Insurance regulators across the United States are taking a structured, hands-on approach to AI oversight that could reshape how insurers develop and deploy artificial intelligence systems. The National Association of Insurance Commissioners (NAIC) is running a pilot program through September 2026 that tests a new AI System Evaluation Tool with 12 state regulators and a select group of insurance companies. The goal is straightforward: help regulators understand how insurers actually use AI and machine learning models, and ensure those systems don't harm consumers through unfair discrimination or algorithmic bias .

This regulatory push marks a significant shift from general compliance checklists to practical, risk-based oversight. Since the NAIC adopted its Model Bulletin on AI use in December 2023, 24 states and Washington D.C. have embraced the guidance, and four additional states have created their own insurance-specific AI regulations. The movement reflects growing concern that AI systems in insurance, from underwriting to claims processing, need transparent governance frameworks .

What Risk Levels Are Regulators Actually Looking For?

The NAIC has proposed a four-tier risk taxonomy to help regulators prioritize which AI systems need the most scrutiny. This framework moves beyond one-size-fits-all compliance and instead focuses regulatory attention where it matters most. Understanding these risk categories is essential for insurers preparing for examinations and for consumers wondering what safeguards protect them .

• Unacceptable Risk: The highest category includes AI systems using subliminal manipulation or general social scoring, which regulators view as fundamentally incompatible with consumer protection standards.
• High Risk: Most regulated AI systems fall into this tier, including those with potential to cause significant harm if they fail or are misused, such as underwriting algorithms that determine eligibility or pricing.
• Medium Risk: Systems involving manipulation or deceit risk, such as chatbots or emotion recognition tools, require transparency so consumers know they are interacting with AI.
• Low Risk: All other AI systems, like spam filters, can be deployed without additional restrictions or oversight.

The NAIC staff emphasized that creating this taxonomy is critical for identifying which systems demand regulatory attention. Rather than treating all AI equally, regulators can now focus resources on high-risk applications where algorithmic failures or bias could directly harm policyholders .

How Are Insurers Demonstrating AI Compliance to Regulators?

The NAIC has proposed a standardized Compliance Report structure that insurance companies would complete to demonstrate they are following AI governance guidelines. This structured approach gives insurers a clear roadmap for documentation while giving regulators a consistent way to evaluate AI practices across the industry. The Compliance Report includes several key components designed to surface potential risks .

• Executive Summary and Report Authors: A high-level overview with credentials of the people responsible for AI governance, ensuring accountability at the leadership level.
• Models and Data Sources: Documentation of both internal and external data used to train AI systems, with attention to selection bias in internal data and undisclosed design constraints in external data.
• Risk Assessment Framework: A formal process for identifying and evaluating risks posed by each AI system, aligned with the four-tier risk taxonomy.
• Model Cards and Inventory: Standardized reporting tools that provide basic information about each AI model, including training data, evaluation metrics, intended use, and ethical considerations.
• Model Drift and Validation: Methods for detecting when an AI model's performance degrades over time due to changing data patterns, a critical safeguard against silent failures.
• Protected Class Inference and Bias Testing: Specific testing to ensure AI systems are not making decisions based on protected characteristics like race, gender, or age, even indirectly.
• Consumer Complaint Process: A mechanism for handling complaints about AI-driven decisions, ensuring consumers have recourse if they believe they were treated unfairly.

The NAIC staff highlighted a particular concern: confidentiality agreements that prevent companies from sharing external data with regulators can create blind spots in oversight. Regulators need visibility into the data sources and design constraints that shape AI behavior, even when those sources come from third-party vendors .

What Is Model Drift and Why Should You Care?

One of the most important concepts in the new regulatory framework is "model drift," a technical problem with real-world consequences. Model drift occurs when an AI system's performance degrades because the patterns in data change over time. For example, an underwriting model trained on historical data might make poor decisions if economic conditions shift or demographic patterns change. NAIC staff stressed that insurers must describe their methods for detecting and testing model drift in their compliance reports, and regulators are being encouraged to ask for detailed metrics .

This focus on model drift reflects a hard-won lesson from AI deployments across industries: systems that work perfectly on day one can silently fail months later if no one is monitoring them. In insurance, a drifting underwriting model could systematically deny coverage to certain groups or misprice risk in ways that harm both insurers and consumers. The regulatory push to make this visible is a practical safeguard.

How Will the Pilot Program Shape Future Oversight?

The AI System Evaluation Tool pilot, running from March through September 2026, involves 12 state insurance regulators testing the tool with insurance companies across property and casualty, life insurance, and other major product lines. The pilot has specific goals that will inform how AI oversight evolves nationwide .

• Tool Effectiveness: Determine whether the evaluation tool helps insurers clearly explain their AI governance systems and helps regulators better understand how companies apply standard governance practices.
• Regulatory Integration: Test how the tool fits into existing regulatory functions, including market conduct exams, financial exams, financial analyses, and general regulatory inquiries.
• Tool Refinement: Gather feedback to improve and develop the tool based on real-world use, ensuring it remains practical and relevant.
• Long-Term Recommendations: Create recommendations for how market conduct and financial risk assessment review processes should evolve to incorporate AI oversight.
• Regulator Training: Identify what additional training state insurance regulators need to effectively evaluate AI systems and governance practices.

The BDAI (Big Data and Artificial Intelligence) Working Group plans to provide frequent public updates as the pilot progresses. Once the pilot concludes, the working group will update the tool based on feedback, with the goal of having a refined version ready for adoption at the NAIC's Fall 2026 National Meeting .

This regulatory momentum reflects a broader recognition that AI in finance and insurance cannot be left to self-governance alone. By building transparent frameworks, standardized risk assessments, and practical evaluation tools, regulators are trying to ensure that AI systems serve consumers fairly while still allowing insurers to benefit from technological innovation. For policyholders, this means more visibility into how algorithms affect their coverage and pricing. For insurers, it means preparing now for a regulatory environment that will demand clear documentation and ongoing monitoring of AI systems.

" }