Hesper AI
BlogTechnical
TechnicalJuly 13, 2026·13 min read·Pankaj Dhariwal

Domain knowledge in fraud investigation AI: why it's investigative methodology, not claims volume

For a fraud investigation agent the durable moat is SIU investigative methodology encoded as agent behavior, not the volume of claims a platform has scored. Volume buys detection; methodology buys a defensible investigation.

PD
Pankaj Dhariwal · CEO and Co-founder
July 13, 2026·13 min read
$308.6B
Annual US insurance fraud loss
~10% of P&C losses involve fraud (Coalition Against Insurance Fraud)
hundreds of millions
Claims a detection platform may have scored
The volume-scale moat, as exemplar (Frost & Sullivan 2020)
~25% → 100%
Flagged-claim investigation coverage
Manual SIU vs Hesper (Hesper benchmark)
14+ days → 2-4 hrs
Investigation cycle time per case
Manual SIU vs Hesper (Hesper benchmark)

For a fraud investigation agent, the durable moat is investigative methodology encoded as agent behavior - fraud-theory reasoning, chain of custody, corroboration, credibility assessment, and defensibility - not the volume of claims a platform has scored. Volume yields better anomaly detection. Methodology yields a defensible investigation. These are different bodies of domain knowledge that sit at different layers of the fraud stack, and conflating them is the most common mistake in how carriers evaluate claims AI.

This distinction matters because the industry's loudest "data moat" claims are detection-layer claims wearing investigation clothing. A platform that has scored hundreds of millions of claims is genuinely better at flagging what looks unusual. That advantage is real and it is hard to replicate. It also does not, by itself, teach a system how to take one flagged claim and work it to a conclusion an SIU lead can defend in an examination under oath, a SAR filing, or a deposition. The rest of this piece separates them: which domain knowledge is the moat at the investigation layer, why claims volume is table stakes upstream rather than a moat downstream, and how the two moats stack inside a carrier's fraud program.

We are building on a point a competitor made well. Eric Sibony, co-founder and chief product officer at Shift Technology, argues that domain expertise is the real barrier to good agents, not prompt engineering. He is right. Our disagreement is narrow and specific: which domain expertise is the moat for an agent whose job is investigation. We went deeper on Shift's handler-assist agents in Shift Claims agentic AI vs Hesper autonomous investigation, and on why investigation is a second axis beyond claims automation in the ARISE framework and investigation autonomy.

The moat question for claims AI, restated

The moat question is usually asked as "who has the most data," but for an investigation agent the sharper question is "who has encoded the most investigative judgment." Claims volume improves how well a system flags. Investigative methodology - the sequence a trained examiner runs from allegation to defensible finding - improves how well a system resolves. The first is a detection moat. The second is an investigation moat.

Naming the layers is the whole game here, because "AI fraud detection" gets used loosely to cover both flagging and investigating, and that looseness is what lets a detection-scale advantage masquerade as an investigation advantage. Prevention blocks bad claims before they enter, at underwriting. Detection scores and flags suspicious claims after FNOL. Investigation takes a flag and resolves it to a documented determination. Detection is upstream; investigation is downstream. A moat built on scored-claims history lives in the detection layer. It does not follow the claim downstream into the investigation.

The stakes are what make this more than a taxonomy argument. Per the Coalition Against Insurance Fraud, insurance fraud steals at least $308.6 billion a year from American consumers, and fraud occurs in about 10% of property-casualty losses. At that prevalence, detection already surfaces far more suspicious claims than SIUs can work. The binding constraint is not finding suspicious claims. It is investigating them to a defensible conclusion. That reframes the moat from "flag more" to "resolve more" - and resolving is where methodology, not volume, is decisive. (That is reasoning from the prevalence numbers, not a separately sourced statistic.)

What the claims-volume moat actually buys

Hundreds of millions of scored claims make a detection model better at recall on anomalies - flagging what looks unusual relative to a large learned baseline. That is a real, valuable, hard-to-replicate moat at the detection layer. It is not, by itself, a capability to investigate a flag to a conclusion. It improves the input to investigation. It does not perform the investigation.

