§ For insurance companies · carriers · MGAs · agencies

AI Governance & Compliance for Insurance Companies

Senior-led AI governance for insurers running algorithmic underwriting, automated claims triage, and predictive pricing models. When a market-conduct examiner, a state insurance department, or your own actuarial committee starts asking how an AI decision was reached, we get your AI to a place you can defend.

Insurance is the hardest AI governance problem in financial services, because there is no single federal regulator and the rules differ in every state you write business in. We build a program that holds up across that patchwork.

Scope a readiness call · readiness, not certification · a principal, every time
§ The pressure · a 50-state patchwork, not one rulebook

The regulatory pressure on AI in insurance

Banks answer to a handful of federal supervisors. Insurers answer to up to 50 state insurance departments at once, and each one is moving on AI at its own pace. That is the structural fact that shapes every governance decision you make.

The anchor document is the NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers, adopted by the National Association of Insurance Commissioners in December 2023, with multi-state adoption continuing through 2024 as individual state insurance departments adopt it as guidance. The bulletin does not create a new statute. It tells insurers, in the supervisor's own words, that existing prohibitions on unfair trade practices, unfair discrimination, and unfair claims settlement apply in full when a decision is made or supported by an AI system. It expects a written AI Systems program, governance and risk-management controls proportionate to the use case, and documentation an examiner can review. Crucially, it makes the insurer accountable for AI sourced from a third party, which is the point most carriers underestimate.

On top of the NAIC bulletin sit state-specific obligations that bite harder. Colorado SB 21-169 restricts insurers from using external consumer data and the algorithms and predictive models built on that data in a way that results in unfair discrimination, and it puts the burden on the insurer to test for and correct that outcome rather than wait to be told. The NYDFS Circular Letter No. 1 (2019) set an early and demanding standard for the use of external consumer data and information sources in underwriting for life insurance, requiring insurers to establish that the data and models do not produce unlawful discrimination and that the insurer can explain the basis of an adverse decision. The California Department of Insurance has its own bulletins and a long-standing posture against discriminatory pricing and underwriting practices.

For carriers licensed in New York there is a second cybersecurity overlay that has nothing to do with underwriting and everything to do with how you run the systems themselves: NYDFS 23 NYCRR Part 500. The Second Amendment, effective November 1, 2023, introduced the heightened obligations for larger Class A companies, multi-factor authentication under section 500.12, encryption under section 500.15, the 72-hour cybersecurity-incident notification and 24-hour extortion-payment notification under section 500.17, the governance and CISO requirements under section 500.4, and the annual Certification of Material Compliance due by April 15. A 2024 NYDFS industry letter on AI-related cybersecurity risks went further still, advising firms to select authentication factors resilient to deepfakes, to move away from SMS text, voice, and video factors, and to prefer digital certificates and physical security keys.

Underneath all of it, the Gramm-Leach-Bliley Act still governs the policyholder PII and claims data your AI systems are trained on and reason over, and the NIST AI Risk Management Framework gives you a vendor-neutral structure, Govern, Map, Measure, and Manage, to organize the whole effort so one program answers many regulators. The challenge for an insurer is not finding a rule to follow. It is that the rules come from different bodies, point in slightly different directions, and all land on the same underwriting and claims models at once.

§ Where it hurts · underwriting, claims, and the patchwork

The problems insurers actually bring us

These are the recurring failure modes we see when a carrier first calls. None of them are theoretical. Each one is a finding waiting to surface in a market-conduct exam.

Algorithmic underwriting and pricing bias. A predictive model trained on historical data inherits the historical pattern, and in insurance that pattern can correlate with a protected class even when no protected attribute is an input. Without disparate-impact testing built into the model lifecycle, a carrier has no way to answer a regulator who asks whether its pricing produces unfair discrimination. We build the testing in rather than bolt it on after a complaint.

Claims-automation AI with no oversight. Automated triage, fraud-scoring, and settlement-recommendation models touch the unfair-claims-settlement-practices statutes that every state enforces. When an AI flags a claim for denial or extended review, the insurer needs to show the decision was reasonable, explainable, and consistently applied. Most carriers deploy these tools faster than their claims-compliance function can govern them.

The 50-state patchwork against one model. A national carrier runs one underwriting model but writes business in dozens of states, each with its own posture on algorithmic fairness, external-data use, and disclosure. The governance program has to be built to the most demanding state in your footprint and then defended everywhere, which is an architecture problem, not a checklist.

InsurTech and third-party model governance. Carriers increasingly buy rating, fraud, and risk-selection models from InsurTech vendors. The NAIC bulletin is explicit that the insurer governs its AI and cannot contract that obligation away. A vendor's marketing deck is not governance evidence, and a vendor SOC report is not a fairness test.

Market-conduct exams that now read your algorithms. State examiners have begun asking for AI governance documentation, model inventories, and bias-testing results inside routine market-conduct reviews. The carriers that struggle are the ones who first assemble this evidence after the exam letter arrives. The work is far cheaper, and far more defensible, when it is built ahead of the request.

§ How we work · the DSE AI Governance Readiness Method

The DSE AI Governance Readiness Method

The same five-step method runs every engagement, scaled to the tier. It is built to produce evidence a market-conduct examiner can review, not a binder nobody maintains.

Discovery. We start with the regulatory footprint: which states you write in, whether you are NY-licensed and therefore inside Part 500, and which lines of business carry the most algorithmic exposure. That scopes everything that follows.

AI use-case inventory. We name every AI and predictive model in underwriting, pricing, claims, and fraud, including the InsurTech-sourced models and the shadow deployments nobody registered.

Control mapping. We map each system onto the NAIC AI Model Bulletin expectations and, for NY carriers, Part 500, and we crosswalk that onto the controls you already run so one control set answers multiple regulators.

Testing. We test the things regulators test: disparate-impact and bias on underwriting and pricing models, explainability and consistency on claims-automation models, and the cybersecurity controls Part 500 names.

Remediation roadmap. We sequence the work so the highest-exposure gap, usually a pricing model with no bias testing, closes first, and you leave with a defensible picture of where you stand and what to fix in what order.
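As an added illustration of what "disparate-impact testing built into the model lifecycle" means, both for the underwriting and pricing bias failure mode described earlier and for the Testing step of the method: the example below is not DSE's tooling and not code from this page. It runs the four-fifths (adverse-impact ratio) check as a release gate over a constructed set of underwriting decisions, adds a proxy check for a model input that stands in for a protected class even though the protected attribute is never fed to the model, and emits the evidence record a model version would carry into a market-conduct exam. The model id, the `territory` feature, the group labels and every decision in `SAMPLE_DECISIONS` are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Four-fifths rule: a group whose approval rate is below 80% of the
# best-performing group's rate is flagged for disparate-impact review.
FOUR_FIFTHS = 0.8


@dataclass(frozen=True)
class Decision:
    """One underwriting outcome. protected_group is NOT a model input; it is
    joined in only for testing. Field names are constructed for this example."""
    applicant_id: str
    protected_group: str
    territory: str   # model input that may act as a proxy for protected_group
    approved: bool


# Constructed sample decisions from a hypothetical pricing/underwriting model.
# Group A lives mostly in territory T1, group B mostly in T2, and the model
# approves T1 far more often, so the disparity appears without any protected
# attribute being an input.
SAMPLE_DECISIONS: List[Decision] = [
    *(Decision(f"A{i}", "A", "T1", approved=i < 7) for i in range(8)),       # 7 of 8 approved
    *(Decision(f"A{i}", "A", "T2", approved=i == 8) for i in range(8, 10)),  # 1 of 2 approved
    *(Decision(f"B{i}", "B", "T1", approved=True) for i in range(2)),        # 2 of 2 approved
    *(Decision(f"B{i}", "B", "T2", approved=i < 4) for i in range(2, 10)),   # 2 of 8 approved
]


def selection_rates(decisions: Sequence[Decision]) -> Dict[str, float]:
    """Approval rate per protected group."""
    counts: Dict[str, List[int]] = defaultdict(lambda: [0, 0])  # group -> [approved, total]
    for d in decisions:
        counts[d.protected_group][1] += 1
        counts[d.protected_group][0] += int(d.approved)
    return {g: approved / total for g, (approved, total) in counts.items()}


def adverse_impact_ratios(decisions: Sequence[Decision]) -> Dict[str, float]:
    """Each group's rate divided by the highest group rate (the four-fifths statistic)."""
    rates = selection_rates(decisions)
    best = max(rates.values())
    return {g: r / best for g, r in rates.items()}


def four_fifths_findings(decisions: Sequence[Decision], threshold: float = FOUR_FIFTHS) -> List[str]:
    """Groups whose adverse-impact ratio falls below the threshold, sorted for stable reporting."""
    return sorted(g for g, ratio in adverse_impact_ratios(decisions).items() if ratio < threshold)


def proxy_exposure(decisions: Sequence[Decision], feature: str) -> Dict[str, Tuple[str, float]]:
    """For each value of a model input, the dominant protected group and its share.
    A value concentrated in one group lets the model encode that group indirectly."""
    by_value: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for d in decisions:
        by_value[getattr(d, feature)][d.protected_group] += 1
    result: Dict[str, Tuple[str, float]] = {}
    for value, groups in by_value.items():
        total = sum(groups.values())
        group, n = max(groups.items(), key=lambda kv: kv[1])
        result[value] = (group, n / total)
    return result


def fairness_evidence(model_id: str, decisions: Sequence[Decision],
                      proxy_features: Tuple[str, ...] = ("territory",),
                      threshold: float = FOUR_FIFTHS,
                      proxy_share_threshold: float = 0.75) -> dict:
    """The record a model-lifecycle gate attaches to a model version before release.
    The gate fails if any group is below the four-fifths threshold; proxy features
    are reported so the reviewer can see where the disparity is entering."""
    findings = four_fifths_findings(decisions, threshold)
    flagged = {
        f: {v: grp for v, (grp, share) in proxy_exposure(decisions, f).items()
            if share >= proxy_share_threshold}
        for f in proxy_features
    }
    return {
        "model_id": model_id,
        "decisions_tested": len(decisions),
        "selection_rates": selection_rates(decisions),
        "adverse_impact_ratios": adverse_impact_ratios(decisions),
        "four_fifths_findings": findings,
        "proxy_features_flagged": flagged,
        "gate": "FAIL" if findings else "PASS",
    }


if __name__ == "__main__":
    import json
    # "pricing-model-v3-placeholder" is a constructed model id, not a real artifact.
    print(json.dumps(fairness_evidence("pricing-model-v3-placeholder", SAMPLE_DECISIONS), indent=2))
```

On the constructed sample the gate fails: group B is approved at half the rate of group A, and both territory values are dominated by a single group, which is the pattern a regulator asking about unfair discrimination will expect the carrier to have found first. Run as a step in the model release pipeline, the returned record is the artifact to file with the model version rather than a one-off analysis.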

§ Engagement ladder · gap scan → control design → enterprise program

Three depths, matched to your exposure

Most carriers start with a fixed-fee gap scan, then decide whether to design the controls or stand up the full program. You choose the depth.

Beachhead · $300–$3,000

NAIC Bulletin Readiness Gap Scan

A fixed-fee diagnostic against the NAIC AI Model Bulletin: an AI use-case inventory across underwriting, pricing, and claims, a readiness gap assessment, and a vendor AI governance attestation template you can send to every InsurTech model provider. You leave knowing exactly where the bulletin would find you short.

Anchor · $1,500–$12,000

Part 500 + NAIC Control Design

Control design around your underwriting and claims systems, aligned to the NAIC bulletin and, for NY-licensed carriers, NYDFS Part 500: disparate-impact testing built into the model lifecycle, claims-automation oversight controls, and the cybersecurity controls Part 500 names, all crosswalked onto your existing program.

Moat · $5,000–$25,000

Enterprise AI Model Governance Program

An enterprise AI model governance program for multi-line carriers writing across many states: a governed model inventory, a fairness-testing standard applied across lines, a third-party model governance regime that holds your InsurTech vendors accountable, and the documentation a market-conduct exam expects.

§ Why DSE · senior-only, with public IP

Why DSE

A small firm of senior practitioners, established 2026, that builds the tools it governs with.

Engagements run on a senior-only bench. There is no junior hand-off. The person who scopes the work is the person testing your models and the person in the room with your actuarial and compliance committees. In a regulated setting the quality of the answer to a hard examiner question depends entirely on who is answering it.

The firm also ships authored open-source IP. mcp-warden is DSE's public supply-chain integrity gate for AI tooling: it pins a model or tool surface, fails on drift, and inspects what a third-party tool actually returns at runtime. That is precisely the discipline an insurer needs for the InsurTech model surface it does not build but is still accountable for. We govern AI by building the controls that govern AI, not by reselling someone else's framework. Established 2026, operator-led, and accountable on paper under a signed SOW or MSA.

§ Questions · the ones insurers actually ask

Insurance AI governance, answered

Does the NAIC AI Model Bulletin apply to surplus lines carriers? The bulletin is adopted state by state, and each state's insurance department decides its scope, so the precise answer depends on the states you write in. As a working rule, the underlying prohibitions the bulletin restates, unfair trade practices, unfair discrimination, and unfair claims settlement, apply to insurers broadly, and surplus lines writers are not exempt from those underlying statutes simply because the line is non-admitted. We scope this against your specific state footprint in discovery and treat the most demanding adopting state as the bar.

How does Colorado SB 21-169 interact with the NAIC bulletin? They reinforce each other but are not the same instrument. The NAIC bulletin is supervisory guidance that restates existing duties and asks for a governance program. Colorado SB 21-169 is a statute with a specific, testable obligation: do not let external consumer data and the models built on it produce unfair discrimination, and prove you tested for it. If you write in Colorado, the statute sets the harder, more concrete standard, and a program built to satisfy it generally satisfies the bulletin's fairness expectations as well.

Are claims-automation models in scope for a market-conduct exam? Yes. Market-conduct exams examine claims handling, and the unfair-claims-settlement-practices statutes apply regardless of whether a human or a model recommended the action. When an AI triages, scores, or recommends a settlement, the examiner can ask how the decision was made, whether it was applied consistently, and whether the insurer can explain an adverse outcome. Claims-automation models belong in your AI inventory and need oversight controls, not just an accuracy metric.

Can we delegate AI governance to our InsurTech vendor? No, and this is the single most common and most expensive misunderstanding. The NAIC bulletin is explicit that the insurer must govern its AI and cannot contract the obligation away to a vendor. You can buy a model. You cannot buy out of the duty to govern it. We build a third-party model governance regime, including the vendor attestation template in the Beachhead tier, that holds your vendors accountable while keeping the regulatory responsibility where it legally sits, with you.

We are not licensed in New York. Does NYDFS Part 500 matter to us? Part 500 applies to entities licensed or required to be licensed under New York banking, insurance, or financial-services law, so if you do not write business in New York it does not bind you directly. It is still worth understanding, because it is the most demanding state cybersecurity regime in the country and its requirements, multi-factor authentication, encryption, incident notification, and a named CISO, are a strong template for the controls other states are moving toward. We scope Part 500 in only when your license footprint requires it.

What does a typical engagement actually look like? A typical Anchor engagement for a mid-sized property-and-casualty insurer would start with a use-case inventory across rating, underwriting, and claims, identify two or three models with material fairness or oversight exposure, build disparate-impact testing into the pricing model lifecycle and explainability controls around the claims-triage model, and deliver a remediation roadmap and a vendor attestation pack for the carrier's InsurTech providers. That illustration is hypothetical and meant to show shape and sequence, not a specific client.

§ Free download · for insurance compliance and actuarial teams

Insurance: GLBA + NYDFS Part 500 Compliance Guide

A compliance guide for insurance carriers and agencies navigating both the GLBA Safeguards Rule and the NYDFS Part 500 cybersecurity regulation, including the overlap and the gaps between them. Enter your work email and we will send the PDF.

Download: GLBA + NYDFS Part 500 Compliance Guide for Insurers

Where the GLBA Safeguards Rule and NYDFS Part 500 overlap, where they diverge, and what a NY-licensed insurer has to satisfy in both.

More workbooks in the full Financial Services Compliance Resource Library →

Regulatory content last reviewed: June 2026 · Maintained by DSE · Next review on material change to the NAIC AI Model Bulletin.

§ What this is · and what it isn't

Readiness consulting. Not certification.

DSE provides AI governance and compliance readiness consulting and AI security testing for insurers. We are not an accredited certification body and do not issue ISO/IEC 42001 certificates or certify NAIC AI Model Bulletin, NYDFS Part 500, or NIST AI RMF compliance. Only the relevant regulator or an accredited certification body can attest to that.

We cannot guarantee passing a market-conduct or cybersecurity exam or avoiding enforcement, and we do not provide legal advice. We work alongside your counsel and your appointed actuary. Where we describe mapping to the NAIC AI Model Bulletin, Colorado SB 21-169, NYDFS Part 500, NYDFS Circular Letter No. 1, GLBA, or the NIST AI RMF, that means advisory alignment, not certification.

All engagements are governed by a signed SOW / MSA that includes a limitation of liability.