The NAIC AI Model Bulletin Compliance Checklist for 2026

What the NAIC AI Model Bulletin requires in 2026, the four pillars of the AIS Program, and where to start before an exam tests your AI governance.

For Compliance officers, CROs, and GCs at insurers operating in a state that has adopted or referenced the NAIC Model Bulletin.

Read if You filed the bulletin away in 2023 as guidance, and you want to know what it actually obligates you to build before an exam tests it.

By Simon Li · Updated JUN 24, 2026 · 7 min read

InsureAI Wire seal IAW 2026 Primary sources Methodology →

The NAIC AI Model Bulletin is easy to file under “guidance, deal with later,” and the bulletin’s own wording is what makes that feel safe. It is principles-based. It carries no penalties of its own. A general counsel can read those two facts and reasonably decide the document is advisory.

That decision is half right, and the wrong half is the expensive one. The bulletin does not write a new statute. What it does, the moment a state puts it in force, is tell that state’s examiners how to apply laws the carrier is already bound by, such as unfair trade practices, unfair claims settlement, and unfair discrimination, to decisions that now run through an AI system. The enforcement was never going to come from the bulletin. It comes from the market conduct authority the regulator already holds. The bulletin only tells everyone where to point it.

So the useful way to read the bulletin is not as a fresh rule to comply with. It is closer to a preview: your regulator’s expectations, written down in advance, in your own state’s voice. This article covers what the bulletin asks you to build, why “my state hasn’t adopted it” is a weaker defense than it sounds, and where to start before an exam puts the question to you.


What the bulletin actually asks you to build

The bulletin was adopted on December 4, 2023 1. Underneath the framing, it asks for one main thing: a written AI Systems Program, usually shortened to AIS Program.

The word doing the work there is written. Not a stated intention to govern AI responsibly, not a slide in a board deck, but a document with named owners, a review history, and a trail showing it grew alongside the company’s AI use. That last part is where carriers get caught. A regulator can tell the difference between a program that developed over two years and one that was assembled the month the exam notice landed. A spotless AIS Program dated three weeks ago does not read as diligence. It reads as a fire drill, and examiners have seen enough of those to know one on sight.


The four pillars, and the part most carriers skip

The bulletin expects the AIS Program to cover four areas 1. They read better as one connected system than as a checklist, because that is how an examiner reads them.

Governance structure. Someone has to own AI risk, and it cannot be a committee that exists only on an org chart. The bulletin expects cross-functional involvement from actuarial, data science, underwriting, legal, and compliance, with explicit roles, working escalation paths, and accountability that reaches senior management or the board. The test an examiner applies is plain. When a model misbehaves, does the documented path actually lead to a person?

Risk management and internal controls. Models get sorted by risk tier. The high-risk ones get validated, revalidated, and watched for drift, and they get tested for disparate impact across protected classes. None of it is a one-time exercise.

Third-party vendor oversight. This is the pillar carriers most often underbuild, and the cause is a quiet assumption: if the vendor is compliant, we are covered. The bulletin closes that door. Your diligence files, your contractual audit rights, and your ongoing monitoring of the vendor’s model are your responsibility, not the vendor’s. A vendor’s compliance is useful evidence. It is not a transfer of the obligation.

Consumer disclosure and transparency. When AI materially shapes a decision about a consumer, the consumer is owed notice, an explanation they can actually use, and a route to having an adverse outcome reviewed.

The connective tissue is the part that is easy to miss. Four well-written pillars that never reference each other still fail, because the governance committee in pillar one is supposed to see the risk-testing results from pillar two and the vendor monitoring from pillar three. An examiner looks for that flow. A program where each pillar sits in its own sealed binder is a program that is not really operating, however good each binder looks on its own.

Flow diagram of the AIS Program's four pillars: risk controls and vendor oversight feed their results into governance, and governance feeds consumer disclosure. The red arrows into governance are the connective tissue examiners look for. 1 GOVERNANCE named owner, a committee that actually meets 2 · RISK CONTROLS tiering, testing, watching for drift 3 · VENDOR OVERSIGHT diligence & audit rights 4 · DISCLOSURE notice, explanation, a route to review FOUR SEALED BINDERS FAIL — EXAMINERS READ THE FLOW BETWEEN THEM.
FIG. 1 — THE FOUR PILLARS AND THE CONNECTIVE TISSUE

These are not new obligations dressed up as new statutes. They are existing expectations, the same unfair-practices and fair-lending standards carriers already live under, made explicit for AI. The bulletin’s contribution is to stop them being implicit.


Why “has my state adopted it” is the wrong question

As of the NAIC’s April 2026 adoption map, 24 states and the District of Columbia have formally adopted the bulletin, and four more states, California, Colorado, New York, and Texas, regulate insurance AI through their own guidance rather than the model 2. That landscape pulls people toward the wrong question. Carriers ask whether their state has adopted the bulletin, read a no as a reprieve, and stop there.

Two things spoil that reading. The first is that adoption stretches across a wide range, from a formally issued bulletin to a line of staff-level guidance to a state that skipped the model and wrote its own rules, and the practical weight is not the same across them. The second matters more. A regulator does not need the bulletin in hand to ask about your AI. Authority over unfair practices and unfair discrimination already reaches AI-assisted decisions in most states. The bulletin makes those questions explicit and predictable. Its absence does not make them impossible.

