Section guide Desk 01 · 8 guides

How to Build an AI Governance Program in Insurance

AI governance in insurance means the rules carriers answer to, from NAIC guidance to state law to federal moves, and the program you build to meet them. A guide to both.

For Compliance officers, CROs, GCs, and actuaries responsible for AI at insurers.

Read if You want one map of what governs insurance AI and what a compliant program actually looks like, without reading fifty law-firm alerts.

Maintained by Simon Li · Updated JUL 7, 2026 · 10 min read

InsureAI Wire seal IAW 2026 Primary sources Methodology →

If you are responsible for AI at an insurer, “AI governance” is two questions wearing one name. The first is what rules you answer to: NAIC model guidance, a growing examination toolkit, a patchwork of state adoptions, a handful of states running their own regimes, and now federal moves to reshape the whole picture. The second is what you have to build to satisfy them: a written program with owners, testing, documentation, and vendor oversight that an examiner will accept. Most coverage treats these as separate topics. On the ground they are one job. This guide is the map to both, and it links to the deeper analysis behind each piece.

AI governance in insurance is the set of expectations that require carriers to oversee AI used in underwriting, pricing, claims, and fraud, grounded in existing unfair-practices and unfair-discrimination law, made explicit for AI by the NAIC Model Bulletin, and enforced through market conduct authority. Governance is a program you run and can prove is running, not a one-time statute to check off.

What AI governance is and why it is suddenly on the exam table

The term can sound like a management-consultancy label. It is not. It is the practical answer to a real problem: insurance decisions that used to be made by people with file notes are now made, ranked, or nudged by models an underwriter or adjuster cannot fully reconstruct. Regulators do not need to understand the weights in a neural network to ask the question that matters: did this carrier ensure the outcome was fair, documented, and reviewable?

That question is not new. Unfair-trade-practices and unfair-discrimination statutes have covered it for decades. What is new is the scale and opacity of AI. A traditional underwriting rule had one page of reasoning. A modern model may have thousands of features, third-party data sources, and a lifecycle that outruns the policy paperwork. Governance is the layer that makes the modern decision legible to the people who must defend it: compliance officers, internal audit, external examiners, and eventually a judge or regulator.

The business case is defensive and offensive at once. Defensive, because a market conduct exam finding on AI can stop a product or trigger a corrective action plan. Offensive, because a carrier with a clean, documented program can adopt faster tools than competitors who hesitate for fear of the unknown. The insurers that separate the two will be the ones who treated governance as a product requirement, not a legal afterthought.

The rules you answer to

There is no single “insurance AI law.” What binds you is a stack: national model guidance that most states have made their own, an examination toolkit that turns that guidance into questions, and a set of states that went further and wrote their own rules. Read from the top down, it is more coherent than the headlines suggest.

The NAIC AI Model Bulletin is the anchor document. It does not write a new statute. It tells a state’s examiners how to apply the unfair-practices and unfair-discrimination laws carriers already live under to decisions that now run through an AI system. Once a state puts the bulletin in force, it becomes a preview of the questions your regulator will ask. Roughly half the states have adopted it, which makes it the closest thing to a national baseline.

The bulletin says what to build. The NAIC AI Systems Evaluation Tool says how regulators will check it, exhibit by exhibit, during a market conduct exam. If the bulletin is the standard, the tool is the answer key, and it is worth reading before an examiner reads it to you.

State adoption ranges from a formally issued bulletin, to staff-level guidance, to states that skipped the model and wrote their own law. “Has my state adopted it” is the wrong question, because the authority to ask about your AI usually already exists in unfair-trade-practices and anti-discrimination statutes. The states to watch closely are the ones that built something distinct. New York’s rules for AI in underwriting and pricing are among the most specific any regulator has issued, centered on a documented proxy test for protected-class correlation.

Colorado took the opposite path from a comprehensive risk-management law toward a narrower disclosure-and-recourse model, and its rewrite is a preview of how state AI regulation shifts under federal and industry pressure.

At the federal level, the White House has moved to assert a national AI policy framework and to challenge state AI laws it considers onerous. But under the McCarran-Ferguson Act, an executive order cannot on its own displace state regulation of the business of insurance. For now the daily compliance obligation stays state-by-state, and the federal effort is a litigation-and-legislation risk to track rather than a rule to comply with.

