AI Compliance Framework for Health Insurance Governance
84% of US health insurers use AI. What health insurance AI governance requires: prior authorization, the NAIC Model Bulletin, and state rules in one framework.
For Compliance officers and medical directors at health insurers and health plans.
Read if Your plan runs AI in prior authorization, utilization review, or claims, and you need a governance framework regulators will accept.
If you are a compliance officer at a health insurer, the number that should matter to you is 84. That is the share of U.S. health insurers that told the National Association of Insurance Commissioners (NAIC) in late 2024 and early 2025 that they already use artificial intelligence or machine learning somewhere in their operations.1 The adoption is not a pilot program. It is live, and it is touching prior authorization, utilization review, claims adjudication, fraud detection, and sales.
That same survey, however, also showed why governance is now the hardest part of the job. More than half of the responding insurers use third-party components in their AI systems, and 15% rely entirely on outside AI solutions.1 Health plans are not just building models; they are buying them, embedding them, and then trying to explain them to regulators. The result is a governance problem that no single vendor contract or internal policy can fully solve.
This article explains what health insurance AI governance looks like in practice, why prior authorization has become the first flashpoint, and how the NAIC Model Bulletin and new state laws fit into a single operable framework.
What Health Insurance AI Governance Actually Means
AI governance in health insurance is the set of controls that make sure an AI system does not make, recommend, or accelerate a coverage decision that the health plan cannot defend. It sits at the intersection of insurance law, clinical policy, data governance, and vendor management. Unlike general AI governance, it must answer a specific question: can a regulator or a court understand why a patient was denied coverage or a claim was paid the way it was?
That question is harder than it sounds. A health plan may use dozens of AI tools across its operations. Some are built internally. Others are embedded in third-party platforms for utilization management, fraud detection, or claims routing. Many plans do not have a complete list. The first task of governance is to find them all, classify them by risk, and then build controls that match the risk. The NAIC Model Bulletin calls this a governance framework; Colorado’s regulation calls it a governance and risk management framework.2 The labels differ, but the work is the same.
Why Prior Authorization Became the Flashpoint
AI in health insurance is not new. Predictive models have been used for fraud detection, risk adjustment, and utilization management for years. What changed recently is the scale and the stakes. Generative AI and more advanced predictive tools have made it cheaper to apply algorithms to decisions that used to require a human reviewer, especially prior authorization.
According to the NAIC survey, 37% of responding health insurers use AI/ML for prior authorization, 44% for claims adjudication, and 56% for utilization management broadly.1 A separate Stanford HAI policy brief describes the risk plainly: automating prior authorization could reduce administrative burden, but it could also “supercharge a flawed process” by making denials cheaper and faster.3
The American Medical Association has documented the clinical reaction. In 2024, 61% of surveyed physicians said they were concerned that health plans’ use of AI was increasing prior authorization denials.4 Delayed or denied care followed. The point is not that AI causes denials; it is that AI can accelerate an existing process before the governance around that process is ready.
The UnitedHealthcare / nH Predict class action litigation is the most visible example. Plaintiffs allege that an AI model was used to override treating physicians’ medical necessity determinations for Medicare Advantage patients.5 The case is still in litigation, and the allegations are contested. For compliance officers, the lesson is narrower and more urgent: if an AI system influences a coverage decision, the health plan must be able to explain how, why, and by what human oversight.
What Regulators Are Actually Asking For
The NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers applies to health insurers just as it applies to life and property-casualty writers. It does not create new law. It restates that decisions made or supported by AI must comply with existing insurance law, including unfair trade practices and unfair discrimination prohibitions.6
For health insurers, the bulletin translates into five practical expectations:
- AI inventory and risk classification. Know which AI systems are in use, what decisions they support, and how much consumer harm a wrong output could cause.
- Model documentation and validation. Document training data, model development, testing for bias, and ongoing monitoring for drift.
- Third-party due diligence. A health plan is responsible for AI systems it buys from vendors, not just the ones it builds in-house. See our guide to AI vendor risk assessment for a checklist aligned with the NAIC’s third-party expectations.
- Human oversight. A human must be able to review and override AI-driven recommendations, especially adverse decisions.
