How companies go about modernizing their core technologies – long viewed as an essential exercise for insurers – is changing with the advent of agentic artificial intelligence (AI) developments. A new whitepaper from McKinsey & Company discusses how agentic AI may finally make the difference for companies struggling with the exercise.

One of the paper’s authors also discussed the matter in an email exchange with the Insurance Portal. A Q&A with McKinsey & Company partner in the company’s New York office, Arun Gundurao, follows.

“Core modernization has for good reason long been viewed as one of the largest and most risk-laden technology investments insurers undertake,” they write, adding that AI agents can directly address the bottlenecks and expertise gaps that prevail today. “The strategic question becomes not whether to experiment with agents but how to deploy them in ways that materially improve certainty on cost, risk and timeline.”

The report, Can agentic AI (finally) modernize core technologies in insurance? further says that agentic AI presents the opportunity to fundamentally transform how modernization is accomplished, end-to-end, with auditable outputs and human-in-the-loop controls.

“While the challenges of core system modernization have proved insurmountable for many insurers, agentic AI may prove a solution. Autonomous or semiautonomous software agents can interpret legacy artifacts, produce structured documentation, generate and validate configuration or code, create and run test and coordinate workflows,” the paper states. “This is different from a developer copilot. While copilots assist a user moment by moment, agents are designed to pursue a goal, break it into tasks, use tools and context and iterate based on feedback and controls.”

That work can include decoding and translating programming language that few are fluent in today, drafting rules and mapping artifacts. “Agents can read code written in archaic languages, reverse engineer the logic and convert it into plain English. Likewise, agents can parse code and extract and document the business rules embedded within it.”

What the paper and its authors also advocate for is the use of agents which are reusable. They say once agents are established, the incremental cost of modernization can fall quickly because the same agents, patterns and context layers can be reused. “Agentic AI creates a portfolio option that insurance technology leaders have not had before.”

McKinsey’s research further finds that the greatest impact comes when AI is embedded across workflows, rather than used in isolated ways. “This does not mean that value cannot be realized from tackling modernization in phases,” they write, “but the ideal end state for optimal impact is full modernization of the legacy core. With a reusable agent stack in place, the incremental effort to modernize additional products or adjacent applications has the potential to fall materially.”

The paper’s author’s call it a value-compounding modernization model.

Q&A with one of the report’s authors

The following is a partial conversation with one of the report’s authors, Arun Gundurao. Note that the conversation has been edited for length.

Insurance Portal: Agentic AI – what are the risks?

Arun Gundurao: The biggest risk is believing that agentic AI turns core modernization into an automated technology exercise. It does not.

In insurance, the core is not just code, it is the operating history of the company (including) product rules, underwriting exceptions, billing workarounds, claims interfaces, regulatory treatments, broker compensation logic and decades of local decisions embedded in systems and processes.

The risks fall into a few categories.

  • Agents can misinterpret legacy logic. A 30-year-old mainframe program may contain business rules that are not documented anywhere else. If an agent extracts that logic incorrectly, the new system may look right technically but behave differently commercially.
  • Execution risk. Core modernization already has many points of failure: data conversion, product configuration, integration testing, downstream feeds, cutover planning, user readiness and reconciliation. Agents can accelerate these tasks, but if the work is not governed, they can also accelerate mistakes.
  • Control risk. Insurers need to know what an agent did, what source material it used, what output it produced, who reviewed it and what evidence supports the decision. That traceability is non-negotiable in a regulated industry.

So the risk is not “AI risk” in the abstract. The practical risk is putting AI into a complex modernization environment without the operating discipline to manage it.

IP: Are guardrails needed? Can you provide a specific example?

Gundurao: Absolutely. In fact, guardrails are what make the technology usable in this setting. A practical example would be legacy rule extraction. Suppose an insurer is moving a commercial lines product from a mainframe policy system to a modern policy administration platform. An agent may be used to read the legacy code, identify eligibility rules, produce a decision table, generate test cases and compare the new platform’s output against the old system.

The guardrail is that the agent does not simply “decide” the rule and push it into production. It creates a review package. That package should show the source code, the extracted rule, the mapped target configuration, the test cases, the exceptions and the reconciliation results. Product, actuarial, compliance and technology owners then approve it before it becomes part of the production configuration. That is the practical version of human-in-the-loop control. The agent does the heavy lifting, but humans remain accountable for the business decision.

IP: What is sequencing?

Gundurao: Sequencing is the order in which the insurer modernizes. Good sequencing is one of the most underrated success factors.

Insurers often want to go after the biggest pain point first. That is not always the best move. Sometimes the right first wave is a product, state, or function that is complex enough to prove the pattern but not so complex that it overwhelms the program.

For example, an insurer might begin with a smaller commercial product in one region before taking on a multi-state (province) personal auto book. Or it might modernize a set of peripheral interfaces before migrating the highest-volume product. The objective is to create repeatable patterns, reduce uncertainty and build organizational confidence. Poor sequencing creates avoidable risk. Good sequencing compounds learning.

IP: Your report discusses “coordinating discrete tasks with auditable outputs and human-in-the-loop controls.” How real is this?

Gundurao: It is real, but it takes effort and execution. The most credible use is a set of agents performing specific, bounded tasks: reading legacy code, extracting rules, generating mappings, drafting test cases, reconciling outputs, summarizing defects, preparing documentation and escalating exceptions.

Each task produces an output. Each output can be reviewed. Each stage has approval criteria. These programs will scale not through one all-powerful agent, but through many controlled agents embedded into the delivery workflow.

