Field Note April 2026 · Updated July 13, 2026

The Three Lanes of Enterprise AI

A framework for classifying any AI workload by data sensitivity, decision consequence, and where the liability sits when the system is wrong. Built for senior operators who have been asked about the AI strategy and know a single-slide answer is not it.

Reading Time 23–27 minutes
Framework Open · Contained · Sovereign
Context Enterprise governance, insurance
Current As Of July 13, 2026
The Short Version

Enterprise AI strategy cannot fit on one slide. The work runs in three distinct lanes, each with different data, deployment, and liability profiles. Lane 1 (Open) is low-sensitivity work on organization-sanctioned team-tier tools with training disabled; consumer AI is excluded from work tasks entirely. Lane 2 (Contained) is internal work on private enterprise infrastructure where the organization owns the risk and every consequential output receives meaningful human review. Lane 3 (Sovereign) is regulated, high-liability work defined by its governance apparatus, because the organization must defend the decision externally; the hosting model is a design choice within that apparatus. Most organizations need all three. The build-versus-buy question has different answers in each lane. The carriers getting this right have done the lane mapping before committing to any vendor.

Who it is for

Senior leaders being asked "what is our AI strategy?" and looking for an answer sharper than a single-slide generality.

What you will have when you finish

A three-lane vocabulary for classifying any AI workload, a migration logic for how work moves between lanes, a build-versus-buy decision rule per lane, a review of what large carriers (American International Group, Allianz, Liberty Mutual, Travelers, Progressive) are actually doing, and a one-question test to apply before every AI session at your own desk.

Every executive I work with is being asked some version of the same question. What is our AI strategy? The question is usually asked by a board member, a chief executive officer, or a chief risk officer, and it is usually asked with an expectation that the answer will be a single, coherent thing. One platform. One vendor. One policy.

That expectation is the first problem. There is no such thing as an enterprise AI strategy that fits on one slide and covers everything from marketing copy to underwriting decisions. The work runs in different lanes, and each lane has different rules.

This field note lays out The Three Lanes of Enterprise AI, a framework for classifying any AI workload inside an organization. It is the mental model I hand executives when they are trying to sort signal from noise in their own companies. It is also the framework I use to interpret what regulators, vendors, and consultants are actually saying when they talk about AI governance.

The three lanes, at a glance

Every AI workload an enterprise runs belongs in one of three lanes. The lane is determined by two visible variables: how sensitive is the data, and how consequential is the decision. A third variable sits underneath both and determines why the lane matters: who bears the liability when the system is wrong. Data and consequence are how you see the lane. Liability is why the lane exists.

Three questions make the classification operational, and they map to the three variables: what data is in this workflow, who is affected if the output is wrong, and who the organization would have to defend the decision to. Answer those and the lane is usually obvious.

The Framework
Three lanes, three deployment realities
Lane 1 Open Public / Low-Liability
Data Public or low-sensitivity. Nothing the organization would not post.
Typical Use Drafts, research, meeting prep, translation, everyday productivity.
Deployment Organization-sanctioned team tiers with training disabled (Claude Teams and equivalents). Free consumer versions excluded from work.
Liability Organization sanctions the tool and owns the policy. The individual owns misuse.
Lane 2 Contained Internal / Controlled
Data Internal. Not for training someone else's foundation model.
Typical Use Internal analysis, customer drafts, financial work, internal Q&A.
Deployment Virtual private cloud (VPC). Azure OpenAI, Amazon Bedrock, Claude for Enterprise, Google Vertex.
Liability Organization. Human in the loop on consequential outputs.
Lane 3 Sovereign Regulated / High-Liability
Data Regulated data, protected health information (PHI), personally identifiable information (PII) at scale, proprietary intellectual property (IP), consequential decisions.
Typical Use Underwriting, claims, automated decisions, externally defensible output.
Deployment Defined by governance apparatus, not hosting. Self-hosted open-weight is one option; governed frontier deployments are another.
Liability External and enforceable. Regulator, board, customer, court.

Most organizations need all three. Very few recognize that they need all three, and fewer still have named the lanes in a way that lets the organization reason about them together.

