Time to Prepare: Your Frontier Operating Model Has a Landlord. Find Out Why!
Jul 18, 2026
Written by Sabine VanderLinden
KEY TAKEAWAYS
-
On 2 August 2026, EU AI Act Article 26(2) requires insurers deploying high-risk AI to assign human oversight to a named natural person: someone with “the necessary competence, training and authority.” Governance is the one layer of the Frontier Operating Model that cannot be outsourced to a vendor.
-
Two deals on 7 July 2026 assembled that governance layer in public: Norm Ai raised $120M at a $1.2B valuation (led by Khosla Ventures) to sell AI supervision, and Duck Creek acquired Send to buy the AI underwriting engine. One market sold the conscience; the other bought the muscle, and neither vendor signs the accountability box (yet)!
-
The question for every insurer is whether its AI governance layer is a capability it owns or a subscription it rents. Under Article 26(6), deployers must retain AI decision logs for at least six months. So, a vendor contract without log-and-exit rights puts the insurer, not the supplier, in breach.
Your frontier operating model has a landlord. This is the named natural person your firm must assign under Article 26(2) of the EU AI Act to hold human oversight over high-risk AI decisions. That accountability layer cannot be rented from a vendor or parked in a committee. It has to be owned inside the business, with a name in the box and the authority to answer for what a machine decided.
If you run AI operating models in insurance or financial services — as an insurer, reinsurer, broker, carrier executive, transformation lead, risk owner, or governance leader — this is no longer abstract design language. From 2 August 2026, deployers of high-risk AI systems must assign that oversight to a natural person who is competent, trained, authorized, and supported. Many European insurers still have not finished the document that makes that assignment real.
The box sits on a governance document with a heading like human oversight, and underneath it, a space for a person. Not a function. Not a committee. Not a vendor. A person, with a name, who answers for what a machine decided. The wording is not ambiguous: deployers shall assign human oversight to natural persons who have the necessary competence, training and authority, as well as the necessary support.
This piece examines what that means for the Frontier Operating Model: how the EU AI Act changes AI governance, where renting supervision tools stops and owning accountability starts, how vendor relationships in underwriting and AI supervision platforms fit into that boundary, and what insurers should do now to build a compliant governance strategy before adoption outruns control.
Hold that person in your mind. Now look at what happened on 7 July.
Norm Ai — under three years old — raised $120 million at a $1.2 billion valuation, led by Khosla Ventures, with Blackstone, Bain Capital Ventures, Craft, Coatue, Vanguard, New York Life and TIAA alongside. It builds agents that read regulations and supervise other agents. Its clients represent more than $30 trillion in assets under management. Total raised: over $260 million, in less time than most carriers take to finish a core migration.
The same morning, Duck Creek acquired Send, the AI-native underwriting orchestration engine supporting more than $26 billion in business, and called the result the industry’s only agentic underwriting-to-core platform — a live signal of how algorithmic underwriting 2.0 is reshaping risk assessment.
One market bought the agents. The other sold the supervision. Both were filed as vendor news. Neither is vendor news. They are one event seen from opposite ends — the Frontier Operating Model being assembled in public, by people who will never sign the box.
The layer of AI agents nobody put on the architecture diagram
Every operating-model diagram drawn in the last eighteen months has three floors: data at the bottom, agents in the middle, humans on top making the calls. Clean picture. Missing a floor.
Between the agents and the humans sits the landlord layer in a Frontier Firm: the part that controls the core digital estate, including AI platforms, decides which agent actions are permitted, which are escalated, and which are logged for a regulator who has not asked yet. It also provides shared capabilities to business units and evaluates compliance of decisions made by AI agents to manage risk. It also maintains a single source of truth for data to support decision-making, which is foundational to any Frontier Firm competing on agentic AI. Nobody drew it, because until recently it was a person — a compliance officer with a spreadsheet and an instinct. That person does not scale to machine speed. The $120 million that just went into Norm Ai is the market’s estimate of what replacing them is worth.
What is a Frontier Operating Model? A Frontier Operating Model is how a frontier firm organizes artificial intelligence, humans, its AI agents, and the governance between them to make decisions at machine speed under named accountability — specifying which decisions agents take, which humans sign, and who answers when the agent is wrong.
Read that last clause again. From 2 August, it is not a design principle. It is Article 26.
Norm Ai’s cap table is the business leaders' story, not its valuation
The valuation is the least interesting number in the announcement. Look at who is on the paper.

