From Black‑Box to Explainable: Cloud‑Native AI Demand Engineering for Life‑Insurance

Insurance AI must provide not only a recommendation but also the reasoning, rule references, clause versions, health disclosures, and a complete audit trail because underwriting errors can cause adverse selection, claim disputes, regulatory penalties, and reserve pressures.

The solution is an explainable, traceable, auditable decision chain that augments expert judgment. It satisfies eight production requirements: Explainability, Audibility, Controllability, High Concurrency, Scalability, High Availability, Consistency, and Operability.

Overall Architecture

The platform is a cloud‑native AI demand‑engineering system composed of four layers: Data & Event, Ingress, Cloud‑Native Infrastructure, and Application Services. Core components include Spring Boot 3, Spring AI, Kafka, Redis, Milvus (vector store), Neo4j (graph store), Drools rule engine, and an AI Orchestrator that handles model routing, prompt versioning, tool orchestration, security guardrails, and cost governance.

AI Orchestrator (simplified)

public class AiOrchestrator {
    private final ChatClient chatClient;
    private final PromptTemplateRepository promptTemplateRepository;
    private final ObjectMapper objectMapper;
    private final MeterRegistry meterRegistry;
    private final AuditTraceService auditTraceService;

    public AiOrchestrator(ChatClient.Builder builder, PromptTemplateRepository repo,
                         ObjectMapper mapper, MeterRegistry registry, AuditTraceService audit) {
        this.chatClient = builder.build();
        this.promptTemplateRepository = repo;
        this.objectMapper = mapper;
        this.meterRegistry = registry;
        this.auditTraceService = audit;
    }

    public <T> T callJson(AiTaskRequest request, Class<T> responseType) {
        PromptTemplateVersion template = promptTemplateRepository
            .findPublished(request.promptCode())
            .orElseThrow(() -> new IllegalStateException("Prompt not found: " + request.promptCode()));
        String prompt = template.render(request.variables());
        long started = System.nanoTime();
        try {
            String content = chatClient.prompt()
                .system(template.systemPrompt())
                .user(prompt)
                .options(ChatOptions.builder()
                    .model(request.model())
                    .temperature(request.temperature())
                    .maxTokens(request.maxTokens())
                    .build())
                .call()
                .content();
            T result = parseStrictJson(content, responseType);
            auditTraceService.recordModelCall(ModelCallTrace.success(
                request.traceId(), request.promptCode(), template.version(),
                request.model(), prompt, content, elapsedMillis(started)));
            meterRegistry.counter("ai_call_total", "prompt", request.promptCode(),
                "model", request.model(), "result", "success").increment();
            return result;
        } catch (Exception ex) {
            auditTraceService.recordModelCall(ModelCallTrace.failure(
                request.traceId(), request.promptCode(), template.version(),
                request.model(), prompt, ex.getMessage(), elapsedMillis(started)));
            meterRegistry.counter("ai_call_total", "prompt", request.promptCode(),
                "model", request.model(), "result", "failure").increment();
            throw new AiCallException("AI call failed, traceId=" + request.traceId(), ex);
        }
    }

    private <T> T parseStrictJson(String content, Class<T> type) throws IOException {
        String json = JsonExtractor.extractFirstJsonObject(content)
            .orElseThrow(() -> new IllegalArgumentException("LLM response is not valid JSON"));
        return objectMapper.readValue(json, type);
    }

    private long elapsedMillis(long started) {
        return TimeUnit.NANOSECONDS.toMillis(System.nanoTime() - started);
    }
}

GraphRAG for Explainable Underwriting

Standard RAG (vector retrieval → prompt) is insufficient because underwriting must consider entity relationships such as disease classification, TI‑RADS level, product‑specific rules, and historical cases. GraphRAG enriches retrieval with Neo4j edges, enabling queries like “which rules apply to disease E04.1 for product TERM_LIFE_A?” and returns a sub‑graph that the LLM must cite.

Domain Modeling

Natural‑language requirements are transformed into typed domain objects. Example enums:

public enum DecisionAction {
    STANDARD, RATING, EXCLUSION, POSTPONE, DECLINE, MANUAL_REVIEW
}

public enum EvidenceSourceType {
    REQUIREMENT_TEXT, POLICY_CLAUSE, UNDERWRITING_RULE, HEALTH_DECLARATION,
    MEDICAL_KNOWLEDGE, GRAPH_RELATION, RULE_ENGINE, HUMAN_REVIEW, LLM_REASONING
}

Rule objects include versioning, applicability, status, and an isEffective(LocalDate) method to enforce temporal validity.

Fast‑Path / Slow‑Path Underwriting

Fast path: cache hit, deterministic rule engine, minimal or no LLM call; P99 latency 300‑800 ms.

