FurtherAI Team
Published on June 11, 2026

AI governance in insurance is the set of policies, controls, and accountability structures that make sure your use of artificial intelligence (AI) is fair, transparent, compliant, and auditable across underwriting, pricing, claims, fraud detection, and marketing. For executives and technology leaders, it has moved from a nice-to-have to a board-level obligation. Nearly half of U.S. states have adopted the National Association of Insurance Commissioners (NAIC) AI Model Bulletin, Colorado and New York have binding rules, and the European Union's AI Act classifies certain insurance AI, including life and health risk assessment and pricing, as high-risk.

This guide explains what AI governance means in an insurance context, why it matters to the business and to your technology organization, the regulations you have to meet in 2026, and how to build a framework that satisfies regulators without slowing your teams down.

Key takeaways

  • AI governance is effectively mandatory. Nearly half of U.S. states follow the NAIC AI Model Bulletin, and Colorado, New York, and the EU impose binding requirements with hard deadlines.
  • Adoption is already widespread. In the NAIC's private passenger auto survey, 88% of responding insurers said they use, plan to use, or plan to explore AI or machine learning. 
  • You own the outcomes of vendor models. In that same survey, about 40% of models came from more than 70 third-party vendors, yet the carrier remains accountable for every regulated decision.
  • A defensible program rests on five pillars: a model inventory, a cross-functional oversight structure, bias and fairness testing, transparency and explainability, and continuous monitoring with audit trails.

What is AI governance in insurance?

AI governance in insurance is the discipline of managing how AI and predictive models are built, deployed, monitored, and documented so that every AI-influenced decision can be explained, justified, and defended to a regulator, a board, or a policyholder.

It reaches further than model risk management and further than IT security. It covers the full lifecycle of every system that touches a regulated decision: how training data is sourced and validated, how models are tested for bias, who is accountable for outcomes, how human reviewers stay in the loop, and how you prove all of this after the fact. The obligation applies whether you built the model in-house or bought it. Outsourcing the AI doesn't outsource the compliance.

Our Insurance Product Lead, Danny O’Lenic, says one of the most important questions to consider is this:

“Is governance foundational — audit trails, explainability, editability — or bolted on? Insurance is a regulated industry and you don't want to find out the answers during the first audit.” Danny O’Lenic, Insurance Product Lead at FurtherAI

The stakes are high because AI now sits inside decisions that are already heavily regulated: who gets coverage, at what price, and whether a claim gets paid. A flawed model isn't a technical defect. It can become unfair discrimination, a market-conduct finding, and reputational damage at the same time.

Why AI governance matters to the C-suite and IT

For executives and technology leaders, AI governance sits at the intersection of regulatory risk, operational scale, and credibility with regulators and partners. Three forces have pushed it onto the board agenda in 2026.

Regulatory exposure is concrete. A regulatory inquiry into an AI-assisted decision can take weeks to reconstruct if you're piecing together screenshots and email threads after the fact. Regulators increasingly expect a documented, board-acknowledged AI program and can ask for evidence of it during a market-conduct examination.

AI doesn't scale without governance. Adoption is already broad. In the NAIC's private passenger auto survey, 88% of responding insurers reported they use, plan to use, or plan to explore AI or machine learning, with claims and fraud detection leading the way. Moving from a handful of pilots to production across teams takes controls that leadership and compliance can trust.

Governance is a trust asset. An insurer that can demonstrate fair, explainable, well-governed AI earns faster yeses from regulators, reinsurers, and distribution partners. That's why the teams that get AI into permanent production treat governance as infrastructure from day one.

For technology and data leaders, governance defines the architecture: where models run, how data moves between systems like your policy administration platform, what gets logged automatically, and how access is controlled at the workflow level. Retrofitting these controls after deployment costs far more than designing them in.

"As AI adoption accelerates, agents will own the work while humans will own the judgment — the underwriter shifts from doing the busywork to managing a team of agents. That only works with governance underneath it: every output traces to source language, every action is logged, every workflow has human checkpoints. It's also how you catch bias — expert review surfaces skewed patterns before they compound across a book."  — Danny O’Lenic, Insurance Product Lead at FurtherAI

What regulations govern AI use in insurance?

