Insurance AI Governance

The NAIC AI Model Bulletin, made practical

A plain-language, state-by-state guide to the NAIC Model Bulletin on the Use of AI Systems by Insurers. Understand the AIS Program regulators expect, check your readiness, and get the evidence right before an examiner asks.

State Adoption Tracker

Where the NAIC model bulletin has been adopted

25 jurisdictions have adopted the model bulletin and 4 more have insurance-specific AI guidance. Status as of April 1, 2026; confirm with each state's department of insurance.

Adopted (25)
Insurance-specific guidance (4)
No state action

  • Alaska: Adopted
  • Alabama: No state action
  • Arkansas: Adopted
  • Arizona: No state action
  • California: Insurance-specific guidance
  • Colorado: Insurance-specific guidance
  • Connecticut: Adopted
  • Delaware: Adopted
  • Florida: No state action
  • Georgia: No state action
  • Hawaii: Adopted
  • Iowa: Adopted
  • Idaho: No state action
  • Illinois: Adopted
  • Indiana: No state action
  • Kansas: No state action
  • Kentucky: Adopted
  • Louisiana: No state action
  • Massachusetts: Adopted
  • Maryland: Adopted
  • Maine: No state action
  • Michigan: Adopted
  • Minnesota: No state action
  • Missouri: No state action
  • Mississippi: No state action
  • Montana: No state action
  • North Carolina: Adopted
  • North Dakota: No state action
  • Nebraska: Adopted
  • New Hampshire: Adopted
  • New Jersey: Adopted
  • New Mexico: No state action
  • Nevada: Adopted
  • New York: Insurance-specific guidance
  • Ohio: No state action
  • Oklahoma: Adopted
  • Oregon: No state action
  • Pennsylvania: Adopted
  • Rhode Island: Adopted
  • South Carolina: No state action
  • South Dakota: No state action
  • Tennessee: No state action
  • Texas: Insurance-specific guidance
  • Utah: No state action
  • Virginia: Adopted
  • Vermont: Adopted
  • Washington: Adopted
  • Wisconsin: Adopted
  • West Virginia: Adopted
  • Wyoming: No state action
  • District of Columbia: Adopted

Adopted the model bulletin

  • Alaska, Bulletin B 24-01, Feb 1, 2024
  • Arkansas, Bulletin 13-2024, Jul 31, 2024
  • Connecticut, Bulletin No. MC-25, Feb 26, 2024
  • Delaware, Domestic and Foreign Bulletin No. 148, Feb 5, 2025
  • District of Columbia, Bulletin 24-IB-002-05/21, May 21, 2024
  • Hawaii, Insurance Commissioner Memorandum No. 2025-13A, Dec 10, 2025
  • Illinois, Company Bulletin 2024-08, Mar 13, 2024
  • Iowa, Insurance Division Bulletin 24-04, Nov 7, 2024
  • Kentucky, Bulletin No. 2024-02, Apr 16, 2024
  • Maryland, Bulletin No. 24-11, Apr 22, 2024
  • Massachusetts, Bulletin No. 2024-10, Dec 9, 2024
  • Michigan, Bulletin 2024-20-INS, Aug 7, 2024
  • Nebraska, Insurance Guidance Document No. IGD-H1, Jun 11, 2024
  • Nevada, Bulletin 24-001, Feb 23, 2024
  • New Hampshire, Bulletin Docket #INS 24-011-AB, Feb 20, 2024
  • New Jersey, Insurance Bulletin No. 25-03, Feb 11, 2025
  • North Carolina, Bulletin No. 24-B-19, Dec 18, 2024
  • Oklahoma, Bulletin No. 2024-11, Nov 14, 2024
  • Pennsylvania, Insurance Notice 2024-04, Apr 6, 2024
  • Rhode Island, Insurance Bulletin No. 2024-03, Mar 15, 2024
  • Vermont, Insurance Bulletin No. 229, Mar 12, 2024
  • Virginia, Administrative Letter 2024-01, Jul 22, 2024
  • Washington, Technical Assistance Advisory 2024-02, Apr 22, 2024
  • West Virginia, Insurance Bulletin No. 24-06, Aug 9, 2024
  • Wisconsin, Insurance Bulletin, Mar 18, 2025

Insurance-specific AI guidance

  • California, Bulletin 2022-5
  • Colorado, 3 CCR 702-10
  • New York, Insurance Circular Letter No. 7
  • Texas, Bulletin # B-0036-20

What the bulletin actually says

The NAIC adopted the model bulletin on December 4, 2023. It follows the same four-part structure in every state that adopts it.

1. Introduction, Background, and Legislative Authority

Establishes that decisions touching consumers must follow existing insurance law no matter what technology produced them, and grounds the bulletin in laws the department already enforces.

2. Definitions

Defines the terms that carry legal weight, including AI System, Adverse Consumer Outcome, Predictive Model, and Model Drift.

3. Regulatory Guidance and Expectations

Sets the expectation that every insurer maintain a written AIS Program covering governance, risk management, and third-party oversight.

4. Regulatory Oversight and Examination Considerations

Lists the documentation a department can request during an investigation or market conduct exam, which is what turns the program from policy into evidence.

The AIS Program

Four pillars an insurer has to operate

The bulletin asks every insurer to maintain a written AIS Program. These pillars are what it expects to find inside.

1. Governance

A written program with clear ownership. Senior management is accountable to the board, and a cross-functional body oversees AI across its whole life cycle.