Slow path: GraphRAG retrieval, LLM explanation, optional human review; P99 latency 3‑8 s (asynchronously queued).

Semantic Cache

A vector‑based cache stores normalized request text together with product code, rule version, and disease code. Keys are persisted in Redis and indexed in Milvus for similarity search, improving cache‑hit ratios for semantically equivalent requests.

Concurrency Controls

Gateway rate limiting per channel/tenant.

Service‑level bulkheads for underwriting, batch jobs, and model services.

Model‑quota management per model/prompt.

Asynchronous Kafka queues for low‑priority batch processing.

Outbox Pattern for Eventual Consistency

Business updates and outbox events are written in the same DB transaction. A scheduled publisher reads pending events, sends them to Kafka with idempotent keys, and marks them published. Consumers use Redis‑based idempotency keys to guarantee exactly‑once processing.

Observability & Metrics

Beyond QPS/latency, the platform tracks AI‑specific KPIs: call counts, token usage, RAG hit ratio, decision auditability, missing‑evidence counts, rule‑conflict totals, and cache‑hit ratio. Example metric component:

public class AiMetrics {
    private final MeterRegistry registry;
    public AiMetrics(MeterRegistry registry) { this.registry = registry; }
    public Timer.Sample start() { return Timer.start(registry); }
    public void recordAiCall(Timer.Sample sample, String model, String promptCode, String result) {
        sample.stop(Timer.builder("ai_call_latency")
            .tag("model", model)
            .tag("prompt", promptCode)
            .tag("result", result)
            .publishPercentileHistogram()
            .register(registry));
        registry.counter("ai_call_total", "model", model, "prompt", promptCode, "result", result).increment();
    }
    public void recordDecision(String action, boolean humanReview) {
        registry.counter("underwriting_decision_total", "action", action,
            "humanReviewRequired", String.valueOf(humanReview)).increment();
    }
}

Kubernetes Deployment

Production services are deployed as Deployments with rolling updates, readiness/liveness probes, resource requests/limits, and Istio sidecars for mTLS, traffic splitting, and circuit breaking. Horizontal Pod Autoscalers use CPU and memory metrics; advanced setups can use KEDA to scale on Kafka lag.

Security & Guardrails

PII masking replaces ID numbers and phone numbers with placeholders before any LLM call. Output guardrails reject responses that lack evidence, contain absolute promises (e.g., “guarantee coverage”), or violate rule‑based constraints. The guardrail returns a structured GuardrailResult indicating pass or block with error messages.

public GuardrailResult validate(AiUnderwritingResponse response) {
    List<String> errors = new ArrayList<>();
    if (response.evidences() == null || response.evidences().isEmpty())
        errors.add("Underwriting decision must include evidence chain");
    if (response.action() == DecisionAction.DECLINE &&
        response.evidences().stream().noneMatch(e -> e.sourceType() == EvidenceSourceType.UNDERWRITING_RULE))
        errors.add("Decline must cite a published underwriting rule");
    if (containsAbsolutePromise(response.reason()))
        errors.add("Output contains absolute promise");
    return errors.isEmpty() ? GuardrailResult.pass() : GuardrailResult.block(errors);
}

Testing Strategy

Testing spans unit tests for rule parsing, integration tests for Kafka/Redis/DB, a Golden Set of fixed underwriting scenarios, adversarial tests for ambiguous phrasing, regression suites for Prompt/model/rule upgrades, and load tests targeting fast‑path latency, cache‑hit ratio, and batch throughput.

Case Study: Thyroid Nodule Underwriting

A real‑world requirement for 25‑45 year‑old applicants with thyroid nodules is processed through requirement pre‑review, rule extraction (producing standard‑body, manual‑review, and postpone rules), automatic test‑case generation, and a staged rollout that includes expert approval, compliance sign‑off, golden‑set verification, 10 % traffic canary, and full‑scale release after monitoring human‑review and override rates.

Evolution Roadmap

Stage 1: Single‑module MVP with Spring Boot, MySQL, Redis, mock LLM.

Stage 2: Service‑oriented decomposition, Kafka + Outbox, Milvus & Neo4j, Prompt versioning.

Stage 3: Cloud‑native production with Kubernetes, Istio, Prometheus/Grafana, HPA/KEDA.

Stage 4: Multi‑Agent orchestration (requirement analyst, rule generator, compliance, test, and orchestration agents).

Common Pitfalls

Never let LLMs directly modify production rules; always route through validation and approval.

Persist full audit trails (input hash, prompt version, model, evidence, human review) instead of only final decisions.

Combine vector retrieval with strict structured filters for product code, rule version, disease code, and channel permissions.

Maintain a feedback loop where human overrides feed back into model fine‑tuning.

Separate batch pipelines from online request pools with distinct thread pools and resource quotas.