For a carrier operating across several states, the realistic planning assumption is not “we are exempt wherever the bulletin has not landed.” It is closer to this: the questions are coming, and where the bulletin is in force, it has already told you what they will be.


How regulators will test it

The bulletin tells you what to build. A second instrument, the NAIC AI Systems Evaluation Tool, tells you how regulators will check it. The tool launched as a 12-state pilot in March 2026, with adoption targeted for the November 2026 NAIC fall meeting 3. It walks an examination from a basic count of your AI systems through to a close look at the high-risk ones and the data behind them.

The detail of how that tool works, what each of its four exhibits asks for and how to prepare the documentation, is a subject of its own, and we take it apart in a separate guide to Exhibits A through D. For the bulletin’s purposes, the thing to hold onto is simpler: the tool is the mechanism that turns the four pillars from a written promise into something a regulator checks line by line.

The bulletin also spells out its own examination provisions. Its oversight section puts carriers on notice that, in an investigation or market conduct action, a regulator may ask about how an AI system was developed, deployed, and used, and about the governance, controls, and documentation behind it 1. Read plainly, that is the bulletin telling you the AIS Program is not a shelf document. It is the thing you will be asked to produce. The same responsibility runs through to vendors: the bulletin is explicit that the AIS Program has to cover AI systems whether the insurer built them or bought them from a third party, and that the diligence, contractual audit rights, and oversight stay with the insurer 1.


Where to start

You do not need the whole program standing by next week. You need the parts an examiner reaches for first, and for the bulletin specifically, that is the governance spine rather than the model inventory. (The inventory is where the evaluation tool begins. The bulletin begins with accountability.)

Put a name on it, and make the committee real. Assign AI risk to an actual owner, and make sure the cross-functional group around that owner meets and has somewhere to escalate. A committee that exists only on the org chart is worse than none, because the org chart then documents a control that is not actually running.

Start the written AIS Program now, and let it age. A short, honest program with a real version history beats a polished one carrying a single recent date. Begin it today so that, six months from now, it has a history instead of a birthday.

Read your pillars for connective tissue, not just coverage. Do not only ask whether each pillar exists. Ask whether the governance committee can actually see the risk-testing results and the vendor monitoring. A pillar that feeds nothing is the gap an examiner finds first.


The carriers that struggle with the bulletin are rarely the ones that disagreed with it. They are the ones who read “no penalties” and heard “no hurry,” then met the existing law it points to during an exam instead of before one. The bulletin is less a new burden than an early warning, written in the regulator’s own hand, about questions that were always going to be askable. The work it asks for is the work of being able to answer them on a schedule you choose.

InsureAI Wire tracks NAIC and state-level AI governance developments weekly. If you are preparing for an AI examination, you can subscribe here.

Footnotes

  1. NAIC Model Bulletin, “Use of Artificial Intelligence Systems by Insurers,” adopted December 4, 2023: https://content.naic.org/sites/default/files/inline-files/2023-12-4%20Model%20Bulletin_Adopted_0.pdf 2 3 4

  2. NAIC, “State Adoption Map for AI Model Bulletin,” updated 2026: https://content.naic.org/sites/default/files/cmte-h-big-data-artificial-intelligence-wg-map-ai-model-bulletin.pdf

  3. Fenwick, “NAIC Expands AI Systems Evaluation Tool Pilot Program to 12 States,” 2026: https://www.fenwick.com/insights/publications/naic-expands-ai-systems-evaluation-tool-pilot-program-to-12-states-key-updates-for-insurers-and-ai-vendors-supporting-insurers

The Bottom Line

  • Assign AI risk to a named owner and a cross-functional committee that actually meets. One that exists only on the org chart documents a control that isn't running.
  • Start the written AIS Program now, not before the exam. A short, honest program with real version history beats a polished one dated last week.
  • Check that your four pillars connect, not just exist. If the governance committee can't see risk-testing and vendor monitoring, that seam is the first gap an examiner finds.
  • Don't read "our state hasn't adopted it" as exemption. Authority over unfair practices and discrimination already reaches AI-assisted decisions in most states.
Engraved portrait of Simon Li

Written by

Simon Li · Founding Editor

Simon Li is the founding editor of InsureAI Wire, an independent publication tracking how the NAIC and individual states regulate AI in insurance — and translating it into what compliance teams must actually do. Every figure is traced back to a primary NAIC or state source.

Free · Weekly

Track these developments weekly

Get the InsureAI Wire dispatch in your inbox. Free, sourced, no spam.

Free weekly · No spam · Unsubscribe anytime

Related reading

Colorado Replaces Its AI Act with SB 26-189

Governance

Colorado Replaces Its AI Act with SB 26-189

Colorado replaced its AI Act with SB 26-189, a disclosure-and-recourse law effective Jan 1, 2027. What changed, what survived, and what insurers must do now.

JUN 30, 2026

Information aggregation and analysis, not legal advice. See our disclaimer.