NAIC compliance, designed in — not retrofitted.
The NAIC AI Model Bulletin sets governance, risk management, and documentation expectations for AI use in insurance. Most US state insurance regulators have adopted it. We design every insurance AI deployment against the bulletin's six pillars from the start.
Adverse decisions get reviewed twice. By regulators, then by plaintiffs.
Insurance AI lives at an unusual intersection of consumer-protection regulation, fair-lending-equivalent principles, and direct class-action exposure. An AI-driven adverse decision can trigger a state DOI market-conduct exam, a class-action complaint, or both, in roughly the same week.
The fix is not a clever model. It's documented architecture, bias testing as a continuous program, and a paper trail that lets both the DOI and your defense counsel reconstruct any decision. We build that trail into the system before the first production decision.
What the NAIC bulletin asks for, mapped to architecture.
Governance program
Written AI governance, accountability assigned, board/management reporting, periodic review. Documented organizational ownership for every AI system in production.
Risk management framework
Risk identification, assessment, mitigation, monitoring across the AI lifecycle. Risk-tiering by use case (high/medium/low) drives the control set.
Validation & testing
Pre-deployment validation against representative test data. Bias testing across protected classes. Continuous performance monitoring, with documented thresholds for human review.
Vendor / third-party management
Due diligence on AI vendors (model providers, vector DBs, observability), contractual security and audit rights, ongoing monitoring of vendor performance and compliance posture.
Consumer transparency & disclosure
Where adverse decisions touch consumers (declined coverage, denied claims, rate changes), explanation rights and documentation that supports the explanation.
Documentation & record-keeping
Model documentation per system: design, training data, validation results, change history, performance over time. Sufficient for state DOI exam and class-action discovery.
Bias testing is a system property, not a one-off study.
The carriers we work with want bias testing they can defend in a DOI exam and in court. That requires testing built into the deployment as a continuous program:
- Pre-deployment validation across protected classes on representative test data
- Continuous monitoring with thresholds that trigger investigation
- Decision-explanation generation tied to each model output
- Human-in-the-loop for adverse decisions, with the human seeing the explanation
- Audit-log fields that support post-hoc class-impact analysis
- Quarterly bias-testing reports filed in your model-risk inventory
The same architecture supports state-specific fair-discrimination regimes — California, Colorado, New York all have specific expectations that overlap with the NAIC framework.
Frequently asked questions
Is the NAIC bulletin mandatory or guidance?
The bulletin itself is a model — the binding force comes from each state's DOI adopting some version of it. As of 2026, the majority of US state insurance regulators have adopted it (often with state-specific additions). For multi-state carriers, the safe assumption is that all states will converge on the bulletin's core expectations; we design to that.
What's different about insurance AI vs general enterprise AI?
Insurance AI sits at the intersection of consumer-protection regulation, fair-lending-equivalent principles, and contract law. Unlike most enterprise AI, insurance AI decisions are directly subject to regulatory review (rate filings, market-conduct exams) and class-action exposure on adverse decisions. The governance overhead is proportionally heavier than in most verticals.
Do we need separate bias testing for AI in underwriting versus AI in claims?
Yes. The data shape, decision context, and regulatory expectations are different. Underwriting bias testing focuses on rate impact across protected classes during pricing. Claims AI testing focuses on adjudication parity (similarly-situated claimants getting similar outcomes) and adverse-action documentation. We design both, but they're distinct programs within a single carrier.
OSFI E-23 for Canadian carriers — how does it interact?
OSFI E-23 (the Canadian federal model risk management guideline, extended to AI) shares principles with NAIC: governance, validation, monitoring. The differences are around documentation expectations (more prescriptive than NAIC), supervisor notification, and integration with broader OSFI risk-management requirements. For Canadian carriers, we map E-23 obligations explicitly; for US-Canada multi-jurisdictional carriers, we produce a unified control set.