Blackstone. Vanguard. New York Life. TIAA. Coatue. These are not thesis investors chasing an AI multiple — Khosla led that part. These are institutions that will also be customers of the thing they are funding, in a market where the supervisory layer above their agents is now a product with a price and a roadmap. When firms that must answer to a regulator put money into the company that automates the answering, they are telling you something they did not put in the release: governance stopped being a department and became a dependency.
You can rent the muscle. Rent the conscience, and it is still your name in the box.
Here is the uncomfortable symmetry. Duck Creek now owns the engine that orchestrates underwriting agents within your business — Send continues as a standalone unit, with Andy Moss leading it as General Manager of Underwriting, which is exactly the reassurance an acquirer offers. Norm Ai sells the layer that supervises them. Neither company works for you in the sense that matters. They work to a roadmap, and the roadmap is not yours. Your Human-Agent Ratio: the number every board now asks for, will be set by two vendors’ release cycles and a procurement calendar in a market where agentic AI coworkers are fast becoming your next competitors.
The resigned middle, and why nobody chose it
Now, the part I have watched from inside the room, because this is not a failure of intelligence.
In the control-environment reviews I have sat in over the past year, the pattern is not panic. It is resignation. A framework designed for quarterly review is being asked to sign off on decisions arriving by the second, and the honest people in the room will tell you the reviews became rubber stamps months ago — not because anyone decided that, but because nobody had a moment to decide otherwise. Building an internal supervisory layer means hiring engineers who could earn double at Khosla’s portfolio companies, and defending a two-year build to a board that wants an AI story by Q3. So you buy. Of course, you buy. Buying is the rational move for a leader with a real calendar and a real budget, and I would not pretend otherwise.
The mistake is not buying. The mistake is buying without deciding what you are buying: a tool, or your accountability. Those are different transactions, and only one of them is reversible, especially as we approach AI Horizons 2030 at ITC Vegas for insurance operations.
Efi Pylarinou has been sharpest on the adjacent question with Know Your Swarm — how you govern multi-agent systems in finance. That is the framework question. This is the ownership question, and it comes first: before you design the governance, decide whose it is.
Be precise about what actually binds you
One caution: the opposite of ignoring the regulation is overreacting to it, and both are expensive.
The AI Act does not make everything you do high-risk. Annex III names risk assessment and pricing for life and health insurance. P&C underwriting is not automatically caught, even as AI transforms underwriting and pricing across insurance lines. But Annex III also names recruitment and worker-management systems, which apply to every insurer as an employer, regardless of what you write. And there is a bridge worth noting: under Article 26(5), financial institutions already subject to internal governance requirements under Union financial services law are deemed to meet the monitoring obligation by complying with those rules. Your Solvency II governance isn't nothing here. It is scaffolding.
What it is not is a substitute for the box. Article 26(2) still wants a natural person.
The operating model playbook for this quarter

-
Draw the fourth floor, then find the name. Explicitly add the supervisory layer to your operating-model diagram, designed so that business functions can still modify operations according to their needs. Name every decision an agent takes today without a human signature, then identify who would sign the Article 26 box for each one. Most firms cannot complete this in a week. That difficulty is the finding.
-
Sort capability from the supplier, and let the box decide. Which supervisory decisions stay in-house: model approval, appetite, escalation thresholds, the regulatory narrative? Use a single test: if a named person must answer for it personally, you cannot rent the judgement behind it. That is not a preference. It is the shape of the law. Set cost-allocation mechanisms for the shared layer so accountability stays transparent.
-
Put the logs and the exit in the contract. Article 26(6) requires you to keep the system’s automatically generated logs for at least six months. If your vendor holds those logs and your contract does not guarantee them, you are the one in breach. So the vendor agreement needs three things standard SaaS does not carry: your audit rights over their decisions, your logs and decision records on exit, and a named human at their end who will answer your regulator’s questions, all to support high-capacity utilization of shared assets rather than duplicated local tooling. In DIVAAA™ terms, this is Adopt-stage work... The clause architecture between the MOU and the Vendor Agreement.
-
Venture-client the layer instead of renting it. Norm Ai is not the only company doing this, and it is priced like the only one. Run a 90-day KPI-driven pilot phase with a scaleup under your governance, using pilot projects as the small-scale test before broader deployment, with a production contract as the finish line — capability from outside, supervisory decisions in-house. Foundational infrastructure from the landlord should let teams innovate quickly, and 30–50% of startups move into longer-term relationships after successful pilot projects when they follow a structured venture clienting approach to startup collaboration and use a venture client deployment readiness assessment to tighten execution. That is the difference between a supplier and a landlord.