The lanes apply to your own desk first

Before the framework becomes an organizational discussion, it is a personal discipline. Every executive using AI is the first governance surface in their organization. The decision about which AI to open, what to paste into it, and what to do with the output is being made hundreds of times a week by the individual at the keyboard, long before any policy, review, or deployment has been formalized. The person who has internalized the Three Lanes does not have a shadow AI problem, because their own work already follows the discipline they would want their organization to adopt.

Applied to an individual's work, the lanes look like this.

Lane 1 work at your desk. Drafting a blog post. Brainstorming a title. Summarizing a public article you just read. Researching a public company. Translating a passage. Writing a personal bio. Two rules now govern this lane. First, no consumer AI model is used at work or for any work task at all. Consumer tools raise data privacy and privilege questions their standard terms address only partially, and in ways misaligned with enterprise risk tolerance, and work context puts the exposure on the organization, not just the individual. Second, Lane 1 work runs on the organization-sanctioned team tier with settings that disable training (Claude Teams and equivalents), never the free consumer version. What individuals do with AI on their own devices, on their own time, sits outside the enterprise perimeter and outside this framework. The disclosure test survives: paste what you would post on LinkedIn. Do not paste what you would not.

A note on terms, since the distinction is the whole point of Lane 1. An enterprise deployment means a tenant-isolated interface with model training disabled and data use governed by contract. A consumer tool means a public interface whose standard terms permit training or that lacks those enterprise-grade controls. The line is drawn by the controls and the contract, not by price, and the free consumer tier sits on the consumer side of it whatever the vendor's brand name on the login screen.

Lane 2 work at your desk. Analyzing your organization's actual financial numbers. Drafting an email to a specific customer with their real name and real situation. Summarizing notes from an internal meeting that touched non-public strategy. Querying a document from your organization's contract repository. Working with a spreadsheet that contains any real employee, customer, or counterparty data. For this work, the public consumer interface is the wrong tool, even if it is faster. The right tool is your organization's enterprise deployment of a frontier model (Claude for Enterprise, Azure OpenAI, Google Vertex, or equivalent), where data does not leave the tenant and the terms of service do not allow the vendor to train on your prompts. If your organization does not yet have that deployment, the correct behavior is to do the work without AI rather than put Lane 2 data into a Lane 1 tool.

Lane 3 work at your desk. This is the category most individual users do not have. Lane 3 work is work where the output will be defended externally: a regulator, a court, a board, a customer in a dispute. For most executives, this work does not happen at an individual desk; it happens inside systems the organization has built specifically for it, with audit trails, decision logs, and approval paths. The individual discipline for Lane 3 is knowing where the line is and not crossing it. If you find yourself about to use a Lane 1 or Lane 2 tool to draft something that will be relied upon in a regulatory filing, an underwriting decision, a claims determination, or any other externally defensible output, the correct response is to stop and escalate. That is a workflow that belongs in a system, not a chat window.

The operational test for any individual AI session is a single question asked before the first paste: what lane is this? The answer determines which tool to open. Shadow AI is usually not a policy failure; it is this question going unasked.

What each lane actually looks like

The differences between the lanes are not about which tool is better. The differences are about what the deployment model requires, what controls apply, and what the organization can defend when asked.

Lane 1 · Open

Sanctioned team-tier tools, disclosure discipline

Typical Deployment
Organization-sanctioned team-tier deployments with organizational settings that disable training (Claude Teams and equivalents). The free consumer versions of ChatGPT, Claude.ai, Perplexity, and Gemini are excluded from work entirely. What individuals run on their own devices, on their own time, is outside the enterprise perimeter and outside this framework.
What Is Acceptable
Low-sensitivity work. Anything the user would be comfortable posting on LinkedIn. Anything that does not identify a customer, a counterparty, a piece of proprietary work, or a sensitive commercial term. Research. Drafting. Learning.
What Is Not
Any work task in a free consumer tool. Anything the organization would not want indexed, trained on, or cached by a third party. Real customer names. Real contract terms. Real financial figures. Internal strategy. Personnel information.
Governance Posture
An acceptable use policy that says plainly: no consumer AI model at work or for work tasks. A clear statement of what can and cannot be pasted into a Lane 1 tool, and of the data privacy and privilege questions consumer terms address only partially. Disclosure discipline when AI is used in a deliverable. Training so people understand the line between Lane 1 and Lane 2 work. Most organizations stop here and pretend that is a governance program. It is not. It is the starting line.
Lane 2 · Contained