The exemplar is worth stating precisely and fairly. In its 2020 Global Claims Solutions Market Leadership Award write-up, Frost & Sullivan noted that Shift's FORCE platform "has analyzed hundreds of millions of claims" and that Shift identifies more than $5 billion in claims fraud per year. Those are strong detection-layer numbers, and the volume behind them is a genuine advantage. Read them for what they are: outputs of a system optimized to score claims at scale. "Claims analyzed" and "fraud identified per year" are recall metrics. They measure how well the system flags. They say nothing about how each flag is then investigated.

The clearest tell that volume is a detection asset is the false-positive tax. A scoring layer tuned for recall flags a lot of claims that are not fraud - a rules-based layer runs a 60-85% false-positive rate before heavy tuning, and even strong ML scoring leaves a meaningful share. High recall is the point of a detection moat; it maximizes the chance a real fraud gets flagged. But it also means the output is a queue of maybes, each of which still has to be investigated before anyone can act on it. More scored claims makes the flag better. It does not shrink the investigation that every flag still demands.

Cross-carrier data networks are the purest form of the volume-is-the-moat case. An industry data utility that matches a claim against a very large contributory database catches connections no single carrier could see - the same claim filed at three insurers, a shop that appears across dozens of suspicious losses. That matching is a detection and data moat, and rebuilding it is not the problem an investigation agent solves. It flags the connection. It still does not corroborate the red flag, weigh the claimant's credibility, or write the finding. Same pattern: volume is decisive for detection, silent on investigation.

Recall is not resolution

A platform optimized to score hundreds of millions of claims is optimized for recall on anomalies - the probability that a real fraud gets flagged. That is a detection objective. Resolution is a different objective: taking one flagged claim and producing a finding that holds up under an EUO, a SAR filing, or a deposition. No amount of scoring volume trains a system to preserve chain of custody or corroborate a red flag before concluding. Those are investigation competencies, learned from investigations, not from scoring throughput.

What a real fraud investigation requires

A defensible fraud investigation runs a methodology, not a score. The examiner defines the allegation, preserves evidence and establishes chain of custody, develops a fraud theory, runs targeted tests tied to the suspected scheme, corroborates every red flag before concluding, assesses claimant and witness credibility, and documents the facts, methods, and limitations of the work. None of those steps is an output a scoring model produces. Each is a discipline that has to be run.

This is a credentialed, legal-facing discipline, not a data-science output. The Association of Certified Fraud Examiners frames fraud examination as resolving an allegation "from inception to deposition," and stresses that "the proper procedures, techniques and skills must be used to conduct an effective fraud investigation." The word deposition is the point. Investigation is scoped to what survives legal scrutiny, and that scoping shapes every step upstream of it, from how evidence is collected to how a conclusion is worded.

Who staffs this work tells you what kind of knowledge it requires. Per the Insurance Information Institute, carrier SIUs are staffed with "former law enforcement officers, attorneys, accountants, and claim experts," and complex cases are referred to the National Insurance Crime Bureau, which "specializes in preparing fraud cases for trial." That is the composition of an investigative and legal function, not an analytics function. The domain knowledge an SIU carries is investigative methodology, evidentiary standards, and courtroom-defensibility - a body of expertise that scoring volume does not contain.

Chain of custody and corroboration are architectural, not cosmetic

Two competencies show why this is an architecture problem, not a prompt problem. Chain of custody means every piece of evidence has a documented, unbroken record of how it was collected, handled, and stored, because defense counsel attacks collection first and errors there cannot be fixed after the fact. Corroboration means a red flag is treated as a hypothesis to be tested against independent evidence before it becomes a conclusion - a flag that a fire loss is suspicious is a starting point, not a finding. An investigation agent has to be built to preserve custody and corroborate by design. You cannot bolt those onto a scoring model that was architected to output a probability.