There's no single federal AI insurance law in the United States. Instead, you face a layered landscape: an influential model framework from the NAIC, binding state rules led by Colorado and New York, and the EU AI Act for anyone operating in Europe. The table below summarizes the regimes that matter most in 2026.

| Regime | Who It Covers | Core Requirement | Status / Key Date |
|---|---|---|---|
| NAIC AI Model Bulletin | Insurers in adopting states | Governance program covering transparency, fairness, accountability, and risk management | Adopted by nearly half of U.S. states; AI Systems Evaluation Tool piloted across 12 states in 2026 |
| Colorado SB21-169 (Reg 10-1-1) | Life, auto, and health insurers | Risk-based governance framework plus quantitative testing for unfair discrimination | Amended regulation effective October 15, 2025 |
| NYDFS Circular Letter No. 7 | Insurers authorized in New York | Discrimination analysis, actuarial validity, and a governance framework for AI and external data | Adopted July 11, 2024 |
| EU AI Act | Insurers operating in the EU | Risk management, data governance, documentation, logging, human oversight, and monitoring for high-risk AI | High-risk obligations apply August 2, 2026 under current law |

The NAIC AI Model Bulletin

The NAIC released its Model Bulletin on the Use of Artificial Intelligence Systems by Insurers in December 2023. It's principles-based, organized around transparency, fairness, accountability, and risk management, and it reminds insurers that any decision supported by AI must comply with existing insurance laws, including unfair trade practice and unfair discrimination statutes. 

As of 2026, nearly half of U.S. states (roughly 30) have adopted the bulletin or substantially similar guidance. The bulletin also details the information a department of insurance may request during an investigation or examination, which works as a useful checklist of what your governance program should be able to produce on demand.

The biggest 2026 development is the NAIC AI Systems Evaluation Tool, a standardized framework that gives examiners a consistent way to review insurer AI governance programs. It's running as a multistate pilot across 12 states through much of 2026, and in March 2026 the NAIC published an issue brief setting out its position on AI regulation. The direction is clear: principles are hardening into examinable expectations.

Colorado SB21-169: The strictest U.S. regime

Colorado remains the state that matters most for insurance AI. SB21-169 prohibits insurers from using external consumer data and information sources (ECDIS), and the algorithms and predictive models built on them, in ways that result in unfair discrimination based on protected characteristics such as race, color, national origin, religion, sex, sexual orientation, disability, and gender identity.

The implementing regulation first required life insurers to stand up a risk-based governance framework and to quantitatively test models for disparate impact. An amended regulation effective October 15, 2025 extends that framework toward private passenger auto and health benefit plans. Colorado matters because it doesn't stop at principles; it requires documented governance and statistical bias testing, and expects you to prove the absence of unfair discrimination.

A separate Colorado development is worth watching. In May 2026, the state repealed its broad Colorado Artificial Intelligence Act before it took effect and replaced it with the narrower Automated Decision-Making Technology Act (ADMTA), which takes effect January 1, 2027 pending the attorney general's rulemaking. The ADMTA lists insurance among its covered domains and centers on transparency and adverse-outcome disclosures rather than discrimination obligations. It doesn't replace SB21-169, so Colorado insurers should plan for both the existing anti-discrimination rules and the coming transparency layer.

New York and other states

On July 11, 2024, the New York Department of Financial Services adopted Insurance Circular Letter No. 7, setting expectations for how insurers use AI systems and external consumer data in underwriting and pricing. It calls for analysis of unfair or unlawful discrimination, demonstration of actuarial validity, and a governance framework for oversight of outcomes.

The broader direction of state AI regulation is being actively contested. Some states are moving from the NAIC bulletin toward Colorado- and New York-style requirements, while others are scaling back amid industry and federal pushback, including, according to Skadden, a December 2025 federal executive order targeting state AI laws. Rather than assume one trajectory, track the specific states you operate in.