Virtual private cloud deployments, human-in-the-loop discipline

Typical Deployment
VPC deployments of commercial foundation models. Azure OpenAI. Amazon Bedrock. Claude for Enterprise. Google Vertex. The model is the same one running in the public consumer product, but the deployment is private. Data does not leave the tenant. Prompts and outputs are not used to train the vendor's models. The organization signs a contract that says so.
The Defining Line
In Lane 2, AI assists humans making decisions. The human is in the loop on every consequential output, and the review is meaningful: the reviewer has the authority, the competence, and the time to reject the output, and the organization can document that overrides actually happen. A signature is necessary but not sufficient. A rubber stamp does not defeat the conclusion that the machine decided, and high-volume review is where automation bias lives. This is what an examiner will ask about.
What Is Acceptable
The full range of knowledge work on internal data. Analysis of the organization's financial performance. Drafting communications to customers. Querying internal document corpora. Summarizing recordings of internal meetings. Coding against proprietary codebases where the work is internal tooling rather than regulated product.
What Is Not
Automating a decision that will be defended externally without a human signing it. Processing data that is regulated at a level the deployment is not certified for. Training or fine-tuning on data the organization does not own.
Governance Posture
Contractual controls on data use and model training. Access controls and audit logging at the tenant level. Model cards for significant internal uses so the organization can describe what the AI does and does not do. A review process for new use cases before they move from experimentation to production. A fourth question asked alongside data and consequence: does the organization have the right to use this data for this purpose? Purpose limitation and data minimization attach to the data, not the infrastructure; data collected for claims processing is not automatically available for fine-tuning just because the tenant is private, and containment answers the confidentiality question without answering the permission question. A clear line between Lane 2 experimentation (which should be easy to start) and Lane 3 production (which should not).
Lane 3 · Sovereign

Governed deployments, externally defensible decisions

Typical Deployment
The lane is defined by its governance apparatus, not by a hosting model. Deployments range from self-hosted open-weight models (Llama variants, fine-tuned models the organization owns outright) to governed deployments of commercial frontier models with contractual accountability and full decision logging. Regulators require accountability, documentation, and vendor oversight, not self-hosting as such, and self-hosted open-weight carries its own legal baggage: license terms, training data provenance, and full safety responsibility resting on the organization. Deployment is a design choice made inside the governance apparatus, and the right answer will continue to evolve as platforms and regulation mature.
The Defining Line
In Lane 3, AI materially shapes or automates decisions that must be defended externally. The output has a regulator, a customer, a court, or a counterparty on the other side of it. The organization must be able to explain what the system did, why it did it, and what controls were in place when it did it.
What Is Acceptable
Anything the organization needs to defend in an examination. Underwriting decisions. Claims triage. Processing of PHI and PII at scale. High-volume automated recommendations with consumer impact. Proprietary code that cannot leave the perimeter.
What Is Not
Pretending that a Lane 2 deployment is a Lane 3 deployment. Running Lane 3 workloads on Lane 2 infrastructure because it is faster to implement. Treating the hosting model as a substitute for the governance apparatus. Using an ungoverned public application programming interface (API) for anything in this lane.
Governance Posture
A model registry. Bias testing. Human override paths. Decision logs. Version control for models, data, and configurations. Impact assessments. Vendor governance with teeth: for most mid-market carriers, AI governance is mostly vendor governance, and a Lane 3 contract must contain no-training commitments, audit rights, deletion on termination, incident notice SLAs, sub-processor transparency, and model change notification. The full apparatus the National Association of Insurance Commissioners (NAIC) Model Bulletin describes. This is the lane where governance becomes operational infrastructure rather than policy documentation.

Why most organizations get this wrong

The failure mode I see most often is treating AI as a single question. The organization has a debate about whether to build or buy, whether to pick one model or several, whether to allow ChatGPT or ban it. The debate gets stuck because the people having it are implicitly talking about different lanes without noticing.

The information technology leader who says "we need to build our own" is almost always thinking about Lane 3 work and is correct for that lane. The chief financial officer who says "why are we spending money on this when ChatGPT is free" is thinking about Lane 1 work and is correct for that lane. The compliance officer who says "we cannot allow any AI use until we have a policy" is thinking about Lane 3 work and is applying it to Lane 1, which is why the organization feels paralyzed.