The through-line: the rules are additive, not alternative. A program built to the NAIC baseline is the floor. New York and Colorado stack specific obligations on top for carriers doing business there, and the federal picture changes the legal weather without yet changing the floor.

The regulatory stack: existing state unfair-practices and unfair-discrimination law is the hatched foundation; the NAIC baseline of Model Bulletin plus evaluation tool sits on it; state add-ons like New York Circular Letter 7 and Colorado SB 26-189 stack on top; the federal push of EO 14365 floats above as pressure, described here as litigation risk, not yet law. FEDERAL PUSH — EO 14365 litigation risk, not yet law PRESSURE STATE ADD-ONS (IF YOU WRITE THERE) NY CL NO. 7 · COLO. SB 26-189 NAIC BASELINE — THE FLOOR MODEL BULLETIN + EVALUATION TOOL EXISTING STATE LAW UNFAIR PRACTICES · UNFAIR DISCRIMINATION THE RULES STACK; THEY DON'T REPLACE EACH OTHER.
FIG. 1 — THE REGULATORY STACK, READ FROM THE GROUND UP

The program you build to meet them

Knowing what the rules require is one thing. Building a program an examiner will accept is another. This is the operational half of governance, and it is where competitors offer the least practical help.

A written AI Systems (AIS) Program is the core deliverable. It needs named owners, a cross-functional committee that actually meets, a review history, and a trail showing it grew alongside the company’s AI use. Examiners can tell the difference between a program that developed over two years and one assembled the month the exam notice arrived. A spotless program dated three weeks ago does not read as diligence. It reads as a fire drill.

The program does not need to be perfect on the first version. It does need to be credible. Credibility comes from three things: a risk-tiering scheme that matches models to their consumer impact, testing records that show you looked before the model went live, and a governance committee that can explain what it approved and why. If the committee minutes are sparse, the examiner will assume the committee did not meet. If the testing records are missing, the examiner will assume the testing was not done.

Third-party vendor oversight is where programs most often fall short, and the cause is a quiet assumption that a compliant vendor makes the carrier compliant. It does not. The obligation to run diligence, hold contractual audit rights, and monitor the vendor’s model over time stays with the insurer. A vendor’s compliance is useful evidence, not a transfer of responsibility.

The rest of the program is the connective tissue the bulletin’s four pillars assume: risk-tiering your models, testing high-risk ones for disparate impact, keeping a human in the loop where decisions are consequential, and documenting all of it so the governance committee can actually see what risk-testing and vendor monitoring found. Four well-written pillars that never reference each other still fail, because an examiner looks for the flow between them. Risk tiering must drive testing. Testing must drive human-review thresholds. Human-review records must feed back into model updates. Vendor monitoring must trigger re-testing when the vendor changes a feature. When these loops are visible, the program looks alive. When they are not, it looks like shelfware.

Where governance gets tested

Governance is abstract until an operation makes it concrete. Scrutiny rises wherever AI shapes a high-stakes decision a consumer feels, and the clearest live example is health insurance, where prior-authorization and denial systems sit squarely in a regulator’s line of sight. Watching how a large payer’s AI investment collides with governance expectations is the fastest way to see what examiners now expect of everyone.

The venue where all of this is enforced is the market conduct exam. That is why the evaluation tool matters so much: it is not a study guide, it is the instrument regulators will actually use. A program that can produce its inventory, its testing records, and its adverse-outcome reviews on demand passes. One that cannot, however good its policies look on paper, does not.

Colorado offers a sharp example of how state-specific obligations can turn a general program into a set of concrete tasks. The state’s revised AI rules require carriers to disclose when an AI system has made or materially contributed to a decision, and to give consumers a clear path to appeal or correct inputs. That is a workflow problem, not an abstract fairness principle: notification language, escalation paths, data correction, and evidence retention. A carrier that has only built for the NAIC baseline will scramble to add it. A carrier that mapped its state exposure early will have already rehearsed it.

