For a fraud investigation agent, the durable moat is investigative methodology encoded as agent behavior - fraud-theory reasoning, chain of custody, corroboration, credibility assessment, and defensibility - not the volume of claims a platform has scored. Volume yields better anomaly detection. Methodology yields a defensible investigation. These are different bodies of domain knowledge that sit at different layers of the fraud stack, and conflating them is the most common mistake in how carriers evaluate claims AI.
This distinction matters because the industry's loudest "data moat" claims are detection-layer claims wearing investigation clothing. A platform that has scored hundreds of millions of claims is genuinely better at flagging what looks unusual. That advantage is real and it is hard to replicate. It also does not, by itself, teach a system how to take one flagged claim and work it to a conclusion an SIU lead can defend in an examination under oath, a SAR filing, or a deposition. The rest of this piece separates them: which domain knowledge is the moat at the investigation layer, why claims volume is table stakes upstream rather than a moat downstream, and how the two moats stack inside a carrier's fraud program.
We are building on a point a competitor made well. Eric Sibony, co-founder and chief product officer at Shift Technology, argues that domain expertise is the real barrier to good agents, not prompt engineering. He is right. Our disagreement is narrow and specific: which domain expertise is the moat for an agent whose job is investigation. We went deeper on Shift's handler-assist agents in Shift Claims agentic AI vs Hesper autonomous investigation, and on why investigation is a second axis beyond claims automation in the ARISE framework and investigation autonomy.
The moat question for claims AI, restated
The moat question is usually asked as "who has the most data," but for an investigation agent the sharper question is "who has encoded the most investigative judgment." Claims volume improves how well a system flags. Investigative methodology - the sequence a trained examiner runs from allegation to defensible finding - improves how well a system resolves. The first is a detection moat. The second is an investigation moat.
Naming the layers is the whole game here, because "AI fraud detection" gets used loosely to cover both flagging and investigating, and that looseness is what lets a detection-scale advantage masquerade as an investigation advantage. Prevention blocks bad claims before they enter, at underwriting. Detection scores and flags suspicious claims after FNOL. Investigation takes a flag and resolves it to a documented determination. Detection is upstream; investigation is downstream. A moat built on scored-claims history lives in the detection layer. It does not follow the claim downstream into the investigation.
The stakes are what make this more than a taxonomy argument. Per the Coalition Against Insurance Fraud, insurance fraud steals at least $308.6 billion a year from American consumers, and fraud occurs in about 10% of property-casualty losses. At that prevalence, detection already surfaces far more suspicious claims than SIUs can work. The binding constraint is not finding suspicious claims. It is investigating them to a defensible conclusion. That reframes the moat from "flag more" to "resolve more" - and resolving is where methodology, not volume, is decisive. (That is reasoning from the prevalence numbers, not a separately sourced statistic.)
What the claims-volume moat actually buys
Hundreds of millions of scored claims make a detection model better at recall on anomalies - flagging what looks unusual relative to a large learned baseline. That is a real, valuable, hard-to-replicate moat at the detection layer. It is not, by itself, a capability to investigate a flag to a conclusion. It improves the input to investigation. It does not perform the investigation.
The exemplar is worth stating precisely and fairly. In its 2020 Global Claims Solutions Market Leadership Award write-up, Frost & Sullivan noted that Shift's FORCE platform "has analyzed hundreds of millions of claims" and that Shift identifies more than $5 billion in claims fraud per year. Those are strong detection-layer numbers, and the volume behind them is a genuine advantage. Read them for what they are: outputs of a system optimized to score claims at scale. "Claims analyzed" and "fraud identified per year" are recall metrics. They measure how well the system flags. They say nothing about how each flag is then investigated.
The clearest tell that volume is a detection asset is the false-positive tax. A scoring layer tuned for recall flags a lot of claims that are not fraud - a rules-based layer runs a 60-85% false-positive rate before heavy tuning, and even strong ML scoring leaves a meaningful share. High recall is the point of a detection moat; it maximizes the chance a real fraud gets flagged. But it also means the output is a queue of maybes, each of which still has to be investigated before anyone can act on it. More scored claims makes the flag better. It does not shrink the investigation that every flag still demands.
