Skip to content
AI & Strategy · June 18, 2026 · 8 min read

AI supervision for insurers:
the division of tasks is not your problem

The Dutch Insurance Federation is asking for regulatory clarity. Fair enough. But the real brake on AI lies elsewhere — and no covenant will fix it.

Illustration for article: AI supervision for insurers: the division of tasks is not your problem
Twin Peaks (1990) — David Lynch & Mark Frost, ABC, Wikipedia (opens in new window)

TL;DR

  • Division of tasks: a fair request, but not the core problem. The Dutch Insurance Federation is right that double supervision by both AFM and DNB is undesirable. But even with a crystal-clear covenant, AI projects will still stall for the same reasons.
  • Knowledge gaps at three levels simultaneously. Regulator, board and execution layer share the same deficit: the ability to assess what an AI system actually does. The supervisors themselves acknowledge this in their joint report.
  • Twin Peaks was built for money, not for models. An AI model that sets premiums touches financial soundness (DNB's domain) and customer treatment (AFM's domain) at the same time. That dividing line is harder to draw with AI than with classic financial products.
  • Regulations tell you who to call, not whether your AI is sound. A clear division of tasks removes confusion about jurisdiction — not the question of whether the model works correctly.
  • AI literacy is mandatory but still scarce. Over 90% of organisations expect increased AI use; most lack guidelines. The EU obligation under Article 4 of the AI Act is enforced from 2 August 2026.

A business contact called me last week, delighted. His new AI application was ready to go live. Three weeks later, it was still sitting there, because going live just wasn't happening. Not because the technology had a problem, but because the people who needed to approve it kept asking endless questions. Almost none of the questions were about the technology itself. They simply couldn't assess what it would do to their process, their customers and their numbers.

That story stayed with me, especially this week. The Dutch Insurance Federation (Verbond van Verzekeraars) called for a clearer division of responsibilities between the AFM and DNB in supervising AI. The whole sector nodded that finally someone was asking for clarity. I think the question is fair. But I also think it points in the wrong direction.

What the Federation actually asked

First the facts, because they are more sober than the headline suggests. In its response to the consultation on the AI Act Implementation Act, the Insurance Federation asked for clarity about who does what: DNB on business operations, AFM on conduct and products. The proposal is to align with the existing Twin Peaks model and, when in doubt, fall back on the cooperation covenant that both supervisors already have. The underlying concern is double supervision and extra administrative burden. You can read it at InFinance (opent in nieuw venster) and Risk & Business (opent in nieuw venster).

This is a reasonable request. Two supervisors asking the same questions past each other — nobody wants that, and in a sector already buried under a mountain of compliance, every duplication is one too many. So I'm not arguing that the Federation is wrong.

What I want to show is something different. Namely that even if the AFM and DNB published a crystal-clear covenant tomorrow specifying to the last comma who is responsible for what, the story of my business contact would simply repeat itself. The division of tasks between supervisors is a real problem. It just isn't the problem that holds up AI applications.

The gap exists at three levels simultaneously

What strikes me as I follow the discussion is that almost everyone points upward. The sector points to the regulator: give us clarity. But if you look carefully, you see the same deficit playing out at three levels simultaneously, with all three levels pointing to another.

Start with the regulator itself. In their joint report on AI in the financial sector (opent in nieuw venster), AFM and DNB write in plain terms that they need to expand their own knowledge in this area and in certain cases develop or adapt their supervisory methods to assess AI. That is a remarkably honest statement. The party that is supposed to provide oversight acknowledges it is still learning how to do so. That is not a criticism — it is logical for a technology that changes every month. But it does say something about the assumption that clarity will come from above.

Drop down a level, to the boardroom. I have written before about the blind spot in the boardroom: supervisory boards that are supposed to oversee AI strategies without anyone at the table who really understands the technology. A board member can read a balance sheet and assess an acquisition proposal. But the question of whether a model systematically disadvantages certain customers, or how you demonstrate the explainability of an AI decision, falls outside the repertoire most executives have grown up with. The same gap the regulator identifies in itself exists one floor higher.

And then the work floor, where my business contact got stuck. There the application is ready and someone has to press a button. That person is not asking stupid questions. They are asking exactly the right questions, posed by people who don't have the knowledge to weigh the answers themselves. What does this model do when different data comes in later? Who is liable if something goes wrong? How do I know it won't produce nonsense at the moment it matters? Every one of them legitimate. Every one of them unanswerable for someone who can't assess the technology.

