The NAIC Bulletin Is the Floor Your Reinsurer Will Hold You To

As of August 2025, twenty-four jurisdictions had adopted some version of the NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers. Most carrier compliance teams have read the bulletin carefully, mapped it to their internal controls, and are working to satisfy every requirement in the text. They are working to the wrong standard.

The bulletin is the regulatory floor. Reinsurers will use it as the evidentiary baseline they hold cedents to at the next treaty placement. A carrier that meets the floor and stops there is preparing for the wrong audience.

We think this asymmetry is the single most underpriced element of AI governance budgets in the P&C market right now.

What the Bulletin Actually Requires

The NAIC adopted the model bulletin on December 4, 2023. It does not create new law. It articulates how state insurance departments will read existing unfair trade practices, market conduct, and corporate governance statutes when those statutes are applied to a carrier's use of AI systems. The substantive expectations cluster around four areas:

  • A written AI Systems program owned by the board, including the testing, validation, and monitoring practices the carrier applies before and after deployment.
  • A risk management framework calibrated to the carrier's specific use of AI in underwriting, rating, claims, marketing, and fraud detection.
  • Governance of third-party AI, including data and models supplied by vendors, with documented diligence on the third party's own controls.
  • Records sufficient for a regulator to reconstruct the AI's role in any specific consumer-facing decision under examination.

The bulletin is deliberately principles-based. It tells the carrier what the regulator expects to see without prescribing the form. That structure was the right call for a model document drafted to be adopted across jurisdictions, but it has a side effect at the carrier level: two carriers can both be "compliant" with very different evidentiary records.

The variance in evidentiary records is what reinsurers will read.

How a Reinsurer Reads the Same Document

A treaty underwriter sitting down at a June 1 placement does not enforce the NAIC bulletin, because the reinsurer's job is not regulatory. What the reinsurer does instead is form a view of whether the cedent's AI governance is reasonable for the market the cedent operates in, since the reinsurer is being asked to take exposure to the cedent's selection behavior over the next twelve months.

The bulletin gives the reinsurer something it did not have before December 2023: a published, regulator-blessed articulation of what the market considers a reasonable baseline for insurer AI governance. That published baseline becomes the reinsurer's anchor for what "good" looks like, and the carrier's position relative to it determines treatment at renewal: a cedent at the baseline is treated as "in the market," a cedent visibly above it gets credit as "above-market," and a cedent below it becomes a candidate for repricing or non-renewal.

There is a concept worth naming here. The NAIC bulletin functions as a market normalization document for reinsurance underwriters. It compresses what would otherwise be a state-by-state, carrier-by-carrier inquiry into a single shared reference point. The reinsurer reads it as a starting line, while the cedent that treats it as a ceiling for compliance investment is using the document for a purpose it was never designed to serve.

A Two-Cedent Comparison

Consider two regional homeowners carriers placing renewal in the same June 1 market.

Cedent A produces a 200-page AI governance manual that maps every paragraph of the model bulletin to a carrier policy and a control owner. It is internally consistent, it would survive a state market conduct exam, and the chief compliance officer can defend every page. The manual has not been audited by an external party. The model change history lives inside the data science team's version control. No specific document has been sent to the carrier's reinsurance panel describing the governance posture.

Cedent B produces the same manual. It also produces three additional artifacts: a quarterly external validation report from an independent firm, a model change log written for a non-technical audience and dated by deployment, and a contemporaneous letter to the lead reinsurer at each renewal walking through any material model changes since the prior placement.

Both carriers are NAIC-bulletin compliant. The reinsurer evaluates them differently. Cedent B's incremental artifacts function as evidence, not as regulatory deliverables, and they shift the reinsurer's mental model of the cession from "average market governance" to "above-market governance." The pricing differential at the next placement, and the willingness of the reinsurer to renew at all in a hardening market, often turns on exactly that kind of evidentiary lift.

We covered the broader architecture of this risk in the canonical post on why the reinsurance treaty is where AI risk becomes existential, and the specific contractual hinge in the post on the disclosure-warranty clause your AI strategy lives or dies on. The current post is about something narrower: the standard you are actually being measured against, regardless of what the regulator is asking for.

