Artificial intelligence is no longer a future-state aspiration for the property and casualty insurance industry. It is an operational reality, and the regulatory environment is catching up quickly. For small and mid-size P&C insurers, which have typically watched AI governance debates play out at the enterprise level, 2026 marks a meaningful shift. The National Association of Insurance Commissioners has launched the NAIC AI Evaluation Pilot, moving from issuing guidance to deploying a formal examination tool, and the implications of that shift for carriers of every size deserve serious attention from the executive suite.
From Bulletin to Examination: What Has Changed
In December 2023, the NAIC adopted its Model Bulletin on the Use of Artificial Intelligence Systems by Insurers. At the time, the bulletin was explicitly framed as guidance, not a model law or regulation. Its purpose was to remind carriers that existing insurance laws, including prohibitions against unfair trade practices and unfair claims settlement practices, apply equally to decisions made or supported by AI systems. The bulletin encouraged carriers to develop written AI governance programs but stopped short of mandating specific practices or documentation formats.
What has changed since then is the pace and seriousness of state adoption. As of early 2026, 24 states have adopted the NAIC Model Bulletin in full or without material customization, and the NAIC reports that more than half of all states have now enacted it or similar guidance. States including Wisconsin, Maryland, and others adopted the bulletin with expectations covering AI use across the full insurance lifecycle: product development, marketing, underwriting and pricing, policy servicing, claims management, and fraud detection.
Critically, the NAIC is no longer content to let the bulletin stand on its own. Regulators are now piloting an AI Systems Evaluation Tool, a structured framework of questionnaires and checklists designed to standardize how state insurance departments assess carriers’ AI governance, risk management, and use during market conduct examinations. Ten insurance companies are participating in the initial pilot, with results expected to inform whether a formal model law follows.
The Examination Tool: What Regulators Will Be Looking For
The NAIC AI Systems Evaluation Tool is designed to assess whether a carrier’s use of AI aligns with the principles in the Model Bulletin. While the tool is still being refined based on pilot feedback, the areas of inquiry are clear and consistent with what state regulators have already signaled in their adopted bulletins. Carriers should expect examiners to probe the following areas.
Written AI Governance Program
Carriers must be able to produce a documented, board-level AI governance program that addresses how AI systems are used in regulated insurance practices. This is not a technology document. It is a governance document, and it must demonstrate clear executive accountability, defined roles across business units, actuarial, data science, underwriting, compliance, and legal functions, and an escalation path for adverse outcomes or performance breaches.
Vendor and Third-Party Oversight
A significant share of AI use in insurance is delivered through third-party vendors: insurtech platforms, data providers, predictive model developers, and more. Regulators have made clear that insurers remain fully responsible for AI systems they use, regardless of who built them. Carriers will be expected to demonstrate documented vendor diligence, including model origin, testing standards, explainability protocols, and contractual audit rights. A model law on third-party data and AI oversight is anticipated to emerge from the NAIC in 2026, potentially including licensing requirements for vendors. Carriers that lack formal vendor management documentation for their AI systems will find themselves exposed on this front.
Bias Testing and Consumer Protection
The NAIC’s own survey data revealed that nearly one-third of health insurers do not regularly test their models for bias or discrimination, even though the Model Bulletin recommends such practices. State regulators have specifically flagged this gap as a concern. Florida introduced legislation requiring human review of all claims denial decisions before finalization. Colorado enacted the nation’s first comprehensive AI governance framework with provisions covering insurers. New York’s Department of Financial Services issued guidance requiring carriers to demonstrate that AI and external data systems do not proxy for protected classes or generate disproportionate adverse effects. Carriers that cannot document bias testing methodologies are taking on meaningful compliance and legal exposure.
Auditability and Documentation
Regulators have indicated they will request documentation production during investigations and market conduct actions. This includes validation records, testing histories, governance meeting documentation, model drift monitoring, and evidence of ongoing oversight. The expectation is not that carriers will have perfect AI systems. The expectation is that they will have defensible, documented processes for how those systems are governed, tested, and reviewed.
Why This Matters Differently for Small and Mid-Sized P&C Insurance Companies
Enterprise carriers with dedicated AI governance teams and in-house compliance resources have a head start on this regulatory shift. For small and mid-size carriers, the challenge is more immediate. The operational infrastructure required to meet NAIC Model Bulletin expectations, written programs, governance committees, vendor audit trails, bias testing documentation, and model drift monitoring, requires a level of data discipline and system coherence that many carriers running on legacy or fragmented infrastructure simply cannot support today.
The gap between AI adoption and AI governance is measurable. Industry data shows that more than 60 percent of P&C insurers are piloting or deploying AI technologies, but fewer than 15 percent have scaled them across core operations in a governed, documented way. Many pilots have stalled precisely because of siloed data, legacy infrastructure, and the absence of a governance framework. For smaller carriers, this is not merely a technology problem. It is a business risk with regulatory consequences.
