NAIC’s Model Bulletin
Given that insurance has traditionally fallen into the regulatory remit of the states, the states’ recent focus on AI creates a potentially fertile ground for regulation as it pertains to insurance products. Recognizing that the prospect of 50 different state regulatory regimes could constrain the public’s access to insurance products, the National Association of Insurance Commissioners (NAIC) adopted a Model Bulletin on AI in late 2023. The bulletin details how insurers should “govern the development/acquisition and use of certain AI technologies” including AI systems. Although the NAIC Bulletin on AI is nonbinding, as of March 2025 approximately half of the states have adopted and/or substantially incorporated its language.
[Figure: States adopting and/or incorporating the NAIC Model Bulletin on AI]
The expectations of the NAIC Model Bulletin include:
Creating an AI Plan. The Model Bulletin outlines expectations that insurers draft and implement a written program (an “AIS Program”) “for the responsible use of AI systems that make, or support decisions related to regulated insurance practices.” The core focus of the AIS Program is on “governance, risk management controls, and internal audit functions.” As part of the AIS Program, insurers should provide clear notice “to impacted consumers” when AI systems are in use.
Governance Matters. Under the AIS Program, insurers are directed to craft an AI-oversight governance framework, including the formation of a multidisciplinary committee of representatives from across the insurer (product, actuary, data science, legal, etc.) to oversee AI-governance matters.
Risk Management and Internal Controls. The insurer should, as a part of the AIS Program, create and document detailed risk management plans and internal controls with respect to the use, security, and oversight of AI systems (including predictive models), related data practices, quality assurance/validation of data, and proper data retention.
Oversight of Third-Party AI. The AIS Program should detail how the insurer will obtain and utilize: (i) third-party data necessary to develop AI systems; and (ii) AI systems created by a third party. The insurer should establish appropriate standards for thorough due diligence of the third party and external data, and for thoughtful contracting that creates audit rights for the insurer and ensures third-party cooperation with any regulatory investigation into the insurer’s use of the third party’s data or AI systems.
Regulatory Oversight. The Model Bulletin provides categories of information and documentation relating to the use of AI by insurers that companies may need to produce during regulatory inquiries and market conduct actions.
Conclusion
The NAIC’s Model Bulletin, which has been adopted in nearly half of the states and in the District of Columbia, provides an excellent summary of how to craft an AI plan, particularly with respect to today’s state of the art and commonly accepted risk management practices; however, AI governance will be a moving target. The technology is poised to explode, both in terms of use cases and its underlying capabilities. Insurers need to do the difficult work of getting their governance into shape for the here and now, but they should also consider the broader, longer-term impacts of AI, especially on consumer behavior and how consumers access information.
In addition to insurance regulation, states also enforce significant consumer protection laws. It is reasonable to expect that states will follow AI’s impact on the insurance marketplace very closely, examining market conduct through several lenses at once—data privacy, advertising and marketing, product development, to name a few. It might be too early to tell how AI will transform the insurance industry, but with so much information at the fingertips of both insurers and policyholders, there is hardly an area of operation that does not have some kind of AI-adjacent use case that could disrupt the status quo.
Managing these disruptions will require agility, which is hard to come by without a sound governance structure already in place. Any such structure should bring together all disciplines and units (e.g., business units, product specialists, actuarial, data science and analytics, underwriting, claims, compliance, and legal), each with a well-defined scope of responsibility and authority, chain of command, and decisional hierarchy.