An insurance policy is a promise written in data. When nothing has gone wrong, that data looks ordinary: policy number, premium, nominee, health declaration, KYC, claim history, bank details, surveyor note, TPA file, medical report, payout record.

Then life happens. An accident. A hospitalization. A death in the family. A flood. A fire. A diagnosis nobody wanted to hear. Suddenly the policyholder isn't a row in a system, they're a person having one of the worst days of their life, and their data starts moving. The claim goes to internal teams, TPAs, agents, surveyors, hospitals, finance, support, legal, and reporting layers. Every handoff may be legitimate, and every handoff also creates one more place where sensitive policyholder data can be seen.

So the most important question often isn't "Do we have policyholder data?" Of course insurers do. The sharper question is: who can see a policyholder's worst day right now?

1. When the Claim Starts Moving

Insurance is full of intermediaries: TPAs, agents, brokers, surveyors, medical networks, claims processors, document-verification partners, call-center teams, and technology vendors. Each partner may need some data to do legitimate work. A TPA needs health and claims details. A surveyor needs case documents. An agent needs policy and customer context. A medical partner needs specific records. A support team needs enough information to resolve an issue.

But access granted for one workflow easily outlives the workflow. A claim closes, and the folder stays shared. A surveyor finishes, and access stays active. A TPA integration changes, and old credentials go unreviewed. An agent moves branches, and the previous records stay visible. A support user gets temporary elevated access during a crisis, then keeps it. The risk grows quietly, not because one person made a reckless decision, but because insurance operations depend on many people touching sensitive information at speed.

2. A Policy Record Is Not Just a Policy Record

Policyholder data isn't one category. It's several sensitive categories stacked on top of each other. Aadhaar and PAN identify the person. Policy records reveal the relationship. Health declarations can reveal medical conditions, family history, treatments, or lifestyle. Claims history can reveal accidents, illnesses, financial stress, or dependents. Nominee and beneficiary data brings family relationships into the record. Financial information may include payment details, bank accounts, premiums, payouts, and income context.

The sensitivity isn't only in each field. It's in the combination. A standalone name is one thing. A name tied to health history, policy coverage, nominee details, claim status, bank information, Aadhaar, and PAN is something else entirely. That's why "who can access the record" matters so much in insurance. Overexposure rarely looks dramatic. It looks like a broad role, a shared folder, a stale vendor account, or a report with too many columns. It's also cumulative. One exposed claim file looks isolated. Thousands of files across claims, underwriting, policy servicing, and partner folders become a pattern, and that pattern is what leaders need to see before they can reduce it.

3. The Regulatory Pressure Is Layered

Insurers don't operate under one expectation. They operate under several. The DPDP Act and Rules raise the stakes around personal data protection and breach notification. CERT-In requires covered cyber incidents to be reported within 6 hours. The IRDAI Information and Cyber Security Guidelines 2023 add sector-specific expectations for information and cyber security governance in insurance.

For an insurer, a single data incident can start multiple clocks and reach multiple audiences. The security team needs to understand what happened. The compliance team needs to understand what data was affected. The business team needs to understand which customers, policies, or claims are involved. The regulator needs a report. The board needs a clear view. The affected policyholders need notice. None of that is easy if the insurer only starts mapping sensitive data after the incident. The data map has to exist before the crisis.

4. The Claims Journey Is a Data Journey

Claims are where insurance becomes real for the customer, and they're also where data movement gets hardest to control. A claim may begin with a hospital document, accident report, loss assessment, death certificate, diagnostic record, invoice, photograph, surveyor note, repair estimate, bank detail, nominee record, or medical summary. It may pass through internal claims teams, TPAs, surveyors, medical reviewers, finance, legal, customer support, and external partners.

