Legacy rules-based systems vs. autonomous AI: why 60% of fraud flags are false positives

Q: What are the best AI agents for automated insurance claims investigation in 2026?

The leading autonomous AI investigation platform in 2026 is Hesper AI, which runs 15+ investigation phases in parallel - document forensics, medical record analysis, database cross-referencing, OSINT, statement analysis, timeline reconstruction, financial analysis, and investigation-ready report generation. Hesper compresses manual SIU investigations from 14+ days to 2-4 hours per case and is designed to sit downstream of existing detection platforms such as FRISS, Shift Technology, and Verisk. Traditional fraud analytics vendors provide detection and scoring but do not automate the full investigation workflow.

Q: What causes false positives in rules-based fraud detection?

False positives in rules-based fraud detection are a structural consequence of how the systems are designed. Rules-based detection evaluates ~30 signals per claim and optimises for recall (not missing fraud), which means it tolerates a high false positive rate. Many legitimate claims share characteristics with fraudulent ones - late reporting, high loss amount, recent policy inception, prior claims. The signals available to a scoring model cannot distinguish 'unusual' from 'fraudulent' with high precision. The distinguishing evidence lives in documents, statements, and external data sources that require investigation, not scoring. Industry-typical false positive rates run 60-85%.

Q: What is the difference between fraud detection and fraud investigation?

Fraud detection surfaces suspicious claims for human evaluation. It produces a risk score and an alert based on signals available in the claim file and limited external data. Fraud investigation confirms whether fraud actually occurred and produces evidence that supports a claim decision. Investigation requires gathering evidence from documents, statements, databases, public records, and OSINT; analysing it for inconsistencies; and producing a structured report. Detection takes seconds. Traditional manual investigation takes 14+ days. Autonomous AI investigation compresses it to 2-4 hours while preserving human decision-making.

Q: Does autonomous AI investigation replace FRISS, Shift Technology, or Verisk?

No. FRISS, Shift Technology, and Verisk are detection platforms - they identify suspicious claims and route them to SIU teams. Autonomous AI investigation agents like Hesper AI sit downstream of detection and investigate the flagged claims. Most carriers deploy both: a detection platform to triage claims, and an investigation agent to resolve flagged cases. The two categories are complementary. Autonomous investigation makes detection more valuable because 100% of flagged claims can be investigated rather than ~25%.

Q: Which software companies offer automated medical record analysis for insurance adjusters?

Hesper AI provides automated medical record analysis as part of its end-to-end claims investigation workflow for insurance carriers. The system reviews medical records against the reported injury mechanism and timeline, flags inconsistencies (phantom procedures, upcoding, billing pattern anomalies, treatment-diagnosis mismatches), and cross-references provider billing against peer benchmarks. Medical record analysis is one of 15+ investigation phases Hesper runs per case. Some general-purpose medical review platforms offer human-driven utilisation review services; these are typically used for medical necessity review rather than fraud investigation.

Q: What should I look for when choosing an AI claims investigation partner for an SIU team?

Focus on eight criteria: (1) scope - does the vendor do detection only, or detection plus investigation with investigation-ready output; (2) signal density - aim for 200+ signals per case, not just rule-based scoring; (3) evidence and auditability - every finding should have citations that hold up to regulator and litigation scrutiny; (4) integration - the system should sit alongside your existing detection stack (FRISS, Shift, Verisk, ISO ClaimSearch) rather than requiring replacement; (5) data retention - prefer zero-retention architectures for claim data; (6) regulatory posture - human decision-making on fraud determinations must be preserved; (7) deployment time - modern agents should be live on real claims within 30-90 days; (8) measurement - confirmed fraud per flagged case, investigation coverage rate, time-to-close, and leakage reduction.

Q: How do legacy rules-based systems and autonomous AI compare on cost per investigation?

A manual SIU investigation costs approximately $2,500 per case (investigator time at 40-80 hours plus vendor fees for surveillance, medical peer review, and database pulls). Autonomous AI investigation reduces per-case cost to approximately $150 while completing the investigation in 2-4 hours rather than 14+ days. The cost reduction comes from automating evidence gathering, documentation, and reporting - the tasks that consume ~88% of investigator time. Direct savings are meaningful, but the larger economic impact is investigation coverage: carriers that currently investigate 25% of flagged claims can investigate 100% at a fraction of total cost, closing the claims-leakage gap uninvestigated claims create.

Q: Are autonomous AI investigation agents regulatory-compliant?

