Identity that survives the NAIC examination.
IGA, PAM, and zero-trust programs for insurers, reinsurers, and broker networks. NAIC, NYDFS Part 500, SOC 2, and HIPAA aligned.

- NAIC
- NYDFS Part 500
- SOC 2
- HIPAA
- NIST 800-53
- GLBA
Use cases we have shipped in insurance.
- Use case · 01
Producer + agent lifecycle automation
Joiner-mover-leaver flows for independent producers, captive agents, and broker networks. License-state attestation and appointment lifecycle wired into access policy.
- Use case · 02
Policy administration system access governance
Role-based access reviews for Guidewire, Duck Creek, and SAP for Insurance environments. SoD ruleset tuned to underwriting / claims / accounting separation.
- Use case · 03
Customer identity for self-service portals
Customer identity for policyholder portals, claims self-service, and broker workflows. Risk-adaptive MFA with fraud signals; consent flows aligned to state insurance regulations.
- Use case · 04
Privileged access for actuarial + claims systems
Privileged session governance for actuarial computing, large-loss claims, and reinsurance treaty systems. Recording and just-in-time elevation engineered around the operational tempo.
- Use case · 05
Third-party data exchange identity
Identity and access for ACORD, ISO, and other industry data exchange interfaces. Federation patterns and credential lifecycle wired into the partner agreement registry.
- Use case · 06
NYDFS Part 500 program alignment
IAM evidence engineered to satisfy NYDFS Part 500 §500.07 (Access Privileges) and §500.12 (MFA). The same control test produces NAIC, NYDFS, and SOC 2 artifacts.
- Use case · 07
M&A identity integration for insurers
Acquisition-cadence identity merging across insurer combinations with disparate policy admin systems. Right-sized access by close-date with deferred consolidation planned over the first audit cycle.
The buyer archetypes we have shipped programs for.
We are under NDA on most engagements. The tiers below reflect the buyer archetypes we have shipped programs for. References are available on request, after mutual NDA.
- Tier-1 US Bank: FFIEC · SOX
- Custody Bank: GLBA · FFIEC
- Federal Agency: FedRAMP High
- State System: StateRAMP
- Top-10 Hospital: HIPAA · HITRUST
- Health Payer: HIPAA
- FinTech Platform: PCI-DSS · SOC 2
- Asset Manager: SOX · SOC 2
Common questions.
Do you have direct experience with NAIC and NYDFS Part 500 expectations?
Yes. Every IAM program we deliver in insurance is mapped to NYDFS 23 NYCRR 500 (where applicable), NAIC Insurance Data Security Model Law, and SOC 2 CC-series controls. Deliverables include the control mapping artifacts your auditors and state regulators will request.
How do you handle the SoD model for underwriting / claims / accounting?
We engineer the SoD ruleset around the actual operational separation insurers depend on — underwriting cannot pay claims, claims cannot adjust premiums, accounting cannot create policies. The ruleset is tuned to your business risk appetite during the first two campaigns, then refined quarterly.
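As an added illustration (not the vendor's own ruleset or code), the three rules above can be expressed as entitlement-level toxic combinations and evaluated over an access-review export. The role names, entitlement strings, user IDs and sample assignments are constructed assumptions; a real ruleset would be tuned against the insurer's own role model.

```python
# Added example, not the vendor's code: segregation-of-duties check for the
# underwriting / claims / accounting separation. Roles, entitlements and the
# sample assignments below are constructed for illustration.

# Hypothetical role model: role -> business entitlements it grants.
ROLE_ENTITLEMENTS = {
    "Underwriter": {"policy.create", "premium.adjust"},
    "ClaimsAdjuster": {"claim.open", "claim.pay"},
    "ClaimsSupervisor": {"claim.pay", "claim.approve"},
    "GLAccountant": {"ledger.post", "payment.release"},
    "PolicyServiceRep": {"policy.read"},
}

# Toxic combinations, one per rule. A rule is violated when a user holds at
# least one entitlement from each side, regardless of which roles bundle them.
SOD_RULES = [
    ("underwriting cannot pay claims",
     {"policy.create", "premium.adjust"}, {"claim.pay"}),
    ("claims cannot adjust premiums",
     {"claim.open", "claim.pay", "claim.approve"}, {"premium.adjust"}),
    ("accounting cannot create policies",
     {"ledger.post", "payment.release"}, {"policy.create"}),
]


def effective_entitlements(roles):
    """Flatten a user's roles into the entitlements they actually hold."""
    ents = set()
    for role in roles:
        ents |= ROLE_ENTITLEMENTS.get(role, set())
    return ents


def sod_violations(assignments):
    """Return {user: [violated rule names]} for a {user: [roles]} mapping.

    Checking at the entitlement level catches conflicts that arise only when
    two individually clean roles are combined on one account."""
    findings = {}
    for user, roles in assignments.items():
        ents = effective_entitlements(roles)
        hits = [name for name, side_a, side_b in SOD_RULES
                if ents & side_a and ents & side_b]
        if hits:
            findings[user] = hits
    return findings


# Constructed access-review export.
SAMPLE_ASSIGNMENTS = {
    "u.alvarez": ["Underwriter", "PolicyServiceRep"],  # clean
    "c.nguyen": ["ClaimsAdjuster", "Underwriter"],     # claims + underwriting
    "g.okafor": ["GLAccountant", "Underwriter"],       # accounting + underwriting
    "m.silva": ["ClaimsSupervisor"],                   # clean
}
```

Running `sod_violations(SAMPLE_ASSIGNMENTS)` flags c.nguyen on two rules and g.okafor on one; the clean accounts are not reported, which is the output an access-review campaign would route to the entitlement owners.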
Can you support Guidewire, Duck Creek, and SAP for Insurance?
Yes. We have shipped IGA integrations against all three. Each platform has its own role model and integration surface; we engineer the IGA layer to fit the policy administration system rather than forcing the system into a generic IGA pattern.
How do you handle producer / agent identity at scale?
Producer lifecycle is the most distinctive identity scenario in insurance. We engineer flows that account for state license attestation, appointment cycles, and the high turnover of independent producer populations. The pattern looks different from employee lifecycle and we design for that.
What is a typical engagement timeline for a regional insurer?
An 8-week diagnostic and reference architecture, then a 12-to-16-week build for the first audit-scope workflow (typically PAS access reviews plus privileged session governance). Audit-ready evidence by month 6.
Ready to scope an insurance engagement?
Same-day reply during business hours. NDA on request before discovery.