The EU AI Act

Any insurer operating in the EU faces the AI Act. Systems used for risk assessment and pricing in life and health insurance are classified as high-risk under Annex III, which triggers the Act's most demanding obligations: risk management, data governance, technical documentation, logging, human oversight, transparency, and post-market monitoring.

Under current law, the core high-risk obligations apply from August 2, 2026, though proposed changes could shift some deadlines later if formally adopted. One obligation is already in force: the AI literacy requirement, which means underwriters, claims handlers, compliance staff, and senior managers need to understand how their AI systems work. Even U.S.-only insurers should track the Act, because it's shaping global expectations for responsible insurance AI.

How to build an AI governance framework for an insurance company

A defensible framework answers the question every regulator and board ultimately asks: how do you know your AI is fair, and can you prove it? These five components form the backbone.

  1. Build and maintain a model inventory. Catalog every AI and predictive model in production, capturing its function, data inputs, the decision it supports, the business unit accountable, the vendor if it's third-party, and the review cadence. You can't govern or defend a model you don't know exists. Shadow AI adopted by individual teams is one of the most common gaps technology leaders find.
  2. Establish a cross-functional governance structure. Regulators expect a documented, board-acknowledged program with clear accountability. The most effective approach is a committee spanning actuarial, data science, underwriting, claims, legal, compliance, and IT. That mix keeps governance from living entirely in IT, where it lacks regulatory context, or entirely in compliance, where it lacks technical depth.
  3. Test for bias and fairness, and document it. Models can encode historical bias or drift into discriminatory patterns over time. Build in automated bias checks plus periodic, statistically rigorous fairness testing for any model that influences eligibility or price. Colorado already makes quantitative disparate-impact testing effectively mandatory, so treat that as the emerging baseline. Testing you can't evidence is testing that didn't happen as far as an examiner is concerned.
  4. Ensure transparency, explainability, and human oversight. Every AI-influenced decision that affects a policyholder should be explainable in plain terms, and contested or high-stakes decisions need a documented human-review path. "The model decided" won't satisfy a regulator or a denied claimant. For technology leaders, that means choosing tooling where the reasoning can be surfaced and designing workflows where people can review, override, and record their decisions.
  5. Monitor continuously and keep an audit trail. Governance is an ongoing process, not a one-time certification. Monitor models for performance degradation and drift, and log retraining events, recalibrations, and version changes. The most valuable governance asset is an automatic, timestamped decision trail that captures every AI action and every human-in-the-loop decision, tied to the specific workflow, so an audit response is already organized rather than reconstructed.

This is where governance and operational performance reinforce each other. One reinsurer using FurtherAI for underwriting audit cut audit time 45%, from 200 hours to 110 hours per MGA, while strengthening compliance and decision quality. On the claims side, a FurtherAI claim intake deployment reached 90% automation with $360,000 in savings and 10x faster processing, with the decision trail captured automatically as work runs. The governance layer and the throughput gains come from the same disciplined workflow design.

If you want to see what this governance layer looks like running inside live underwriting and claims workflows, with admin controls, workflow-level access, and automatic decision-trail logging, our companion piece goes deep: AI Governance for Insurance: Why It Can't Be an Afterthought.

Common AI governance pitfalls to avoid

The failure modes are predictable. Treating governance as a static document, so the policy exists but the controls never run. Assuming a vendor's model is the vendor's compliance problem, when the carrier owns the outcome. Concentrating governance in a single function instead of making it cross-functional. Deferring bias testing because it's hard. And bolting controls on after deployment, which costs more and works less reliably than designing them in from the start. The insurers that sidestep these don't move slower. They're the ones whose AI programs survive contact with a regulator and keep scaling.

Frequently asked questions

Is AI governance legally required for insurers?

There's no single federal mandate, but it's effectively required. Nearly half of U.S. states follow the NAIC AI Model Bulletin, which sets governance expectations and details what regulators may request in an exam. Colorado and New York impose binding rules, and the EU AI Act mandates extensive governance for high-risk insurance AI. An insurer using AI in regulated decisions without a documented program is exposed.