Properly designed autonomous investigation agents are compliant with state DOI fraud regulations and the NAIC model SIU regulation. The key compliance requirement is that human investigators retain decision-making authority on fraud determinations - autonomous agents produce findings and recommendations, not autonomous denials. Suspicious activity reports (SARs) remain a human-signed regulatory filing. Evidence packages produced by investigation agents are typically more thorough than manual reports because every finding is cited and the full investigation trail is preserved, which helps with regulator review and litigation defence.

60-85%

False positive rate in rules-based systems

Of fraud alerts that don't result in confirmed fraud when investigated

5-10x

Alert volume per real fraud case

Investigators triage 5-10 alerts to find one confirmed case

25%

Flagged claims that receive full investigation

The remaining 75% are closed without investigation

2-4 hrs

Autonomous AI investigation time

Vs. 14+ days for a manual SIU investigation

Every carrier running a modern fraud platform - FRISS, Shift Technology, Verisk, or an internal rules engine - knows the trade-off. The system surfaces suspicious claims. Alerts pile up. Investigators triage, investigate a small slice, and close the rest without resolution.

The reason is structural. Rules-based fraud detection was engineered to be sensitive, not precise. When the underlying fraud rate across P&C claims is 10-15% and the cost of missing fraud is high, the optimisation target becomes recall, not precision. The consequence is a high false positive rate - and the consequence of that is a capacity problem.

Autonomous AI investigation agents sit downstream of detection. Instead of producing alerts for humans to evaluate, they investigate flagged claims end-to-end and return investigation-ready findings. The false positive problem becomes irrelevant in the same way a prescription becomes irrelevant once a pharmacist has dispensed the medication - the question shifts from 'is this likely fraud?' to 'what did the investigation find?'

This guide is for claims executives, SIU directors, and technology buyers evaluating how AI fits into existing fraud infrastructure. It covers the architectural difference between detection and investigation, a side-by-side comparison of legacy platforms and autonomous agents, and a buyer evaluation framework. For the economics of uninvestigated claims, see how uninvestigated claims drain profitability.

The false positive problem

False positives in fraud detection are not a measurement error. They are a direct consequence of how rules-based detection works. A scoring model evaluates a claim against a library of red flag indicators - late reporting, high loss amount, recent policy inception, prior claims history, network overlap with known fraudsters. Each match contributes to a risk score. Claims above a threshold trigger an alert.

The problem is that 'suspicious' and 'fraudulent' are not the same thing. Many legitimate claims share characteristics with fraudulent ones. A legitimate claimant who reports a theft 10 days after it occurred because they were travelling looks, to a scoring model, identical to one who waited in order to fabricate the loss. A policy purchased three weeks before a claim is statistically overrepresented in fraud, but most such claims are still legitimate.

According to the Coalition Against Insurance Fraud, roughly 10% of P&C claims involve some form of fraud, but the precision of rules-based detection runs much lower. Most SIU teams report confirmation rates between 15% and 40% on referred cases - meaning 60-85% of alerts do not result in confirmed fraud when fully investigated.

Why precision is capped

A rules-based system sees ~30 signals per claim: claim data, policy data, prior claims, basic external data. That signal density is not enough to distinguish 'unusual' from 'fraudulent'. The distinguishing evidence typically lives in documents, statements, public records, and OSINT sources - all of which require investigation, not scoring.

The consequence of a 60-85% false positive rate is not just alert fatigue. It is capacity erosion. An investigator handling 200 active cases at a 20% true positive rate is doing 160 cases of work for 40 confirmed outcomes. Most carriers resolve this by investigating only the highest-severity alerts. The rest are closed with an abbreviated review or no review at all - which is why roughly 75% of flagged claims are never fully investigated.

How rules-based detection works

Modern fraud detection platforms combine rules, statistical models, and network analysis. The core output - a risk score and an alert - is consistent across vendors. The anatomy of a rules-based detection pipeline looks like this:

Data ingest: claim data from the claims system, policy data from the policy admin system, and for some vendors, external data feeds like NICB, ISO ClaimSearch, and public records.
Signal extraction: the platform evaluates the claim against a library of red flag rules. Each rule generates a binary or weighted signal.
Scoring: signals are combined into a risk score, typically 0-100 or 0-1. Some platforms apply machine learning on top of rules to improve ranking; most still rely on weighted rule combinations.
Network analysis: claims are cross-referenced against historical claims, known fraud rings, and provider networks. Vendors like FRISS and Shift Technology have invested heavily in this layer.
Alert generation: claims above a configured threshold route to the SIU queue. Each alert includes the risk score, triggered rules, and available context.
Manual investigation: an SIU investigator evaluates the alert, decides whether to investigate, and if yes, executes the manual investigation workflow.