The Three Lanes resolve these debates not by picking a winner, but by forcing each person to articulate which lane they are actually talking about. Once the lane is named, the liability question follows naturally. Who owns the risk when this goes wrong? In regulated industries, that question is no longer a luxury the organization can afford to leave unanswered.

How work moves between lanes

Classification is useful only if the framework also shows motion. Work does not stay still. A use case that starts in Lane 1 as a personal experiment often deserves to move into Lane 2 once it matures, and some Lane 2 uses eventually need the controls of Lane 3. Two triggers are worth naming explicitly.

From Lane 1 to Lane 2: repeated use plus internal data dependence. When a pattern that started as a one-time personal experiment becomes a recurring workflow, and when the pattern increasingly depends on internal data to be useful, the work has outgrown the public tools. The individual can still do it in Lane 1, but the organization is now exposed. The signal is simple: if removing the individual from the equation would break the process, the process has become organizational and needs Lane 2 infrastructure.

From Lane 2 to Lane 3: external accountability. The trigger is not complexity, volume, or even data sensitivity in isolation. The trigger is the moment the output crosses an organizational boundary and becomes something the organization must defend to an outside party. A regulator. A customer. A court. A counterparty in a dispute. When that line is crossed, the work needs the audit trail, the model registry, and the governance apparatus of Lane 3, regardless of how comfortable the Lane 2 infrastructure feels. The transition itself should produce an artifact: an AI impact assessment recording the documented decision to cross the line and the risks identified. When in doubt, assume the line is crossed and escalate to Lane 3 with a documented and visible risk assessment. Handled this way, the framework generates the documentation an examiner asks for, not just a classification.

There is also a third, quieter trend: migration back toward lower lanes as platforms mature. Some work that has historically required Lane 3 infrastructure will move into Lane 2 over the next eighteen months as the major cloud platforms strengthen their audit and compliance capabilities. Watch this direction, but do not reorganize around it until the controls are certified, not just marketed. An organization that anticipates the migration before the controls are actually in place is taking on the same risk as an organization that misclassified the lane in the first place. Any migration back down the lanes deserves the same discipline as the trip up: clear documentation to substantiate the decision.

Build versus buy, inside the lanes

The build versus buy question changes completely depending on the lane.

In Lane 1, buy. Always. The economics are not close. A team-tier subscription with training disabled (Claude Teams or equivalent) for every knowledge worker costs less than one junior analyst, and the free consumer versions are excluded from work regardless of price. The tools are commodity-grade, the switching costs are low, and the value is personal fluency rather than organizational differentiation. Organizations that try to build their own ChatGPT equivalent for general knowledge work are burning money to solve a problem that has already been solved.

In Lane 2, buy the platform, build the integration. The foundation model is not the differentiation. Azure OpenAI, Bedrock, and Claude for Enterprise are all commercial-grade deployments of frontier models with reasonable enterprise controls. The differentiation is what the organization connects to them. Which internal data sources. Which workflows. Which approval paths. The platform is commodity, the integration is proprietary, and the integration is where the effort and investment should go.

In Lane 3, the question gets serious. Here the decision is real. A widely cited Massachusetts Institute of Technology (MIT) study from 2025 found that purchased AI solutions and vendor partnerships reached successful deployment about twice as often as internal builds, roughly 67% versus 33% across the projects it tracked. The underlying claim is more durable than any single statistic: organizations consistently underestimate the operating discipline that production AI requires, and the discipline is easier to buy than to build from scratch. If the default executive instinct is to build, the instinct is usually wrong.

The practical Lane 3 pattern that is emerging in 2026 is hybrid, and it holds whichever deployment model the governance apparatus selects. Buy the inference infrastructure and the tooling for monitoring and evaluation, whether the model is self-hosted open-weight or a governed frontier deployment. Build the fine-tuning, the data pipelines, the governance layer, and the application that sits on top. The organization owns what it needs to own, which is the judgment embedded in the system, and does not try to own what it cannot operate, which is the foundation model itself.