How to tell if you are already behind

Most carriers are not starting from zero. They have policies, model-validation functions, and vendor-management offices. The gap is usually integration: each group owns a piece, but no one owns the whole AI lifecycle. If your AI Systems Program cannot be produced in one document, you are behind. If your model inventory lists the model owner but not the business-line owner, you are behind. If your vendor diligence questionnaire never asks about AI training data or model updates, you are behind. If your governance committee has not met this quarter, you are behind. The good news is that these are all fixable before an examiner arrives. The bad news is that an examiner will ask for exactly these things, and the timeline to produce them credibly is not a weekend.

What to start doing this week

You do not need to solve the whole stack at once. Start with the things an examiner will ask for first, and build outward.

First, inventory your AI systems. Not every model, but every system that materially influences a decision about a consumer. Include third-party tools you license. Include vendor models embedded in a workflow you own. For each system, record what it does, where it touches a consumer, and what business line it serves. A spreadsheet is fine at this stage; a clean inventory is better than a perfect taxonomy.

Second, assign ownership to a named person and a committee that meets on a regular cadence. Governance without an owner is a draft policy without a phone number. The committee should include compliance, legal, underwriting or claims, actuarial, and IT or data science. It should have authority to pause deployments. A committee that cannot stop a model from going live is a steering group, not a governance committee.

Third, document your risk-tiering and testing decisions. A high-risk model that touches underwriting, pricing, claims, or health utilization should have pre-deployment testing for disparate impact and a record of less-discriminatory alternatives considered. A low-risk model that ranks internal work queues needs less, but it still needs monitoring. The tiering logic itself should be written and reviewed, not carried in one person’s head.

Fourth, map your state exposure. If you write in New York, Colorado, California, or Texas, you are not operating under a single national baseline. Layer their specific obligations on top of the NAIC baseline. Document which obligations apply where, and where you have chosen a single standard that exceeds the most demanding state. That is a defensible posture, but only if you can show the reasoning.

Finally, treat the federal preemption fight as a reason to document how your program aligns with state insurance law, not as a reason to wait. A federal executive order cannot unilaterally displace state insurance regulation. It can create litigation risk, delay, and confusion. The carrier that builds to the state floor now and watches the federal layer closely will be in a better position than the carrier that paused and waited for clarity.

Governance does not end with a single guide. The rules side and the program side are each worth a deeper pass. For the rule-by-rule breakdown, start with the NAIC Model Bulletin and the Evaluation Tool. For the operational program, read the AI vendor risk assessment checklist and the UnitedHealth case study. If you are looking for the same governance lens applied by business line (claims, underwriting, health, and fraud), the AI use cases by business line guide is the next step.

We track these developments every week and update this guide as the evaluation-tool pilot advances and the federal-versus-state picture moves. If you want the short version in your inbox, the InsureAI Wire dispatch is free and sourced.

The Bottom Line

  • AI governance in insurance has two halves most coverage splits apart: the rules you answer to, and the program you build to meet them. You need both in one view.
  • The NAIC Model Bulletin is the anchor. It writes no new statute; it tells examiners how to apply existing unfair-practices and unfair-discrimination law to AI-driven decisions.
  • A written AI Systems (AIS) Program is the core deliverable: named owners, a review history, and evidence it grew with your AI use, not a binder assembled the month the exam notice arrived.
  • Third-party vendor oversight is the pillar carriers most often underbuild. A vendor's compliance is evidence, not a transfer of your obligation.
  • State rules keep tightening while a federal preemption fight plays out. The safe posture is to comply state-by-state and treat the federal picture as a risk to monitor, not a reason to pause.
Engraved portrait of Simon Li

Written by

Simon Li · Founding Editor

Simon Li is the founding editor of InsureAI Wire, an independent publication tracking how the NAIC and individual states regulate AI in insurance — and translating it into what compliance teams must actually do. Every figure is traced back to a primary NAIC or state source.

Free · Weekly

Track these developments weekly

Get the InsureAI Wire dispatch in your inbox. Free, sourced, no spam.

Free weekly · No spam · Unsubscribe anytime

Related reading

Colorado Replaces Its AI Act with SB 26-189

Governance

Colorado Replaces Its AI Act with SB 26-189

Colorado replaced its AI Act with SB 26-189, a disclosure-and-recourse law effective Jan 1, 2027. What changed, what survived, and what insurers must do now.

JUN 30, 2026

Information aggregation and analysis, not legal advice. See our disclaimer.