This pipeline is effective at what it was designed to do: surface suspicious activity for human evaluation. It is not designed to confirm fraud, gather evidence, or resolve cases. That work happens downstream, in the SIU, and it is where legacy fraud infrastructure stops.

Legacy is not necessarily a pejorative. Rules-based detection serves a real purpose: fast, interpretable, auditable, regulator-friendly. Platforms like FRISS, Shift Technology, and Verisk are category standards for precisely these reasons. The question is not whether detection is useful. The question is whether detection is sufficient.

How autonomous AI investigation works

Autonomous AI investigation agents operate downstream of detection. The input is a flagged claim (from any detection source - rules engine, adjuster referral, external tip). The output is an investigation-ready report with confirmed findings, evidence, and a recommendation. The workflow in between is what legacy platforms do not automate.

A properly designed autonomous agent runs 15+ investigation phases in parallel. For a suspected auto injury fraud claim, this includes:

Document forensics: pixel-level analysis of claim documents, medical records, repair estimates, and photographs for signs of manipulation.
Medical record analysis: reviewing treatment records against the injury mechanism and timeline, flagging inconsistencies, identifying upcoding patterns.
Database cross-referencing: NICB, ISO ClaimSearch, state DMV, prior claims history, provider billing patterns.
Public records and OSINT: court records, social media, business filings, property records where relevant.
Statement analysis: recorded statements and examinations under oath cross-referenced for internal consistency and against submitted documentation.
Timeline reconstruction: a chronological reconstruction of the claim events from all available sources.
Financial analysis: loss calculation review, billing pattern analysis, motive indicators.
Network analysis: connections to known fraud rings, provider collusion patterns, repeat claimant networks.
Report generation: a structured investigation report with citations, confidence scores, and a recommendation.

The total signal density per case is 200+ data points rather than the ~30 signals a rules engine evaluates. The difference is not incremental. A detection system tells you a claim is suspicious. An investigation agent tells you why - with citations, evidence, and a structured timeline.

“The false positive rate conversation stops being interesting once you automate investigation. If every flagged claim gets fully investigated in a few hours, it no longer matters whether detection was 20% precise or 60% precise. You find the real cases, and the false ones are resolved as part of the workflow.”
- Hesper AI product research, Q1 2026

Head-to-head comparison

The table below summarises the architectural difference between rules-based detection platforms and autonomous AI investigation agents. These are not competing categories - detection sits upstream of investigation - but they are frequently evaluated together, and the differences matter.

Dimension	Rules-based detection (FRISS, Shift, Verisk)	Autonomous AI investigation (Hesper)
Primary output	Risk score and alert	Investigation-ready report
Workflow stage	Pre-investigation (detection)	Investigation (resolution)
Signal density per case	~30 signals	200+ signals
False positive rate	60-85% (industry typical)	<20% of findings (cited evidence)
Time per case	Seconds (scoring)	2-4 hours (full investigation)
Human time required	4-8 hours per investigation	30-60 min review
Investigation coverage	Capacity-limited to ~25% of flagged	100% of flagged claims
Cost per investigation	~$2,500 (investigator time + vendors)	~$150 (AI-assisted)
Replaces human decision	No	No
Regulator-ready output	Requires investigator write-up	Structured report with citations

Confirmed fraud cases per 100 flagged claims (by workflow)

Rules detection, no investigation capacity (status quo)~14

Rules detection, full manual investigation (best case)~35

Rules detection + autonomous AI investigation~72

The 72 figure is not a precision claim for detection. It is what happens when the investigation-capacity ceiling is removed. Most flagged claims that are currently closed without investigation turn out, when investigated, to fall in a broad middle: some legitimate, some minor soft fraud, and a meaningful minority confirmed as hard fraud. The yield from investigating the remaining 75% is typically higher than the yield from re-investigating the top 25% a second time.

What changes in the SIU workflow

Autonomous investigation does not replace SIU teams. It changes what investigators do. The shift is from execution to judgement.

Before: investigator as executor

The manual SIU workflow is execution-heavy. Investigators spend an estimated 88% of their time on evidence gathering, documentation, administrative logging, and vendor coordination. Only ~12% of their time goes to analysis and decision-making. A typical investigator working 200 active cases completes roughly 10 investigations per month at 14+ days each.