- Auditability and transparency. Regulators can request documentation about how AI systems are governed, tested, and monitored.6
These expectations are being reinforced by state law. Colorado’s amended Regulation 10-1-1, which took effect on October 15, 2025, expands the state’s existing AI governance framework to health insurers and private passenger auto insurers.2 Covered health insurers must submit a narrative report by December 1, 2025, and achieve full compliance by July 1, 2026.7
California’s SB 1120, the Physicians Make Decisions Act, took effect on January 1, 2025. It prohibits health insurers and disability insurers from using AI or algorithms as the sole basis to deny, delay, or modify care based on medical necessity.8 Final medical necessity determinations must be made by a licensed physician or qualified health care provider who is competent in the relevant clinical area. The law applies prospectively, retroactively, and concurrently to coverage decisions. For a deeper look at how Colorado’s insurance AI regime is being implemented, see our analysis of Colorado SB 26-189 and its impact on insurers.
A Health Insurance AI Governance Framework
Health insurers operating in multiple states face a patchwork. The most practical approach is to build a single governance framework that meets the NAIC baseline and then layer in the stricter state requirements. The framework can be organized around five operational pillars.
How Health Insurance Differs from Life and P&C
Health insurance AI governance is not just a subset of general insurance AI governance. Three features make it distinct. First, the decisions are clinical. A coverage denial can be reviewed by a court or a medical board, not just a regulator. Second, the data is sensitive and fragmented, coming from claims, electronic health records, pharmacy records, and external consumer data. Third, the regulatory overlay is denser. Health plans must comply with state insurance law, the NAIC Model Bulletin, and health-specific rules like California’s SB 1120, sometimes all at once.
Life insurers use AI mostly for underwriting and mortality prediction. Property and casualty insurers use it for pricing, claims triage, and fraud. Health insurers use it for all of these, but the decisions that draw the most scrutiny are the ones that affect access to care.
1. Inventory and Risk Classification
Before a health plan can govern AI, it needs to know what AI it owns or uses. That includes vendor-hosted systems, embedded features in existing platforms, and models built internally. The inventory should record the business function, the decision type, the data inputs, and whether the system can influence an adverse coverage decision. Systems that affect eligibility, benefits, or medical necessity should be classified as high-risk and reviewed more frequently.
2. Model Documentation and Validation
The NAIC Model Bulletin and Colorado’s regulation both require documentation of model development, testing, and monitoring. For health insurers, this should include:
- A description of the training data and any external data sources
- Bias and fairness testing results, including protected-class proxies
- Accuracy and error-rate testing
- A plan for ongoing drift and performance monitoring
- Documentation of model changes and version control
The NAIC survey found that health insurers already report testing for model drift and bias, cross-validating for accuracy, and analyzing data for completeness and consistency.1 The gap is usually not the activity; it is the documentation that makes the activity auditable.
3. Vendor Oversight and Third-Party AI
Third-party AI is the hidden risk. When a health plan buys a utilization management platform or a fraud detection service, the model inside it is often opaque. The contract must preserve audit rights, require model change notifications, and specify how the vendor will support the plan’s regulatory obligations. Our analysis of NAIC vendor due diligence requirements covers the specific questions to ask before signing or renewing an AI vendor contract.
4. Human Review and Escalation
California’s SB 1120 makes the standard explicit: a licensed clinician must make the final medical necessity determination. Even in states without such a law, the NAIC Model Bulletin expects human oversight for AI-supported adverse decisions. Health plans should design escalation paths so that denials, especially algorithmic denials, are reviewed by a person with the right clinical competence and the authority to override the system.
5. Monitoring and State Compliance
Regulatory expectations are moving. Colorado and California are the early movers, but Pennsylvania, Illinois, and other states have introduced or enacted AI-related insurance bills. A compliance calendar should track:
- Effective dates of state AI insurance regulations
- Filing deadlines, such as Colorado’s December 1, 2025 narrative report
- NAIC working group developments, including the potential AI model law or regulation
- Litigation and enforcement trends that signal where examiners will focus
Red Flags Compliance Teams Should Watch
Some warning signs are easy to miss until an examiner or a plaintiff’s lawyer points them out. The most common include:
- An AI system is live without documented accuracy testing.
- A vendor will not disclose training data or model architecture.
- Prior authorization denial rates have risen after an AI tool was deployed.
- The human reviewer cannot override the AI recommendation or does not have time to do so.
- The same model is used across multiple lines of business without validation for each use case.
Each of these is a governance failure, not necessarily a model failure. Buying a more accurate model will not fix it. The problem is usually that nobody owns the decision once the algorithm has spoken.
FAQ
Does the NAIC Model Bulletin apply to health insurance? Yes. The bulletin applies to all insurers licensed in a state that has adopted it, including health insurers. It does not create new law but restates how existing unfair trade practice and unfair discrimination laws apply to AI-supported decisions.6
What is the difference between Colorado’s AI regulation and California’s SB 1120? Colorado’s amended Regulation 10-1-1 requires a written governance and risk management framework for AI systems, including documentation, testing, and monitoring.2 California’s SB 1120 is more specific to clinical decisions: it requires that a licensed physician or qualified health care provider make the final medical necessity determination.8 A health plan operating in both states must comply with both.
