
NAIC AI Model Bulletin Requirements for Insurers

The NAIC AI Model Bulletin, adopted in 2023 and live in over 20 US states, requires insurers to run a written AI Systems Program. What it expects.

By the DSE practice team
June 26, 2026

By the DSE practice team · published June 26, 2026 · reviewed June 26, 2026

The NAIC AI Model Bulletin, formally the Model Bulletin on the Use of Artificial Intelligence Systems by Insurers, is principles-based regulatory guidance the NAIC adopted on December 4, 2023 that tells insurers to manage AI across underwriting, rating, claims, fraud, and marketing through a documented program. It is not a model law and it is not self-executing: it takes effect in a given state only after that state’s insurance department adopts it, and by mid-2026 more than 20 US jurisdictions had done so. The core requirement is a written AI Systems Program, the AIS Program, with senior-management and board accountability, risk controls, model validation and testing for errors, bias, and unfair discrimination, and oversight of third-party AI where the insurer remains responsible. This guide breaks the bulletin down component by component and shows the evidence a regulator can request in a market-conduct examination.

Translating the bulletin into an operating program is exactly what an AI governance for insurers engagement is built to deliver, and the rest of this guide is the map.

What the NAIC AI Model Bulletin is, and what it is not

The bulletin is a template. The NAIC drafts model laws, regulations, and bulletins so state insurance departments do not each write their own, and a model bulletin sits at the soft end of that spectrum: guidance that interprets and applies existing law rather than a new statute or rule. This bulletin does not invent new insurance law. It restates that the laws insurers already answer to, in particular the unfair trade practices and unfair discrimination statutes, apply with full force to decisions that AI makes or supports, and it sets out what regulators expect an insurer to do to manage that exposure.

That framing matters for two reasons. First, the bulletin is not self-executing. The NAIC has no authority to bind an insurer. Authority comes from the state, so the operative document for any insurer is the bulletin its own states have adopted, not the NAIC template in the abstract. Second, because the bulletin clarifies existing law rather than creating new obligations, it does not create a new private right of action. The legal exposure was already there in the unfair-practices statutes; the bulletin tells you how the regulator now expects you to demonstrate that your AI use stays inside those lines.

The single most useful primary source is the NAIC itself. The bulletin’s current status, the list of adopting states, and related workstreams live on the NAIC Artificial Intelligence topic page, the reference to check before relying on any adoption count, including the one here.

Does the NAIC AI Model Bulletin apply to your company?

It depends on where you are licensed, and you should not assume. Because the bulletin binds only through state adoption, an insurer writing in fifteen states may be subject to the AIS Program expectation in some and not others, and the adopted text can vary between a state that took the NAIC template verbatim and one that issued a substantially similar version.

By mid-2026, more than half of US jurisdictions, a count in the mid-twenties to low-thirties of states plus the District of Columbia, had adopted the bulletin in full or in substantially similar form. We do not pin a single exact number here, because the figure moves as more departments act and the precise count is best verified against the NAIC adoption map rather than taken from a guide. The practical takeaway: for most multistate insurers the bulletin is already live somewhere in your footprint, so the safe posture is to build one AIS Program that meets the expectation everywhere rather than a patchwork keyed to each state.

Insurance AI governance also does not sit alone; it is one regime among several a financial institution must reconcile, which is why we treat it as part of AI governance for financial services rather than an isolated topic.

NAIC AI Model Bulletin requirements: the AI Systems Program

The center of the bulletin is the expectation that an insurer maintains a written AI Systems Program governing the AI it uses across the lifecycle. The bulletin is principles-based, so it describes outcomes and disciplines rather than prescribing a checklist of mandatory clauses. Read in operational terms, the AIS Program is expected to cover the following, with each element scaled to the potential for consumer harm from the AI use in question.

Governance and accountability come first: a program that is documented, approved at a senior level, and overseen with real board or senior-management accountability, not a policy that lives in a drawer. Risk identification and controls follow, proportionate to each system’s stakes. Model validation, testing, and retesting are central, and the bulletin is specific that verification methods should detect errors, performance degradation, bias, and unfair discrimination, before deployment and on an ongoing basis. Data governance addresses the suitability and quality of the data feeding the models, including the risk that an input acts as a proxy for a protected characteristic. Third-party oversight extends the program to vendor and acquired AI, and documentation ties it together, because the bulletin expects records sufficient to show the program operates and to produce to regulators on request.

