AI Agents for insurance: How to Automate KYC verification (single-agent with LangGraph)
Insurance KYC verification is still too manual in most carriers, MGAs, and brokers. Underwriters and operations teams spend hours checking identity documents, beneficial ownership records, sanctions lists, and policyholder data across fragmented systems, which slows onboarding and creates avoidable compliance risk.
A single-agent setup with LangGraph is a good fit when the workflow is mostly deterministic but still needs judgment at a few decision points. You get one orchestrated agent that can read documents, call verification tools, apply policy rules, and route edge cases to humans without turning the whole process into a brittle RPA script.
The Business Case
- Cut onboarding time from 2-5 days to 15-45 minutes for standard commercial accounts.
  - In insurance, KYC often blocks policy issuance, broker activation, or claims-related account setup.
  - A well-scoped agent can automate document intake, data extraction, sanctions screening, and rule-based checks for low-risk cases.
- Reduce manual review load by 40-70%.
  - Most KYC files are repetitive: certificate of incorporation, tax ID, proof of address, directors list, UBO declarations.
  - The agent handles the first pass; compliance analysts only review exceptions such as mismatched names, missing ownership chains, or high-risk jurisdictions.
- Lower rework and exception errors by 20-35%.
  - Human reviewers miss transposed registration numbers, outdated addresses, and inconsistent entity names across source documents.
  - A structured agent workflow catches these before the file reaches compliance or underwriting.
- Improve audit readiness and reduce control failures.
  - Every decision point can be logged: extracted fields, tool calls, confidence scores, policy checks, human overrides.
  - That matters for SOC 2 evidence collection and internal model risk reviews.
Architecture
A production KYC agent for insurance should be small enough to control and explicit enough to audit. Single-agent does not mean single-function; it means one orchestrator owns the workflow end-to-end.
1. Intake and document processing layer
   - Use OCR and document parsing for passports, incorporation certificates, proof-of-address letters, W-9/W-8 forms, broker mandates, and UBO declarations.
   - Common stack:
     - LangChain for document loaders and extraction chains
     - AWS Textract / Azure Document Intelligence / Google Document AI for OCR
     - Pydantic schemas for normalized outputs, so every downstream step sees typed, validated fields rather than raw model text
2. Agent orchestration layer
   - Use LangGraph to define the state machine: intake → extract → verify → enrich → decide → escalate.
   - The agent should call tools deterministically:
     - sanctions/PEP screening
     - company registry lookup
     - address validation
     - beneficial ownership resolution
     - policy rules engine
   - Keep the LLM out of final approval logic. It should summarize evidence and classify exceptions; the approve/escalate decision comes from explicit rules over tool results. The documents the model reads are untrusted input, so nothing it produces should be able to approve a file on its own.
3. Retrieval and policy memory layer
   - Store internal KYC policies, underwriting thresholds, jurisdiction rules, and prior case notes in pgvector.
   - This helps the agent retrieve the right control language for a UK SME binder versus a US surplus lines submission.
   - Pair vector retrieval with hard-coded rule checks so regulatory logic is not "remembered" from prompts.
4. Audit and case management layer
   - Persist every step in Postgres as an append-only event log: the agent's database role gets INSERT only, no UPDATE or DELETE, so an event cannot be altered after it is written.
   - Push exceptions into ServiceNow, Salesforce Financial Services Cloud, or your existing case management system.
   - Add observability with OpenTelemetry so compliance can trace why a file was escalated.
| Layer | Example Tools | Why It Matters |
|---|---|---|
| OCR / parsing | Textract, Document AI | Extracts identity and entity data from messy PDFs |
| Orchestration | LangGraph | Controls branching logic and human escalation |
| Retrieval | pgvector + Postgres | Stores KYC policies and jurisdiction-specific guidance |
| Audit / workflow | Postgres + ServiceNow + OpenTelemetry | Supports traceability and operational controls |
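The decide/escalate part of the graph above, together with the event log the audit layer calls for, as an added example (not code from the article, Topiax, or LangGraph). It assumes hypothetical field names, a made-up high-risk jurisdiction set and confidence floor, and two constructed cases. `StateGraph`, `START` and `END` are the real LangGraph imports; the small stand-in class used only when `langgraph` is not installed is mine, not LangGraph's. The approve/escalate decision is a plain function over tool results, with no model call in it, and each audit event hashes the previous one so a later edit to a stored row is detectable.

```python
# Added example, not the article's or LangGraph's code; names, thresholds and cases are made up.
# The stand-in StateGraph below (mine, not LangGraph's) is only used when langgraph is not installed.
import hashlib
import json
from typing import TypedDict

try:
    from langgraph.graph import END, START, StateGraph
except ImportError:  # minimal stand-in with the same surface, so the example runs offline
    START, END = "__start__", "__end__"
    class StateGraph:
        def __init__(self, _schema): self.nodes, self.edges, self.branches = {}, {}, {}
        def add_node(self, name, fn): self.nodes[name] = fn
        def add_edge(self, src, dst): self.edges[src] = dst
        def add_conditional_edges(self, src, router, path_map): self.branches[src] = (router, path_map)
        def compile(self): return self
        def invoke(self, state):
            state, node = dict(state), self.edges[START]
            while node != END:
                state.update(self.nodes[node](state))  # nodes return partial updates, as in LangGraph
                router, path_map = self.branches.get(node, (None, None))
                node = path_map[router(state)] if router else self.edges[node]
            return state

HIGH_RISK_JURISDICTIONS = {"IR", "KP", "SY"}  # assumption: source the real list from your policy engine
MIN_CONFIDENCE = 0.90                          # assumption: extraction floor for auto-approval

class KYCState(TypedDict, total=False):
    case_id: str
    fields: dict             # {name: {"value": ..., "confidence": float}} from the extract step
    registry_name: str       # legal name returned by the company-registry tool
    sanctions_hit: bool      # result of the sanctions/PEP screening tool
    ubo_chain_complete: bool
    decision: str
    reasons: list
    audit: list

def append_event(audit: list, step: str, payload: dict) -> list:
    """Each event's hash covers the previous hash, so editing or deleting an event breaks the chain."""
    prev = audit[-1]["hash"] if audit else "0" * 64
    body = json.dumps({"step": step, "payload": payload, "prev": prev}, sort_keys=True)
    return audit + [{"step": step, "payload": payload, "prev": prev,
                     "hash": hashlib.sha256(body.encode()).hexdigest()}]

def verify_chain(audit: list) -> bool:
    """Recompute every hash from the first event; any altered row makes this return False."""
    prev = "0" * 64
    for ev in audit:
        body = json.dumps({"step": ev["step"], "payload": ev["payload"], "prev": prev}, sort_keys=True)
        if ev["prev"] != prev or hashlib.sha256(body.encode()).hexdigest() != ev["hash"]:
            return False
        prev = ev["hash"]
    return True

def normalize_name(name: str) -> str:
    # case, punctuation and spacing are not mismatches; spelling differences are
    return " ".join(name.upper().replace(".", "").replace(",", "").split())

def decide(state: KYCState) -> dict:
    """Hard-coded approval rules. No LLM call here; the model only summarises evidence for analysts."""
    f, reasons = state["fields"], []
    if state["sanctions_hit"]:
        reasons.append("sanctions_or_pep_hit")
    if not state["ubo_chain_complete"]:
        reasons.append("missing_ubo_documentation")
    if f["jurisdiction"]["value"] in HIGH_RISK_JURISDICTIONS:
        reasons.append("restricted_jurisdiction")
    if normalize_name(f["legal_name"]["value"]) != normalize_name(state["registry_name"]):
        reasons.append("legal_name_mismatch_vs_registry")
    low = sorted(k for k, v in f.items() if v["confidence"] < MIN_CONFIDENCE)
    if low:
        reasons.append("low_confidence_extraction:" + ",".join(low))
    decision = "escalate" if reasons else "approve"
    return {"decision": decision, "reasons": reasons,
            "audit": append_event(state["audit"], "decide", {"decision": decision, "reasons": reasons})}

def escalate(state: KYCState) -> dict:
    return {"audit": append_event(state["audit"], "escalate", {"queue": "compliance_review"})}

def build_graph():
    g = StateGraph(KYCState)
    g.add_node("decide", decide)
    g.add_node("escalate", escalate)
    g.add_edge(START, "decide")
    g.add_conditional_edges("decide", lambda s: s["decision"], {"approve": END, "escalate": "escalate"})
    g.add_edge("escalate", END)
    return g.compile()

def run_case(case: dict) -> KYCState:
    start = {**case, "audit": append_event([], "intake", {"case_id": case["case_id"]})}
    return build_graph().invoke(start)

# Constructed sample cases (not real entities).
CLEAN_CASE = {"case_id": "KYC-0001", "registry_name": "Acme Underwriting Ltd.", "sanctions_hit": False,
              "ubo_chain_complete": True, "fields": {"jurisdiction": {"value": "GB", "confidence": 0.99},
              "legal_name": {"value": "ACME UNDERWRITING LTD", "confidence": 0.98}}}
RISKY_CASE = {"case_id": "KYC-0002", "registry_name": "Acme Underwriting Ltd.", "sanctions_hit": False,
              "ubo_chain_complete": False, "fields": {"jurisdiction": {"value": "GB", "confidence": 0.99},
              "legal_name": {"value": "Acme Underwrting Ltd", "confidence": 0.71}}}
```

`run_case(RISKY_CASE)` returns a state whose `reasons` list names every rule that fired (missing UBO chain, a misspelled legal name that does not match the registry, and a low-confidence extraction), which is what lands in the analyst's ticket; `run_case(CLEAN_CASE)` approves because the name differs from the registry only in case and punctuation. `verify_chain` is the check a compliance reviewer or a nightly job runs over the stored events. The last event's hash should also be copied somewhere the agent's database role cannot write, otherwise anyone with UPDATE on the table can rewrite the whole chain consistently.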
What Can Go Wrong
- Regulatory risk: wrong decisioning under KYC/AML obligations
  - Insurance firms still need to meet AML/KYC expectations where applicable, especially for commercial lines, cross-border business, premium finance flows, and certain life products.
  - If you operate in the EU or UK, GDPR expectations around data minimization and purpose limitation matter as well.
  - Mitigation:
    - Keep approval rules deterministic
    - Require human review for high-risk countries, complex ownership structures, PEP hits, or low-confidence extractions
    - Maintain full decision logs for audit
- Reputation risk: false positives frustrate brokers and clients
  - If the agent flags too many clean submissions as suspicious or incomplete, distribution teams will stop trusting it.
  - That hurts broker relationships faster than a slow manual queue does.
  - Mitigation:
    - Start with narrow use cases such as standard SME onboarding
    - Tune thresholds against historical cases
    - Measure precision on exception detection before expanding scope
- Operational risk: bad data propagates into downstream systems
  - A wrong legal entity name can break policy issuance, billing setup, claims correspondence, or reinsurance reporting.
  - In insurance operations that becomes a chain reaction across underwriting admin and finance.
  - Mitigation:
    - Validate against authoritative sources where possible
    - Use schema enforcement before writing to core systems
    - Never let the agent directly overwrite source-of-truth fields without confirmation
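The write gate behind the operational-risk mitigations above, as an added example (not the article's code). It assumes a hypothetical three-field core record, a registry-number format, and that your case-management tool records an analyst's confirmation for a specific (case, field, old, new) change; the records are constructed. Schema problems reject the write outright; a change to a populated source-of-truth field is refused until that exact diff has been confirmed, while creating a record needs no confirmation.

```python
# Added example, not the article's code. The record shape, the registry-number
# format and the confirmation mechanism are assumptions; the records are constructed.
import re
from dataclasses import asdict, dataclass

REG_NUMBER = re.compile(r"[A-Z0-9]{6,12}")  # assumption: format of your company registry's numbers

@dataclass(frozen=True)
class EntityRecord:
    legal_name: str
    registration_number: str
    address: str

    def validate(self) -> list:
        """Return schema problems; an empty list means the record may be written to the core system."""
        problems = []
        if not self.legal_name.strip() or len(self.legal_name) > 200:
            problems.append("legal_name: empty or longer than 200 characters")
        if not REG_NUMBER.fullmatch(self.registration_number):
            problems.append("registration_number: does not match the registry format")
        if not self.address.strip():
            problems.append("address: empty")
        return problems

class WriteRejected(Exception):
    """Raised instead of writing; the agent should escalate, never retry with a different payload."""

class CoreSystemGate:
    """The only path from the agent to the policy-admin record.

    Creating a record or filling an empty field needs no approval. Changing a
    populated source-of-truth field requires an analyst confirmation for that
    exact (case, field, old, new) diff, issued out of band by case management.
    """
    def __init__(self):
        self.records = {}           # simulated core system, keyed by case id
        self.confirmations = set()  # (case_id, field, old, new) tuples approved by an analyst

    def confirm(self, case_id: str, field: str, old: str, new: str) -> None:
        self.confirmations.add((case_id, field, old, new))

    def overwrites(self, case_id: str, new: EntityRecord) -> dict:
        """Populated fields whose value would change: {field: (old, new)}."""
        old = self.records.get(case_id)
        if old is None:
            return {}
        return {k: (getattr(old, k), v) for k, v in asdict(new).items()
                if getattr(old, k) and getattr(old, k) != v}

    def write(self, case_id: str, new: EntityRecord) -> dict:
        problems = new.validate()
        if problems:
            raise WriteRejected("schema: " + "; ".join(problems))
        changes = self.overwrites(case_id, new)
        unconfirmed = sorted(k for k, (o, n) in changes.items() if (case_id, k, o, n) not in self.confirmations)
        if unconfirmed:
            raise WriteRejected(f"unconfirmed overwrite of {unconfirmed}; escalate to an analyst")
        self.records[case_id] = new
        return {"written": True, "overwritten_fields": sorted(changes)}

def demo() -> dict:
    """Constructed walk-through: create, reject a bad schema, reject an unconfirmed rename, accept it once confirmed."""
    gate, outcomes = CoreSystemGate(), {}
    outcomes["create"] = gate.write("C-1", EntityRecord("Acme Underwriting Ltd", "GB12345678", "1 Lime St, London"))
    try:
        gate.write("C-2", EntityRecord("Acme Underwriting Ltd", "gb-123", "1 Lime St, London"))
    except WriteRejected as e:
        outcomes["bad_schema"] = str(e)
    renamed = EntityRecord("ACME Underwriting Limited", "GB12345678", "1 Lime St, London")
    try:
        gate.write("C-1", renamed)
    except WriteRejected as e:
        outcomes["unconfirmed"] = str(e)
    gate.confirm("C-1", "legal_name", "Acme Underwriting Ltd", "ACME Underwriting Limited")
    outcomes["confirmed"] = gate.write("C-1", renamed)
    return outcomes

if __name__ == "__main__":
    for step, result in demo().items():
        print(step, "->", result)
```

The confirmation is keyed on the old and new values, not just the field name, so an approval for one rename cannot be replayed to push a different value later. The gate is also where the agent's credentials should stop: give the agent's service account access to this gate and not to the core system's own write API.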
Getting Started
- Pick one narrow workflow
  - Start with new commercial policyholder onboarding for one line of business: SME property/casualty or specialty commercial packages work well.
  - Avoid complex multinational accounts in the first pilot.
  - Target a queue with at least 200 monthly cases so you have enough signal in 6-8 weeks.
- Build a controlled pilot team
  - Keep it small: one product owner from operations/compliance, one engineer familiar with LangGraph/LangChain, one data engineer, one security reviewer, one compliance analyst.
  - That is usually a 4-5 person squad for an initial pilot over 8-10 weeks.
- Define hard guardrails before any model work
  - Write explicit policies for escalation:
    - sanctions hits
    - missing UBO documentation
    - jurisdiction restrictions
    - mismatched legal names
    - unusual ownership chains
  - Map these rules to your existing KYC standard operating procedures so legal/compliance signs off early.
- Measure operational outcomes against baseline
  - Track:
    - average handling time
    - first-pass completion rate
    - escalation rate
    - false positive rate on exceptions
    - analyst override rate
  - Compare against your current manual process after the first month of live shadow mode. If you cannot show time saved without increasing compliance defects under the GDPR/SOC 2 controls relevant to your environment, do not expand scope yet.
A single-agent LangGraph design works when you want control more than novelty. For insurance KYC, that usually means faster onboarding, better auditability, and fewer compliance bottlenecks without handing critical decisions to an opaque black box.
Keep learning
- •The complete AI Agents Roadmap — my full 8-step breakdown
- •Free: The AI Agent Starter Kit — PDF checklist + starter code
- •Work with me — I build AI for banks and insurance companies
By Cyprian Aarons, AI Consultant at Topiax.