The states covered in our earlier posts (Colorado, New York, and Florida) represent distinct legislative and regulatory approaches to insurance AI oversight. For carriers operating primarily in other markets, those posts can feel like watching a compliance problem that belongs to someone else.
That framing deserves scrutiny. As of early 2026, over half of all states have adopted the NAIC Model Bulletin on the Use of AI Systems by Insurers or substantially similar guidance.¹ For carriers writing business across a standard national or regional footprint, the majority of their exposure may sit in the bulletin states, where the regulatory expectation is principle-based but the examination apparatus is real and now actively developing.
Which States Adopted the Bulletin
States that adopted the NAIC Model Bulletin with minimal or no material customization include Delaware, Hawaii, Kentucky, Maryland, Massachusetts, Nebraska, New Jersey, North Carolina, Oklahoma, Pennsylvania, Rhode Island, Vermont, Wisconsin, and others with the full list tracked and updated by the NAIC directly.²
The NAIC also tracks states that have adopted related regulations or guidance addressing similar topics without formally adopting the bulletin text. The total universe of states where carriers should be prepared to demonstrate AI governance practices is substantially larger than the bulletin adoption list alone.
What the Bulletin Actually Requires
The NAIC bulletin is principle-based, not prescriptive. It does not mandate specific testing methodologies, require annual filings, or specify governance structures in granular detail. What it does is establish that insurers should implement and maintain a written AIS Program covering:
Governance: A documented accountability structure involving appropriate disciplines (business units, actuarial, data science, underwriting, claims, legal, and compliance) with senior management or board accountability for oversight.
Risk Management and Internal Controls: Validation, testing, and retesting processes to assess AI outputs, evaluate data quality, and identify potential bias. The bulletin specifically recommends verification and testing methods to identify errors, bias, and unfair discrimination.³
Third-Party Vendor Oversight: Written standards and policies for the acquisition, use of, and reliance on AI systems or data sources developed or deployed by third parties. Insurers are responsible for vendor compliance; the obligation does not transfer.
Documentation: Documentation of policies, procedures, model validation, and testing results sufficient to respond to regulatory inquiries. The bulletin advises insurers to anticipate regulatory requests including document production during investigations or market conduct exams.⁴
Consumer Notice: Notification to consumers when AI systems have been used in decisions affecting them, and a process for consumers to understand and, where applicable, appeal those decisions.
What Examiners are Expected to do with it
The critical development in 2026 is the NAIC’s AI Systems Evaluation Tool, a structured framework designed to give examiners a standardized approach to reviewing insurer AI governance programs during market conduct examinations.
The tool is currently in a multistate pilot running January through September 2026, with twelve participating states.⁵ The results of the pilot will inform how widely the tool is deployed and whether it supports the development of a formal model law. Industry trade groups have pushed back, urging that the evaluation tool’s references to governance and risk assessment frameworks not be interpreted as creating new regulatory requirements beyond those established in the bulletin.⁶
For carriers, the practical implication is this: market conduct examinations in bulletin states will increasingly include structured questions about AI governance programs. The evaluation tool is being designed to make that inquiry consistent and repeatable. Carriers that have documented, defensible governance programs will navigate those examinations with meaningfully less exposure than carriers who cannot produce the documentation when asked.
What has Happened So Far
As of mid-2025, there does not yet appear to be significant formal enforcement of AI governance requirements in the states that adopted the bulletin.⁷ That is not a signal that enforcement will not come. It reflects that the examination infrastructure, particularly the AI Systems Evaluation Tool, has been in development. The pilot launched in January 2026 is specifically designed to operationalize examiner capability.
Carriers should also consider that the absence of formal enforcement actions does not mean absence of regulatory scrutiny. Market conduct exams that identify poorly documented AI programs can generate recommendations, consent orders, and examination findings that precede formal action. The enforcement risk is not hypothetical but is in the process of being operationalized.
The Vendor Problem
The key question for carriers in the bulletin states is not whether the regulatory expectation exists. It does. The question is how to build a governance program that is both substantively adequate and defensible when examined.
Based on the NAIC framework and the evaluation tool’s published structure, a compliance-ready AIS Program should include:
- A written, board-approved AI governance policy
- A documented inventory of AI systems used in regulated insurance functions
- Validation and bias testing records for each system
- Vendor contracts with audit and cooperation provisions
- Consumer notice procedures tied to adverse decisions
- A clear internal escalation path for governance concerns
Carriers that have not yet taken that inventory, particularly those using AI tools embedded in third-party platforms they did not build themselves, should treat that gap as a near-term priority. The examination environment in the bulletin states is becoming more structured, and the carriers best positioned when the AI Systems Evaluation Tool becomes standard practice are the ones building documentation now.
About WaterStreet
About WaterStreet Company: WaterStreet provides cloud-based policy administration software for small to mid-size P&C carriers. Our platform is designed to support the governance, documentation, and workflow requirements carriers increasingly need to meet regulatory expectations in an AI-driven environment.
Contact Us to see a demo or learn more!
Sources:
- NAIC, Statement on AI Executive Order (December 2025)
- NAIC, Implementation of NAIC Model Bulletin: Use of Artificial Intelligence Systems by Insurers (updated 2025)
- Holland & Knight, The Implications and Scope of the NAIC Model Bulletin (May 2025)
- Quarles, Nearly Half of States Have Now Adopted NAIC Model Bulletin on Insurers’ Use of AI (March 2025)
- Crowell & Moring, NAIC Intensifies AI Regulatory Focus (March 2026)
- Crowell & Moring, NAIC Intensifies AI Regulatory Focus (March 2026)
- Holland & Knight, The Implications and Scope of the NAIC Model Bulletin (May 2025)
- Holland & Knight, The Implications and Scope of the NAIC Model Bulletin (May 2025)
- Fenwick, Tracking the Evolution of AI Insurance Regulation (December 2025)
