# What is an AIS Program?

_An AI Systems Program (AIS Program) is the written program the NAIC Model Bulletin expects every insurer to maintain. Here are its four pillars and what each one requires._

An AI Systems Program, almost always shortened to AIS Program, is the written program the [NAIC Model Bulletin](/naic-model-bulletin-ai) expects every insurer to maintain. When a regulator asks how you govern AI, the AIS Program is the answer they expect to read.

The bulletin is explicit that the program should be tailored and proportionate. An insurer running a handful of low-risk use cases is not held to the same depth as one using models to drive underwriting, pricing, and claims at scale. The yardstick is the potential harm to consumers, so the program grows with the stakes.

## The four pillars

We describe the program as four working pillars. The first three come straight from the bulletin's guidelines; the fourth folds in the examination expectations, because that is how insurers actually have to operate.

### 1. Governance

Someone has to own this. The bulletin expects board-level accountability with a named senior leader responsible, and a cross-functional body, spanning actuarial, data science, underwriting, claims, compliance, and legal, that oversees AI across its life cycle. It also expects the people who build and use the models to receive ongoing training. This is the same discipline that underpins broader [AI governance](/ai-governance), applied to the insurance context.

### 2. Risk management and internal controls

This pillar is about controls at every stage of the model life cycle. It starts with an inventory of every model and AI system that can affect consumers, then layers on data practices (lineage, quality, bias analysis), validation that compares development performance to production behavior, and ongoing monitoring for [model drift](/ai-model-drift).

### 3. Third-party oversight

Insurers rarely build everything themselves, and the bulletin is clear that responsibility does not transfer to the vendor. The program needs due diligence on vendors and their data, contract terms that grant audit rights and require cooperation with regulators, and a way to confirm vendors are meeting their obligations.

### 4. Documentation and audit-readiness

The first three pillars are only as strong as the evidence behind them. Section 4 of the bulletin lists what a regulator can request: the written program and its adoption record, model documentation, data lineage and controls, and third-party diligence. Keeping that [audit trail](/ai-audit-trail) examination-ready is what makes the program defensible rather than aspirational.

## From principles to proof

When the bulletin first appeared, regulators accepted intentions and policies. That window is closing. Examinations increasingly ask for evidence that controls were implemented, tested, and enforced, including version histories, change approvals, and a clear trail from data to model to decision. A program that exists only as a document, with no operational proof behind it, is increasingly exposed.

## Getting started

A practical sequence is to write the program, build the model inventory, then close the documentation gaps the inventory reveals. Our [Insurance AI Governance hub](/insurance-ai-governance) walks through where you stand against the four pillars, and the requirements line up directly with your [state's bulletin](/insurance-ai-governance/michigan).

Swept AI supervises models in production and generates the evidence each pillar depends on. [See how it works](/offering/governance-and-certification) for insurers building an audit-ready AIS Program.