This is why the output of a real investigation has to be audit-trail-native. Every decision the agent makes is logged with its sources, reasoning, and timestamps, so an SIU lead can see what the agent examined, override any step, and produce a documented trail for a state DOI. That is the requirement behind California's 10 CCR 2698.36 documented-decision rule and the antifraud-plan filings under NAIC Model Act 680, adopted in 48 states. Hesper runs 15+ investigation phases in parallel on a single flagged claim - document forensics, statement cross-reference, timeline reconstruction, financial-pattern analysis - and synthesizes them into a finding a human reviews. The defensibility payoff of methodology-as-moat is the subject of the defensibility standard for fraud investigation AI.

A volume moat vs an investigative-methodology moat

The two moats optimize for different outcomes and therefore do not substitute for each other. A volume moat maximizes recall on suspicious claims - the share of real fraud that gets flagged. A methodology moat maximizes the share of flagged claims resolved to a defensible conclusion. One is measured in what gets caught, the other in what gets closed. A carrier needs both, which is why the honest framing is complementary layers rather than competing vendors.

DimensionVolume / anomaly-detection moatInvestigative-methodology moat
Core assetScored-claims history at scaleEncoded SIU investigative playbook
Optimizes forRecall on anomaliesDefensible resolution of a flag
OutputA score or a flagAn audit-ready finding
Layer in stackDetection (upstream)Investigation (downstream)
Bottleneck it movesFinding suspicious claimsWorking the flagged claims
Human left in loopInvestigator does the work after the flagInvestigator reviews the finished finding
Fails whenFalse positives overwhelm the SIU queueCoverage gap: not enough flags investigated
Regulatory postureScore handed off, rationale often opaqueDocumented decision (CA 10 CCR 2698.36, NAIC 680)

Read the table down the second column and it describes detection done well. Read it down the third and it describes investigation done well. The economics of moving each bottleneck are different too. When the methodology moat is doing its job, cycle time drops from 14+ days to 2-4 hours per case, cost per investigated case drops from about $2,500 to about $150, and flagged-claim coverage moves from roughly 25% to 100%. A better detection model does not move those numbers - it fills the same 25%-capacity queue faster. Only the investigation layer moves the resolution numbers.

The volume-versus-methodology debate resolves by layer, not by winner. Scoring hundreds of millions of claims is a detection moat and it is real. Investigating one flagged claim to a defensible finding is a different moat, learned from investigations rather than from scoring throughput. A carrier that wants to reduce loss cost needs both - the flag and the finding.

Hesper AI product research

Why 350 million policyholders is not a fraud investigator

A platform running general claims-scoring AI across hundreds of millions of policyholders is doing detection at industrial scale - a genuinely hard problem it may be excellent at. An agent that reasons like a trained SIU investigator over a single flagged claim is doing investigation. Same input claim, categorically different job, and a categorically higher defensibility bar. Scale confers detection strength. It does not confer investigative judgment.

Sibony makes the sharpest possible version of the domain-expertise argument, and it is worth extending rather than rebutting. He names the moat as "deep insurance business modeling to define when an agent should act, escalate, or say 'I don't know,'" and says "prompt engineering alone is simply not enough." Agreed on every word. Now apply it to investigation: knowing when to escalate a suspicious fire loss, when a red flag is corroborated enough to conclude, and when the honest answer is "we cannot support this finding" is exactly SIU judgment. And that judgment is trained on investigations - on the sequence from allegation to deposition - not on the volume of claims a platform has scored.

This is the layer distinction stated as a capability, not a slogan. A detection vendor's domain expertise is insurance business modeling: which features predict fraud, where the scoring thresholds sit, how the network connects. Real expertise, correctly claimed. An investigation agent's domain expertise is a different corpus: evidentiary standards, corroboration discipline, credibility assessment, chain of custody, and how to document a finding so it survives cross-examination. Both are domain expertise. They are not the same domain. Volume of scored claims builds the first and is silent on the second.

Scored-claims volume sharpens the flag at the detection layer; encoded SIU methodology - fraud theory, chain of custody, corroboration, credibility, defensibility - is a separate moat one layer down, where the flag becomes an audit-ready finding.

The practical consequence for the investigator is not displacement but re-aiming. The agent runs the methodology at machine speed and volume; the human SIU lead reviews the finding, applies judgment at the escalation points, and owns the call. The investigator's role shifts from execution to decision-making. That is the opposite of a black box - it is judgment made faster and applied to 100% of flags instead of the 25% a manual team can reach.

