The question is no longer whether your organization uses AI. For most carriers and MGAs, it is already embedded in underwriting workflows, claims triage, fraud detection, and pricing models. The question regulators are beginning to ask is whether you can account for it, and carriers are preparing for a new wave of insurance AI regulation.
As of early 2026, 23 states and Washington, D.C. have adopted the NAIC’s Model Bulletin on the Use of Artificial Intelligence Systems by Insurers, with more expected to follow. A 12-state pilot of the NAIC’s new AI Systems Evaluation Tool launched in early 2026. The tool is a structured examiner questionnaire designed to assess AI governance, risk management, and model oversight. When it becomes standard exam practice, carriers that have not built a documented governance posture will find themselves in reactive, expensive territory.
This post is not about compliance theory. It is a practical orientation to what regulators are looking for, what documentation you need in place, and why the time to build this infrastructure is now, before the exam notice arrives.
The Regulatory Backdrop
The NAIC’s December 2023 Model Bulletin did not create new law. What it did was codify regulator expectations about governance, documentation, and accountability for AI use. It also signaled that existing enforcement mechanisms (the Unfair Trade Practices Act, the Unfair Claims Settlement Practices Model Act) apply fully to AI-assisted decisions.
The bulletin requires insurers to develop and maintain a written AI Systems (AIS) Program. It establishes that in any investigation or market conduct action, a carrier can expect to be asked to produce documentation of its governance framework, risk management controls, internal controls, testing records, and any adverse consumer outcomes associated with AI use.
The enforcement posture is still developing. As of mid-2025, there has been limited formal enforcement activity in states that have adopted the bulletin. The NAIC’s pilot of the AI Systems Evaluation Tool, the ongoing development of a potential model law, and the parallel work of the Third-Party Data and Models Working Group all signal that the examination infrastructure is being built. The window to get ahead of it is narrowing.
What Regulators are Actually Looking for
The NAIC Model Bulletin, state-level adoptions, and the emerging exam framework point to five consistent areas of regulator focus. Each demands specific documentation.
1. A Written AI Governance Program (AIS Program)
Regulators expect a documented, board-acknowledged program that describes how your organization governs AI use across the policy lifecycle. This is not a single policy document. It is a framework that spans underwriting, claims, pricing, marketing, and fraud.
The governance structure should establish cross-functional accountability, with representation from actuarial, data science, underwriting, legal, and compliance functions. Roles, authorities, and escalation paths should be explicitly defined. The NAIC Model Bulletin is clear that responsibility for oversight should rest with senior management or a committee accountable to the board.
Documentation minimum: A written AIS Program with defined scope, governance structure, named accountabilities, and board acknowledgment. Version history matters. Regulators will want to see that governance evolved as your AI use did.
2. Model Inventory and Risk Tiering
You cannot govern what you have not catalogued. A model inventory covering all AI and predictive models in production use is foundational to every other governance obligation. The inventory should capture the model’s function, data inputs, the decision context it supports (underwriting, claims, fraud, pricing), the business unit responsible, the vendor if third-party, and the review cadence.
Risk tiering matters here. Not all models carry the same regulatory exposure. A claims routing model that flags documents for human review carries different risk than a model that produces rate indications used in filed products. Regulators will ask about your highest-risk models first. Know which those are before they do.
Documentation minimum: A complete, current model inventory with tiered risk classifications and clear ownership assignments.
3. Validation, Testing, and Bias Monitoring Records
The Model Bulletin requires that insurers use verification and testing methods to identify potential biases in the use of AI systems and other predictive models. This is not a one-time exercise at implementation. It is an ongoing obligation.
For models that touch underwriting, pricing, or claims decisions, regulators will expect documentation of initial validation, periodic revalidation, testing for model drift, and testing for disparate impact across protected classes. The CFPB and state regulators have both emphasized that existing fair lending and unfair discrimination statutes apply to algorithmic models. If your AI model produces outcomes that correlate with race, national origin, gender, or similar characteristics, documentation of your bias testing and mitigation protocols is your first line of defense.
Documentation minimum: Dated testing and validation records for each model in use, including bias and disparate impact analysis. Revalidation schedules should be documented and followed.
4. Third-Party Vendor Oversight Records
A significant and growing area of regulatory attention is the use of third-party AI and data vendors. The NAIC’s Third-Party Data and Models Working Group is actively developing a regulatory framework specifically to address how carriers rely on external models and data sources they may not fully control.
The principle embedded in every state adoption of the NAIC bulletin is straightforward: outsourcing the AI does not outsource the compliance obligation. Carriers remain responsible for the outputs of vendor models used in regulated decisions, regardless of whether they built the model themselves.
