Sixfold’s AI Governance Program

Sixfold's AI Governance Program is an ongoing internal process for identifying, assessing, and mitigating the risks of our AI. It is organized into five focus areas with named owners, defined deliverables, and a regular cadence of reviews.
This post explains what it covers and why we built it the way we did.
Why we established this now
Responsible AI is not new territory for Sixfold. We have been thinking carefully about how we build and deploy AI in insurance underwriting since the day we launched in May 2023.
The honest answer to "why now?" is this: we wanted to formalize what we were already doing, and the regulatory environment gave us both the mandate and the structure to do it well.
The reality is that AI legislation is different from most of the compliance frameworks insurers and vendors are familiar with. AI compliance is process-based. It is about building the organizational muscle to understand whether your systems could cause harm, and then evaluating that question consistently over time.
That kind of ongoing work requires real ownership, clear processes, and people who are explicitly accountable for staying on top of it. We also made a deliberate choice not to chase specific legislation line by line. AI laws are still in progress across jurisdictions and contested at every level. Instead, we anchored the program around established industry reference points:
- The NIST AI Risk Management Framework (AI RMF 1.0), a voluntary framework that gives durable guidance on risk management and oversight.
- The EU AI Act's requirements for providers of high-risk systems (Articles 9-17), which set concrete expectations on documentation, testing, and accountability.
That approach is more durable and more honest about where regulation actually is today.
From principles to practice
Sixfold has had a set of responsible AI principles since early on. We formalized and launched our first Responsible AI approach in 2024 and released an updated version in 2025. What the governance program does is translate those principles into organized action.
"Principles are well and good, but without action words they're just hot air."
– Noah Grosshandler, Product Manager and AI Governance Program Lead at Sixfold
The program gives us specific owners, defined deliverables, and a cadence for revisiting each area. It creates the connective tissue between what we believe and what we actually do. And critically, it builds the structure to change over time, because the landscape will constantly move forward, our product will change, and what it means to apply those principles responsibly will change with them.
We are building toward a complete Annex IV documentation package. That is the concrete output regulators and enterprise customers ask for. The program also addresses the requirements to prevent algorithmic discrimination found in much of the emerging global AI legislation, which are especially relevant to our customers operating in the life and health space. Bias and fairness testing is part of the program, with methodology tailored to each line of business.
How the program is structured
The program is organized around five focus areas, each with its own owners and activities:
General governance covers the program itself: keeping the right people informed, running annual retrospectives, and ensuring continuity when things change.
Risk and compliance is responsible for identifying and tracking AI-specific risks, reporting on them quarterly, and handling any ad hoc mitigation or incident response as needed.
Data and model governance focuses on the data used to develop and train our systems. This means understanding where data comes from, confirming it is used ethically, and being able to clearly explain how system behavior relates to the inputs that shaped it.
Ethics and responsible AI covers fairness, explainability, and human oversight. It is the function that asks where humans should stay in the loop, what our position is on where AI should and should not operate, and whether the way our system works is genuinely ethical, not just technically sound.
Security and privacy handles the technical infrastructure: making sure the underlying systems meet the security and privacy requirements of what we are building.
Each area has its own cadence. Risk and compliance runs quarterly reviews. The ethics function does the same, looking at new functionality and evaluating human oversight design. Between those cycles, the full group of program owners meets bi-weekly to stay coordinated.
"Our different areas of focus don't need to change when a new regulation drops or a new product drops, we can slot new requirements into the existing structure."
– Noah Grosshandler, Product Manager and Facilitator of the AI Governance Program
One thing worth being explicit about: having dedicated program owners does not mean this is only their responsibility. At the end of the day, the company is accountable. Every person at Sixfold is responsible for building software that is honest, transparent, and ethical. The program owners exist to maintain the expertise and the process rigor that makes that possible at scale.
What this means for our customers
We have customers in North America, EMEA, South America and Australia today. Across the globe our customers face their own compliance pressures as deployers, and we can support them with that. Many of them are being asked by their own regulators and partners to demonstrate responsible AI practices, and most are still working out what that means for them.
The governance program helps us support our customers directly:
- When a customer receives a compliance questionnaire about their AI vendor, we will have clear and documented answers.
- When they are trying to build their own responsible AI stance, we can share what we have learned. We are not just handing over a package of documents; we are trying to be a resource that helps them build out their own AI governance practices.
- Our customer success team works with each customer individually, because our customers operate across different jurisdictions, different product lines, and different regulatory environments. There is no one-size-fits-all approach here.
"The company is accountable. Just because there is this program and this charter doesn't mean that it is not every single person at this company's job to make sure that what we're building is built ethically, built honestly, built transparently."
– Noah Grosshandler, Product Manager and AI Governance Program Lead
What comes next
In the near term, we are focused on achieving the right baseline: making sure all documentation is in place, all processes are codified, and we are ready for the enforcement deadlines that matter.
The longer-term goal is bigger. We want to continue to be at the forefront of what responsible AI development actually looks like in insurance, not just compliant on paper but genuinely ahead of the problem. That means working with bodies like the NAIC to share what has worked and what has not. And it means making sure the program itself stays modular and adaptable, so when new regulations drop or our product evolves, we can slot in new requirements without rebuilding from scratch.
We built the governance program because Responsible AI is a core part of Sixfold. The structure the program provides is how we make sure that commitment holds.
Questions about Sixfold's AI governance approach? Reach out to your customer success representative or get in touch with our team.
Learn more about our commitment to being a Responsible AI organization here.
━━━
FAQ
What is an AI Governance Program? An AI Governance Program is a structured and ongoing internal process for identifying, assessing and mitigating risks. Sixfold developed the program to mitigate the risks of deploying our AI in insurance underwriting. It is organized into five focus areas, each with named owners, defined deliverables, and a regular review cadence.
Why did Sixfold create a formal AI governance program? To formalize responsible AI practices it had been following since launch, and to meet the requirements of emerging AI legislation. AI compliance is process-based and requires ongoing evaluation.
Is the AI Governance Program required by law? Not by a single law, but most emerging AI regulations require some form of oversight program. Rather than chasing specific legislation, Sixfold anchored the program in established frameworks like NIST AI RMF, which is more durable given how frequently AI laws are still changing.
How often does Sixfold review its AI governance program? Program owners meet bi-weekly. Risk and compliance runs quarterly reviews, as does the ethics and responsible AI function. Incident response is handled ad hoc as needed.
How does the AI Governance Program help insurance customers with their own compliance? Sixfold gives customers documented answers to vendor compliance questionnaires and a framework they can learn from as they build their own responsible AI practices. Sixfold's customer success team works with each customer individually given differences in jurisdiction and product line.
Who is responsible for AI governance at Sixfold? The whole company. Named owners across the five focus areas maintain the expertise and process rigor, but every person at Sixfold is accountable for building software that is honest, transparent, and ethical.