Every participant may need some information. Very few need everything, and that gap is where the access-governance problem appears. If a surveyor needs a case file, can they still open it after the case closes? If a TPA needs medical documents, does that cover only active claims or old records too? If a claims report gets exported for review, does it carry Aadhaar, PAN, nominee, bank, or health data that could have been masked? If finance needs payout context, does it need full medical history? If customer support needs status visibility, does it need every attachment? These questions are uncomfortable because they cut into daily operations, but they're exactly what insurers need to answer before access drift turns into exposure.

5. Access Drift Is the Hidden Insurance Risk

Insurance teams usually know their primary systems well. The harder part is access drift across the full operating estate. A claims system may have clear roles, but a claims export in a shared drive may not. A policy-admin system may require named users, while a reporting table is reachable by a broad analytics group. A TPA portal may be reviewed at onboarding, but access may go unreviewed after the engagement changes. An agent may need access to active policies, while old customer records stay visible after a territory or role change.

This is how least privilege breaks. Not as one giant failure, but as a series of small exceptions that never get revisited. The insurer still has policies. The system still has roles. The vendor still has a contract. The access picture just no longer matches the business need.

6. Why Insurance Third-Party Access Is Different

Third-party access in insurance isn't like handing a vendor a narrow tool login for a back-office task. Many partners are part of the service itself. TPAs sit close to health claims. Surveyors need documents to assess loss. Agents and brokers need policy and customer context. Medical networks need enough information to support care or claims. Technology partners connect systems that move data between policy, claims, billing, and reporting.

That makes access hard to reduce with one broad rule. The insurer can't simply say "no third parties," because the business depends on them. The better question is: which third party needs which data, for which purpose, for how long? That sounds simple until the data is spread across portals, shared drives, document stores, reports, and old exports. Without discovery and access visibility, vendor governance becomes a contract exercise. With visibility, it becomes operational, and the insurer can see where the sensitive data sits and whether the access still matches the purpose.

7. The Question Leaders Need to Ask

For one policyholder record, ask:

• Which systems store this person's data?
• Which documents contain Aadhaar, PAN, health, nominee, or financial details?
• Which internal users can access the record?
• Which TPAs, agents, surveyors, or vendors can access it?
• Which old exports or reports contain the same data?
• Which access was granted for a specific claim but never removed?
• Which service accounts can reach the data?
• Can the insurer prove who had access at the time of review?

A clear answer gives the organization a foundation for governance. An answer spread across people, emails, tickets, and assumptions is a visibility gap, and that gap matters because insurance data is both deeply sensitive and operationally distributed.

8. Why Discovery Alone Is Not Enough

Finding sensitive data is step one. Insurance companies need to know where policyholder health and financial data lives across policy-admin, claims, TPA-connected systems, document repositories, ticketing tools, reporting layers, and data warehouses. But discovery alone doesn't close the gap. The next layer is access. Who can see the data? Who should be able to? Who still has access because of an old workflow? Which third parties have more visibility than the current process needs? Which roles are too broad? Which exports have slipped past the official permission model?

That's why access governance isn't a narrow security concern. It's how insurers make policyholder-data protection operational.

9. What IRIS Can Actually Help With

IRIS fits the insurance use case because it connects discovery, classification, and access visibility. Its verified capabilities include:

• 105+ data connectors
• 85+ sensitive-data patterns
• 99.9% Aadhaar detection accuracy using the Verhoeff checksum
• first report in 30 minutes
• agentless deployment
• zero customer data leaving the customer environment

For insurers, these matter in direct ways. The 105+ connectors matter because policyholder data spreads across policy-admin systems, claims platforms, document stores, ticketing tools, and reporting environments. The 85+ patterns matter because insurance data combines identity, health, financial, nominee, employee, and customer information. The 99.9% Aadhaar detection accuracy matters because Aadhaar is common in KYC and false positives can exhaust already-stretched compliance and security teams. Agentless deployment matters because insurance estates often contain legacy systems and partner-connected workflows where heavy installation slows down visibility. Zero data leaving the environment matters because insurers can't let the tool built to discover sensitive data become a new data-movement risk. The 30-minute first report matters because teams need a fast starting point, not another months-long inventory exercise.