Cross-carrier data networks are the purest form of the volume-is-the-moat case. An industry data utility that matches a claim against a very large contributory database catches connections no single carrier could see - the same claim filed at three insurers, a shop that appears across dozens of suspicious losses. That matching is a detection and data moat, and rebuilding it is not the problem an investigation agent solves. It flags the connection. It still does not corroborate the red flag, weigh the claimant's credibility, or write the finding. Same pattern: volume is decisive for detection, silent on investigation.
Recall is not resolution
A platform optimized to score hundreds of millions of claims is optimized for recall on anomalies - the probability that a real fraud gets flagged. That is a detection objective. Resolution is a different objective: taking one flagged claim and producing a finding that holds up under an EUO, a SAR filing, or a deposition. No amount of scoring volume trains a system to preserve chain of custody or corroborate a red flag before concluding. Those are investigation competencies, learned from investigations, not from scoring throughput.
What a real fraud investigation requires
A defensible fraud investigation runs a methodology, not a score. The examiner defines the allegation, preserves evidence and establishes chain of custody, develops a fraud theory, runs targeted tests tied to the suspected scheme, corroborates every red flag before concluding, assesses claimant and witness credibility, and documents the facts, methods, and limitations of the work. None of those steps is an output a scoring model produces. Each is a discipline that has to be run.
This is a credentialed, legal-facing discipline, not a data-science output. The Association of Certified Fraud Examiners frames fraud examination as resolving an allegation "from inception to deposition," and stresses that "the proper procedures, techniques and skills must be used to conduct an effective fraud investigation." The word deposition is the point. Investigation is scoped to what survives legal scrutiny, and that scoping shapes every step upstream of it, from how evidence is collected to how a conclusion is worded.
Who staffs this work tells you what kind of knowledge it requires. Per the Insurance Information Institute, carrier SIUs are staffed with "former law enforcement officers, attorneys, accountants, and claim experts," and complex cases are referred to the National Insurance Crime Bureau, which "specializes in preparing fraud cases for trial." That is the composition of an investigative and legal function, not an analytics function. The domain knowledge an SIU carries is investigative methodology, evidentiary standards, and courtroom-defensibility - a body of expertise that scoring volume does not contain.
Chain of custody and corroboration are architectural, not cosmetic
Two competencies show why this is an architecture problem, not a prompt problem. Chain of custody means every piece of evidence has a documented, unbroken record of how it was collected, handled, and stored, because defense counsel attacks collection first and errors there cannot be fixed after the fact. Corroboration means a red flag is treated as a hypothesis to be tested against independent evidence before it becomes a conclusion - a flag that a fire loss is suspicious is a starting point, not a finding. An investigation agent has to be built to preserve custody and corroborate by design. You cannot bolt those onto a scoring model that was architected to output a probability.
This is why the output of a real investigation has to be audit-trail-native. Every decision the agent makes is logged with its sources, reasoning, and timestamps, so an SIU lead can see what the agent examined, override any step, and produce a documented trail for a state DOI. That is the requirement behind California's 10 CCR 2698.36 documented-decision rule and the antifraud-plan filings under NAIC Model Act 680, adopted in 48 states. Hesper runs 15+ investigation phases in parallel on a single flagged claim - document forensics, statement cross-reference, timeline reconstruction, financial-pattern analysis - and synthesizes them into a finding a human reviews. The defensibility payoff of methodology-as-moat is the subject of the defensibility standard for fraud investigation AI.
A volume moat vs an investigative-methodology moat
The two moats optimize for different outcomes and therefore do not substitute for each other. A volume moat maximizes recall on suspicious claims - the share of real fraud that gets flagged. A methodology moat maximizes the share of flagged claims resolved to a defensible conclusion. One is measured in what gets caught, the other in what gets closed. A carrier needs both, which is why the honest framing is complementary layers rather than competing vendors.
Read the table down the second column and it describes detection done well. Read it down the third and it describes investigation done well. The economics of moving each bottleneck are different too. When the methodology moat is doing its job, cycle time drops from 14+ days to 2-4 hours per case, cost per investigated case drops from about $2,500 to about $150, and flagged-claim coverage moves from roughly 25% to 100%. A better detection model does not move those numbers - it fills the same 25%-capacity queue faster. Only the investigation layer moves the resolution numbers.
