Vendor Oversight

The insurer's responsibility to govern, monitor, and audit AI systems developed or operated by third-party vendors.

Vendor oversight is the set of practices an insurer uses to manage AI risk that sits outside its direct control. It includes systems developed by vendors, hosted by vendors, or operated by vendors on the insurer’s behalf.

The NAIC Model Bulletin and the NAIC AI Evaluation Tool expect insurers to:

  • Perform due diligence before acquiring AI systems.
  • Include contractual controls such as audit rights, performance standards, and incident notification.
  • Monitor vendor systems on an ongoing basis.
  • Maintain documentation that demonstrates oversight, even when the system is not built internally.

Vendor oversight is a common examination focus because regulators expect insurers to retain accountability for AI outcomes, regardless of who built the model. Our AI vendor risk assessment guide maps the NAIC requirements to a practical checklist.