The useful distinction from 2026 industry analysis: build to learn versus build to run. Build to learn means prototypes, experiments, and internal leverage tools that help the organization understand what is possible. Build to run means production systems with SLAs, audits, and long-term maintainability. Organizations that do not label which kind of build they are doing will accidentally treat a prototype like a product and pay for it later.

What this means for an executive right now

If you are a senior leader inside an organization that has not yet had this conversation explicitly, there are three things worth doing this quarter.

Map the current footprint. Where is AI actually being used in your organization right now, including the shadow usage no one has sanctioned? Classify each use into one of the three lanes. The map will almost always surface two things: Lane 1 work happening with no policy and no training, and Lane 2 work happening in Lane 1 tools because the Lane 2 infrastructure does not yet exist. Both are fixable. Neither gets fixed until someone draws the map. The map is an AI inventory in substance: a maintained AI use register is the foundational artifact under the National Institute of Standards and Technology AI Risk Management Framework (NIST AI RMF), ISO/IEC 42001 (the international standard for AI management systems), and the European Union (EU) AI Act, which anchors the footprint exercise to external standards and gives the framework external validity.

Name the lanes in your own vocabulary. The framework above is a starting point, not a finished product. The vocabulary that matters is the one your organization will actually use. Some organizations prefer Open, Internal, Regulated. Some prefer Public, Private, Sovereign. Pick the words that will travel through the organization and use them consistently.

Resist the one-platform temptation. The vendor pitch that an organization can standardize on a single platform for all three lanes is rarely true in practice today. The largest cloud providers are getting closer, but the trade-offs across model quality, data controls, and deployment flexibility still favor a multi-platform posture for most organizations doing material work in Lane 3. An organization that locks into a single platform before understanding its own lane distribution is trading strategic flexibility for procurement simplicity, usually at the wrong moment.

Why this matters in insurance specifically

The regulatory clock in insurance is running faster than most executives realize. The NAIC Model Bulletin has been adopted by 24 states and the District of Columbia per the NAIC implementation map. The NAIC AI Systems Evaluation Tool is in a twelve-state pilot that began March 2, 2026 and runs through September 2026, with participating insurers spanning property and casualty, life, and health lines. Colorado's comprehensive AI Act, Senate Bill 24-205 (SB 24-205), never took effect: originally set for February 1, 2026 and delayed to June 30, 2026 (by SB 25B-004), it drew a federal constitutional challenge from Elon Musk's xAI in April 2026 (xAI v. Weiser), after which the state agreed to pause enforcement, and it was then repealed and replaced by SB 26-189, signed May 14, 2026, which takes effect January 1, 2027 as a disclosure and transparency framework. Colorado SB 21-169 and its governance regulation on external consumer data, algorithms, and predictive models are in effect. Regulation 10-1-1 took effect for life insurers in November 2023 and was extended to private passenger auto and health benefit plan insurers effective October 15, 2025, while the dedicated quantitative bias testing methodology for life insurers remains a draft and is not yet in force. The EU AI Act classifies AI used for risk assessment and pricing in life and health insurance as high-risk under Annex III, with those obligations deferred to December 2, 2027 by the Digital Omnibus adopted June 29, 2026. The NAIC Third-Party Data and Models Working Group is developing a state-based registration framework for AI data and model vendors, with adoption anticipated in late 2026 or 2027. That is a state initiative, not a federal law. Regulatory status in this section is current as of July 13, 2026, and this landscape is moving quickly.

For insurance organizations, the mapping is concrete. Marketing copy and public research sit in Lane 1. Internal analysis, rating-factor development, and model prototyping are Lane 2 work. Production underwriting, pricing, and claims adjudication, the outputs a regulator can examine, are Lane 3, and that is where nearly all the regulatory weight lands. The AI Systems Evaluation Tool asks insurers to describe their governance framework, their risk management, their monitoring, their high-risk models, and their third-party arrangements. An organization that has not done the lane mapping, and cannot describe which deployments are handling which categories of work, will struggle to answer those questions in an examination context.

This is not a future problem. The pilot states are already using the tool. The executives who will do well in this environment are the ones who can describe their organization's AI footprint in a structured way before a regulator asks. The Three Lanes are one way to do that.

