07 · ALLIANZ STRATEGIC BRIEF

Compliance & governance

4 gates in parallel execution (~4–6 months before the Phase 1 build kickoff). OneTrust + AI Community + AT review + DPO/DPIA. Regulatory matrix: GDPR, DORA, EU AI Act, NIS2, Solvency II, Allianz AI Code of Conduct.

10 min read

COMPLIANCE LANDSCAPE

Four gates, parallel execution, 4–6 months

Before the Phase 1 build kickoff, the project must pass through OneTrust, AI Community, AT review and DPO/DPIA. None of the gates has been started yet. The realistic estimate with all gates opened in parallel is 4–6 months; opening them sequentially would mean 6–10 months and a shift of the Phase 1 timeline.

Compliance gates: 4 (OneTrust · AI Community · AT · DPO)
Total duration: 4–6 months (parallel execution)
Duration per gate: 6–12 weeks (OneTrust + AI Community)

Diagram: Compliance gates in parallel execution (~6 months, 2026 H1)

GateTracker widget (interactive status board with 5 activities per gate, owner and blocking dependencies)
GATE 1 · ONETRUST

Privacy Impact + AI Risk Assessment in one platform

Allianz uses OneTrust not only for privacy but also for AI risk. This lets us merge the GDPR DPIA and the EU AI Act risk assessment into a single workflow. Status: not yet started.

5 activities

  1. Registration in the OneTrust platform
     Matúš receives the supporting materials from the client (OQ-15)
  2. Initial risk assessment submission
     Data flows, AI usage, vendors (Anthropic + Microsoft)
  3. Privacy Impact Assessment (PIA)
     GDPR-compliant DPIA for the Phase 1 scope
  4. AI risk assessment
     Allianz uses OneTrust for AI risk too; high-risk classification under the EU AI Act
  5. Sign-off before the Phase 1 build kickoff
     Final approval workflow with the DPO + Privacy Officer
Timeline: ~6–12 weeks (in parallel)
GATE 2 · AI COMMUNITY

Model risk review for the Anthropic + Azure OpenAI multi-model setup

AI Community is the Allianz Group body that assesses AI model risk. Our position: scaling an existing approval. The Group already has an Anthropic contract (the pricing actuaries precedent). We are not asking for a new vendor; we are asking for new use cases on the existing contract.

5 activities

  1. Initial submission with the Group contract reference
     Position: 'scaling existing approval', not 'new vendor procurement'
  2. Model risk review
     Claude Sonnet/Haiku/Opus + Azure OpenAI text-embedding-3-large + GPT-4o-mini multi-model
  3. Use case risk classification
     Customer-facing CRM AI = likely 'high-risk' under the EU AI Act → stricter control regime
  4. Hallucination handling + guardrails review
     Output validation, source attribution, confidence thresholds
  5. Sign-off before the Phase 1 build kickoff
     AI Community Governance Committee final approval
Timeline: ~6–12 weeks, in parallel
GATE 3 · AT REVIEW

Cold pitch playbook: we prepare it pre-emptively ourselves

The Allianz Technology review is the single biggest risk for the whole project (section 12.2 risk register: Medium-High likelihood, Catastrophic impact). Strategy: a pre-emptive cold pitch with a fully documented HTML deliverable + an offer of a 30-minute walkthrough.

5-activity playbook

  1. Pre-meeting
     We deliver the HTML deliverable + offer a 30-minute walkthrough; AT has context before the first call
  2. Meeting 1: Big Picture + recommended architecture overview
     High-level architecture, 3 differentiators, alternatives considered (conservative + experimental)
  3. Meeting 2: Deep dive on the priority sections
     Typically security + landing zone alignment + identity/network; these interest AT the most
  4. Iteration: AT feedback → adjustments → re-submit
     ADRs are updated, the document is re-published, second-pass review
  5. Sign-off before the Phase 1 build start
     AT acceptance certificate; alignment with the reference architecture confirmed
Timeline: ~8–12 weeks

Pre-emptive countermeasures

Top 10 AT objections

Each of the 10 typical AT objections (section 2.3) has a matching counter in a dedicated section of the document. RedTeamBlock components are embedded inline.

Every ADR has AT alignment

12 ADRs in section 3.6, each with an explicit “Allianz Technology alignment” line. No decision is left orphaned without AT context.

Fallback if AT rejects

Each architectural choice has an explicit “fallback” option (e.g., MCP rejected → REST adapters; Anthropic rejected → Azure OpenAI only). No single point of failure in the review.

GATE 4 · DPO + DPIA

Special category claims data: GDPR Art. 9 flag

A Data Protection Impact Assessment is mandatory under GDPR for processing involving AI + automated decision-making. The biggest red flag: claims data potentially includes health data under GDPR Art. 9 (special category). Status: not started.

5 activities

  1. DPIA for Phase 1
     Required under GDPR for AI + automated decision-making; covers C360, campaigns, the AI chatbot
  2. Special category data assessment ⚠
     Claims data is potentially health data under GDPR Art. 9: encryption with customer-controlled keys, restricted access, no AI training
  3. Cross-border transfer assessment
     Anthropic deployment: likely EU residency; OQ-2 driver
  4. Data minimization review
     Cache TTL policy (5–15 min), no replication, toggle-off mode for the cache
  5. Right to explanation + AI transparency
     User-facing AI labelling, audit trail per inference, decision explainability
Timeline: ~4–8 weeks
REGULATORY MATRIX

Seven regulations + the Allianz AI Code of Conduct

The Phase 1 product is in scope of GDPR (including Art. 9), DORA (FSI ICT risk), the EU AI Act (high-risk classification), NIS2 (cybersecurity for FSI), Solvency II (operational risk) and the Allianz Group AI Code of Conduct. This matrix is the input for the OneTrust + AI Community submissions.

| Regulation | Application | Our compliance approach |
|---|---|---|
| GDPR | Personal data processing | DPIA, lawful basis (legitimate interest + consent for marketing), data minimization, right to explanation |
| GDPR Art. 9 | Special category (health data in claims) | Explicit consent / vital interest; encryption with customer-controlled keys if needed; no AI training; restricted access |
| DORA (EU 2022/2554) | ICT risk for FSI from Jan 2025 | ICT risk register, third-party risk (Anthropic + Microsoft), incident reporting, resilience testing, exit strategy from vendors |
| EU AI Act (2024/1689) | High-risk AI systems | Classification: customer-facing CRM AI = likely high-risk; risk management system, data governance, human oversight, transparency to users |
| Solvency II (EIOPA) | Insurance prudential | Operational risk + ICT risk components; alignment with DORA |
| NIS2 (EU 2022/2555) | Cybersecurity for FSI | Security controls per Annex II, incident reporting; alignment with DORA for FSI |
| Allianz AI Code of Conduct | Group internal | Disclosure of AI tools in the dev lifecycle; respect for Group AI principles |
| Slovak data localization | Sectoral | TBD: confirm with the Allianz SK DPO |
OPEN QUESTIONS

Two blocking OQs for the compliance gates

The compliance plan is well documented, but two open questions directly block the submissions to OneTrust + AI Community. Without them we cannot complete the initial filings.

We can launch the compliance phase as soon as we obtain OQ-7 and OQ-15. These are the two top sponsor asks for the first internal Allianz meetings. Once we have the data, we open all 4 gates in parallel and the 4–6 month period starts running.