An AI Systems Program, almost always shortened to AIS Program, is the written program the NAIC Model Bulletin expects every insurer to maintain. When a regulator asks how you govern AI, the AIS Program is the answer they expect to read.
The bulletin is explicit that the program should be tailored and proportionate. An insurer running a handful of low-risk use cases is not held to the same depth as one using models to drive underwriting, pricing, and claims at scale. The yardstick is the potential harm to consumers, so the program grows with the stakes.
The four pillars
We describe the program as four working pillars. The first three come straight from the bulletin's guidelines; the fourth folds in the examination expectations, because that is how insurers actually have to operate.
1. Governance
Someone has to own this. The bulletin expects board-level accountability with a named senior leader responsible, and a cross-functional body, spanning actuarial, data science, underwriting, claims, compliance, and legal, that oversees AI across its life cycle. It also expects the people who build and use the models to receive ongoing training. This is the same discipline that underpins broader AI governance, applied to the insurance context.
2. Risk management and internal controls
This pillar is about controls at every stage of the model life cycle. It starts with an inventory of every model and AI system that can affect consumers, then layers on data practices (lineage, quality, bias analysis), validation that compares development performance to production behavior, and ongoing monitoring for model drift.
3. Third-party oversight
Insurers rarely build everything themselves, and the bulletin is clear that responsibility does not transfer to the vendor. The program needs due diligence on vendors and their data, contract terms that grant audit rights and require cooperation with regulators, and a way to confirm vendors are meeting their obligations.
4. Documentation and audit-readiness
The first three pillars are only as strong as the evidence behind them. Section 4 of the bulletin lists what a regulator can request: the written program and its adoption record, model documentation, data lineage and controls, and third-party diligence. Keeping that audit trail examination-ready is what makes the program defensible rather than aspirational.
From principles to proof
When the bulletin first appeared, regulators accepted intentions and policies. That window is closing. Examinations increasingly ask for evidence that controls were implemented, tested, and enforced, including version histories, change approvals, and a clear trail from data to model to decision. A program that exists only as a document, with no operational proof behind it, is increasingly exposed.
Getting started
A practical sequence is to write the program, build the model inventory, then close the documentation gaps the inventory reveals. Our Insurance AI Governance hub walks through where you stand against the four pillars, and the requirements line up directly with your state's bulletin.
Swept AI supervises models in production and generates the evidence each pillar depends on. See how it works for insurers building an audit-ready AIS Program.
FAQs
An AI Systems Program is the written program the NAIC Model Bulletin expects every insurer to develop, implement, and maintain. It governs how the insurer builds, buys, and uses AI systems across the insurance life cycle.
Governance, risk management and internal controls, third-party oversight, and documentation and audit-readiness. The first three describe how the program operates; the fourth is the evidence that proves it does.
No. The bulletin expects the program to be tailored and proportionate to how much the insurer relies on AI and the potential harm to consumers. A small book of low-risk use cases needs lighter controls than high-stakes underwriting or claims models.
Yes. The bulletin allows the program to stand alone or sit inside existing enterprise risk management, and it points to the NIST AI Risk Management Framework as an acceptable foundation.