Problem How It Works Assess Glossary Blog Book a Call

Is your AI monitoring ready for regulators?

13 questions. 5 minutes. Find out where your organization stands on AI behavioral compliance, and what gaps regulators will notice first.

Take the Assessment

Answer 13 questions about your organization's AI monitoring practices. You'll get an instant readiness scorecard with insights for each area. Takes about 5 minutes.

AI Inventory and Governance

Do you know what AI you have, and who's responsible for it?

How many AI or machine learning systems are currently in production at your organization?
Do you maintain a centralized inventory of AI systems with documented use cases and risk classifications?
Who is accountable for AI system behavior after deployment?

Monitoring Practices

Are you watching how your AI systems behave in production?

How do you currently monitor AI system behavior in production?
What does your monitoring cover?
How quickly would you detect if an AI system started producing unfair, inaccurate, or non-compliant outputs?

Compliance Evidence

Can you prove your AI systems are compliant right now?

If a regulator asked today for evidence of continuous AI monitoring, could you produce it?
How familiar is your organization with the regulatory framework that applies to your AI systems?
Do your compliance evidence packages map monitoring results to specific regulatory requirements?
Do you maintain documentation of the data sources, training data, and third-party models or vendors used by your AI systems?

Incident Readiness

What happens when your AI produces something it shouldn't?

Do you have a documented escalation process for AI behavioral issues?
Have your AI systems produced unexpected or non-compliant outputs in the past 12 months?

Organizational Readiness

Are AI, compliance, and risk teams working together?

How would you describe the collaboration between your AI/ML teams, compliance teams, and risk management?
Please answer all questions and select your industry before viewing results.

Your Readiness Results

Why behavioral monitoring matters for regulated AI

Most organizations deploying AI in production focus their monitoring on data drift: statistical changes in model inputs compared to training data. Tools like Evidently AI, Arize, WhyLabs, and Fiddler do this well. They alert data science teams when input distributions shift, which can signal the need for model retraining.

But regulators in insurance, banking, and healthcare aren't asking whether your input data has changed. They're asking whether your AI is still producing fair, accurate, and compliant outputs.

That's a different question. And it requires a different type of monitoring.

Behavioral monitoring evaluates what AI systems actually do: the tone, accuracy, fairness, and compliance of their outputs over time. It catches problems that data drift tools miss entirely, like an AI claims triage system that starts routing certain demographic groups to slower queues, or a credit decisioning model that gradually shifts its approval thresholds without any change in input data.

The gap between data monitoring and behavioral monitoring is where regulatory risk lives. An AI system can show stable inputs and strong performance metrics while its outputs slowly drift out of compliance. Without behavioral monitoring, that drift goes undetected until a customer complains or a regulator finds it during an exam.

What regulators require for AI monitoring

The NAIC Model Bulletin, OCC SR 11-7, the EU AI Act, and the NIST AI Risk Management Framework all require or strongly recommend continuous monitoring of AI systems in production. The common expectation: organizations must monitor AI behavior after deployment, not just validate before it.

Insurance: NAIC Model Bulletin and ASET Pilot

The NAIC Model Bulletin on the Use of AI Systems by Insurers has been adopted in 25 states as of March 2026. It requires insurers to maintain governance and risk management frameworks over their AI systems, including ongoing monitoring to ensure AI decisions remain fair, accurate, and compliant with state insurance regulations.

The NAIC AI Systems Evaluation Tool (ASET) pilot is now live in 12 states: California, Colorado, Connecticut, Florida, Iowa, Louisiana, Maryland, Pennsylvania, Rhode Island, Vermont, Virginia, and Wisconsin. The pilot runs from March through September 2026. Participating states are using the tool during market conduct exams and financial examinations.

The ASET has 4 exhibits. Exhibit A quantifies AI usage across lines of business. Exhibit B is a governance risk assessment framework. Exhibit C asks detailed questions about high-risk AI systems. Exhibit D covers AI data details. Regulators will focus on domestic insurers and apply proportionality, spending more time on high-risk consumer-facing AI.

The ASET asks specifically about ongoing monitoring practices, not just pre-deployment validation. Regulators want to know if you can demonstrate continuous compliance.

The ASET pilot runs through September 2026. Based on pilot results, the tool will be updated, re-exposed for public comment, and considered for broader adoption at the NAIC fall meeting in November 2026. For insurers not yet in pilot states, the question isn't whether this tool will be used in your state's examinations. It's when. 25 states have already adopted the Model Bulletin. The ASET gives regulators a structured way to enforce it.

Banking: SR 11-7 and OCC Guidance

The OCC's Supervisory Guidance on Model Risk Management (SR 11-7) requires banks to validate models on an ongoing basis. For AI systems used in credit decisioning, fraud detection, and customer interaction, this means continuous monitoring of model behavior and performance. The guidance specifically addresses the risk of model degradation over time.

The OCC has increased scrutiny of AI-specific risks in recent examination cycles. Banks using AI for consumer-facing decisions face the same behavioral monitoring gap that insurers do: strong validation at deployment followed by limited ongoing behavioral oversight.