Where the two moats meet in a carrier stack

The modal deployment is both moats, stacked. A detection vendor's volume moat flags the claim; an investigation agent's methodology moat works it to a finding. Carriers run FRISS, Shift Technology, or Verisk for detection and Hesper for investigation. The moats do not compete because they occupy different layers - Hesper accepts flagged claims as input and is complementary to FRISS, Shift Technology, and Verisk, not a replacement.

LayerJobWho owns itThe moat that layer rewards
PreventionBlock bad claims pre-FNOLUnderwriting, LexisNexis, Duck CreekUnderwriting data and rules
DetectionScore and flag after FNOLFRISS, Shift Technology, Verisk, SASClaims volume and cross-carrier data
InvestigationResolve a flag to a documented findingHesper AI (and manual SIU today)Encoded SIU investigative methodology

The funnel makes the coverage gap concrete. Detection flags a large volume of claims. Manual SIU investigates only about 25% of them, because a human investigator works one case at a time, carries 200+ open cases, and takes 14+ days per investigation. The other 75% are paid, denied without full work, or queued indefinitely - and that gap is where fraud loss actually leaks, independent of how good the detection model is. Improving the flag does not close it. Investigating the rest to a defensible standard does.

Flagged-claim investigation coverage: manual SIU vs Hesper (Hesper internal benchmark)

Manual SIU~25% of flags
Hesper100% of flags

This is the layer no other named vendor occupies. Hesper takes a flagged claim - from FRISS, Shift, Verisk, or a carrier's own model - and runs the full SIU playbook, 15+ investigation phases in parallel, returning an audit-ready report in 2-4 hours instead of 14+ days. That is from fraud detection to fraud resolution. The moat debate resolves cleanly once you place each moat in its layer: claims volume is the right moat for detection, investigative methodology is the right moat for investigation, and a carrier that wants to move loss cost runs both. For the full comparison of handler-assist detection agents and autonomous investigation agents, see Shift Claims agentic AI vs Hesper autonomous investigation.

Key takeaways

  • For a fraud investigation agent, the durable moat is investigative methodology encoded as agent behavior, not the volume of claims a platform has scored.
  • Claims-volume scale is a genuine detection-layer moat - it improves recall on anomalies - but it does not teach a system chain of custody, corroboration, credibility assessment, or defensibility.
  • A defensible investigation runs the ACFE-style methodology from inception to deposition, and US SIUs are staffed with former law enforcement, attorneys, and accountants precisely because investigation is a legal-facing discipline, not a scoring output.
  • A platform scoring hundreds of millions of policyholders and an agent reasoning like a trained investigator over one flagged claim are doing categorically different jobs at different layers of the stack.
  • The moats are complementary: detection vendors flag with their volume moat, Hesper investigates with its methodology moat, and the modal carrier stack runs both.

Frequently asked questions

For a fraud investigation agent, the moat is investigative methodology encoded as agent behavior - not the raw volume of claims a platform has processed. Claims volume is a detection-layer advantage: scoring hundreds of millions of claims makes a model better at flagging anomalies, which is valuable but different work. Investigation requires a separate body of domain knowledge: building a fraud theory, preserving chain of custody, corroborating every red flag before concluding, assessing claimant and witness credibility, and documenting a finding that survives a deposition. The Association of Certified Fraud Examiners frames real fraud investigation as resolving allegations from inception to deposition. A platform optimized to score claims at scale is optimized for recall on suspicious claims, not for resolving each one to a defensible conclusion.

More claims data makes an AI better at detecting fraud - flagging which claims look suspicious - but not necessarily at investigating them. Detection and investigation are different layers. A larger scored-claims history improves a model's recall on anomalies, which is why volume is a real moat for detection vendors. But investigation begins after a claim is flagged: it requires reasoning across conflicting evidence, corroborating anomalies before concluding, assessing credibility, and producing an audit-ready finding. None of that is taught by claims volume alone. Insurance fraud costs the US $308.6 billion a year per the Coalition Against Insurance Fraud, and roughly 10% of property-casualty losses involve fraud - detection already flags more suspicious claims than SIUs can work. The binding constraint is investigating them, not finding more.

