Summary

Insurance is one of the most regulated places to deploy AI in the US, and governance is now a board-level topic. The NAIC Model Bulletin on the use of AI systems, adopted in 2023, sets expectations that most states are now enforcing: documented governance, risk management, and controls against unfair discrimination. Carriers face proxy-bias risk when a model uses a variable that stands in for a protected class, exposure in rate filings that must be actuarially justified, and DOI market-conduct exams that increasingly ask for model documentation. The carriers that treat governance as a design constraint, not a compliance afterthought, ship faster and defend better.

Context

The regulatory floor has been set, and states are building on it

The NAIC adopted its Model Bulletin on the Use of Artificial Intelligence Systems by Insurers in December 2023, and by 2025 a majority of states had adopted it or issued their own guidance modeled on it. The bulletin does not ban techniques; it requires that insurers using AI have a documented AI systems program covering governance, risk management, and third-party model oversight, with specific attention to unfair discrimination.

This lands on top of existing law. Unfair trade practice statutes and rate-filing requirements already prohibit unfairly discriminatory rates, and those apply to a model output just as they apply to a manual rating factor. The practical effect is that a carrier deploying AI in underwriting or pricing must be able to explain, in writing and on demand, what the model does, what data it uses, how it was tested for disparate impact, and who is accountable for it.

The framework

Five governance obligations and how to satisfy each

Translate the regulatory expectations into concrete controls that a DOI examiner would accept. Each obligation below maps to a specific artifact your program should produce.

Obligation | What regulators expect | Evidence artifact
Governance and accountability | Named owner, board or senior oversight, written AI systems program | AI governance policy and RACI
Unfair discrimination testing | Disparate-impact analysis, including proxy-variable review | Bias test report per model, per state
Rate justification | Actuarial support for any factor affecting a filed rate | Actuarial memorandum tied to the model
Explainability | Documented model logic, inputs, and reason codes | Model card and adverse-action reasons
Third-party oversight | Due diligence on vendor and external-data models | Vendor risk assessment and contract terms

Recommended actions

Build governance into the model lifecycle

  • Adopt a written AI systems program aligned to the NAIC Model Bulletin, with a named accountable executive and documented senior oversight, before your next model goes live.
  • Run disparate-impact testing on every model that touches underwriting, pricing, or claims, and explicitly test for proxy variables that correlate with protected classes such as race, religion, or national origin.
  • Require an actuarial memorandum for any model output that feeds a filed rate, so the rate filing and the model documentation tell the same story.
  • Generate reason codes and adverse-action explanations for every automated decline or adverse decision, meeting both fair-credit and state notice requirements.
  • Maintain an examiner-ready evidence package per model per state, because a market-conduct exam can request it with little notice.

Common pitfalls

How carriers get caught in exams

  • Removing protected attributes from the model but leaving in a proxy such as ZIP-level data that reintroduces disparate impact through the back door.
  • Treating a vendor model as a black box and having no documentation when an examiner asks how it works.
  • Filing a rate whose supporting actuarial memo does not match the variables the production model actually uses.
  • Building governance for a launch state only, then rolling out to states with different bulletins and testing expectations without re-papering.

Metrics that matter

Governance is measurable

  • Share of production models with a completed disparate-impact test in the last review cycle.
  • Number of models with a current, examiner-ready documentation package versus total in production.
  • Adverse-action decisions issued with a valid reason code, as a percentage of automated declines.
  • Time to produce a full model evidence package on examiner request, targeting days not weeks.

FAQ

Frequently asked questions

Does the NAIC AI Model Bulletin have the force of law?

The bulletin itself is guidance, but it becomes enforceable when a state adopts it, and most states have. It also restates obligations already in unfair trade practice and rate law, so its core expectations were enforceable regardless of the bulletin.

How do we avoid proxy bias if we already removed protected attributes?

Removing the protected attribute is not enough because other variables can correlate with it. Run disparate-impact testing on model outcomes and inspect high-weight variables like geographic or credit-based inputs for proxy effects, then constrain or drop those that reintroduce bias.

What will a DOI examiner ask for during a market-conduct exam?

Expect requests for the model documentation, the data inputs, the disparate-impact testing, the actuarial support for any rated variable, adverse-action reason codes, and evidence of governance and vendor oversight. Keep this package current per model and per state.