Where the Floor Sits Higher

The NAIC bulletin is the federated baseline. Two state regimes already sit meaningfully above it, and the reinsurer's mental map of "reasonable practice" updates with both.

New York's DFS issued Insurance Circular Letter No. 7 on July 11, 2024. Its scope is narrower than the NAIC bulletin (focused on the use of AI and external consumer data in underwriting and pricing), and its expectations are more specific. New York treats the use of material AI elements in pricing without adequate disclosure as a potential unfair trade practice. The circular letter expects insurers to be able to demonstrate that their use of external consumer data and AI does not produce unfairly discriminatory outcomes, with documented testing and ongoing monitoring. For a carrier writing in New York, the operating standard is the DFS letter, not the NAIC bulletin. For a carrier writing nationally, the DFS letter is one of the markers a reinsurer uses to calibrate what serious AI governance looks like in the most demanding US jurisdiction.

Colorado went further still under SB21-169, which directed the state insurance commissioner to write algorithm and external data regulations across lines. The life insurance regulation under Reg 10-1-1 took effect in November 2023, and the auto and health regulations took effect October 15, 2025. The Colorado regime moves past disclosure into substantive performance: carriers using external consumer data and algorithms in covered lines must run quantitative testing for unfair discrimination across protected classes, document the testing, and report results to the regulator.

For a reinsurer's purposes, Colorado is now part of the texture of "what good looks like." A cedent writing in Colorado that already has a quantitative bias-testing program operational has, by definition, gone beyond the NAIC bulletin's process expectations. A cedent without one, even in states where the NAIC bulletin is the only adopted instrument, is now visibly behind a portion of its peer group on a dimension the reinsurer can name.

The European AI Act adds a further data point. High-risk AI system violations under the Act carry administrative fines of up to seven percent of global annual turnover. Few US P&C carriers have direct EU exposure. The regime nonetheless registers in reinsurer-side analytics because most large reinsurers carry European exposure of their own and have built internal frameworks to evaluate AI risk against the Act's standards. Those frameworks travel back into how the reinsurer evaluates US cedents.

What the CEO Should Be Asking

The bulletin-as-floor framing produces a single useful question for the next board meeting. Are we pricing our AI risk to the regulatory floor or to our treaty's actual expectation?

The honest answer at most regional and specialty carriers right now is the first one. AI governance budgets have been built around what the state insurance department will examine. Treaty renewal is a less salient deadline than the next market conduct cycle, and the artifacts a reinsurer would value at renewal do not appear in a regulator's checklist.

Three operational shifts move a carrier from the first answer to the second.

The first is producing the AI governance materials in two registers, one for each audience. The regulator-facing register maps to the bulletin's process expectations paragraph by paragraph, suitable for a market conduct exam, while the reinsurer-facing register documents operational performance over time across model accuracy and stability, bias-testing results, external validation findings, and the cadence of model changes with the disclosures that accompanied them. Both registers draw on shared underlying evidence, written up for different readers asking different questions.

The second is treating treaty placement as a governance event, not just a financial event. A renewal that closes without the cedent walking the reinsurance panel through what changed in the model stack since the prior placement misses the moment when the disclosure register becomes most defensible. Producing a model-change letter at renewal is operationally cheap. The downside of not producing one shows up three years later, when a developed loss puts the disclosure question in front of a coverage attorney and the carrier's defense has no contemporaneous record to anchor on.

The third is benchmarking carrier governance against Colorado and New York rather than against the NAIC bulletin alone. A program that would hold up under DFS Circular Letter No. 7 and Colorado Reg 10-1-1 operates above the federated floor in ways the reinsurer can see and price, whereas a program anchored only to the NAIC text sits at a standard the most demanding regulators in the industry have already declined to accept. The reinsurer's analytics will eventually note the gap.

None of this is a regulatory complaint about the NAIC bulletin. The bulletin is a serious piece of work and the right floor for the industry. The narrower point is that the floor and the standard the carrier's reinsurer is using are different documents, and carriers that read the bulletin as their finish line are budgeting against the easier of the two deadlines. The harder one is the renewal meeting, where the carrier finds out whether its governance posture earned it terms it can survive on.
