- Claim — claimNo, lossType, amount, status, fraudScore
- Policyholder — name, policyNo, ssn (PII, restricted)
- Payout — amount (restricted), method, approvalState
Automate the claim. Gate the payout.
A signed, versioned Solution Pack for property & casualty claims: intake, fraud triage, and payout approval as governed actions. Payouts at or above $5,000 route to a human before a dollar moves, every triage decision is explained, and the whole outcome is sealed in the Trust Ledger — imported into your tenant with its hash and signature checked at the door.
payout ≥ $5,000 → human approval (409 without it) · representative targets · verifyPack(hashOk + signatureOk)
One signed artifact — the whole governed solution.
The Claims pack governs the path from a filed claim to a paid (or denied) outcome. It bundles the claims ontology (claim, policyholder, payout), the policies that cap autonomous payouts and force fraud holds, the Action Fabric actions that approve or deny a payout, and three curated agents — so claims automation ships as one provable artifact with the money-moving step always under human control.
The targets the pack is tuned to.
Illustrative targets for this use-case, configurable per deployment — the gates that enforce them ship in the pack.
Four governed sections, one signed bundle.
A pack is a contents bundle plus its integrity envelope. The bundle carries the definitions; the envelope — canonicalize → sha256 contentHash → HMAC signature — is what makes it portable and provable.
- Payout ≥ $5,000 → require human approval
- fraudScore over threshold → hold for investigation
- ssn is restricted — read denied outside intake
- Deny requires a cited reason code (no silent denials)
- approvePayout — riskTier: high, approval-gated ≥ $5k
- denyClaim — riskTier: medium, cited reason required
- requestDocuments — riskTier: low, auto-executed
- flagFraud — riskTier: medium, opens an investigation
- Claims Intake — structures the FNOL into the ontology
- Fraud Triage — scores risk, cites the signals it used
- Payout Approver — proposes payout, routes ≥ $5k to human
Governed agents, mapped to real Cortex controls.
Every capability in this pack is enforced by a runtime control you can audit — identity, policy, action approvals, and a sealed Trust Ledger. The pack configures them; the platform enforces them.
- approvePayout is a high-risk Action Fabric action: at or above $5,000 the agent can only propose — a human approves before the money moves. Below the cap, low-risk claims clear straight through.
- The Fraud Triage agent scores each claim and cites the signals it used. No black-box denial: every hold and flag carries an explanation a reviewer (or regulator) can read.
- denyClaim won't execute without a cited reason — policy forces every adverse decision to name the rule it rests on, so the claimant and the examiner both get an answer.
- Approve, deny, or compensate — each executed action mints a signed receipt into the hash-chained Trust Ledger, so a disputed payout has a verifiable record behind it.
- ssn and payout amount are restricted properties: read-denied outside the agents that need them, keeping sensitive claimant data out of prompts that shouldn't see it.
- Every claims agent reports into the Control Tower with live state — pause a misbehaving agent, disable a tool, or arm the kill switch across the whole fleet.
See what changes, verify the signature, then apply — to your tenant only.
Importing a pack is a verify-first, two-step flow. importPreview gives you a per-section diff against your live definitions; importApply re-checks the hash and signature, then idempotently upserts. Tamper with the contents and verifyPack returns hashOk:false — and any apply returns a 409 with no partial write.
- canonicalize → sha256 contentHash → HMAC signature — deterministic bytes, re-checkable offline
- verifyPack checks hashOk and signatureOk before a single row is written
- importPreview diff: added / changed / unchanged per section
- Tampered contents → hashOk:false → importApply 409, always your own tenant
How this pack gets into your tenant.
Cross-tenant distribution works because the HMAC signature is over the content hash with the deployment's signing secret — a pack published by one tenant verifies and installs cleanly for another, and install always targets the caller's own tenant.
- 01
Browse & preview
Find the signed pack in the registry on a stable or beta channel. importPreview shows verifyPack plus a per-section diff against your live ontology, policies, and actions — nothing is written yet.
- 02
Verify the signature
importApply re-checks hashOk and signatureOk first. A tampered bundle or a wrong secret fails closed with a 409 — there is no partial application, ever.
- 03
Apply & operate
On a valid pack, ontology types, policies, and actions idempotently upsert into your own tenant. Agents are captured for reference; the registry/licensing flow owns agent creation. Then operate the fleet from the Control Tower.
The pack ships the controls your auditors already cite.
The ontology permissions, fail-closed policies, approval gates, and sealed Trust Ledger map directly to the frameworks this use-case reports against. Aligned with — never claiming a certification you don't hold.
The pack is configuration — the runtime does the enforcing.
This pack rides the same governed runtime as every other Cortex solution. Explore the controls it configures and the industry it serves.
Insurance industry page
The Northwind Claims demo: claims intake, fraud triage, and the $5,000 payout approval gate.
Action Fabric
Approve / deny / compensate as dry-run → propose → approve → execute actions with receipts.
Control Tower
Watch every claims agent live and pause the fleet the moment something looks wrong.
Oversight
Tune the autonomy floor for payouts — automation can only tighten the human-approval gate.
Ship claims automation that keeps the payout under control.
Import the signed Claims pack, verify it, and automate the claim while every dollar over $5,000 still stops for a human.