Auto insurers and health benefit plan insurers in Colorado must begin submitting annual compliance reports on July 1, 2026. Colorado's insurance AI regulation, SB 21-169 and its implementing Regulation 10-1-1, represents the most prescriptive state-level AI regulation affecting insurance in the United States. It specifies what insurance deployers must do, when they must do it, and what evidence they must produce.
What follows is a compliance checklist: the specific obligations, the documentation regulators expect, a bias testing methodology, and a timeline for getting it done before the deadline.
The Four Core Obligations
The regulation applies to insurers using external consumer data and information sources (ECDIS), algorithms, and predictive models. In practice, that covers any AI system that materially influences decisions about coverage, pricing, claims, underwriting, or policy servicing. The threshold is broad: if a model's output shapes a decision affecting a consumer, it qualifies.
1. Impact assessments. Insurers must conduct and document algorithmic impact assessments for every AI system using ECDIS. Each assessment must identify the system's purpose, the data it uses, the decisions it influences, and the potential risks of discriminatory outcomes. These are not one-time exercises. They must be updated when the system changes materially or when new risks emerge.
2. Bias testing. The regulation requires insurers to evaluate AI systems for discriminatory outcomes across protected classes: race, color, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity, and gender expression. The testing must measure actual outcomes, not model design intent. A model built to be neutral but producing disparate impact across protected classes fails the test regardless of its architecture.
3. Consumer protections. When an AI system makes or substantially contributes to a consequential decision about a consumer, the insurer must notify the consumer that AI was used. For adverse decisions, the consumer must receive an explanation of the AI's role and an opportunity to correct inaccurate data or appeal.
4. Documentation and reporting. Auto insurers and health benefit plan insurers must submit annual compliance reports to the Colorado Division of Insurance beginning July 1, 2026. These reports must demonstrate compliance with the three requirements above.
Where Colorado Sits in the National Picture
The NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers, adopted on December 4, 2023, established a governance framework that 24 states and districts have now adopted in some form. Colorado's requirements align with and in several areas exceed that framework. The directional alignment matters: what Colorado requires today, other states will require soon. Building compliance infrastructure for Colorado creates a foundation for meeting obligations in other jurisdictions as they adopt similar standards.
Bias Testing: A Practical Methodology
The regulation requires bias testing but leaves room for methodological variation. Here is a four-part approach.
Disparate impact analysis. Compare model outcomes across protected classes using the four-fifths rule as a baseline. If the selection rate for any protected class falls below 80% of the rate for the most favored class, the model produces disparate impact. Apply this to approval rates, pricing tiers, claims decisions, and any other outcome the model influences. The four-fifths rule is a starting point. Some regulators and courts apply stricter standards.
Proxy variable auditing. Protected attributes rarely appear as direct inputs to insurance models. They appear as proxies: zip code correlates with race, occupation correlates with gender, credit score correlates with income and national origin. Proxy variable auditing identifies features that serve as statistical proxies for protected attributes and measures their influence on model outputs. Remove or constrain proxy variables that drive disparate impact without legitimate actuarial justification.
Intersectional testing. Single-axis testing (race alone, gender alone) misses discriminatory patterns that emerge at intersections. A model that treats women fairly overall and treats Black applicants fairly overall may still produce adverse outcomes for Black women specifically. While Colorado's current quantitative testing regulation focuses on race, the breadth of protected classes in SB 21-169 suggests intersectional analysis will become increasingly relevant as the regulatory framework matures.
Counterfactual analysis. For each decision the model makes, change the protected attribute and measure whether the outcome changes. If switching an applicant's race from white to Black changes a coverage decision while all other inputs remain constant, the model encodes racial bias. Counterfactual analysis is computationally intensive but produces the most direct evidence of discriminatory behavior.
What Documentation Regulators Expect
The Colorado Division of Insurance has indicated that it will evaluate both the substance and the rigor of submitted documentation. Carriers should prepare the following.
AI system inventory. A complete registry of every AI system influencing consumer-facing decisions. For each system: purpose, data inputs, decision scope, risk classification, deployment date, and responsible owner. This inventory must be current.
Impact assessment records. Documented assessments for each high-risk system, including methodology, findings, identified risks, and mitigation steps. Regulators will evaluate whether assessments reflect genuine analysis or boilerplate copied across systems.
Bias audit results. Quantitative test results showing outcomes across protected classes, methodology documentation, and remediation actions taken when testing reveals disparate impact. Include the specific statistical tests applied, the thresholds used, and the rationale for those thresholds.
Consumer notification logs. Records of when and how consumers were notified about AI involvement in their decisions. For adverse decisions, documentation of the explanation provided and any appeal processes initiated.
Monitoring evidence. Continuous monitoring data showing ongoing model performance, drift detection, and bias measurement. Quarterly batch reports do not satisfy the expectation for continuous oversight. Regulators want evidence that monitoring is operational, not ceremonial.
Incident records. Documentation of any AI-related incidents, including detection method, timeline, impact assessment, and remediation. The absence of incident records does not signal a clean program. It signals a program that lacks the infrastructure to detect incidents.
Compliance Timeline
Working backward from the July 1, 2026 deadline:
Now through April 2026: Foundation. Complete your AI system inventory. You cannot govern what you cannot see. Identify every model that touches consumer decisions, classify each by risk level, and assign ownership. Establish your impact assessment methodology and begin assessments for your highest-risk systems.
April through May 2026: Testing. Execute bias audits across all high-risk systems. Document results, identify gaps, and begin remediation for systems that produce disparate impact. Implement consumer notification procedures for AI-influenced decisions. Stand up continuous monitoring infrastructure if it does not already exist.
May through June 2026: Documentation and dry run. Compile all documentation into the format required for annual compliance reports. Run an internal review that simulates regulatory scrutiny: assign a team that did not build the compliance program to review it with skeptical eyes. Identify and close gaps before submission.
July 1, 2026: Submission. Submit initial compliance reports to the Colorado Division of Insurance. This is not the end of the compliance cycle. It is the beginning of ongoing reporting obligations.
Beyond Colorado
The 24 states and districts that have adopted elements of the NAIC Model Bulletin represent a clear trajectory. Carriers that build compliance infrastructure exclusively for Colorado will rebuild it for each new jurisdiction. Carriers that build governance as operational infrastructure, with centralized model registries, automated monitoring, systematic bias testing, and comprehensive audit trails, will adapt to new requirements by adjusting parameters rather than constructing new programs from scratch.
The deadline is July 1, 2026. The governance infrastructure it demands will serve carriers far beyond Colorado and far beyond that date.