Healthcare: CMS and State Requirements

CMS and state regulators are increasingly examining AI used in prior authorization and claims processing. Connecticut has proposed legislation requiring human review of AI-driven claim denials. Several states are exploring similar requirements.

The scrutiny focuses on whether AI decisions are fair, accurate, and consistent: behavioral qualities that can't be measured through input data monitoring alone.

EU AI Act

The EU AI Act establishes explicit post-market monitoring requirements for high-risk AI systems. Providers and deployers must implement monitoring systems that detect changes in AI behavior affecting compliance. The Act's enforcement timeline is active, making this a current obligation for organizations operating in EU markets.

Governance documentation vs. compliance evidence

Governance documentation tells regulators your AI was validated. Compliance evidence tells regulators your AI is still performing correctly. Most organizations have the first but not the second.

Model cards, fairness assessments, validation reports, and policy documents are necessary. But they answer a different question than what regulators are increasingly asking.

Documentation tells a regulator that your AI system was validated and approved. Compliance evidence tells a regulator that your AI system is still operating within those approved parameters right now.

This is the compliance evidence gap. An EY survey of 500 technology executives in early 2026 found that 78% say AI adoption is outpacing their organization's ability to manage the associated business risks. A separate EY study of 975 C-suite leaders found that while 72% of organizations have integrated and scaled AI, only a third have responsible controls in place across all governance dimensions.

The gap is widest in ongoing behavioral monitoring. Organizations invest heavily in pre-deployment validation (model cards, bias testing, fairness assessments) but have limited capabilities for continuous post-deployment monitoring of AI output quality.

For regulated industries, closing this gap means moving from periodic manual reviews to continuous automated monitoring that generates regulator-ready evidence packages. Point-in-time evaluation tells regulators the model was good. Continuous monitoring with documented evidence tells regulators the model is still good.