IP: What is a bespoke program example that insurers should move away from?

Gundurao: A common example is the one-off core migration program. An insurer takes one product line, builds a dedicated migration team, creates custom conversion scripts, designs bespoke reconciliation processes, manually extracts product rules, builds one-time test packs and stands up program governance just for that migration. Then the next product line starts and much of the work begins again. That is expensive and slow.

The better model is to build reusable modernization capabilities: reusable rule-extraction agents, reusable data-mapping patterns, reusable test-generation methods, reusable reconciliation logic, reusable governance artifacts and reusable cutover playbooks.

Cutover: the moment when the insurer moves from an old system to a new one for a defined scope of business. Although this sounds simple, Gundurao says in insurance it is usually a highly choreographed event.

IP: “Early adopters of agentic AI may gain a competitive edge.” For how long will the advantage remain?

Gundurao: The advantage from simply having access to agentic AI will not last long. The tools are moving too quickly, and access will become increasingly commoditized.

The more durable advantage will typically come from implementation learning. Insurers that start early will learn where agents work, where they do not, what controls are needed, how to structure review, what artifacts matter, how to integrate with legacy systems and how to scale beyond pilots. That learning curve matters.

In core modernization, institutional confidence is a major asset. If one insurer has a proven way to migrate products with better cost certainty, fewer defects and cleaner evidence, while another is still experimenting with pilots, that is a real advantage. A reasonable way to say it is this: the technology-access advantage may compress relatively quickly, but the operating-model advantage can last longer because it is built through execution.

IP: How quickly is this technology moving or developing?

Gundurao: Our view is this is moving very quickly, but unevenly. The important shift is from copilots to agents. Copilots help individuals perform tasks. Agents can be given a goal, break it into steps, use tools, call other systems, produce outputs, check results and route exceptions. That distinction matters in modernization.

Core transformation is not one task. It is thousands of linked tasks across discovery, configuration, data, testing, conversion, cutover and governance. The promise of agentic AI is that it can coordinate parts of that workflow, not merely help a developer write code faster.

The technology is moving faster than most insurers’ operating models. The limiting factor is often not the model. It is data access, controls, architecture, risk appetite and the organization’s ability to change how work gets done.

IP: What are best practices? Are any of these your favorite?

Gundurao: The most important best practice is to design for reuse from the beginning.

Many companies make the mistake of using AI to accelerate a single project. That can create value, but it does not change the structural economics. The bigger opportunity is to create reusable agents, reusable evidence standards, reusable mappings, reusable test assets and reusable governance.

My favorite principle: do not let AI help you replicate legacy complexity or inefficiency faster. Modernization should be a chance to simplify. If agents are used only to translate old complexity into a new platform, the insurer may end up with a more modern version of the same problem. The better approach is to use agents to understand the legacy estate, expose complexity, identify where rules are obsolete or duplicative and help leaders make informed decisions about what not to rebuild.

IP: You recommend insurers shift from a single-program mindset to portfolio modernization. What does that entail?

Gundurao: It means modernization becomes an enterprise capability, not a heroic one-time program.

In the old model, an insurer launches a major transformation around a specific core platform. It is staffed, governed, funded and measured as a large program. When the program ends, much of the learning dissipates.

In the portfolio model, the insurer builds a modernization factory. It identifies the full estate of legacy capabilities, prioritizes them, sequences them and applies reusable agents, patterns, controls and delivery methods across multiple waves.

That could include policy administration, billing, claims interfaces, rating, document generation, data feeds, reporting utilities and adjacent custom applications.

The point is to make each wave cheaper, safer and faster than the last.

IP: For those who get it right, what are they doing differently?

Gundurao: They are more disciplined in five ways.

  1. They involve business subject matter experts differently. Experts are not asked to manually rediscover everything. They are asked to review evidence, resolve exceptions and make judgment calls where they matter.
  2. They simplify before they migrate. They do not blindly replicate every legacy rule and exception.
  3. They put governance into the workflow rather than bolting it on at the end.
  4. They manage modernization as a portfolio of risk and value. They pick sequences that create learning, reduce uncertainty and build confidence.
  5. They build reusable assets from day one. They assume there will be a second, third and fourth wave.

IP: Redesigning roles, governance and risk management for agentic use — what does this entail?

Gundurao: It means agents become part of the operating model, not an experimental tool on the side. Insurers need to define which tasks agents can perform, what systems and data they can access, what outputs they must produce, when humans must approve, how exceptions are handled and how evidence is retained.

Roles also change. Business subject matter experts spend less time manually searching for rules and more time reviewing agent-generated evidence. Test teams shift from writing every test manually to validating generated tests and coverage. Architects focus more on patterns and controls. Risk and compliance teams need to be involved earlier, because the evidence model needs to be designed into the workflow.

IP: Do insurers have this expertise?

Gundurao: Some have pieces of it. Few have all of it assembled into a mature capability.

Insurers understand their products, customers, operations, regulatory obligations and legacy constraints. Many also have strong technology and risk functions. What is newer is the ability to combine those strengths with AI engineering, agent orchestration, model governance, data controls and modern delivery practices.

The leaders will not be the companies that simply buy the most advanced tools. They will be the companies that create the right operating model around the tools. That usually means cross-functional teams, selective external partners, strong internal ownership, reusable delivery assets and a clear governance spine. Insurers do not need to have all the expertise on day one. But they do need enough internal capability to be an intelligent owner of the work. They cannot outsource judgment, accountability, or risk ownership.