The certificate of insurance request that comes in at 4:55 on a Friday
A contractor's GC needs a COI naming a new additional insured before Monday's job site walk. The request lands in a shared inbox. A CSR pulls the policy in the agency management system, checks whether the endorsement actually grants additional-insured status, generates the certificate, and emails it back. Multiply that by every CSR, every carrier, every renewal season, and you have the real shape of agency work: high-volume, source-bound, and bounded by what a policy genuinely covers — not what someone wishes it covered.
That is exactly where AI earns its keep in an agency, and exactly where a general-purpose chatbot is dangerous. The honest read on adoption is sober about this gap. The RSM middle-market AI survey and the San Francisco Fed analysis of AI and small businesses both show firms experimenting widely but converting little into production, and the OECD report on AI adoption by small and medium-sized enterprises ties the value gap to whether a firm can name the source of record and the person accountable for the output. In an agency, those are not abstractions. The source of record is your AMS — Applied Epic, EZLynx, AMS360, HawkSoft. The accountable person is a licensed CSR or producer. AI that doesn't respect both is a liability waiting for an audit.
So before anyone tests a prompt, write down four things for one workflow: which system holds the truth (the AMS, the carrier portal, the policy PDF), who is allowed to send the answer, what the answer is permitted to say, and where an exception goes. For the COI case: the AMS holds the policy and endorsement data, a licensed CSR approves the certificate, the output may only reflect coverage that exists, and any ambiguous additional-insured request escalates to the producer of record.
What the model touches, and what it must never decide alone
The failure mode is predictable: someone connects a slick assistant to the whole book of business and lets it answer coverage questions directly to insureds. Now an unlicensed model is effectively giving coverage opinions, your policyholder PII is flowing through a tool nobody scoped, and you have no log of what it told whom. The NIST AI Risk Management Framework gives you the structure to define that context and assign reviewer accountability, and CISA AI Data Security Best Practices tells you how to decide what carrier portal data, ACORD application detail, declarations pages, claims notes, and customer email threads may be exposed to a model, retained, logged, or excluded entirely.
Translate that into one page per workflow. For renewal prep, the AI can read the expiring policy and loss runs from the AMS, draft a renewal summary, and flag coverage gaps — but the producer decides the remarketing strategy and what goes to the client. For endorsement intake, the model can extract the requested change from a client email and pre-fill the ACORD form, but a CSR confirms it against the carrier's underwriting rules before submission. The line is the same every time: AI handles retrieval, extraction, and drafting; a licensed human owns any statement about what is or isn't covered, and any communication that leaves the agency.
The practical tell is whether the output carries its sources. A summary that says "auto liability renews 6/1, current limit $1M CSL, prior-term losses: two claims totaling $14K, gap: no hired/non-owned coverage" — with each fact traceable to a record in the AMS — is reviewable in seconds. A fluent paragraph with no record trail is a guess in a nicer outfit, and your E&O carrier will see it that way too.
Pick one path, measure it like an operator, then earn the next one
Deloitte's State of AI in the Enterprise 2026 is blunt that the line separating winners from dabblers is moving work into production, not counting pilots. For an agency, production value is one workflow — certificates, renewal prep, or endorsement intake — that measurably shortens turnaround without weakening data handling or the licensed-review step.
Measure it the way you'd measure a new CSR hire. Track turnaround time on the chosen request type (how long from inbound to client-ready), the reviewer correction rate (how often the CSR has to fix the draft), the missing-source rate (how often the AI produces an answer with no AMS record behind it), escalation volume to producers, and CSR adoption — because a tool your service team routes around is dead whatever the demo showed. If you can't name the system of record or the licensed reviewer for a given recommendation, that's the signal to fix the underlying process before bolting on more AI.
Start narrow on purpose. Use the manual-work scoring guide to confirm the certificate or renewal path is actually worth automating, then run the 90-day AI implementation plan to stage AMS data cleanup, a working prototype on one carrier or one line of business, CSR training, and a controlled launch. The agencies that win this don't roll AI across every document type at once — they prove one governed path, then extend to the adjacent one. On Monday, pick the single request type that eats the most CSR hours and write down its four boundaries. That page is the whole project's foundation.