Three layers. Regulator, board, execution. At all three, the same thing is missing: the ability to assess what an AI application actually does. That is not a supervision problem. That is a knowledge problem.

What a clear division of tasks does and does not solve

Let's finish the thought experiment. Suppose the implementation act is passed with a crystal-clear division of tasks. DNB handles model risk and business operations, AFM handles conduct and explainability towards the customer, and when in doubt they reach for the covenant. Good. What changes on the day my business contact wants to go live?

Nothing at the core. The questions that held up his go-live were not about which supervisor has jurisdiction. They were about whether the thing works. A clear division of tasks tells you who to call. It does not tell you whether your application is sound. That distinction is consistently conflated in the debate, and that is where the mistake lies, in my view.

Moreover, DNB's research among insurers (opent in nieuw venster) shows that AI use is increasing, that just over seventy percent of insurers incorporate EIOPA's six AI principles into their governance, but that the embedding of those principles is still developing. Knowing principles is different from being able to apply them to a specific model. And many institutions indicate they are cautious about generative AI for the time being. That caution does not stem from uncertainty about the supervisory structure. It stems from the fact that you dare not make decisions about something you don't fully grasp.

That is not reluctance. That is sensible behaviour in the absence of knowledge. Anyone who cannot estimate the impact of something should be cautious. The problem is only that this caution becomes permanent when knowledge never grows — and that is exactly what is happening now.

Twin Peaks was built for money, not for models

There is another wrinkle in the Twin Peaks proposal, and it explains why complete clarity is an illusion anyway. The Financial Supervision Act (Wft) (opent in nieuw venster) model separates prudential supervision (DNB, is the institution financially sound) from conduct supervision (AFM, is the customer treated properly). That separation works well for classical financial risks. A solvency question is different from a question about a misleading product condition.

With AI that dividing line seems harder to draw. Take a model that sets premiums. In my view, something like that touches the financial soundness of the insurer (model risk, DNB's domain) and the treatment of the customer (explainability and fairness, AFM's domain) at the same moment. I am not a lawyer and practice will have to show how often that overlap really chafes. But it is at least conceivable that you cannot always cleanly divide a single piece of technology across two supervisory domains.

If that is true, it still does not argue against the Federation's proposal. Twin Peaks as a framework is better than no framework. It would only mean that a division of tasks in which there is never any overlap is difficult to achieve with AI, and that a grey zone remains where you need to be able to assess what is happening yourself rather than looking it up in a covenant.

Why this comes down to knowledge, not rules

I understand why the supervision debate is so attractive. It is concrete, it is external, and it provides a clear address for frustration. Once the rules are clear, we can finally move forward. It is a comfortable narrative because it puts the ball in someone else's court.

The uncomfortable alternative is that the ball is in our own court. That the reason AI projects keep stalling in the sector is not so much the regulator, but the fact that too few people at too few levels can assess what AI does. That is a much harder problem, because you can't solve it with a law. You solve it with knowledge, and building knowledge takes time and effort and the willingness to admit you don't know yet.

Outside the financial sector you see the same pattern. The AI trend research by Berenschot and Waag (opent in nieuw venster) among five hundred respondents shows that the majority of organisations lack guidelines for responsible AI use, while more than ninety percent expect use to increase in the coming years. The gap between using and understanding is wide, and it exists everywhere. That is precisely why the European legislator included an AI literacy obligation (opent in nieuw venster) that is enforced from 2 August 2026. Not because Brussels likes rules, but because without basic knowledge all other requirements hang in the void.

The supervisors know this better than anyone. They write it down. They indicate they need to build up their knowledge, they conduct sector-wide surveys to understand what is happening, and they will keep an eye on things again in 2026. The party you would designate as the source of clarity is itself still very much learning. That is not a criticism. That is the reality of a technology that moves faster than any supervisory structure can keep up with.

The question I missed in the debate

So yes, give the AFM and DNB a clear division of tasks. It reduces burden, it prevents duplication, and the Federation is absolutely right to ask for it. Do it.

But don't expect it to unblock your AI project. The entrepreneur who called me last week would have gained nothing from a covenant between two supervisors. What he needed — and what his people needed — was the ability to assess for themselves whether the thing was sound. That capability is not something you buy from a regulator. You build it yourself, within your own organisation, one question at a time.

The question I heard so little this week is not who oversees AI. It is whether we ourselves can actually assess what AI does. As long as that question remains unanswered, every application will stay where my business contact's stood. Ready to go live, and waiting for knowledge that isn't there yet.

Sources