Why 350 million policyholders is not a fraud investigator
A platform running general claims-scoring AI across hundreds of millions of policyholders is doing detection at industrial scale - a genuinely hard problem it may be excellent at. An agent that reasons like a trained SIU investigator over a single flagged claim is doing investigation. Same input claim, categorically different job, and a categorically higher defensibility bar. Scale confers detection strength. It does not confer investigative judgment.
Sibony makes the sharpest possible version of the domain-expertise argument, and it is worth extending rather than rebutting. He names the moat as "deep insurance business modeling to define when an agent should act, escalate, or say 'I don't know,'" and says "prompt engineering alone is simply not enough." Agreed on every word. Now apply it to investigation: knowing when to escalate a suspicious fire loss, when a red flag is corroborated enough to conclude, and when the honest answer is "we cannot support this finding" is exactly SIU judgment. And that judgment is trained on investigations - on the sequence from allegation to deposition - not on the volume of claims a platform has scored.
This is the layer distinction stated as a capability, not a slogan. A detection vendor's domain expertise is insurance business modeling: which features predict fraud, where the scoring thresholds sit, how the network connects. Real expertise, correctly claimed. An investigation agent's domain expertise is a different corpus: evidentiary standards, corroboration discipline, credibility assessment, chain of custody, and how to document a finding so it survives cross-examination. Both are domain expertise. They are not the same domain. Volume of scored claims builds the first and is silent on the second.
Scored-claims volume sharpens the flag at the detection layer; encoded SIU methodology - fraud theory, chain of custody, corroboration, credibility, defensibility - is a separate moat one layer down, where the flag becomes an audit-ready finding.
The practical consequence for the investigator is not displacement but re-aiming. The agent runs the methodology at machine speed and volume; the human SIU lead reviews the finding, applies judgment at the escalation points, and owns the call. The investigator's role shifts from execution to decision-making. That is the opposite of a black box - it is judgment made faster and applied to 100% of flags instead of the 25% a manual team can reach.
Where the two moats meet in a carrier stack
The modal deployment is both moats, stacked. A detection vendor's volume moat flags the claim; an investigation agent's methodology moat works it to a finding. Carriers run FRISS, Shift Technology, or Verisk for detection and Hesper for investigation. The moats do not compete because they occupy different layers - Hesper accepts flagged claims as input and is complementary to FRISS, Shift Technology, and Verisk, not a replacement.
The funnel makes the coverage gap concrete. Detection flags a large volume of claims. Manual SIU investigates only about 25% of them, because a human investigator works one case at a time, carries 200+ open cases, and takes 14+ days per investigation. The other 75% are paid, denied without full work, or queued indefinitely - and that gap is where fraud loss actually leaks, independent of how good the detection model is. Improving the flag does not close it. Investigating the rest to a defensible standard does.
Flagged-claim investigation coverage: manual SIU vs Hesper (Hesper internal benchmark)
This is the layer no other named vendor occupies. Hesper takes a flagged claim - from FRISS, Shift, Verisk, or a carrier's own model - and runs the full SIU playbook, 15+ investigation phases in parallel, returning an audit-ready report in 2-4 hours instead of 14+ days. That is from fraud detection to fraud resolution. The moat debate resolves cleanly once you place each moat in its layer: claims volume is the right moat for detection, investigative methodology is the right moat for investigation, and a carrier that wants to move loss cost runs both. For the full comparison of handler-assist detection agents and autonomous investigation agents, see Shift Claims agentic AI vs Hesper autonomous investigation.
Key takeaways
- For a fraud investigation agent, the durable moat is investigative methodology encoded as agent behavior, not the volume of claims a platform has scored.
- Claims-volume scale is a genuine detection-layer moat - it improves recall on anomalies - but it does not teach a system chain of custody, corroboration, credibility assessment, or defensibility.
- A defensible investigation runs the ACFE-style methodology from inception to deposition, and US SIUs are staffed with former law enforcement, attorneys, and accountants precisely because investigation is a legal-facing discipline, not a scoring output.
- A platform scoring hundreds of millions of policyholders and an agent reasoning like a trained investigator over one flagged claim are doing categorically different jobs at different layers of the stack.
- The moats are complementary: detection vendors flag with their volume moat, Hesper investigates with its methodology moat, and the modal carrier stack runs both.