State insurance commissioners across North America are conducting detailed examinations of carrier underwriting algorithms. The questions are blunt: What variables does your algorithm use? How did you test for discrimination? Can you prove your pricing model doesn’t correlate with protected classes? If you can’t answer, you’re facing a market conduct examination—and possible exclusion from the state market.
Insurance regulators in 2026 have moved decisively from passive oversight to active algorithmic scrutiny. The shift is driven by four converging forces: advances in algorithmic bias detection, documented cases of AI pricing discrimination, state-level transparency laws, and political pressure to ensure fair access to insurance.
Carriers that deployed underwriting algorithms without rigorous bias testing, or without documenting their testing protocols, are now facing regulatory reckoning. This is the year the insurance industry’s relationship with AI changes fundamentally.
The Regulatory Scrutiny Accelerates
The New York Department of Financial Services, California Department of Insurance, and insurance regulators in Texas, Florida, and Colorado are all running examinations of how carriers use AI in underwriting and pricing. The common thread: they want evidence that the algorithms are not discriminatory.
Discrimination in insurance doesn’t have to be intentional. If an algorithm uses variables that proxy for protected classes—if it uses credit score as a proxy for race, or uses ZIP code as a proxy for income and family structure—the algorithm can produce disparate impact without ever explicitly using race, gender, or other protected classes in the decision logic.
Regulators are looking for: (1) documentation of the algorithm’s variables and decision logic; (2) testing for correlation with protected classes; (3) evidence that variables are actuarially justified (they genuinely predict risk, not just correlate with demographic groups); (4) appeal mechanisms when applicants challenge algorithmic decisions.
Carriers that can’t produce this documentation are facing enforcement actions. In Q1 2026 alone, three major carriers received formal inquiry letters demanding detailed algorithmic documentation. One carrier in California disclosed that it hadn’t tested its underwriting algorithm for racial correlation since deploying it three years earlier. That gap is now a regulatory matter.
The Underwriting Algorithm Governance Gap
Here’s where many carriers are vulnerable: they deployed underwriting algorithms that worked well—they reduced false positives, improved quote accuracy, accelerated underwriting—without building robust governance around algorithmic bias testing and documentation.
Typical carrier AI governance included: (1) model validation (does it predict what we want?); (2) accuracy testing (how often is it right?); but NOT (3) bias testing (does it discriminate?). Model validation and accuracy testing are technical questions. Bias testing is a regulatory question, and many carriers didn’t allocate resources to it.
Even carriers that did bias testing often didn’t document it. They ran analyses internally, saw no obvious correlation with race or gender, and called the algorithm fair. But when regulators ask “show me the testing,” these carriers can’t produce systematic documentation of bias testing protocols, sample sizes, statistical confidence intervals, or remediation steps taken when bias was detected.
That documentation gap is now the regulatory liability. Even if an algorithm is actually fair, the inability to prove it to regulators creates enforcement risk.
The specific areas of vulnerability:
Variable justification: Carriers must be able to prove that each variable in the underwriting algorithm is actuarially justified—it genuinely predicts risk difference. Credit score is heavily used in underwriting, but regulators are asking: does credit score predict insurance loss, or is it a demographic proxy? Some carriers can’t clearly separate the two.
Disparate impact testing: Carriers must test whether the algorithm produces systematically worse outcomes for protected classes. This requires demographic data on applicants and systematic analysis of approval rates, premium levels, and claim outcomes by demographic group. Many carriers haven’t done this. They assume the algorithm is fair because they didn’t build discrimination into the logic, but that is not enough to satisfy regulators.
Vendor algorithm risk: Some carriers use third-party AI underwriting vendors. Carriers are responsible for ensuring those vendor algorithms are non-discriminatory, but many carriers haven’t required vendors to provide bias testing documentation. Regulators now ask: did you require your vendors to test for bias? Many carriers answer: no, we didn’t think to ask.
Algorithmic drift: Algorithms change over time as they’re retrained on new data. A 2023 version of an underwriting algorithm might have been tested for fairness; the 2026 version, retrained on new data, might have drifted toward bias. Carriers need ongoing bias testing, not one-time validation.
Claims AI and Algorithmic Disclosure
Beyond underwriting, regulators are scrutinizing how carriers use AI in claims handling. States are asking: what percentage of claims are routed to automated claims handling? What percentage are adjudicated entirely by algorithm without human review? If a claim is denied by algorithm, can the insured appeal to a human?
Carriers deploying AI claims handlers (chatbots, decisioning systems) without human appeal mechanisms are now facing questions about whether they’re violating claims handling standards that require “prompt investigation” and “fair settlement” practices.
This is driving carriers to implement disclosure protocols: when an applicant or claimant interacts with a carrier’s AI system, they should know they’re interacting with AI (not a human) and should have the right to escalate to human review.
The governance requirement: document which claims are handled by algorithm, which get human review, what appeal mechanism exists, and how often humans override algorithmic decisions. This transparency is becoming standard.
The Insurance Cyber Coverage Implication
Here’s a secondary effect worth noting: carriers are starting to clarify coverage for “AI system failure” and “algorithmic error.” A carrier’s underwriting algorithm fails (produces systematically wrong quotes). Does the carrier’s cyber insurance cover the financial impact? What about business interruption from system outages?
Standard cyber policies don’t clearly cover algorithmic discrimination liability. If a carrier’s algorithm produces discriminatory outcomes and results in regulatory fines, is that covered under E&O insurance? Cyber insurance? General liability? These questions aren’t settled, and carriers are now shopping for coverage clarity.
This creates an emerging market: cyber coverage specifically for algorithmic errors, AI system failures, and algorithmic discrimination liability. Carriers using AI in critical decisions should be evaluating this coverage gap.
Building Algorithmic Accountability: The 2026 Framework
Carriers that move decisively in 2026 on algorithmic governance will outpace competitors in regulatory confidence. Here’s the framework:
Algorithm Inventory and Documentation: Document every AI system used in underwriting and claims. For each: variable list, decision logic, training data date, accuracy metrics, bias testing protocols, bias testing results, and date of last bias retest.
Bias Testing Protocol: Establish a systematic protocol for testing underwriting algorithms for racial, gender, and age correlation. Test annually or after material model updates. Use statistical methods to test for disparate impact (do approval rates or premiums differ significantly by demographic group?). Document results.
Variable Actuarial Justification: For each variable in the underwriting algorithm, document actuarial justification: why does this variable predict loss? What’s the correlation with actual claim history? Is this correlation independent of demographic correlation? If a variable correlates with race/gender primarily through demographic proxy, remove it or rebuild it to isolate risk signal from demographic signal.
Appeal Mechanism Transparency: Clearly disclose to applicants and claimants: (1) that algorithmic decisions are being made; (2) what mechanism exists to appeal or escalate; (3) that human review is available. This isn’t optional—it’s becoming regulatory standard.
Vendor Governance: Require third-party AI vendors to provide bias testing documentation. Don’t accept vendor assurances that “the algorithm is fair”; demand statistical evidence. Include algorithm audit rights in vendor contracts.
Board and Audit Committee Oversight: Ensure algorithmic governance is elevated to board/audit level. Annual reporting on algorithmic inventory, bias testing results, regulatory inquiries, and remediation actions. This signals to regulators that the carrier is serious about algorithmic accountability.
The Regulatory Acceleration Timeline
In 2026, the regulatory scrutiny is accelerating. We expect:
Q2-Q3 2026: More state DOI examinations of carrier algorithms. Formal inquiry letters to carriers lacking bias testing documentation.
Q4 2026: Possible NAIC (National Association of Insurance Commissioners) model regulation on algorithmic transparency and bias testing, driving multi-state guidance.
2027: Likely state-level algorithmic transparency laws (similar to California’s AI Transparency Act) specifically targeting insurance underwriting and pricing.
Carriers building algorithmic governance now—establishing bias testing protocols, documenting all testing results, elevating oversight to the board—will move smoothly through future examinations. Carriers without this framework will face enforcement risk.
AI Governance in Insurance Underwriting: The 2026 Regulatory Landscape
AI and algorithmic underwriting is legal in the United States and the EU, but it is now actively governed: insurers must test models for unfair discrimination, document a board-level governance framework, ensure explainability, and remain accountable for third-party vendor AI. As of 2026, 24 U.S. states have adopted the NAIC Model Bulletin on the Use of AI Systems by Insurers, Colorado enforces binding bias-testing rules under SB21-169, New York requires actuarial validity and discrimination analysis under Circular Letter No. 7, and the EU AI Act classifies AI used for life and health insurance pricing as “high-risk.”
| Framework / Regulation | Jurisdiction | What It Requires | Status (2026) |
|---|---|---|---|
| NAIC Model Bulletin on the Use of AI Systems by Insurers | United States (model adopted state-by-state) | A written AI Systems (AIS) program, board/senior-management accountability, testing for unfair discrimination, third-party vendor oversight, and documentation regulators can examine. | Guidance (non-statutory). Adopted by 24 states plus D.C. as of 2025; Alaska first (Feb 2024), Wisconsin most recent in that wave (Mar 2025). NAIC AI Systems Evaluation Tool in a 12-state pilot running March-September 2026. |
| SB21-169 and Regulation 10-1-1 (governance, risk management, and quantitative testing) | Colorado | Risk-based governance framework plus quantitative testing of external data, algorithms, and predictive models for unfair discrimination across protected classes; progress and annual compliance reporting. | Binding law. SB21-169 signed July 6, 2021. Life-insurer rule effective Nov 14, 2023; amended rule extending to private passenger auto and health plans effective Oct 15, 2025; auto/health testing rulemaking active in 2026. Faces litigation but remains in force. |
| Insurance Circular Letter No. 7 (2024) | New York (NYDFS) | Analysis of AI systems and external consumer data (ECDIS) for unfair/unlawful discrimination, demonstrated actuarial validity, a governance framework, transparency, and oversight of third-party vendors. | Final guidance, issued July 11, 2024. Applies to authorized insurers, Article 43 corporations, and HMOs using AI or ECDIS in underwriting or pricing. |
| EU Artificial Intelligence Act (Annex III, point 5(c)) | European Union | Classifies AI used for risk assessment and pricing in life and health insurance as “high-risk,” triggering risk management, data governance, human oversight, transparency, logging, and a Fundamental Rights Impact Assessment (FRIA). | In force. High-risk obligations apply from Aug 2, 2026; a May 2026 provisional agreement could postpone some Annex III obligations to Dec 2027 if formally adopted. |
| State adoption tracking (related AI guidance / regulation) | United States (additional states) | Insurer AI guidance or regulation addressing unfair discrimination and governance without adopting the NAIC bulletin text verbatim. | Active. The NAIC separately tracks states with their own AI-specific insurance guidance or rules beyond the 24 bulletin adopters. |
Core Governance Requirements for AI Underwriting
Across the NAIC bulletin, Colorado, New York, and the EU AI Act, the same four pillars recur. Insurers that build to these requirements are positioned to pass a market conduct examination regardless of which framework applies.
- Bias and unfair-discrimination testing. Insurers must quantitatively test models for disparate impact, including facially neutral data and models. The four-fifths rule (a disparate-impact ratio below 0.8 signals potential discrimination) is the common shorthand. Because modern models rarely include race or gender directly, testing focuses on the “proxy network” of correlated variables such as ZIP code, occupation, vehicle type, education, and credit-based attributes. The obligation applies even when the insurer does not believe discrimination is occurring.
- Explainability and transparency. Regulators expect insurers to explain how an AI system reaches an underwriting or pricing outcome, demonstrate the model’s actuarial validity, and provide appropriate disclosure to consumers and examiners. Opaque “black box” decisions that cannot be explained are a regulatory red flag.
- Third-party and vendor AI oversight. The carrier remains accountable for outputs of vendor-built models used in regulated decisions. That requires vendor due-diligence records, contracts preserving audit rights, documentation that the vendor model was validated for the insurer’s specific use case, and evidence of ongoing monitoring.
- Governance framework. A defensible program rests on a model inventory (every AI/predictive model cataloged with its function, data inputs, owner, vendor, and review cadence), a cross-functional oversight structure spanning actuarial, data science, underwriting, legal, and compliance, and accountability resting with senior management or a committee answerable to the board. A written AIS program with board acknowledgment is the documentation regulators ask for first.
Current 2026 Facts: Adoption and Enforcement
- 24 states plus the District of Columbia have adopted the NAIC Model Bulletin, covering roughly half the country; the NAIC maintains a live adoption map.
- The NAIC AI Systems Evaluation Tool moved from concept to practice in 2026: a pilot runs March through September 2026 across 12 states (CA, CO, CT, FL, IA, LA, MD, PA, RI, VT, VA, WI), embedding AI reviews into market conduct and financial examinations. It structures requests into four exhibits: AI usage inventory, governance framework, high-risk AI detail, and data sources and quality controls. Broader adoption is expected at the NAIC Fall National Meeting in November 2026.
- Colorado’s amended Regulation 10-1-1, effective October 15, 2025, extended the governance-and-testing framework beyond life insurers toward private passenger auto and health benefit plans, with the detailed testing rules for those lines in active rulemaking in 2026. The framework remains in force despite a pending legal challenge to state-level AI regulation.
- The EU AI Act’s high-risk obligations for life and health insurance pricing AI are scheduled to apply from August 2, 2026, though a provisional agreement reached in May 2026 could shift some Annex III deadlines to December 2027 if formally enacted.
- Enforcement is shifting from “do you have a policy” to “show your evidence.” Examiners increasingly want the disparate-impact ratio for each protected class, the composition of the test data that produced it, the proxy variables identified, the remediation history, and the date and methodology of the most recent retest.
Frequently Asked Questions
Is AI underwriting legal?
Yes. Using AI and algorithmic models in insurance underwriting and pricing is legal in both the United States and the European Union. It is, however, increasingly regulated: insurers must test models for unfair discrimination, maintain a documented governance framework, ensure decisions are explainable, and stay accountable for third-party vendor AI. In Colorado the requirements are binding law; in most other states and at the NAIC they take the form of guidance that examiners enforce through market conduct exams.
What is the NAIC AI Model Bulletin?
The NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers, first adopted by the NAIC in December 2023, sets regulator expectations for how insurers govern, develop, acquire, and use AI. It calls for a written AI Systems program, board or senior-management accountability, testing for unfair discrimination, oversight of third-party AI vendors, and documentation that regulators can review. As of 2026 it has been adopted by 24 states plus the District of Columbia, making it the de facto national baseline for AI governance in insurance.
Does the EU AI Act cover insurance?
Yes. Annex III, point 5(c) of the EU AI Act classifies AI systems used for “risk assessment and pricing in relation to natural persons in the case of life and health insurance” as high-risk. That triggers obligations including risk management, data governance, human oversight, transparency, record-keeping, and a Fundamental Rights Impact Assessment before deployment. The high-risk obligations are scheduled to apply from August 2, 2026, though a May 2026 provisional agreement could postpone some Annex III deadlines to December 2027.
How do insurers test AI for bias?
Insurers run quantitative disparate-impact testing on any model that affects eligibility or price. A common benchmark is the four-fifths rule: a disparate-impact ratio below 0.8 between a protected class and the reference group signals potential unfair discrimination. Because models rarely use race or gender directly, the testing concentrates on proxy variables such as ZIP code, occupation, education, vehicle type, and credit-based attributes that can correlate with protected characteristics. Insurers document the ratio for each protected class, the test data behind it, the proxies identified, and any remediation, then retest on a defined cadence.
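The four-fifths check and proxy screen described above, as an added example that is not part of the original article. The field names, the constructed applicant sample, the two-proportion z-test, Cramér's V as the association measure and the 0.3 proxy threshold are all assumptions made for illustration.

```python
import math
from collections import defaultdict

FOUR_FIFTHS = 0.8  # disparate-impact threshold named on the page

def disparate_impact(records, reference):
    """Per-group approval-rate ratio vs. the reference, with a z-test."""
    n, k = defaultdict(int), defaultdict(int)
    for r in records:
        n[r["group"]] += 1
        k[r["group"]] += r["approved"]
    ref_rate = k[reference] / n[reference]
    if ref_rate == 0:
        raise ValueError("reference group has no approvals; ratio undefined")
    report = {}
    for g in sorted(n):
        if g == reference:
            continue
        rate = k[g] / n[g]
        # Two-proportion z-test so a flag on a tiny sample is not over-read.
        pooled = (k[g] + k[reference]) / (n[g] + n[reference])
        se = math.sqrt(pooled * (1 - pooled) * (1 / n[g] + 1 / n[reference]))
        z = (rate - ref_rate) / se if se else 0.0
        report[g] = {
            "n": n[g],
            "ratio": round(rate / ref_rate, 3),
            "p_value": math.erfc(abs(z) / math.sqrt(2)),  # two-sided
            "flagged": rate / ref_rate < FOUR_FIFTHS,
        }
    return report

def cramers_v(records, feature):
    """Association (0 = none, 1 = perfect) between a feature and group."""
    table = defaultdict(lambda: defaultdict(int))
    for r in records:
        table[r[feature]][r["group"]] += 1
    levels = list(table)
    groups = sorted({r["group"] for r in records})
    total = len(records)
    row = {a: sum(table[a].values()) for a in levels}
    col = {g: sum(table[a][g] for a in levels) for g in groups}
    chi2 = sum((table[a][g] - row[a] * col[g] / total) ** 2
               / (row[a] * col[g] / total)
               for a in levels for g in groups)
    dof = min(len(levels), len(groups)) - 1
    return math.sqrt(chi2 / (total * dof)) if dof else 0.0

def screen_proxies(records, features, threshold=0.3):
    """Features tied to group membership; 0.3 is an illustrative cut-off."""
    scores = {f: round(cramers_v(records, f), 3) for f in features}
    return {f: v for f, v in scores.items() if v >= threshold}

def _cohort(group, size, approved, in_z1):
    # Constructed applicants: first `approved` approved, first `in_z1` in Z1.
    return [{"group": group, "approved": int(i < approved),
             "zip_band": "Z1" if i < in_z1 else "Z2",
             "vehicle": "sedan" if i % 2 == 0 else "suv"}
            for i in range(size)]

# Constructed data: A is the reference group, C is deliberately small.
SAMPLE = (_cohort("A", 200, 160, 180) + _cohort("B", 200, 112, 30)
          + _cohort("C", 10, 6, 5))

if __name__ == "__main__":
    print(disparate_impact(SAMPLE, "A"))
    print(screen_proxies(SAMPLE, ["zip_band", "vehicle"]))
```

In the constructed sample, group C trips the four-fifths flag at a ratio of 0.75, but with only 10 applicants the difference is not statistically significant, which is why the sample size and test method belong in the audit record alongside the ratio.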
What does Colorado’s SB21-169 require?
SB21-169, signed in 2021, protects Colorado consumers from insurance practices that produce unfair discrimination on the basis of race, color, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity, or gender expression. Its implementing rule, Regulation 10-1-1, requires insurers to build a risk-based governance and risk-management framework and to quantitatively test external data, algorithms, and predictive models for unfair discrimination, with progress and annual compliance reporting. It first applied to life insurers (effective November 2023) and, under an amended rule effective October 15, 2025, is being extended to private passenger auto and health benefit plans.
Who is accountable when a third-party AI vendor’s model discriminates?
The insurer. Under the NAIC bulletin, NYDFS Circular Letter No. 7, and Colorado’s rules, the carrier remains accountable for the outputs of vendor-built models used in regulated underwriting or pricing decisions. That means insurers must conduct vendor due diligence, secure contractual audit rights, document that the vendor model was validated for their specific use case, and maintain evidence of ongoing oversight. “The vendor built it” is not a defense in a market conduct examination.