What's the difference between AI governance and model risk management?

Model risk management focuses on whether a model performs accurately and reliably. AI governance is broader. It adds fairness, transparency, accountability, data provenance, human oversight, vendor management, and regulatory auditability across the full lifecycle. Strong model risk management is necessary for AI governance, but on its own it doesn't satisfy what regulators now expect from insurers.

Who should own AI governance inside an insurer?

No single function should own it alone. The most defensible model is a cross-functional committee spanning actuarial, data science, underwriting, claims, legal, compliance, and IT, with board-level acknowledgment and a named executive sponsor. Technology and data leaders own the architecture and logging, compliance and legal own regulatory interpretation, and the business owns the outcomes.

How do we govern AI models we bought rather than built?

The carrier stays accountable for the outputs of vendor models used in regulated decisions. In the NAIC auto survey, about 40% of models came from more than 70 third-party vendors. Maintain vendor due-diligence records, contract terms that preserve audit rights, documentation of how the vendor model was validated for your use case, and evidence of ongoing oversight, because regulators will ask for all of them.

Does AI governance slow down underwriting and claims?

Treated as an afterthought, governance feels like friction. Designed as infrastructure, with automatic logging, clear access controls, and pre-approved model use, it removes friction by letting leadership and compliance trust the system enough to expand it. The genuinely slow path is the one where a single audit or bad outcome freezes the entire program.

What's the first step toward AI governance maturity?

Start with a complete model inventory. You can't test, monitor, or defend models you haven't catalogued, and the inventory surfaces shadow AI that teams adopted without oversight. Once you know what's running, where, and who owns it, you can layer on bias testing, explainability, human review, and audit trails in priority order.

REFERENCES

Colorado Division of Insurance. "SB21-169 – Protecting Consumers from Unfair Discrimination in Insurance Practices." Colorado Department of Regulatory Agencies. doi.colorado.gov

European Commission. "Regulatory Framework on Artificial Intelligence." Shaping Europe's Digital Future. digital-strategy.ec.europa.eu

European Commission. "Annex III: High-Risk AI Systems." AI Act Service Desk. ai-act-service-desk.ec.europa.eu 

Eversheds Sutherland. "NAIC Survey Finds That Overwhelming Majority of Private Passenger Auto Insurers Use or Plan to Use Artificial Intelligence/Machine Learning." Eversheds Sutherland. eversheds-sutherland.com

FurtherAI. "Claims Processing." FurtherAI. furtherai.com

FurtherAI. "Underwriting Audit." FurtherAI. furtherai.com

National Association of Insurance Commissioners. "Artificial Intelligence." NAIC. content.naic.org

National Association of Insurance Commissioners. "Artificial Intelligence and State Insurance Regulation." NAIC. content.naic.org

National Association of Insurance Commissioners. "Use of Artificial Intelligence Systems by Insurers (Model Bulletin)." NAIC. content.naic.org

New York State Department of Financial Services. "Insurance Circular Letter No. 7 (2024): Use of Artificial Intelligence Systems and External Consumer Data and Information Sources in Insurance Underwriting and Pricing." NYDFS. dfs.ny.gov

Plante Moran. "How the NAIC AI Model Bulletin Is Evolving and Why Insurers Should Prepare Now." Plante Moran. plantemoran.com

Quarles & Brady LLP. "Nearly Half of States Have Now Adopted NAIC Model Bulletin on Insurers' Use of AI." Quarles. quarles.com

Skadden, Arps, Slate, Meagher & Flom LLP. "Colorado Repeals and Replaces Its AI Act." Skadden. skadden.com

DISCLAIMER 

This article is for general informational purposes only and does not constitute legal, regulatory, compliance, underwriting, or other professional advice. The content reflects information available as of the date of publication, and FurtherAI undertakes no obligation to update it as laws, regulations, or AI technologies evolve. 