  • Board-level accountability with named senior-management ownership
  • A committee spanning actuarial, data science, underwriting, claims, compliance, and legal
  • Documented chains of command, decision rights, and escalation paths
  • Ongoing training and supervision for the people who build and use the models

2. Risk Management & Internal Controls

Controls at every stage of the model life cycle, from data sourcing through retirement, sized to the potential harm to consumers.

  • An inventory and description of every predictive model and AI system in use
  • Data practices covering lineage, quality, integrity, bias analysis, and currency
  • Validation and testing that compares development performance against production behavior
  • Monitoring for model drift and protection of non-public consumer information

3. Third-Party AI Systems & Data

The insurer stays responsible for AI it did not build. Vendor relationships need diligence, contract rights, and the ability to produce evidence.

  • Due diligence on vendors, their data, and their models before adoption
  • Contract terms granting audit rights and audit-report access
  • Cooperation clauses so vendors support regulatory inquiries
  • Ongoing confirmation that vendors meet their contractual and regulatory obligations

4. Documentation & Audit-Readiness

Section 4 spells out what an examiner can ask for. Treating that list as a standing requirement is what keeps a program defensible.

  • The written program, adoption record, and evidence of how it is tailored
  • Model documentation: goals, development, validation, and oversight decisions
  • Records of data sources, techniques, thresholds, and controls per model
  • Validation, testing, and audit records, including model-drift evaluation

How strong do the controls have to be?

The bulletin scales expectations to risk. Controls should be commensurate with five factors:

  • The nature of the decision the AI supports
  • The degree of potential harm to the consumer
  • How much a human is involved in the final decision
  • How transparent and explainable the system is
  • How much the insurer relies on third-party data, models, and systems

The foundation

The NAIC AI Principles

Adopted in August 2020, these five principles sit under every bulletin and explain why each requirement exists. Together they spell FACTS.

F: Fair and Ethical

AI should respect the rule of law and avoid proxy discrimination against protected classes, and it should be built to avoid and correct harm.

A: Accountable

The people and organizations behind an AI system are responsible for how it behaves, including outcomes they did not intend.

C: Compliant

AI systems must follow the insurance laws of every jurisdiction they touch, whether a violation is intentional or not.

T: Transparent

Stakeholders and regulators should be able to inquire about and seek recourse for AI-driven decisions, with explanations they can understand.

S: Secure, Safe, and Robust

Systems should be traceable and resilient across their life cycle, with continuous, systematic risk management.

Learn the basics

Free resources

Start with these plain-language explainers and field guides.

Guide

What is the NAIC Model Bulletin on AI?

The NAIC Model Bulletin on the Use of AI Systems by Insurers is the template most states use to set AI governance expectations. Here is what it says and why it matters.

Guide

What is an AIS Program?

An AI Systems Program (AIS Program) is the written program the NAIC Model Bulletin expects every insurer to maintain. Here are its four pillars and what each one requires.

Guide

What are the NAIC AI Principles?

The NAIC AI Principles, adopted in 2020, are the foundation beneath every state AI bulletin. The five principles spell FACTS: Fair, Accountable, Compliant, Transparent, and Secure.

Guide

AI in Insurance: Key Regulatory Definitions

The NAIC Model Bulletin defines the terms that carry legal weight, from AI System to Adverse Consumer Outcome to Model Drift. Here is what each one means for insurers.

Article

AI Is a Catalyst for Insurance. Governance Needs to Keep Pace.

The insurance industry is adopting AI as a catalyst for transformation. But catalysts without governance create uncontrolled reactions. Insurance needs AI governance that leads adoption, not governance that chases it.

Article

AI in Financial Examinations: What Regulators Will Ask and What Carriers Must Produce

State insurance examiners are adding AI-specific inquiries to financial and market conduct examinations. Continuous supervision generates examination-ready evidence as a byproduct of normal operations.

Article

Insurance AI Governance Demands More Than a Checklist

Insurance carriers approve AI at one speed and govern it at another. Until governance becomes infrastructure, that gap will keep producing the failures policies were designed to prevent.

Frequently asked questions

What is the NAIC Model Bulletin on the use of AI?

It is a template the National Association of Insurance Commissioners adopted in December 2023 for state regulators to issue. It does not create new law. It tells insurers that existing laws apply to any decision an AI system touches, and it expects each insurer to maintain a written AIS Program.

What is an AIS Program?

An AI Systems Program is the written program the bulletin expects every insurer to develop, implement, and maintain. It covers governance, risk management and internal controls, third-party oversight, and the documentation that proves all of it, sized to the potential harm a model could cause a consumer.

Does the bulletin create new legal requirements?

No. It rests on laws regulators already enforce, including unfair trade practice acts, unfair discrimination standards, rating laws, and corporate governance disclosure acts. The bulletin clarifies how those existing standards apply to AI-driven decisions.

Which states have adopted it?

As of April 1, 2026, 25 jurisdictions have adopted the model bulletin and 4 more (California, Colorado, New York, and Texas) have issued insurance-specific AI guidance instead. Michigan adopted it verbatim. Adoption keeps expanding, so confirm the current status with the relevant state department of insurance.

What documentation can a regulator request?

Section 4 of the bulletin lists it: the written program and its adoption record, a model inventory, model-level documentation of goals and validation, data lineage and controls, and third-party diligence and contracts. Keeping that evidence examination-ready is what makes a program defensible.

How is regulatory scrutiny changing?

Examinations are shifting from principles to proof. Regulators increasingly want evidence that controls were implemented, tested, and enforced, including version histories, change approvals, and a clear data-to-decision trail. Cybersecurity maturity is becoming a proxy for AI governance maturity.
