identify and close the governance gaps that standard regulatory frameworks do not cover.
If the issues raised in this article resonate with challenges you are facing, whether that is AI model validation, EU AI Act compliance, ORSA integration, or third-party AI oversight, we would welcome the opportunity to talk.
Get in touch today at contact@rtivara-advisory.com for a no-obligation conversation about where your AI governance framework stands and what practical steps would make the greatest difference.
We advise. You decide.
The information in this article is provided for general informational purposes only and does not constitute legal or regulatory advice. Regulatory requirements may vary by jurisdiction and firm-specific circumstances.
