This series has covered the Insurance AI regulatory landscape state by state: Colorado’s layered governance regime, New York’s proxy assessment requirements, Florida’s human review mandate in progress, and the quiet but real compliance expectations building in the 20-plus states that adopted the NAIC Model Bulletin. The final question is what the landscape looks like from here, and what carriers should be building toward regardless of which direction the regulatory environment moves.
The answer is more settled than the current political noise suggests.
The Third-Party Model Law
The most consequential near-term development in NAIC’s regulatory agenda is the anticipated model law on third-party AI and data oversight. The NAIC’s Third-Party Data and Models (H) Working Group has adopted a broad definition of ‘third party’ encompassing any nongovernmental entity providing data, models, or outputs for insurance activities, which would include rating agencies, insurtech vendors, data aggregators, and AI platform providers.¹
A model law is anticipated in 2026, potentially including licensing requirements for vendors that provide AI tools to insurers.² The implications are significant. If vendor licensing becomes a regulatory requirement, carriers will need to verify that their third-party AI partners are operating in compliance with that framework. Vendors that cannot meet licensing standards may create regulatory exposure for the carriers using their tools.
For now, the operative obligation is what the NAIC bulletin already requires: written vendor oversight standards, contracts with audit rights and regulatory cooperation provisions, and documentation sufficient for the carrier to perform its own governance review of third-party AI. Carriers that build those vendor management practices now will be positioned to comply with a more structured vendor oversight regime when it arrives.
The Federal Preemption Question
The federal landscape shifted significantly in December 2025 when President Trump signed an executive order directing the creation of a national AI governance framework and establishing a DOJ AI Litigation Task Force with an explicit mandate to challenge state AI laws viewed as inconsistent with federal policy.³ The order specifically identified Colorado’s anti-discrimination statute as an example of legislation it viewed as problematic.
In March 2026, the White House released high-level recommendations for a National AI Legislative Framework calling for federal preemption of ‘unduly burdensome’ state AI regulation, while routing oversight through existing sector-specific agencies rather than creating a new federal AI body.⁴
The NAIC responded with an Issue Brief formally reaffirming state authority over insurance AI oversight under McCarran-Ferguson, and opposing federal preemption that would undermine existing consumer protections.⁵ Thirty-six state attorneys general had previously urged Congress to oppose state preemption proposals.⁶ The ‘One Big Beautiful Bill’ moving through Congress as of early 2026 contains a provision that would prohibit states from enacting or enforcing AI-specific laws for ten years, which NAIC has actively opposed.⁷
What Should Carriers Assume About the Federal Timeline
The preemption debate will not resolve quickly. Legislation takes time to pass. Litigation challenging preemption under McCarran-Ferguson is likely to take years. The practical guidance from multiple legal analysts, including Carlton Fields and Baker Botts, is the same: state AI laws remain fully in force until federal preemption is enacted and upheld by courts, and even if preemption narrows regulatory requirements, it does not create a safe harbor against private litigation including class actions.⁸
Carriers that defer governance program development while waiting for federal clarity are taking real risk with real exposure. The examination environment in state markets is becoming more structured, not less. The NAIC’s AI Systems Evaluation Tool pilot launches examiner capability across twelve states in 2026 and the results will inform practice nationally.
What to Build Regardless
The governance foundations that satisfy the NAIC bulletin, Colorado’s §10-3-1104.9, New York’s Circular Letter 2024-7, and the anticipated third-party model law are largely the same foundations. Building them once, building them well, and maintaining them over the AI system lifecycle is the most efficient compliance strategy available, and also the right operational strategy for carriers managing the actual risk of algorithmic error in a regulated business.
Specifically:
AI System Inventory: Every AI system used in underwriting, pricing, claims, or other regulated functions should be identified, documented, and classified by risk level. This is the foundation. Without knowing what systems are in use and how they make or influence decisions, no other governance work is possible.
Bias Testing and Validation: For systems in scope under the NAIC bulletin, Colorado’s regulation, or New York’s circular letter, formal bias testing against protected classes is an expectation, not a recommendation. Carriers that have not conducted this testing are operating with a governance gap that examiners are now equipped to identify.
Governance Policies and Board Accountability: The NAIC bulletin, Colorado SB 205, and New York’s Circular Letter all require that AI governance accountability sit at the senior management or board level. A written policy that assigns that accountability and documents the governance structure is a prerequisite for any examination response.
Vendor Contracts: Contracts with AI and data vendors should include audit rights, regulatory cooperation obligations, and documentation requirements that allow the carrier to perform its own governance review. This is not standard SaaS contract language and it requires intentional negotiation.
Consumer Disclosure Workflows: Carriers should build procedures for notifying consumers when AI is used in adverse decisions, and for providing the information consumers need to understand and appeal those decisions. Both Colorado and New York impose specific disclosure requirements; the NAIC bulletin establishes a general notice expectation.
Documentation as a Living Asset: All of the above should be documented in a way that is retrievable, current, and organized to respond to an examination request. The carriers that navigate the emerging AI examination environment best will be the ones who can produce a regulator-ready package on demand, not the ones scrambling to reconstruct documentation after a request arrives.
The Broader Picture
The regulatory arc of AI in insurance is consistent regardless of what the federal government ultimately does. Regulators, examiners, litigants, and the public are all paying more attention to how carriers use AI to make decisions that affect policyholders. The bias testing gap revealed in NAIC surveys (nearly one-third of insurers not regularly testing their models for bias or discrimination) is a compliance gap and a consumer protection problem. State regulators know it, and the examination infrastructure being built in 2026 is specifically designed to address it.
The carriers that get ahead of building documented governance programs, testing their models, managing their vendors, and owning their AI decisions through qualified human accountability, are building durable operational advantages. The carriers that wait are building regulatory liability.
This series will be updated as new states act, the third-party model law advances, and the federal preemption question develops further. The landscape is moving. The governance foundations are not.
About WaterStreet
About WaterStreet Company: WaterStreet provides cloud-based policy administration software for small to mid-size P&C carriers. Our platform is designed to support the governance, documentation, and workflow requirements carriers increasingly need to meet regulatory expectations in an AI-driven environment.
Contact Us to see a demo or learn more!
Sources:
- Fenwick, Tracking the Evolution of AI Insurance Regulation (December 2025)
- Fenwick, Tracking the Evolution of AI Insurance Regulation (December 2025)
- Seyfarth Shaw, President Trump Signs Executive Order Preempting State AI Laws (December 2025)
- Freshfields, White House Publishes AI Legislative Framework to Preempt State AI Regulation (March 2026)
- Crowell & Moring, NAIC Intensifies AI Regulatory Focus (March 2026)
- Seyfarth Shaw, President Trump Signs Executive Order Preempting State AI Laws (December 2025)
- One Inc, AI Regulation in Insurance: NAIC & PIA’s Take on Federal Oversight (December 2025)
- Carlton Fields, AI Executive Order Calls for Changes, But the Need for Good Governance Remains (December 2025)