Detection flags suspicious claims; investigation resolves them. Detection sits upstream and outputs a score or an alert - this claim looks unusual. Investigation sits downstream and outputs a defensible finding - here is what we examined, what corroborates it, and why the conclusion holds. Detection vendors like FRISS, Shift Technology, and Verisk are strong at flagging; the manual SIU then does the 14+-day workflow on each flag. Because that workflow is slow, US SIU teams investigate only about 25% of flagged claims; the rest are paid, denied without full work, or queued. The two functions reward different moats: detection rewards data volume, investigation rewards methodology. They are complementary layers, not substitutes.

Because scale and investigation are different capabilities. A platform running general claims-scoring AI across hundreds of millions of policyholders is doing detection at industrial scale - a genuinely hard problem it may be excellent at. But an investigation agent has to take one flagged claim and reason like a trained SIU investigator: preserve chain of custody, build and test a fraud theory, corroborate red flags with documents and statements, weigh witness credibility, and write a finding a defense attorney cannot dismantle. US SIUs are staffed with former law enforcement officers, attorneys, and accountants for exactly this reason - investigation is a legal-facing discipline. Volume of scored claims does not confer that judgment; encoded investigative methodology does. Same input claim, categorically different job.

No - Shift and Hesper sit at adjacent layers and are complementary. Shift is a detection and handler-assist vendor: its agentic AI helps claims handlers, and its data network flags suspicious claims. Hesper sits downstream at the investigation layer, taking a flagged claim and running the full SIU playbook to an audit-ready finding in 2-4 hours instead of 14+ days. Shift's Eric Sibony argues, correctly, that domain expertise is the real barrier to good agents - deep insurance business modeling to define when an agent should act, escalate, or say I don't know. The nuance is that an investigation agent's domain expertise is SIU investigative methodology specifically. The modal carrier deployment runs a detection vendor and Hesper together; the moats stack rather than compete.

A defensible fraud investigation runs a methodology, not a score. The Association of Certified Fraud Examiners describes it as resolving an allegation from inception to deposition using proper procedures and techniques. In practice that means defining the allegation, preserving evidence and establishing chain of custody, developing a fraud theory, running targeted tests tied to the suspected scheme, corroborating every red flag before concluding, assessing witness and claimant credibility, and documenting facts, methods, and limitations. Chain of custody matters because defense counsel attacks how evidence was collected, and errors cannot be fixed later. This is why a fraud finding has to be audit-trail-native - every decision logged with its sources and reasoning - to satisfy requirements like California 10 CCR 2698.36 and NAIC Model Act 680.

AI can do both, but they require different architectures. Most insurance AI today - including cross-carrier data networks and handler-assist agents - operates at the detection layer, flagging suspicious claims. Autonomous investigation is a newer, harder problem: an agent has to run 15+ investigation phases in parallel on a single flagged claim - document forensics, statement cross-reference, timeline reconstruction, financial pattern analysis - then synthesize them into an audit-ready finding a human SIU lead reviews. Hesper compresses the manual 14+-day investigation to 2-4 hours and lifts flagged-claim coverage from about 25% to 100%, at roughly $150 per case versus about $2,500 manually. The difference from detection AI is that the output is a defensible investigation, not a score.

Because the value at the investigation layer comes from judgment and defensibility, not pattern volume. In many AI domains, more data reliably means a better model. In fraud investigation, more scored claims improve the flag but not the finding. Once a claim is flagged, the work is corroborating evidence, resolving contradictions, assessing credibility, and producing documentation that survives legal scrutiny - all governed by investigative methodology, not by dataset size. A carrier already has more flagged claims than its SIU can investigate: roughly 25% get worked. The lever is investigating the rest to a defensible standard. That is why, at this layer, encoded methodology is the durable moat and claims volume is table stakes for the detection step upstream.

← More articles on the Hesper AI blog

See Hesper AI on your documents

Request a demo and we'll run an analysis on your real document samples.