Coverage feed online · Q2 MMXXVI
Continuous underwriting · The methodology.
Underwriting · Methodology

We price drift, not snapshots.

The questionnaire is a photograph. The model is a film. Conventional liability underwriting prices a snapshot at bind and reconciles a year later. For autonomous systems and decision agents, twelve months is six versions of the model and four versions of the policy that governs it. The premium that was correct in March is wrong by August.

Castra runs continuous underwriting. We instrument every bound model with three measurements — an action audit, a classification stability signal, and a dependency graph. Each transmits to our underwriting feed. Each contributes to a per-quarter premium adjustment and to the cession we hold against our reinsurance treaty. None of them require us to read your prompts.

What follows is the contract. It is in three parts — the instruments themselves, the telemetry they transmit, and the premium mechanics. We publish it because reinsurers and counsel both ask. The wording in the binder governs.

A model that was safe at bind can drift by Friday.

§ I · The three instruments

Three measurements, one binder.

Per model · Per quarter

Each bound model is instrumented at policy inception. The three instruments operate on different time horizons — the action audit is event-level, the classification stability signal is daily, and the dependency graph is monthly. Together they describe the model's posture in a way that a single-shot questionnaire cannot.

No. I

The action audit.

A cryptographically signed ledger of every consequential action the bound model authorises in production.

Every action that crosses a defined consequence threshold — a payment, a clinical recommendation, a route revision, a counter-action by an autonomous platform — is recorded with timestamp, model version, input class, decision class, and downstream effect. The record is hashed and signed in sequence; tampering is detectable.

The audit is the substrate on which a claim is later reconstructed. Without it, a loss is an argument. With it, a loss is a record.

CadenceEvent-level
Retention7 years
FormatSigned JSONL
TransportmTLS / SFTP
No. II

The classification stability signal.

A daily measurement of how a bound model classifies a fixed canary set against its own prior behavior.

At bind, we agree a canary set — inputs the model has been seen against and whose correct labels are known. Each day, the bound model is re-evaluated against the set. We measure agreement with prior runs, agreement with the labelled ground truth, and the distribution of confidence.

Drift is the difference. The signal is how we know the model has changed without your developers having to tell us they shipped.

CadenceDaily
Canary size5,000–25,000
MetricPSI · KL · Top-k
Alert thresholdPer coverage line
No. III

The dependency graph.

A monthly map of upstream models, datasets, vendors, and inference paths the bound system depends on.

An autonomous system is rarely one model. It is a model that calls a retrieval index, that depends on an embeddings family, that consumes a third-party API, that is fine-tuned on a private corpus. A failure in any of those nodes is a loss event in the bound policy.

We maintain the graph against your software bill of materials. Concentration in any single upstream — one provider, one dataset, one embeddings family — is priced as a correlation risk on the portfolio side, not yours alone.

CadenceMonthly
FormatCycloneDX + delta
InputsSBOM · API trace
Portfolio useConcentration model
§ II · Telemetry · The contract

What we ingest, and what we do not.

Tab. 01 · Telemetry schema

The telemetry contract is annexed to every Castra binder. It enumerates exactly what the insured agrees to transmit, the cadence, and the retention. It is bidirectional — we commit to what we will not ingest as firmly as to what we will.

Castra ingests metadata describing the insured's AI deployment under the telemetry contract — specifically the action audit, classification stability signal, and dependency graph described below. Castra does not ingest raw model inputs (prompts, queries, or source documents), raw model outputs (free-text responses or generated content), model weights, training data, or end-user personal information. The action audit records categorical metadata about each consequential action — timestamp, model version, input class, decision class, and downstream effect — sufficient to reconstruct a claim without reading the underlying interaction. The audit ledger is held by the insured and made available under defined claim-readiness conditions; we do not stream it.

Data is transmitted over mutually authenticated TLS or, for batch submissions, SFTP against a per-cedant key. Retention defaults are listed below. The insured may shorten any retention period; the underwriting price will adjust accordingly. SOC 2 Type II controls are maintained by our processing vendor; the report is available to brokers and treaty counterparties under NDA.

Data residency: US-East and Frankfurt by default. Other regions on request. Castra does not transmit telemetry outside the residency region.

Tab. 01 · Telemetry schema Indicative.
Item Cadence Retention
Signed action audit (hashed ledger) Event 7 yrs
Canary set re-evaluation Daily 3 yrs
Drift statistics (PSI, KL, top-k) Daily 3 yrs
Incident report (operator-initiated) Event 7 yrs
Dependency manifest (SBOM) Monthly 5 yrs
Material change notice Within 15 d 7 yrs
Prompts, inputs, outputs, weights Not ingested.

The full schema is annexed to every binder as Schedule C. Where the schedule and this page disagree, the schedule governs.

§ III · Premium mechanics

A base, a drift charge, a quarterly true-up.

Fig. 01 · Indicative ladder

Premium is composed of three elements. A base rate, set at bind, against exposure class, coverage line, jurisdiction, and limits. A drift charge, recalculated quarterly against the classification stability signal and the dependency graph. A cession reserve, held against the portfolio's correlation exposure as measured against our cat methodology.

The drift charge moves the premium in both directions. A model whose canary agreement tightens, whose dependencies consolidate, and whose action audit shows no consequence-threshold incidents pays less in quarter four than it did in quarter one. A model whose drift widens pays more. The mechanism is asymmetric only in one place: the drift charge cannot reduce the base by more than 35 percent in any single quarter, and cannot widen it by more than 65 percent without triggering a binder review.

The annual true-up reconciles the four quarters against the actuals. Material changes — substantial fine-tunes, jurisdiction additions, new dependency classes — trigger a mid-cycle adjustment instead of waiting for the renewal.

Premium is the price of telemetry. Without it, we cannot price.

Fig. 01 · Indicative drift ladder Per £1 of base
Quiet −28%
Mild drift −12%
Baseline 0%
Material drift +22%
Sustained drift +38%
Review trigger +65%

Indicative, not actuarial. Per £1 of base annual premium, range of the quarterly drift adjustment under the standard binder. Sustained drift over two consecutive quarters or a single review-trigger reading initiates a binder review under Section 6.4 of the form wording.

Imperium per disciplinam.
Through discipline, command.

One submission per placement. Six business days to bind.

Request a quote For reinsurers