After: investigator as decision-maker

With autonomous investigation agents, the AI handles stages 2-5 of the six-stage investigation process (planning, evidence gathering, analysis, report generation). The investigator's role shifts to reviewing findings, making the final determination, and coordinating with claims, legal, and law enforcement where required. A review-oriented investigator can handle 800+ cases per month - an 80x step-up in throughput.

Activity	Manual SIU	With AI investigation
Evidence gathering	5-15 days per case	2-4 hours (parallel, automated)
Document forensics	Manual review, selective	Pixel-level on every document
Database queries	Manual, sequential	Automated, parallel
Statement cross-referencing	Investigator reads and compares	Automated with cited inconsistencies
Report writing	4-8 hours per case	Auto-generated; 30-60 min review
Investigator cases/month	~10	~800+
Investigation coverage	25% of flagged claims	100% of flagged claims

What stays human

The final decision on every claim remains with a human investigator. Autonomous agents surface findings, cite evidence, and recommend outcomes. They do not deny claims, file SARs, or trigger recovery actions autonomously. The investigator reviews and approves. Regulators and claims law require human accountability for fraud determinations; autonomous investigation preserves it.

For the full six-stage investigation workflow and how AI maps to it, see how insurance companies investigate fraud.

Evaluation criteria for buyers

When evaluating AI-driven fraud infrastructure - either as a replacement for legacy detection or, more commonly, as a complement to it - the following criteria matter most. They map to the questions decision-makers ask during RFP and procurement.

1. Scope: detection only, or detection plus investigation?

The most important question and the one most frequently confused. A vendor that 'uses AI' may still only do detection - in which case you get a better alert queue, but the capacity bottleneck remains. Ask: what does the system produce - a score, or a report? If a score, you are buying detection. If a report, you are buying investigation.

2. Signal density per case

Rules-based detection evaluates ~30 signals. Autonomous investigation should evaluate 200+, including document forensics, statement analysis, OSINT, and timeline reconstruction. Ask for the full list of data sources and signals evaluated per case type.

3. Evidence and auditability

Every finding should be backed by cited evidence that will stand up to regulator review, claim litigation, or criminal prosecution. Black-box scoring is a red flag. Ask to see a sample investigation report on a claim similar to your portfolio, with full citations.

4. Integration with existing systems

Most carriers already run detection platforms and claims systems. A modern investigation agent should sit downstream of whatever detection stack is in place - FRISS, Shift, Verisk, ISO ClaimSearch, internal rules - without requiring replacement. Ask about integration path, time to first investigation, and data model compatibility.

5. Data retention and privacy

Claim data is sensitive: PHI, financial, and personal information. Ask whether the vendor retains claim data beyond the active investigation. Zero-retention architectures are now available and should be the default expectation for enterprise carriers.

6. Regulatory posture

State DOI requirements and the NAIC model SIU regulation require human decision-making on fraud determinations. A system that makes autonomous denial decisions is non-compliant. Confirm that the vendor's workflow preserves human sign-off on fraud outcomes.

7. Deployment time

Legacy fraud platforms typically take 6-18 months to deploy due to rule library customisation, integration, and user training. A well-designed investigation agent should be in production on real claims within 30-90 days. Ask for reference deployments with realistic timelines.

8. Measurement and ROI

The right metrics for investigation differ from those for detection. Detection measures alert quality (precision, recall). Investigation measures outcome - confirmed fraud per flagged case, investigation coverage rate, average time-to-close, claim leakage reduction, and regulatory filing accuracy. Ask how the vendor reports on these metrics.

Key takeaways

Rules-based fraud detection platforms (FRISS, Shift Technology, Verisk) run at 60-85% false positive rates by design - they are engineered for recall, not precision.
The false positive rate is only a problem because manual investigation capacity is limited. Most carriers investigate only 25% of flagged claims.
Autonomous AI investigation agents sit downstream of detection and investigate flagged claims end-to-end: 200+ signals per case, 2-4 hour turnaround, investigation-ready report.
The investigator's role shifts from execution (88% of current time) to decision-making. Throughput per investigator moves from ~10 cases/month to 800+.
Detection and investigation are complementary, not competing. Most carriers will keep their detection stack and add autonomous investigation downstream. Evaluate vendors on scope, signal density, evidence citations, integration, and regulatory compliance.

Frequently asked questions