The table below is the part most insurers find hardest to assemble: not the policy language, but the mapping from each AIS Program component to what a regulator expects and the concrete evidence you should be able to hand over in a market-conduct examination.

| AIS Program component | What regulators expect | Evidence to produce in a market-conduct exam |
| --- | --- | --- |
| Governance and board accountability | A written AIS Program approved at a senior level, with named accountability and board or senior-management oversight of AI use across the lifecycle | Board or committee minutes approving the AIS Program; the program document itself; a current accountability map naming the senior owner for AI risk |
| Risk identification and controls | A documented process to identify, assess, and mitigate the risks of each AI system, proportionate to its potential for consumer harm | A risk-tiering standard; per-system risk assessments; a control inventory tied to each AI use in underwriting, rating, claims, fraud, and marketing |
| Model validation, testing, retesting | Verification methods that detect errors, performance drift, bias, and unfair discrimination, applied before deployment and on an ongoing basis | Validation reports; pre-deployment test results; ongoing-monitoring and retesting records with thresholds and outcomes |
| Data governance | Controls over the data used to build and run AI, covering suitability, quality, and detection of proxies for protected characteristics | Data lineage and source documentation; data-quality controls; proxy and disparate-impact testing records |
| Third-party AI oversight | Due diligence and ongoing oversight of vendor AI, with the insurer remaining responsible; obligations do not transfer to the vendor | Vendor due-diligence files; contract terms covering audit rights and data use; vendor-monitoring records; an inventory of third-party AI dependencies |
| Documentation and recordkeeping | Documentation sufficient to show the program operates, produceable to regulators on request | A document register mapped to each AIS Program element; a retention schedule; an exam-response pack that can be produced without scrambling |
| Consumer transparency and remediation | Processes to handle consumer inquiries, adverse-action context, and correction of AI-driven errors. This expectation flows from existing unfair-trade-practices and consumer-protection obligations rather than a new standalone bulletin mandate | Consumer-inquiry and adverse-action procedures; remediation logs; records of corrections to AI-driven decisions |

A program built to fill that third column is in far better shape than one built only to satisfy the second, because supervision happens through evidence. The structural discipline behind a defensible program, the committee design, the named owners, and the reporting cadence, is the same scaffolding we describe for banks in the AI governance operating model and committee charter; the insurance context changes the regulator and the vocabulary, not the mechanics.

Third-party AI: where the insurer stays responsible

The bulletin is pointed about vendor AI, and it is the provision insurers most often underweight. When an insurer uses a third-party AI system, a vendor scoring model, an AI-enabled claims tool, or a data product built on someone else’s model, the bulletin expects due diligence and ongoing oversight, and it is explicit that the insurer remains responsible for the outcomes. Buying AI does not transfer the obligation to the seller.

In practice an insurer cannot treat a vendor attestation as coverage of its own deployment. A vendor’s certifications and control descriptions speak to the vendor’s product, not to how the insurer configured, fed, and relied on that product in a real underwriting or claims decision. The AIS Program has to extend to these dependencies: an inventory of third-party AI in use, due-diligence files on the providers, contract terms that secure audit rights and govern data use, and ongoing monitoring rather than a one-time check at procurement. The disciplines map closely to the broader vendor-AI pattern we lay out in our third-party AI vendor risk assessment, applied here through the insurance lens of a regulator who will hold the insurer, not the vendor, to account.

Unfair discrimination and existing insurance law

The bulletin’s treatment of bias is best understood as an application of existing law, not a new mandate. Every state has unfair trade practices and unfair discrimination statutes governing how insurers classify and price risk, and they apply whether a human or an algorithm makes the call. What the bulletin adds is the regulator’s expectation that an insurer can show its AI was tested for errors, bias, and unfair discrimination, with verification methods documented and repeated over time.

Two precision points matter for a sophisticated reader. First, insurance unfair discrimination is its own body of law, distinct from lending fair-lending regimes such as the Equal Credit Opportunity Act and Regulation B; an insurer should reason about its obligations through the insurance statutes its states enforce, not by importing the lending framework wholesale. The model-validation discipline, testing for disparate outcomes and proxy effects, carries over even though the governing law differs, which is why the methods in our AI fair lending model validation framework are a useful reference even for insurers. Second, the bulletin does not expand liability beyond those existing statutes and does not create a private right of action. It tells you the regulator now expects evidence; the underlying legal standard was already in force.

How the bulletin differs from SR 26-2 and bank model risk

It is easy to conflate the NAIC bulletin with federal bank model-risk guidance, and the two should be kept separate. They govern different industries, through different regulators, with different instruments. The NAIC bulletin is state-adopted insurance guidance, enforced through market-conduct examination by state insurance departments. SR 26-2, the federal interagency model-risk guidance issued in April 2026, applies to banks, is most relevant to institutions above thirty billion dollars in assets, and explicitly excludes generative and agentic AI from its scope.

An insurer follows the NAIC bulletin in the states that adopted it and does not answer to SR 26-2; a bank answers to SR 26-2 and the rest of its prudential framework, not to the NAIC bulletin. The distinction matters because the two regimes treat AI differently: the NAIC bulletin reaches generative and operational AI across the insurance lifecycle, while the federal bank guidance carves generative and agentic AI out of its model-risk definition entirely. If you also operate on the banking side, our analysis of how SR 26-2 changed bank model risk management covers that regime on its own terms.