Most importantly, IRIS can help surface who can access sensitive records. It detects and shows the access picture. It doesn't revoke permissions by itself. It doesn't enforce least privilege. It doesn't replace the insurer's controls, legal judgment, or vendor-management process. It gives the insurer the evidence needed to act.

10. Turning the Map Into Decisions

Once the insurer has a map, the next steps get practical. The claims team can review whether TPAs and surveyors still need access. The security team can prioritize the most sensitive stores. The compliance team can line up evidence for DPDP and IRDAI-driven reviews. The data team can identify copies that should be minimized, masked, archived, or removed. The vendor-management team can ask sharper questions of partners. The business can stop arguing in the abstract and start making owner-led decisions.

That's the real value of access governance. It moves the conversation from "we should tighten access" to "these are the exact places where access is too broad."

11. What Board-Ready Evidence Looks Like

Senior leaders don't need a list of every file. They need evidence that the insurer is in control. That evidence can be simple:

• which sensitive policyholder data types exist
• where those data types live
• which systems and partners can access them
• which access paths are excessive or stale
• which teams own cleanup
• which high-risk stores are being reviewed first
• whether the posture is current or based on a one-time exercise

This is the difference between activity and assurance. Activity says, "We are reviewing access." Assurance says, "Here are the sensitive stores, here are the access paths, here are the exceptions, and here is what we are reducing." For insurers, that matters because trust flows upward and outward. The board wants confidence. Regulators want evidence. Customers want care. Partners want a responsible data handler. Internal teams want clarity. A current access map helps each audience without turning the conversation into panic.

12. A Simple Insurance Data Test

Pick one high-risk workflow. Claims is a good starting point. Now ask:

• Where does claims-related policyholder data live?
• Which systems and repositories contain health records, Aadhaar, PAN, nominee data, and payout details?
• Which TPAs, surveyors, agents, and internal teams can access those records?
• Which vendors have standing access after the claim closes?
• Which reports or exports contain claim data outside the core system?
• Which service accounts can read the records?
• If a breach happened tomorrow, could the insurer quickly scope which policyholders and data types were affected?

Immediate answers mean the insurer has operational control. Answers that require manual chasing mean there's work to do, and that work should start before the breach, before the audit, and before the board asks.

13. The Product Under the Product

Insurance sells protection. The policy is the visible product. Trust is the product underneath it. That's why this problem matters to Sylox. Our work sits where data becomes operational: security, compliance, data architecture, master data management, analytics, automation, ETL, enterprise applications, and cloud infrastructure. Across 35+ enterprise projects, 22+ AI and data solutions, and 9+ Fortune 500 enterprises served, the same pattern keeps appearing. Sensitive data is rarely risky only because it exists. It becomes risky when access spreads beyond purpose and no one can prove the current state.

IRIS helps insurers build that proof. It discovers where sensitive data lives, classifies it across 105+ sources and connectors and 85+ sensitive-data patterns, and produces a first risk view in 30 minutes without customer data leaving the customer's environment. For insurers in India, that means policyholder health, financial, Aadhaar, PAN, nominee, claims, and customer data across the systems and partners where insurance work actually happens.

Dipal Panchal's background gives this a practical edge: twenty years across Time Warner, Ameriprise, CBRE, Amazon, and Vialto Partners, with $300B+ in client assets, $500B in real estate, 300M+ Amazon customers, 1B+ annual transactions, 50+ enterprise systems, 10M records a day, $66.95M+ in quantified savings or avoidance, and 334,126+ annual hours saved.

At that scale, the lesson is simple: access that isn't visible can't be responsibly governed. Policyholder trust deserves more than a permission model everyone hopes is still accurate. It deserves a current map.

If your insurance organization can't clearly answer who can see policyholder records across TPAs, agents, surveyors, claims systems, and reporting layers, start there.