Hide Nothing
Cattle-claim insurance, biometric identity
Regional carrier insuring smallholder cattle herds was paying low-eight-figures annually on fraudulent death claims. The pattern was crude but effective: the same animal re-enrolled under a neighbor's policy, then 'died' twice. Field assessors couldn't be everywhere and a photo by itself didn't prove much, two black-and-white cows look like two black-and-white cows. Legitimate claims paid out but took 4 to 8 weeks of paperwork; the fraud cases looked indistinguishable until after the wire transfer. Manual photo review caught a fraction of substitutions and burned the assessors' time on the ones it didn't.
Biometric enrollment at policy bind
At enrollment the rancher's phone captures a wide profile shot, a close-up muzzle frame, and a head-side angle. The app refuses anything blurry. Three encoders run on-device in parallel: muzzle print (the primary signal, uniqueness comparable to a fingerprint), an anatomy encoder for eyes, ears, and horns (secondary verification), and a body-marking extractor for coloring patterns and scars. The combined embedding is signed locally and queued for upload.
Field capture, same app, claim time
When a claim is filed, the same app captures fresh imagery. Geotag stamped; EXIF checked for tamper markers; the quality gate forces a re-shoot if the photo is unusable. Nothing leaves the device unsigned. Captures are queued offline and uploaded opportunistically.
Identity match against the enrolled embedding
At intake, fresh embeddings are cosine-matched against the policy's enrolled embeddings. The threshold is adaptive per region (different breed mixes, different baselines). If the match passes, the claim moves on; if it fails, the file routes to a fraud investigator before any payout decision is even computed.
Cause classification + policy reasoning
Verified-identity claims get a second model pass to classify cause of death (predator strike, disease, age, lightning, drowning) and check it against the policy's exclusions and coverage windows. The decision engine produces a recommendation; the human approves, holds, or overrides.
Audit-grade evidence trail
Every step writes a signed record into a hash-chained ledger. The regulator can export their format directly. No claim moves through the system without a verifiable chain of custody from first photo to final payout.
Mobile capture is the entry point; the preprocessor gates quality before anything reaches the extractors. Three encoders run in parallel (muzzle CNN, anatomy CNN for eyes, ears, and horns, and body-marking extractor); all three write to the embedding store, partitioned per policy. The identity matcher is the load-bearing decision, a fail routes to fraud hold before payout logic even runs. The audit log receives signed entries from both the pay and hold branches.
Muzzle photos vary wildly under field conditions, mud, wet noses, low light, sideways angles.
Heavy field-condition augmentation during encoder training; an on-device quality gate rejects unusable photos at upload time with a re-shoot prompt rather than letting them poison the match.
Breed variance swamped the single-encoder model; the same architecture that worked in one region drifted in the next.
Per-breed adapter heads layered on a shared backbone. New region onboarding triggers an adapter fine-tune, not a full retrain.
Collusion risk, a corrupted assessor in the loop with a fraudulent rancher.
Independent secondary verification on random spot-checks; geo-fenced enrollment requires being within range of the registered location; EXIF tamper checks at upload.
Cold-start enrollment over millions of pre-existing policies, no biometric on file for any of them.
A 90-day amnesty window underwritten by the carrier; mobile-team-on-tour for ranchers without smartphones; bulk enrollment days run alongside vaccination rounds.
Rural connectivity is often nonexistent; field uploads can't depend on the link being up.
App captures, signs, and queues fully offline; uploads opportunistically when a link returns; daily reconciliation report flags missing uploads to the field team.
Mobile capture
- ·Flutter + Camera2 (Android first, iOS second)
- ·Offline sign + queue with local SQLite
- ·EXIF integrity + geofence check
Vision pipeline
- ·ONNX Runtime on edge GPU + cloud fallback
- ·Three encoders: muzzle CNN (primary), anatomy CNN for eyes, ears, horns, body-marking extractor
- ·Per-breed adapter heads on shared backbone
Vector store
- ·Milvus, self-hosted
- ·Per-policy partitioning, adaptive per-region threshold
- ·Embedding rotation on adapter updates
Orchestration
- ·Python + Ray for batch + retraining jobs
- ·Decision engine in Python (rules DSL)
- ·Per-claim trace IDs end-to-end
Audit
- ·PostgreSQL append-only ledger
- ·S3 chain-of-custody hash + regulator export format
- ·Daily reconciliation against payout system
Model ops
- ·Per-encoder drift score, twice-yearly evaluation pass
- ·Per-breed adapter fine-tune triggered by region drift
- ·Held-out regression suite + A/B harness for new adapter heads
Biometric Threshold Theater
Six cattle, three legitimate same-animal photos at varying quality, three substituted impostors at varying similarity. Drag the match threshold and watch the per-card decisions shift. The counters below tell the precision/recall story in concrete numbers, not abstraction.
- → Fraudulent claims caught at intake before any payout
- → Legitimate claim TAT compressed from 4 to 8 weeks down to under 48 hours for clean cases
- → Audit trail surfaced regulator-grade evidence with no extra work
- → Insurance ratios improved by double-digit percentage points within two underwriting cycles
Live across [REDACTED] multi-region farms across two underwriting books. Continuous adapter retraining as new breeds enroll. Audited internally and by the client's GRC team annually.
Live across multi-region farms. Continuous model retraining as new breeds enroll. Audited internally and by client's GRC team.