In December 2023, the National Association of Insurance Commissioners adopted the Model Bulletin on the Use of Artificial Intelligence Systems by Insurers. Fourteen months later, it's no longer a model. Twenty-four states have adopted the bulletin, and an additional four states have enacted related regulations or guidance addressing similar topics. The NAIC itself reported in December 2025 that over half of all states have adopted this or similar guidance.
The bulletin is now the de facto national standard for how insurers govern AI. But there's a gap between knowing the bulletin exists and understanding what it actually requires your organization to do - particularly around the continuous monitoring obligations that most insurers have not yet operationalized.
This article breaks down the bulletin's core requirements, maps them to the monitoring capabilities insurers need, and identifies the enforcement timeline that makes this urgent in 2026.
What the NAIC bulletin actually says
The bulletin's central mandate is that insurers must develop, implement, and maintain a written AI program - called an AIS Program - governing the responsible use of AI systems, particularly when those systems make or support decisions affecting consumers.
The bulletin is principle-based rather than prescriptive about specific technologies, but it's clear about what outcomes the AIS Program must achieve. Decisions made by insurers using AI systems must not be inaccurate, arbitrary, capricious, or unfairly discriminatory, regardless of the tools and methods used to make those decisions.
That "regardless of tools and methods" language is critical. It means the same compliance standards that apply to human-made decisions apply to AI-assisted decisions. An AI system can't be a shield against accountability - it needs to be as auditable and demonstrably fair as any other decision-making process.
The five pillars of the AIS Program
The bulletin organizes its expectations around five core areas. Each one has direct implications for how insurers monitor their AI systems in production.
The AIS Program must include controls that mitigate the risk of adverse outcomes for consumers. This means insurers need evidence that their AI systems are producing fair, accurate decisions - not just at deployment, but on an ongoing basis.
→ Monitoring implication: Continuous behavioral evaluation showing AI outputs remain within approved accuracy and fairness thresholds over time. Point-in-time testing at deployment is necessary but not sufficient.
Insurers must maintain a clear governance structure with defined accountability, escalation paths, and oversight. Controls should be commensurate with both the risk of adverse consumer outcomes and the degree of potential harm to consumers. Higher-risk AI systems (claims decisioning, underwriting, pricing) require more rigorous controls than lower-risk applications.
→ Monitoring implication: Configuration audit trails showing who approved monitoring settings, when thresholds were set, and how alert escalation is structured. Governance must be documented and demonstrable, not assumed.
The AIS Program should include validation, testing, and retesting to assess AI system outputs. The program should evaluate the suitability of data used for developing, training, validating, and auditing the model, and establish accountability procedures that ensure data quality, integrity, and bias minimization. The word "retesting" is key - it implies ongoing validation, not just pre-deployment assessment.
→ Monitoring implication: A defined testing methodology with documented execution history, scoring criteria, and statistical rigor. The bulletin expects you to explain not just what you tested, but how you tested it, how often, and what the results showed.
Insurers must be able to explain how their AI systems reach decisions, particularly adverse ones. This is about providing consumers and regulators with clear reasoning behind AI-driven outcomes.
→ Monitoring implication: Per-evaluation scoring rationale that can be traced from a specific AI output to the behavioral dimensions that were assessed, the scores assigned, and the criteria used. When a regulator asks "why did your AI make this decision?" - you need a documented answer.
Insurers are responsible for the AI systems they use, even when those systems are built or operated by third parties. The bulletin makes clear that outsourcing AI does not outsource accountability. Insurers must have visibility into and governance over third-party AI systems that affect consumer outcomes.
→ Monitoring implication: Independent behavioral monitoring of third-party AI systems. You cannot rely on the vendor's own reporting to satisfy regulatory expectations - regulators will expect insurer-controlled validation of vendor AI performance.
The common thread: Every pillar of the AIS Program assumes the insurer has ongoing visibility into how their AI systems behave in production. Governance requires evidence. Testing requires execution history. Transparency requires scoring rationale. Third-party oversight requires independent monitoring. The bulletin assumes continuous monitoring infrastructure exists. For most insurers, it doesn't.
The enforcement timeline is accelerating
For the first two years after adoption, the NAIC bulletin existed primarily as guidance. That's changing. There does not yet appear to be significant enforcement in the states that have adopted the bulletin, but insurers must continue to anticipate regulatory oversight. Multiple developments signal that the examination phase is arriving.
December 2023 - Bulletin adopted
NAIC membership adopts the Model Bulletin on AI, establishing the AIS Program framework.
2024 - State adoption accelerates
States begin adopting the bulletin. Connecticut was first in February 2024. By year-end, over a dozen states had adopted it.