What is still in development

Two NAIC workstreams are advancing and should not be presented as adopted requirements. The first is the AI Systems Evaluation Tool, a structured instrument intended to help regulators assess insurer AI practices in a consistent way. It has been piloted, with broader adoption expected at the 2026 Fall National Meeting, but until that happens it is a tool in development rather than a standard you are measured against. The second is ongoing NAIC discussion of a possible model law on third-party data and predictive models, which, if it advanced and states adopted it, would sit above the bulletin as binding rather than guidance. Neither is in force today. The prudent move is to build the AIS Program the current bulletin describes, designed to absorb a more formal evaluation tool or a future model law without a rebuild.

What this guide is / What it is not

What it is: A practitioner breakdown of the NAIC AI Model Bulletin and the AI Systems Program it expects, for the Chief Compliance Officer, Chief Risk Officer, or AI governance owner at a US insurer. It maps each AIS Program component to what regulators expect and the evidence to produce, and places the bulletin accurately against existing insurance law and federal bank model-risk guidance.

What it is not: It is not legal advice, and it is not a statement of any one state’s adopted text. The operative requirement for any insurer is the bulletin its own states have adopted, which you should confirm against the NAIC adoption map. DSE prepares insurers for market-conduct examination and audit; we do not certify, and we do not guarantee any examination or audit outcome. A vendor that promises a guaranteed regulatory result is selling certainty that does not exist.

FAQ

What is the NAIC AI Model Bulletin? The NAIC AI Model Bulletin, formally the Model Bulletin on the Use of Artificial Intelligence Systems by Insurers, is principles-based regulatory guidance the NAIC adopted on December 4, 2023. It reminds insurers that existing insurance laws apply to AI-driven decisions and sets out the NAIC expectation that insurers manage AI across underwriting, rating, claims, fraud, and marketing through a written AI Systems Program. It is guidance, not a model law, and it is not self-executing.

Does the NAIC AI Model Bulletin apply to my company? It applies in a given state only after the relevant state insurance department adopts it. The bulletin is a template the NAIC published for state regulators, and by mid-2026 more than 20 US jurisdictions had adopted it in full or in substantially similar form. To confirm coverage, check the NAIC adoption map for the states where you are licensed, because the operative document is the bulletin each state adopts.

What does an AI Systems Program have to include? The bulletin expects a written program covering the full AI lifecycle with senior-management and board accountability, risk identification and controls, model validation and testing and retesting using methods that detect errors, bias, and unfair discrimination, data governance, and oversight of third-party AI. It also expects documentation that an insurer can produce to regulators during a market-conduct examination. The program should be proportionate to the potential for consumer harm from each AI use.

Does the NAIC AI Model Bulletin create new legal liability? No. The bulletin does not create a new private right of action. It clarifies that existing insurance laws, including unfair trade practices and unfair discrimination statutes, already apply to decisions made or supported by AI. The legal exposure comes from those existing laws, and the bulletin sets out how regulators now expect insurers to demonstrate that AI-driven decisions meet the same standards as any other.

How is the NAIC AI Model Bulletin different from SR 26-2? They govern different industries through different regulators. The NAIC bulletin is state-adopted insurance guidance for insurers, supervised through market-conduct examination. SR 26-2 is federal model-risk guidance for banks, most relevant to institutions above thirty billion dollars in assets, and it explicitly excludes generative and agentic AI from its scope. An insurer follows the NAIC bulletin in the states that adopted it, not SR 26-2.

The Bottom Line

The NAIC AI Model Bulletin does not change insurance law; it tells insurers how regulators now expect them to prove that AI-driven underwriting, rating, claims, fraud, and marketing stay inside the law already on the books. The requirement that matters is a written AI Systems Program with real governance, model validation and testing for errors, bias, and unfair discrimination, third-party oversight where the insurer stays responsible, and documentation an examiner can request. It is principles-based and state-adopted, so the operative version is the bulletin your own states have enacted, and by mid-2026 that already covers more than 20 US jurisdictions.

The practical work is turning those principles into evidence. Build the AIS Program around the third column of the table above, the artifacts a market-conduct examination can ask for, and design it to absorb the AI Systems Evaluation Tool and any future model law without a rebuild. Done that way, the bulletin becomes a structured readiness exercise rather than a scramble, and it produces a posture your regulators, your board, and your underwriters can all stand behind.


If you are turning the NAIC bulletin into a working program, start with the AI Governance Checklist for the inventory fields, risk-tiering criteria, and validation evidence an AIS Program needs. When you want a senior team to build that program against the states you write in and prepare it for market-conduct examination, the AI governance readiness engagement does exactly that.