Whose name is on the lease
The trajectory is not dramatic. It is worse than dramatic. The agents arrive faster than the reviews, the reviews become approvals, the approvals become defaults, and one morning your Agentic Frontier is running on a governance stack you license, on terms you did not negotiate, priced at whatever the market bears once you have no alternative. Nobody will call it a failure. Your Intelligence Layer will still be yours on paper. The decisions on top of it will belong to somebody else’s release notes, rather than being guided by independent research on AI-powered insurers and governance.
And on 2 August, someone’s name goes in the box.
If your governance layer is a subscription, that person is being asked to take personal responsibility for a system whose rules are written on a roadmap they cannot see, whose logs sit in a cloud they do not control, and whose next release they will read about the same morning as their competitors. They will sign anyway. That is the part that should stay with you. Good people sign things they cannot fully stand behind every day because the alternative is telling the board the AI story is delayed — and the market has been very clear about which of those two is a career risk.
Norm AI’s investors made a decision this month. Duck Creek’s customers had one made for them. Both are now living inside a Frontier Operating Model that somebody designed, and the lease is being signed either way — increasingly shaped by AI-driven innovation leaders like the Alchemy Crew.
So find out whose name is going in the box. Not the function, the person. Then ask them one question: what would you need in order to sign this honestly? Their answer is your governance strategy; it will take an afternoon to get, and you have 18 days.
Frequently Asked Questions
What does EU AI Act Article 26 require of insurers using AI?
From 2 August 2026, Article 26(2) of the EU AI Act (Regulation (EU) 2024/1689) requires deployers of high-risk AI systems to assign human oversight to a named natural person with “the necessary competence, training and authority,” rather than to a function or a vendor. Article 26(6) additionally requires deployers to retain the system’s automatically generated logs for at least six months. For insurers, this makes human oversight of high-risk AI a personal, legally non-outsourceable duty — the reason your Frontier Operating Model’s governance layer cannot simply be a vendor subscription.
Is insurance AI classified as high-risk under the EU AI Act?
Only in part. Annex III(5)(c) of the EU AI Act classifies AI used for “risk assessment and pricing in relation to natural persons in the case of life and health insurance” as high-risk — so life and health pricing is caught, but property and casualty (P&C) underwriting is not automatically high-risk. Separately, Annex III(4) captures AI used in recruitment and worker management, which applies to every insurer as an employer regardless of the lines it writes.
What was the Norm Ai and Duck Creek news on 7 July 2026?
On 7 July 2026, two deals landed the same morning. Norm Ai raised a $120 million Series C at a $1.2 billion valuation, led by Khosla Ventures, with Blackstone, Bain Capital Ventures, Craft, Coatue, Vanguard, New York Life and TIAA participating; it builds AI agents that read regulations and supervise other agents. The same day, Duck Creek acquired Send, an AI-native underwriting orchestration engine supporting more than $26 billion in business, to create what it called the industry’s only agentic underwriting-to-core platform. Read together: one company sold AI supervision, and the other bought the AI agents, assembling the governance layer of the Frontier Operating Model in public.
Should insurers build, rent, or venture-client their AI governance layer?
Rent commodity capability, but keep supervisory decisions — model approval, risk appetite, escalation thresholds, and the regulatory narrative — inside the house, because Article 26 makes a named person personally accountable for them and you cannot rent the judgement behind a signature. For capabilities you lack internally, venture-client it: adopt a scaleup’s technology under your own governance through a 90-day sprint, with a production contract as the finish line, keeping sovereign decisions in-house. That is the difference between a supplier and a landlord.
What should be in an AI vendor contract under the EU AI Act?
Because Article 26(6) makes the deployer responsible for retaining AI decision logs for at least six months, a standard SaaS agreement is not enough, if the vendor holds the logs and your contract does not guarantee them, you are the party in breach. An AI vendor agreement should secure three things a normal contract omits: your audit rights over the vendor’s automated decisions, your logs and decision records on exit, and a named individual at the vendor who will answer your regulator’s questions. In DIVAAA™ terms, this clause architecture belongs at the Adopt stage, between the MOU and the Vendor Agreement.
References
-
Regulation (EU) 2024/1689 (EU AI Act), Article 26 — Obligations of Deployers of High-Risk AI Systems (FLI mirror of the OJ text of 13 June 2024; verify against the official text before publishing)
-
Regulation (EU) 2024/1689, Annex III — High-Risk AI Systems