There is also a competitive dimension. As the soft market that has emerged in 2026 compresses margins and rewards operational efficiency, carriers that have invested in modern core systems with clean, structured data and documented workflows will be better positioned to compete. Carriers still managing underwriting, pricing, and claims through disconnected tools and manual processes face compounding disadvantages: regulatory exposure, operational inefficiency, and diminished ability to leverage AI meaningfully.
What Carrier Leadership Should Be Doing Now
The NAIC AI evaluation pilot is expected to conclude and inform further rulemaking within 2026. Waiting for a formal model law to take effect before building governance infrastructure is a risk that executive teams should not accept. The following actions are appropriate for carrier leadership to prioritize now.
- Conduct an inventory of every AI system currently in use, including vendor-supplied models, predictive analytics tools embedded in policy administration or claims workflows, and any algorithm-driven pricing or underwriting tools. Document model origins, use cases, and the decisions they inform.
- Assess whether a written AI governance program exists and whether it meets the substantive requirements outlined in the NAIC Model Bulletin. If not, treat this as a board-level priority, not a technology department task.
- Review third-party vendor contracts for AI systems. Confirm that audit rights, model transparency provisions, and cooperation with regulatory inquiries are explicitly addressed.
- Initiate or formalize bias testing for models used in underwriting, pricing, and claims. Document the methodology, results, and any corrective actions taken.
- Evaluate whether the carrier’s policy administration and data infrastructure can support the documentation and audit trail requirements that examiners will expect. Where gaps exist, the investment in modern core systems is no longer a discretionary upgrade. It is a compliance necessity.
The Broader Context: A Patchwork That Is Consolidating
One of the most operationally challenging aspects of the current AI regulatory environment is its fragmented nature. Not every state has adopted the NAIC Model Bulletin. Some states with active AI regulatory frameworks, including Colorado and New York, have gone beyond the bulletin with their own requirements. Carriers operating across multiple states face varying compliance obligations that are still evolving. The anticipated NAIC model law on third-party AI oversight, expected to be drafted in 2026, is likely to accelerate consolidation around a more uniform standard. Carriers that build governance programs aligned with the NAIC Model Bulletin now are positioning themselves well for whatever that model law ultimately requires.
There is also a federal dimension worth monitoring. The NAIC has publicly expressed concern about federal executive actions that could preempt state AI regulation, and has stated its position that state-based oversight of AI in insurance is necessary, effective, and consistent with more than 150 years of insurance regulatory precedent. The outcome of that jurisdictional tension will shape the compliance landscape in ways that are not yet fully predictable. What is predictable is that the regulatory direction is toward more scrutiny, not less.
The Policy Administration Layer Beneath AI Governance
AI governance in insurance is, at its core, a data and systems problem. The ability to produce audit-ready documentation of AI decisions, demonstrate bias testing, manage vendor relationships with appropriate oversight, and monitor model performance over time requires that the underlying policy administration and core systems infrastructure be capable of capturing, storing, and surfacing structured data at the level of granularity regulators will expect.
For carriers still operating on legacy systems, this creates a dependency that deserves direct acknowledgment in strategic planning conversations. Modernizing core systems is not simply a technology refresh. In the current regulatory environment, it is the foundation on which defensible, scalable AI governance is built. Carriers that have already made investments in modern cloud-based policy administration platforms are better positioned to operationalize the NAIC’s requirements because the data architecture to support them already exists.
As the NAIC AI evaluation pilot moves through 2026 and the regulatory framework continues to evolve, carrier executives who treat AI governance as a compliance project managed at the technology layer will find themselves underprepared. Those who treat it as a governance priority supported by modern infrastructure will find themselves ahead of both their peers and the regulatory curve.
About WaterStreet
WaterStreet Company’s cloud-based policy administration platform is built for the data discipline that AI governance now demands. Every policy transaction is captured in structured, auditable form at the point of issuance, which means the documentation regulators expect under the NAIC Model Bulletin, including validation records, decision trails, and model-level data, exists as a natural output of how the system runs, not as a retroactive compliance project.
Built-in Business Intelligence capabilities give compliance, actuarial, and underwriting teams real-time visibility into the data behind AI-assisted decisions, so that when a state examiner requests documentation under the NAIC AI Systems Evaluation Tool, the answer comes from the core system rather than a manual reconstruction effort.
For carriers evaluating whether their current infrastructure can support the governance, auditability, and third-party oversight requirements taking shape in 2026, WaterStreet provides the policy administration foundation to meet those obligations operationally, not as a layer bolted on top of the business, but as a function of how the business runs.
To learn more about how WaterStreet supports P&C carriers building AI-ready operations, visit waterstreetcompany.com.
Reach out to WaterStreet Company today to request a consultation and demo.
Sources:
3. Fenwick & West LLP, “Tracking the Evolution of AI Insurance Regulation,” December 2025.
8. Fitch Ratings, U.S. P&C Insurance Sector Outlook 2026, via Reinsurance News, January 2026.
9. NAIC, Statement on AI Executive Order, 2026.
10. NAIC, Model Bulletin: Use of Artificial Intelligence Systems by Insurers, December 2023.