What carriers are actually doing

The public record on carrier AI strategy is thinner than the vendor marketing suggests, and three distinct postures emerge when you read it carefully. All three are defensible, all three are Lane 3, and the difference among them is the deployment choice made inside the governance apparatus, which is exactly what the refined definition of Lane 3 predicts. The choice among them reveals more about how a carrier thinks than any single product announcement would.

Two large carriers have made public, substantive commitments to a specific foundation model partner.

AIG
Named partner · Lane 3 workload · Publicly disclosed

At its Investor Day in late March 2025, AIG detailed a partnership with Anthropic and Palantir that put Anthropic's Claude to work on the underwriting workflow, with Palantir Foundry as the data layer. AIG has set an ambition of reaching 500,000-plus Excess & Surplus submissions and at least $4 billion in new business premiums by 2030 through this work; by year-end 2025 it had surpassed 370,000 submissions in its Lexington business, a 26% year-over-year increase. Early rollouts improved data accuracy from 75% to over 90% and compressed review cycle time by more than 5x, figures CEO Peter Zaffino has stated publicly. Zaffino and Claude Wade, then Chief Digital Officer, presented the work to analysts at Investor Day, and it has been covered independently by Carrier Management and CNBC, among others. In Lane terms, this is a Lane 3 workload (underwriting, regulated, externally defensible) running on commercial frontier model infrastructure with AIG retaining end-to-end ownership of data, application, and governance.

Allianz
Named partner · Safety-forward framing · Early

Allianz followed on January 9, 2026 with a similar partnership, naming safety and regulatory compliance as explicit selection criteria and committing to log every decision, rationale, and data source for traceability. The partnership is still early, and operational evidence will emerge over the course of 2026.

The more common pattern is the opposite.

Liberty Mutual, Progressive
Model-agnostic · Infrastructure-forward

Liberty Mutual offers the most publicly developed example of this posture. LibertyGPT is deployed across Liberty's workforce of roughly 45,000, on a model-agnostic architecture spanning multiple foundation models, and adoption reached about 74% of employees by early 2026, supported by a responsible AI steering committee and a deliberate experimentation framework. Monica Caldas (Liberty Mutual global chief information officer) has spoken publicly about the discipline of building platforms rather than committing to a single vendor, and about the cultural work required to move AI from pilot into production at scale. Progressive has made substantial generative AI investments across marketing, pricing, and operations without tying the work to a specific foundation model in the public record.

A third posture is rarer and more ambitious: build the model itself.

Travelers
Proprietary domain model · Vertically integrated

Travelers has taken the most vertically integrated posture of the three. On June 30, 2026 it announced TravelersLLM, a proprietary large language model tailored to its property and casualty business and built in-house by the company's own engineers and data scientists. Trained on millions of company documents, it is meant to sharpen underwriting analysis, speed research and model development, surface decades of institutional knowledge, and streamline workflows, and Travelers casts it as a core piece of its AI ecosystem and a base for agentic applications across the company. The company reports that in internal testing across tens of thousands of insurance questions it outperformed commercially available models on quality, cost, and speed. Notably, Travelers positions the model as working alongside leading frontier models rather than replacing them, contributing domain precision and context that a general model lacks, and its Chief Technology and Operations Officer, Mojgan Lefebvre, is the named voice on the work. The model earned a CIO 100 Award for innovative use of technology. Travelers has not published model architecture, formal benchmark methodology, or governance detail, so the posture is clearer than the proof. In Lane terms, a proprietary model built on the carrier's own regulated corpus is close to the textbook Lane 3 case: the advantage is domain-specific accuracy, institutional knowledge, and auditability rather than general conversational performance, and the carrier owns the model, the data, and the governance end to end. It is a different route to the same Lane 3 destination AIG reached: one carrier putting a frontier model to work on a narrow underwriting workflow, the other building a domain model of its own to run alongside frontier models across the enterprise.

Three observations worth holding.

First, the carriers that have named a public model partner have done so for Lane 3 workloads where the governance case is specific and testable. AIG did not announce a broad Claude deployment. They announced Claude for a particular underwriting application, with specific metrics, a specific data infrastructure partner, and public accountability. That is a very different posture from a blanket "we use Claude" statement, and it is the posture that will age well under regulatory scrutiny.