Frequently Asked Questions

What kind of AI monitoring does the NAIC Model Bulletin require?
The NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers requires ongoing monitoring of AI systems, not just pre-deployment validation. Insurers must monitor AI outputs for accuracy, fairness, and compliance on a continuous basis, and must be able to demonstrate that monitoring to regulators. This goes beyond traditional model validation, which typically happens once before deployment. The Bulletin has been adopted in 25 states, and the NAIC is now piloting the AI Systems Evaluation Tool (ASET) in 12 states to enforce these requirements through regulatory examinations. The monitoring expectation applies to all AI systems that affect consumer outcomes, including underwriting, claims, rating, and marketing.
How many states have adopted the NAIC Model Bulletin on AI?
As of early 2026, 25 states have adopted the NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers. The Model Bulletin establishes requirements for AI governance, risk management, and ongoing monitoring for insurers. Separately, the NAIC is piloting the AI Systems Evaluation Tool (ASET) in 12 states: California, Colorado, Connecticut, Florida, Iowa, Louisiana, Maryland, Pennsylvania, Rhode Island, Vermont, Virginia, and Wisconsin. The ASET pilot runs from March through September 2026. The Model Bulletin is the regulation; the ASET is the enforcement mechanism regulators use during examinations to evaluate compliance. Based on pilot results, the ASET will be updated and considered for broader adoption at the NAIC fall meeting in November 2026.
What is the difference between the NAIC Model Bulletin and the NAIC ASET?
The NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers is the regulation. It establishes the requirements: insurers must implement AI governance frameworks, conduct ongoing monitoring, and manage risks associated with AI systems affecting consumers. 25 states have adopted it. The NAIC AI Systems Evaluation Tool (ASET) is the enforcement mechanism. It is a structured examination tool that state regulators use to evaluate whether insurers are actually meeting the Model Bulletin requirements. The ASET has 4 exhibits covering AI inventory, governance frameworks, high-risk AI system oversight, and data governance. The ASET pilot is running from March through September 2026 in 12 states, with broader adoption expected to be considered at the NAIC fall meeting in November 2026. In short: the Model Bulletin says what you must do; the ASET is how regulators check whether you are doing it.
What does the NAIC ASET pilot evaluate?
The NAIC AI Systems Evaluation Tool (ASET) pilot is running from March through September 2026 in 12 states: California, Colorado, Connecticut, Florida, Iowa, Louisiana, Maryland, Pennsylvania, Rhode Island, Vermont, Virginia, and Wisconsin. The tool has 4 exhibits: Exhibit A quantifies AI usage across business lines, Exhibit B evaluates governance risk assessment frameworks, Exhibit C asks detailed questions about high-risk AI systems, and Exhibit D covers AI data details. States focus on domestic insurers and apply proportionality, prioritizing high-risk consumer-facing AI. The tool will be updated based on pilot feedback and considered for broader adoption at the NAIC fall meeting in November 2026.
How do I prepare for the NAIC ASET pilot examination?
The ASET has 4 exhibits that regulators use during examinations. Exhibit A asks you to quantify AI usage across all lines of business, including systems operated by third-party vendors. Exhibit B evaluates your governance risk assessment framework: who is responsible for AI behavior, how you monitor systems in production, and how you escalate issues. Exhibit C goes deep on high-risk AI systems that affect consumer outcomes, including your monitoring coverage, detection speed, and ability to produce evidence. Exhibit D covers data governance and third-party model oversight. The most important thing to understand: the ASET asks about ongoing monitoring, not just pre-deployment validation. If your AI governance program consists of model cards and annual reviews, you will have gaps in Exhibits B and C. Practical preparation steps: build a comprehensive AI inventory (Exhibit A), document your monitoring processes with evidence of continuous oversight (Exhibits B and C), map your evidence to the specific questions in each exhibit, and document your data sources and third-party vendor relationships (Exhibit D).
What will NAIC examiners ask about AI monitoring?
NAIC examiners using the ASET will focus on 4 areas during AI examinations. Under Exhibit A, they will ask how many AI systems you operate, across which lines of business, and whether your inventory includes third-party vendor systems. Under Exhibit B, they will evaluate your governance framework: who is accountable for AI behavior after deployment, what monitoring processes are in place, and how issues are escalated. Under Exhibit C, they will go deep on high-risk AI systems affecting consumer outcomes: what you monitor (inputs, outputs, or both), how quickly you can detect behavioral changes, and whether you can produce evidence of continuous monitoring. Under Exhibit D, they will ask about data governance, training data provenance, and oversight of third-party models and vendors. The critical distinction: examiners are asking about ongoing monitoring in production, not just what you tested before deployment.
What regulatory frameworks require continuous AI monitoring?
Several major frameworks require or strongly imply continuous monitoring. The NAIC Model Bulletin (adopted in 25 states) requires ongoing monitoring of AI systems, not just pre-deployment validation. The OCC SR 11-7 guidance requires banks to validate models on an ongoing basis, including monitoring for model degradation. The EU AI Act requires post-market monitoring for high-risk AI systems. Colorado SB 21-169 requires deployers of high-risk AI to implement risk management programs including ongoing monitoring. The NIST AI Risk Management Framework recommends continuous monitoring as part of its GOVERN and MEASURE functions. The common thread across all frameworks is a shift from point-in-time validation to continuous behavioral oversight.
What evidence do regulators need for continuous AI monitoring?
Regulators across insurance, banking, and healthcare are moving beyond asking whether AI systems were validated before deployment. They want evidence that AI systems are still performing within approved parameters in production. This typically includes: a current inventory of all AI systems with risk classifications and accountable owners, documented monitoring processes showing what is being tracked and how often, timestamped records of AI output evaluations (not just input data monitoring), evidence of how behavioral changes are detected and how quickly, incident response documentation showing how AI issues were identified, escalated, and resolved, and records of third-party AI vendor oversight. The key shift: regulators want ongoing evidence, not point-in-time reports. A model card from 18 months ago does not demonstrate that the AI system is behaving correctly today.
Is AI governance documentation enough for regulatory compliance?
AI governance documentation like model cards, fairness assessments, validation reports, and policy documents is necessary but no longer sufficient. These documents tell a regulator that your AI system was validated and approved. They do not tell a regulator that your AI system is still operating within those approved parameters right now. This is the gap regulators are increasingly focused on. The NAIC Model Bulletin, SR 11-7, and the EU AI Act all require or strongly imply ongoing behavioral monitoring, not just pre-deployment validation. Closing this gap means moving from periodic manual reviews to continuous monitoring that generates documented evidence of AI output quality, fairness, and compliance over time. An EY survey of 500 technology executives in early 2026 found that 78% say AI adoption is outpacing their ability to manage associated risks, and a separate study found that while 72% of organizations have integrated and scaled AI, only a third have responsible controls across all governance dimensions.
How do I know if my organization is ready for an AI regulatory exam?
AI regulatory readiness covers 5 key areas. First, AI inventory and governance: whether you know what AI systems you have, what each one does, and who is accountable for its behavior. Second, monitoring practices: whether you are watching what your AI does in production, not just checking in quarterly or after complaints. Third, compliance evidence: whether you can prove your AI is compliant right now, not just that it was compliant at deployment. Fourth, incident readiness: whether you have a defined process with assigned roles for handling AI behavioral issues. Fifth, organizational readiness: whether your AI, compliance, and risk teams are working together with shared objectives. Organizations with strong readiness can produce regulator-ready evidence packages within hours, not weeks, and have named individuals accountable for each AI system's ongoing behavior.
What is the difference between data drift detection and behavioral drift detection?
Data drift detection monitors whether the statistical distribution of inputs to your AI model has changed compared to training data. Tools like Evidently AI, Arize, WhyLabs, and Fiddler excel at this. Behavioral drift detection monitors whether your AI's outputs, its actual decisions, recommendations, and responses, are changing over time. These are different problems. Your input data can be stable while outputs drift out of compliance. Or your inputs can shift dramatically while outputs remain within acceptable bounds. Regulators in insurance, banking, and healthcare are asking about output behavior, not input distributions.

For a comparison of data drift detection tools, see our guide to AI drift detection tools.

More from AnchorDrift

The NAIC AI Bulletin: What It Requires 5 AI Drift Detection Tools Compared What Is Behavioral Drift? AI Compliance Glossary