Regulators will ask for evidence of vendor due diligence, contract terms that preserve audit rights, documentation of how the vendor model was validated for your use case, and records of ongoing oversight.
Documentation minimum: Vendor due diligence files, contracts with explicit audit rights and model documentation requirements, use-case validation records, and ongoing oversight protocols.
5. Adverse Consumer Outcome Tracking
The NAIC Model Bulletin uses the term Adverse Consumer Outcomes and makes clear that regulators will ask about them. Your governance program needs a mechanism to identify, document, and remediate situations where AI-assisted decisions may have harmed consumers, whether through inaccurate underwriting decisions, biased claim outcomes, or inappropriate denials.
This is also where your exception and appeal processes become relevant. If your AI produces a decision that falls outside expected parameters, who reviews it? How is it documented? That process needs to exist and be documented before you need it.
Documentation minimum: An adverse outcome tracking mechanism, incident response protocols for AI-related consumer harm, and documentation of any corrective actions taken.
The Third-Party Problem is Getting Harder to Ignore
For carriers and MGAs relying on policy administration platforms, rating engines, or predictive analytics from technology vendors, including insurtech platforms, the third-party governance obligation deserves particular attention.
The NAIC’s Third-Party Data and Models Working Group is building a framework to standardize how regulators evaluate vendor-embedded AI. The current expectation is that carriers will maintain documentation of what third-party models they use, what those models do, how they were validated, and what contractual protections exist for audit and oversight.
If your technology vendors cannot provide model documentation, validation records, or audit support, that is a governance gap that sits in your lap during an examination, not theirs. Procurement and contracting practices need to catch up to this reality.
The Documentation Structure, Practically Speaking
Building an AI governance documentation infrastructure does not require a separate technology platform or a specialized AI risk function, though larger organizations may eventually need both. What it requires is organizational discipline about documentation that should exist for any significant operational process.
At minimum, carriers should have:
- A written AIS Program reviewed and acknowledged at the board or senior management level
- A current model inventory with risk tiers, ownership, and review dates
- Validation and testing records for each model, including bias analysis, maintained in a retrievable format
- A third-party vendor file for each externally sourced model or AI component, including due diligence, contract terms, and validation records
- An adverse outcome log and incident response process
- Governance meeting minutes that demonstrate active oversight, not just policy documents that exist on paper
The documentation burden is real but manageable if built systematically. The burden of reconstructing this documentation retroactively under an exam timeline is significantly larger.
Where Is Insurance AI Regulation Heading?
The regulatory environment is not moving toward less scrutiny. The NAIC’s pilot of the AI Systems Evaluation Tool is designed to create standardized exam procedures that any state regulator can apply. The Big Data Working Group spent much of 2025 debating whether a comprehensive AI model law is necessary. A model law would shift the current principle-based guidance into binding statutory requirements.
Separately, states including Colorado, Virginia, Connecticut, and Pennsylvania have moved toward more prescriptive requirements. Colorado’s regulations for life insurers on external consumer data and algorithmic models are already in effect, and the state’s broader AI governance law includes specific provisions for the insurance sector.
Carriers that treat AI governance as a compliance checkbox will find themselves perpetually reacting to the next state action or exam finding. Those that build genuine governance infrastructure (documentation that reflects how AI is actually used, tested, and overseen) are positioned to respond with confidence.
About WaterStreet
WaterStreet Company is a cloud-based policy administration platform purpose-built for small to mid-size property and casualty carriers and managing general agents. Designed to support the full policy lifecycle, including quoting, binding, endorsements, renewals, billing, and regulatory reporting, WaterStreet helps carriers go to market faster without the implementation overhead of enterprise legacy systems. WaterStreet’s Back Office Support Services (BOSS) division extends that value with outsourced policy processing, document management, and operational support for carriers who need scalable staffing alongside scalable technology.
Sources:
- NAIC, Model Bulletin on the Use of Artificial Intelligence Systems by Insurers (December 2023)
- NAIC, Artificial Intelligence Topic Page: AI Systems Evaluation Tool pilot and state adoption tracker
- Fenwick & West, Tracking the Evolution of AI Insurance Regulation (February 2026)
- Baker Tilly, The Regulatory Implications of AI and ML for the Insurance Industry (August 2025)
- Holland & Knight, The Implications and Scope of the NAIC Model Bulletin on the Use of AI by Insurers (May 2025)
- McDermott Will & Emery, State Regulators Address Insurers’ Use of AI: 11 States Adopt NAIC Model Bulletin (June 2024)
- Kennedys, Understanding the NAIC Model AI Bulletin: What It Means for Insurers (January 2025)
- Cherry Bekaert, AI in Insurance: How to Build a Compliant Governance Framework (2025)
- RNA Analytics, AI in Insurance: Navigating Regulation Across the US (December 2025)