Mid-2025 - AI Systems Evaluation Tool developed
The NAIC exposed the AI Systems Evaluation Tool to interested parties for an extended public comment period. Edits and feedback were discussed extensively during the fall 2025 meeting. This tool standardizes how state examiners assess insurer AI compliance during market conduct examinations.
Early 2026 - Pilot examinations begin
Pilot programs for the AI Systems Evaluation Tool are expected in early 2026. State regulators are preparing to actively use the tool during examinations - moving from guidance to enforcement.
2026 - Third-party model law anticipated
A model law on third-party data and models is anticipated in 2026, potentially including licensing requirements for vendors. This would extend regulatory oversight beyond insurers to the AI vendors they depend on.
The pattern is clear: 2024 was adoption. 2025 was tool development. 2026 is examination readiness. Insurers who haven't built the monitoring infrastructure the AIS Program requires are facing a rapidly narrowing window.
The monitoring gap most insurers haven't closed
NAIC surveys reveal an uncomfortable reality about the state of AI governance in insurance. AI adoption rates are high: 92% of health insurers, 88% of auto insurers, 70% of home insurers, and 58% of life insurers report current or planned AI usage. But adoption of monitoring practices lags far behind. Nearly one-third of health insurers still do not regularly test their models for bias or discrimination, even though the NAIC's bulletin recommends such practices.
If a third of health insurers aren't even doing periodic bias testing, the percentage conducting continuous behavioral monitoring - which the bulletin's testing and retesting requirements imply - is almost certainly lower.
This creates a specific problem: insurers know they need AI governance, have written AI governance policies, and may have even documented an AIS Program. But the gap between having a policy and having operational monitoring infrastructure is enormous. A written policy that says "we will continuously monitor our AI systems" doesn't satisfy a regulator who asks to see the monitoring results from the last six months.
What examiners will actually ask for
Based on the bulletin's structure and the AI Systems Evaluation Tool development, insurers should prepare a "regulator-ready" package for each high-impact AI system that includes validation reports, bias testing results, oversight documentation, vendor audits, and explanatory logic. More specifically, during an examination, insurers should expect regulators to request documentation of which AI systems are in production and what decisions they influence, evidence of ongoing testing and validation - not just pre-deployment assessment, monitoring results showing behavioral consistency over the reporting period, incident records showing how drift events or anomalies were detected and resolved, and third-party vendor governance documentation.
The gap isn't in documentation strategy. Most compliance teams know what they should have. The gap is in the operational infrastructure to generate that evidence continuously. When the examiner arrives, the question isn't whether you have a policy - it's whether you can produce six months of monitoring data, drift detection results, and incident resolution records.
State-level variation adds complexity
While the NAIC bulletin provides a national framework, individual states are layering additional requirements on top of it. Insurers operating across multiple states face a patchwork of obligations.
Colorado's AI Act requires insurers to follow governance and testing procedures to prevent unfair discrimination, with quantitative testing requirements already in effect for life insurers and expanding to auto and health insurance. New York's DFS Circular Letter requires insurers to demonstrate that AI systems do not proxy for protected classes. California restricts sole reliance on automated tools in health care coverage decisions.
Each of these state-level requirements demands specific monitoring capabilities - quantitative bias testing (Colorado), proxy analysis (New York), human oversight verification (California). The common denominator is continuous evidence generation. An insurer operating in all three states needs monitoring infrastructure that can produce different compliance evidence packages mapped to each state's specific requirements, all from the same underlying behavioral monitoring data.
What this means for insurers in 2026
The practical takeaway: the regulatory environment for AI in insurance has moved from principles to enforcement. The bulletin is adopted. The examination tool is being piloted. State-specific requirements are active. Insurers need to close the gap between having an AI governance policy and having operational monitoring that generates the evidence those policies promise.
That means establishing quantitative behavioral baselines for every AI system in production, implementing continuous evaluation that runs on a defined schedule - not just annual reviews, deploying statistical methods that can distinguish genuine behavioral drift from normal AI output variation, building evidence generation capabilities that produce audit-ready compliance packages mapped to specific regulatory frameworks, and maintaining complete incident audit trails from detection through resolution.
The insurers who build this infrastructure before the examination cycle reaches them will have a significant advantage - not just in compliance readiness, but in the operational confidence to deploy AI more aggressively knowing they have the monitoring in place to catch problems early.
Build your examination-ready AI monitoring
AnchorDrift provides continuous AI behavioral monitoring for insurance carriers, with compliance evidence packages mapped to NAIC Model Bulletin requirements, state-specific regulations, and the upcoming AI Systems Evaluation Tool framework.
Book a Discovery CallRelated reading: What Is AI Behavioral Drift? · What Is AI Behavioral Assurance? · AI Behavioral Monitoring Glossary