
Across independent insurance agencies in Salt Lake City and beyond, agents and staff are using AI tools to write client emails, summarize policy documents, draft proposal language, and research coverage options. Most of them are doing this without any agency-level policy governing what they can feed into those tools. A 2024 study by CybSafe and the National Cybersecurity Alliance found that 38% of employees share confidential data with AI tools without employer approval. A separate BlackFog survey found that 49% of employees use AI tools that haven't been vetted or approved by their organization. In an industry where your clients' Social Security numbers, health histories, and financial records are in the mix, that's a liability your agency can't afford to ignore.
The AI Hallucination Problem That Could Cost You a Client
Before getting to the data risk, there's a more immediate problem worth understanding: AI tools make things up. This behavior — called hallucination — occurs when an AI model generates plausible-sounding but factually incorrect information. For insurance agencies, the practical consequences can be serious.
Imagine a producer asking an AI tool to draft a commercial lines proposal for a new client. The AI helpfully generates a document that references specific coverage limits, endorsements, and even cites statistics about industry claims rates to make the case for the recommended coverage. The producer, under deadline pressure, sends it without verifying the details. The cited statistics are invented. The endorsement described doesn't exist on the policy as quoted. The client signs based on what they read in the proposal.
That's not a hypothetical edge case — it's the predictable output of a technology that generates text based on probability, not fact. AI can be enormously useful for drafting and summarizing, but every output that touches a client needs human review before it leaves your agency.
What Your Agents Are Actually Feeding Into AI Tools
Here's the risk that matters most from a data security standpoint. When your agent pastes a client's policy details into ChatGPT to ask for a summary, or drops a claims letter into an AI tool to get a simpler explanation, they may be transmitting:
- Client names, addresses, and contact information
- Social Security numbers and dates of birth from policy applications
- Health and medical information from life or health insurance underwriting
- Financial information and property values from commercial applications
- Claims histories and legal correspondence
Many consumer-facing AI tools — the free or low-cost versions your team is most likely using without approval — use submitted data to train their models or store it in ways that are not covered by a Business Associate Agreement or any equivalent security commitment. Your agency's client records don't belong in an AI training dataset.
This is a form of shadow IT: technology used by employees for work purposes that hasn't been evaluated, approved, or configured by the agency. Shadow IT is difficult to detect and difficult to control after the fact. The better approach is to get ahead of it with a clear policy.
The Specific Risk for Applied Epic and AMS360 Users
Agency management systems like Applied Epic and Vertafore AMS360 contain your entire book of business — every policyholder record, every document, every note. When agents start copy-pasting client data from these systems into external AI tools, you lose control over where that data goes.
Some agents may not realize this is a problem. They're trying to be efficient. They see AI as a productivity tool, the same way they see a Google search. The difference is that a Google search doesn't receive your client's Social Security number as input. That distinction is worth making explicit in your agency's policies and training.
Three Ways to Use AI Safely in Your Agency
AI Drafts, Humans Approve
Establish a clear rule: AI tools can help produce a first draft, but no AI-generated content goes to a client or a carrier without a licensed agent reviewing and approving it. This applies to proposal language, coverage explanations, client emails, and any document that will be relied upon for an insurance decision. The agent is responsible for the accuracy of what goes out under their name. AI assistance doesn't change that — it just changes how the first draft got written.
Define What Not to Feed AI
Create a short, explicit list of what your team is never permitted to paste into an external AI tool: client names and contact details, Social Security numbers, health or financial information, policy numbers, claims documents, and any content extracted from Applied Epic, AMS360, or DocuSign. Post it where people will see it. Reference it in onboarding. Make it a standing item in your next agency meeting.
Evaluate AI Tools Before They Spread
If your agency wants to formally adopt an AI tool for productivity purposes, evaluate it before it becomes the default. Look at whether it offers data privacy protections, whether your data is used for training, whether there's an enterprise or business tier with stronger security commitments, and whether it can be configured to avoid storing sensitive inputs. Microsoft Copilot deployed through your Microsoft 365 tenant, for example, is configured with your organization's data policies — it's a very different security profile than a free consumer chatbot.
Shadow IT Is the Bigger Problem
The AI tools your agents are using without approval are just one example of shadow IT — but they're particularly high-risk because they're designed to ingest and process text, and your agents' most valuable asset is the text inside your client files.
Shadow IT is hard to see and hard to stop once it's entrenched. The way to manage it isn't to ban everything and wait for people to ignore the rule. It's to acknowledge that your team wants useful tools, evaluate options with security in mind, establish clear policies, and give people a way to request approval for tools they find valuable. An agency that engages its team on this question is far more likely to actually influence behavior than one that issues a memo and moves on.
Your Clients Trust You With Sensitive Information
Insurance is a relationship business, and the foundation of those relationships is trust. Your clients share their most sensitive personal and financial information with your agency because they trust you to handle it responsibly. That responsibility extends to how your team uses technology — including the AI tools they're adopting on their own initiative. A data exposure through an unapproved AI tool isn't just a security incident. It's a breach of the trust your clients placed in you.
State insurance regulators expect licensees to maintain appropriate data security practices. Using unapproved tools to process nonpublic personal information could implicate your obligations under Utah's adoption of the NAIC Insurance Data Security Model Law. Getting a policy in place now — before something goes wrong — is the right move.
Frequently Asked Questions
Are any AI tools actually safe to use with client data?
Some enterprise-tier AI products are designed with stronger data security controls and don't use your inputs to train their models. Microsoft Copilot deployed through Microsoft 365, for example, operates within your organization's security perimeter and is governed by Microsoft's enterprise data agreements. The key questions to ask of any AI tool: Does it use my inputs for training? Where is my data stored? Is there a Business Associate Agreement or equivalent available? Free consumer AI tools generally fail all three of these tests for insurance agency use.
What if a state regulator asks about our AI use? Do we have to disclose it?
Regulatory expectations around AI are evolving, and state insurance departments are actively developing guidance in this area. What's clear now is that your existing data security obligations apply regardless of what technology your team uses. If an AI tool resulted in unauthorized disclosure of nonpublic personal information, that would likely trigger your breach notification obligations under Utah law. Having a documented AI policy — even a simple one — demonstrates that your agency is managing this proactively.
How do we find out which AI tools our team is already using?
Start with a direct conversation. Ask your team what tools they're using to help with their work — frame it as wanting to understand what's useful, not a gotcha. You can also ask your managed IT services provider to audit network traffic and installed applications for cloud-based AI services. Many agencies are surprised by how many tools are already in use. The goal of the discovery process isn't to shut things down immediately but to understand the landscape so you can make informed policy decisions.
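One way an IT provider might run the network-traffic audit mentioned above, as an added example that is not from the original article: it tallies uploads to AI services per user from web proxy logs. The log layout, the domain watch list and the approved-tool list are assumptions made for this example.

```python
from collections import defaultdict

# Assumed watch list (illustrative, incomplete): AI service domain -> label.
AI_DOMAINS = {
    "chatgpt.com": "ChatGPT/OpenAI",
    "openai.com": "ChatGPT/OpenAI",
    "claude.ai": "Claude",
    "copilot.microsoft.com": "Microsoft Copilot",
}
APPROVED = {"Microsoft Copilot"}  # assumed: tools the agency has vetted
# Constructed sample lines: time, workstation IP, user, method, host, bytes uploaded.
SAMPLE_LOG = """\
2024-11-04T09:12:01Z 10.0.4.21 jsmith POST chatgpt.com 48211
2024-11-04T09:12:44Z 10.0.4.21 jsmith POST api.openai.com 1930
2024-11-04T09:20:37Z 10.0.4.33 mlee POST copilot.microsoft.com 2210
2024-11-04T09:31:05Z 10.0.4.40 akhan POST notchatgpt.com 900
2024-11-04T09:40:19Z 10.0.4.40 akhan POST Claude.AI. 15876
malformed line without enough fields
"""

def match_service(host):
    """Return the label if host equals, or is a subdomain of, a watched domain."""
    host = host.lower().rstrip(".")
    for domain, label in AI_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return label
    return None  # look-alikes such as notchatgpt.com do not match

def audit(lines):
    """Total requests and uploaded bytes per (user, service)."""
    usage = defaultdict(lambda: {"requests": 0, "bytes_up": 0})
    for line in lines:
        parts = line.split()
        if len(parts) != 6 or not parts[5].isdigit():
            continue  # skip malformed records
        user, host, sent = parts[2], parts[4], int(parts[5])
        service = match_service(host)
        if service:
            usage[(user, service)]["requests"] += 1
            usage[(user, service)]["bytes_up"] += sent
    return dict(usage)

def unapproved(usage, approved=APPROVED):
    """Rows for services not on the approved list, largest upload first."""
    rows = [(u, s, v["requests"], v["bytes_up"]) for (u, s), v in usage.items() if s not in approved]
    return sorted(rows, key=lambda r: r[3], reverse=True)

if __name__ == "__main__":
    print(*unapproved(audit(SAMPLE_LOG.splitlines())), sep="\n")
```

Upload volume is a rough signal of how much text was pasted, so it helps decide which conversations to have first; it does not show what the text contained.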