Second, the carriers that have taken the model-agnostic posture are doing so deliberately and with substantial investment behind the choice. Liberty Mutual and Progressive are both large-scale AI operators. An architecture that keeps foundation models interchangeable is a governance stance in its own right. It preserves optionality as the model landscape shifts, it prevents any single vendor from accumulating strategic leverage over the enterprise's AI operations, and it centers the governance work on infrastructure and process rather than on the model layer. For carriers with the scale to build and run that platform discipline, it is probably the stronger long-term posture.

Third, the proprietary-model posture is the deepest commitment and the largest bet. Building a domain model on your own corpus turns proprietary data into a capability a competitor cannot rent, which is the most durable version of a Lane 3 advantage. It also concentrates responsibility: the carrier now owns model performance, safety, and governance with no vendor to share the load. Travelers positions its model as working alongside frontier models rather than replacing them, which is the pragmatic version of the bet, keeping the proprietary layer where domain precision pays and renting general capability everywhere else. It is the strongest posture for an organization with the data and the discipline to run it, and the least forgiving for one that lacks either.

The operating lesson is that each of these postures can work when it is chosen deliberately. The failure mode is none of them: it is a loud public commitment to a single model without the Lane 3 specificity that makes the commitment defensible, or a nominally model-agnostic architecture that masks the absence of actual governance discipline underneath. In Lane terms, AIG demonstrates Lane 3 specificity (regulated workload, externally defensible metrics, contractual clarity on data and governance). Liberty demonstrates Lane 2 experimentation discipline at scale while preserving optionality for future Lane 3 commitments. Travelers demonstrates the proprietary-model version of Lane 3, converting its own regulated data into the advantage and running the model alongside frontier capability rather than in place of it. The carriers getting this right, whichever posture they have chosen, have done the lane mapping first and let the architectural and vendor relationships follow.

What I am watching, and where the conventional wisdom is probably wrong

Three things worth tracking over the next six to twelve months, each with a note about what the consensus view is likely to miss.

The lane boundaries will move, but not as fast as the vendors will tell you. As Azure OpenAI, Bedrock, and Claude for Enterprise mature their controls, some Lane 3 work will migrate into Lane 2. The consensus view is that this migration is imminent. The consensus view is probably early. Audit and compliance tooling looks complete until it is tested in an actual examination, and the first wave of regulatory actions against organizations that trusted platform-level controls prematurely will recalibrate the market. Watch for the first enforcement action, not the first product announcement.

The governance tooling market will consolidate, and most of the current tools will not survive it. Gartner projects spending on AI governance platforms at roughly $492 million in 2026, surpassing $1 billion by 2030 as AI regulation expands to cover most of the world's economies. Most of the current offerings are point solutions built for the Lane 3 enterprise buyer. The surviving tools will be the ones that work across all three lanes rather than optimizing for one, because organizations are discovering that governance cost structures scale with lane coverage, not with model count. The framework predicts the winners better than the feature comparisons do.

The executive role will formalize, but the title will not be Chief AI Officer for most organizations. Only a minority of enterprises have named AI roles or centralized AI governance functions today, though far more could and should. That ratio will shift meaningfully over the next eighteen months. The consensus view is that a Chief AI Officer will own this function. The consensus view is probably wrong at the mid-market. My specific bet, falsifiable by year-end 2026: among mid-market carriers (under $5 billion in premium) that formalize AI governance leadership in 2026, fewer than one in five will use the Chief AI Officer title. Most will attach the function to an existing trusted role: the CIO, the General Counsel, the Chief Risk Officer, or a business-unit president who has demonstrated operational fluency. The executives who already think in lanes will be the natural candidates, whatever the title ends up being.

The operating takeaway

Three sentences to take into Monday.

First, ask the lane question before every AI session, your own and your organization's. What lane is this? The answer determines the tool, the controls, and the liability. Shadow AI is usually this one question going unasked.

Second, map the footprint before you pick a platform. Where is AI being used in your organization today, across all three lanes? Until that map exists, every vendor conversation is premature and every governance policy is aimed at the wrong target.

Third, let the governance work lead the architecture, not the other way around. The carriers getting this right have done the lane mapping first and let the model, vendor, and infrastructure choices follow from it. The carriers getting this wrong have picked a platform and tried to retrofit governance onto it. The sequence matters.