Do health insurers need to test vendor AI systems the same way as internal models? Yes, and arguably more carefully. The NAIC Model Bulletin emphasizes third-party due diligence. A health plan remains responsible for decisions made with AI it does not own. See our AI vendor risk assessment checklist for the specific questions to ask.
Is prior authorization the only high-risk use case? No. It is the most visible because of the UnitedHealthcare litigation and physician concerns. Other high-risk use cases include claims adjudication, utilization management, and any AI system that can affect eligibility or benefits.
Conclusion
AI in health insurance is past the experimental stage. The NAIC’s survey shows that most large health insurers are already using it, and state regulators are writing rules faster than many plans can update their governance frameworks. The compliance task is not to stop AI adoption. It is to make sure that every AI system that affects a coverage decision can be explained, overridden by a qualified human, and documented for a regulator.
For health insurers, that means building one framework that works across the NAIC baseline, Colorado’s detailed requirements, and California’s clinical-decision rule. The plans that do this now will face the next wave of state laws from a position of control. The ones that wait will be catching up while they are already under exam.
Footnotes
-
National Association of Insurance Commissioners, “Health Insurance Artificial Intelligence/Machine Learning Survey Results,” May 2025: https://content.naic.org/sites/default/files/inline-files/Health%20Survey%20Report%20-%20FINAL%205.9.25.pdf ↩ ↩2 ↩3 ↩4
-
Colorado Division of Insurance, “Notice of Adoption - Amended Regulation 10-1-1 Governance and Risk Management Framework,” 2025: https://doi.colorado.gov/announcements/notice-of-adoption-amended-regulation-10-1-1-governance-and-risk-management-framework ↩ ↩2 ↩3
-
Stanford Institute for Human-Centered AI, “Toward Responsible AI in Health Insurance Decision-Making,” 2025: https://hai.stanford.edu/policy/toward-responsible-ai-in-health-insurance-decision-making ↩
-
American Medical Association, “Physicians concerned AI increases prior authorization denials,” 2024: https://www.ama-assn.org/press-center/ama-press-releases/physicians-concerned-ai-increases-prior-authorization-denials ↩
-
KLRD, “Briefing Book 2026: Artificial Intelligence Use in Health Insurance,” March 2026: https://klrd.gov/2026/03/02/briefing-book-2026-artificial-intelligence-use-in-health-insurance/ ↩
-
National Association of Insurance Commissioners, “Model Bulletin: Use of Artificial Intelligence Systems by Insurers,” December 2023: https://content.naic.org/sites/default/files/cmte-h-big-data-artificial-intelligence-wg-ai-model-bulletin.pdf.pdf ↩ ↩2 ↩3
-
American Academy of Actuaries, “Colorado Expands AI Governance to Auto and Health Insurers,” 2025: https://ar.casact.org/colorado-expands-ai-governance-to-auto-and-health-insurers/ ↩
-
California Legislative Information, “SB 1120, Becker. Health care coverage,” Chapter 879, Statutes of 2024: https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202320240SB1120 ↩ ↩2
Simon Li · Founding Editor
Simon Li is the founding editor of InsureAI Wire, an independent publication tracking how the NAIC and individual states regulate AI in insurance — and translating it into what compliance teams must actually do. Every figure is traced back to a primary NAIC or state source.
Free · Weekly
Track these developments weekly
Get the InsureAI Wire dispatch in your inbox. Free, sourced, no spam.
Free weekly · No spam · Unsubscribe anytime
Related reading
AI in Health Insurance Claims, Prior Authorization, and Risk Adjustment
How health insurers use AI in prior authorization, claims adjudication, and risk adjustment. What the NAIC, CMS, and recent litigation mean for governance.
AI in Homeowners Insurance Pricing and the State Rate Review
How homeowners insurers use AI, aerial imagery, and catastrophe models to price property risk, and what state regulators now require for transparency.
AI in Life Insurance Underwriting and the New Regulatory Test
How life insurers use AI in accelerated underwriting and what regulators now require for proxy testing, fairness, and documentation.
AI in Reinsurance Treaty Pricing and Catastrophe Modeling
How reinsurers use AI in treaty pricing, catastrophe modeling, and contract analysis. What model transparency and capital governance mean for risk carriers.
Information aggregation and analysis, not legal advice. See our disclaimer.