Sources & References

Sources and references

This field note draws on public sources. The framework itself is original.

Insurance Regulation

NAIC Model Bulletin and AI Systems Evaluation Tool pilot. The NAIC's official AI topic page maintains current adoption counts, the AI Systems Evaluation Tool pilot status, and the list of twelve participating states.

State-by-state implementation tracker. The NAIC publishes a regularly updated tracker of which states have adopted the Model Bulletin and the citations for each adoption.

Colorado AI Act. Colorado SB 24-205 was originally scheduled to take effect February 1, 2026 and was delayed to June 30, 2026 by SB 25B-004. Elon Musk's xAI challenged the Act in federal court in April 2026 (xAI v. Weiser), the state agreed to pause enforcement, and SB 26-189, signed May 14, 2026, repealed and replaced the Act with a disclosure and transparency framework effective January 1, 2027. Coverage available at the Akin Gump AI Law and Regulation Tracker and law firm client alerts (Seyfarth, Norton Rose Fulbright, Baker Botts).

Carrier Deployments · AIG

AIG Investor Day 2025 presentation. AIG's primary source for the AIG Underwriter Assistance deployment, including the targets for Excess & Surplus submissions, new business volume, accuracy improvements, and review cycle times. Peter Zaffino and Claude Wade presented to analysts on March 31, 2025.

Carrier Management coverage of the AIG deployment. Independent reporting on the Investor Day presentation and the underlying agentic AI ecosystem.

Carrier Deployments · Allianz

Allianz primary press release. Allianz's official announcement of the Anthropic partnership, including the three-project structure (employee enablement, agentic AI automation, transparent and compliant AI systems) and the commitment to log every decision, rationale, and data source.

CIO Dive coverage. Independent reporting framing the partnership in the context of the broader insurance industry shift toward AI governance and traceability.

Carrier Deployments · Liberty Mutual, Progressive

Liberty Mutual. LibertyGPT employee count, responsible AI steering committee, and Monica Caldas's public statements on platform-oriented architecture have appeared across CIO Dive, Insurance Innovation Reporter, and Liberty Mutual's own corporate communications.

Progressive. Generative AI investments across marketing, pricing, and operations have been referenced in Progressive's quarterly disclosures and CEO commentary without specifying a foundation model partner.

Carrier Deployments · Travelers

TravelersLLM announcement. Travelers' own June 30, 2026 press release describing TravelersLLM as a proprietary large language model tailored to its property and casualty business, built in-house and trained on millions of company documents, and applied to underwriting analysis, research and model development, institutional knowledge access, and workflow improvement. The company reports that in internal testing across tens of thousands of insurance questions the model outperformed commercially available models on quality, cost, and speed, and positions it as working alongside frontier models rather than replacing them. Quoted executive: Mojgan Lefebvre, Chief Technology and Operations Officer. Recognized with a CIO 100 Award. The release does not include model architecture, formal benchmark methodology, or governance specifics.

Build versus Buy Research

MIT NANDA, "The GenAI Divide: State of AI in Business 2025." The study reported that vendor-purchased and partnership approaches reached deployment roughly twice as often as internal builds (about 67% versus 33%), alongside its headline finding that 95% of enterprise generative AI pilots produced no measurable profit-and-loss impact. Published by MIT's Project NANDA in 2025.

Stanford Digital Economy Lab "Enterprise AI Playbook." Cross-case analysis of 51 enterprise AI deployments, with the recurring conclusion that organizational discipline matters more than model selection.

Governance Tooling Market

AI governance platform market projection. Gartner's February 2026 forecast puts spending on AI governance platforms at approximately $492 million in 2026, more than doubling to over $1 billion by 2030 as AI regulation expands to roughly 75% of the world's economies. Source: Gartner newsroom, "Global AI Regulations Fuel Billion-Dollar Market for AI Governance Platforms" (February 2026).

The Three Lanes of Enterprise AI is a framework taught in the AI Executive Accelerator and used in advisory engagements with senior operators navigating organizational AI decisions. Claude assisted with research synthesis and editing in producing this field note. This is the same workflow I teach in the AI Executive Accelerator: Lane 1 work, performed by a practitioner who knows what lane they are in. Feedback welcome.