NAIC Model Bulletin: what insurers must prove in 2026
In December 2023 the National Association of Insurance Commissioners adopted its Model Bulletin on the Use of Artificial Intelligence Systems by Insurers. By mid-2026 a substantial majority of states have issued it — most verbatim, some with edits. If you write regulated business in those states, the Bulletin is the clearest statement yet of what your AI governance has to look like, and market-conduct examiners are beginning to ask for the artifacts it describes.
The single most important thing to understand about the Bulletin is what it is not. It is not a new statute, and it does not create a private right of action. It is regulatory guidance that maps existing legal authority — principally each state's Unfair Trade Practices Act (modeled on NAIC Model #880) and Unfair Claims Settlement Practices Act (Model #900) — onto decisions that are now made, in whole or in part, by AI systems. The Bulletin's own framing is blunt: outcomes produced by an AI system are subject to the same legal standards as any other insurer decision. Using a model does not dilute the duty; it raises the evidentiary bar for showing you met it.
The AIS Program is the load-bearing requirement
The Bulletin's central expectation is that each insurer maintain a written Artificial Intelligence Systems (AIS) Program governing the development, acquisition, and use of AI across the insurance lifecycle. The Program is expected to be proportionate to risk — a model that triages low-dollar first-notice-of-loss does not need the same controls as one that drives underwriting eligibility or claims denial — but the structural elements are consistent. An examiner reading your AIS Program will look for several things.
- Governance and accountability: named senior individuals responsible for the AIS Program, board or committee oversight, and a clear escalation path.
- A risk-management framework covering the full lifecycle — design, data, training, validation, deployment, ongoing monitoring, and decommissioning — with the Bulletin explicitly referencing the NIST AI Risk Management Framework and the NAIC AI Principles as touchstones.
- An inventory of AI systems that captures purpose, the decisions each system informs, and a risk classification.
- Testing and validation evidence, including analysis directed specifically at unfair discrimination against protected classes.
- Third-party and vendor management, because the Bulletin makes the insurer responsible for AI it acquires from third parties, not just AI it builds.
Why "we bought it from a vendor" is not a defense
Section 4 of the Bulletin addresses third-party AI directly: insurers are expected to establish standards, conduct due diligence, and maintain oversight of AI systems and data acquired from third parties, including the right to audit or to obtain audit reports. A regulator's position is that you cannot outsource accountability for an adverse decision to your model vendor. If a rating or denial decision is challenged, the burden of producing the governance and testing record falls on the insurer of record.
Unfair discrimination is the sharp edge
The Bulletin repeatedly returns to a single substantive concern: that AI systems must not produce unfair discrimination, including proxy discrimination, where a facially neutral variable correlates with a protected characteristic and reproduces a prohibited disparity. This is where abstract governance language becomes a concrete measurement problem. "We do not use prohibited variables" is not a sufficient answer, because the entire point of proxy discrimination is that prohibited disparities can emerge from permitted inputs. The defensible posture is to measure outcomes across protected classes on an ongoing basis and to retain the results.
The metrics regulators and plaintiffs reach for are well established. The disparate-impact ratio — the selection rate for a protected group divided by the rate for the most-favored group, evaluated against the four-fifths (80%) rule of thumb from the EEOC's Uniform Guidelines on Employee Selection Procedures (29 CFR Part 1607) — is the most widely cited screen, and although it originates in employment law, it is the lingua franca regulators apply to algorithmic fairness generally. Statistical-parity difference and equal-opportunity difference add nuance, and a chi-squared test indicates whether an observed disparity is statistically significant rather than sampling noise. For health-benefit decisions specifically, ACA Section 1557 (45 CFR Part 92), as amended by the 2024 final rule, prohibits discrimination through patient-care decision-support tools and obligates covered entities to make reasonable efforts to identify and mitigate discrimination risk — which means a payer running utilization-management AI needs the same fairness evidence the NAIC Bulletin contemplates, under a second independent authority.
What an examiner actually asks for
When the Bulletin moves from principle to practice, it does so through the lens of the market-conduct examination. Section 5 puts insurers on notice that regulators may request information about the AIS Program and the specific systems used in a transaction under review. In practice that translates to a fairly predictable document request.
- 1The written AIS Program and its governance structure, including who owns it.
- 2The inventory entry for the specific model implicated in the matter under exam — purpose, version, training-data lineage, and risk tier.
- 3Pre-deployment validation and bias-testing results for that model, plus the ongoing monitoring record since deployment.
- 4Evidence of third-party due diligence where the model or data was acquired externally.
- 5For an adverse decision, the record showing how the decision was made and reviewed, including any human oversight.
The through-line is that none of this can be reconstructed after the request arrives. A bias analysis run for the first time in response to an exam invites the question of what you were measuring during the eighteen months the model was live. The Bulletin's implicit standard is contemporaneous evidence — governance, testing, and monitoring records created in the ordinary course and retained, not assembled under deadline.
Documentation, retention, and the lifecycle the Bulletin assumes
The Bulletin frames AI governance as a lifecycle obligation, not a point-in-time approval. Its risk-management expectations track a system from data sourcing through development, validation, deployment, ongoing monitoring, updating, and retirement — and at each stage it presumes a documentary record exists. That presumption is where many programs are thinnest. A model that was validated thoroughly at launch but has been silently retrained twice since, with no record of what changed or how the new version was re-tested, fails the lifecycle standard even though its launch documentation is excellent. The artifacts the Bulletin contemplates accumulate over time: a versioned model record, a re-validation note each time the model materially changes, and a monitoring trail that runs continuously rather than in annual bursts.
Retention is the quiet corollary. The Bulletin does not itself set a numeric retention period, but it operates against the backdrop of state record-retention rules and the practical reality of market-conduct exam cycles, which routinely look back several years. The defensible planning posture is that AI governance records — the AIS Program and its revisions, model inventory entries, validation and bias-testing results, monitoring output, and the decision-level record for adverse actions — are retained for a horizon that comfortably spans an exam look-back, with the integrity of those records demonstrable rather than asserted. An examiner who is handed a monitoring report has a reasonable next question: how do I know this wasn't generated last week? A record whose tamper-evidence can be shown answers that question before it is asked.
The consumer-recourse thread
Running underneath the Bulletin is the NAIC's broader work on consumer protection in AI — including transparency about the use of AI in decisions and the consumer's ability to seek review. Where AI contributes to an adverse decision affecting a consumer, the insurer should be able to explain the decision in terms the consumer can understand and to support a human review of it. This connects the governance record to a member-facing obligation: the same decision-level evidence that satisfies an examiner also has to be legible enough to underpin an individualized explanation and a meaningful appeal.
How Pratvi helps
Pratvi AI is built to produce exactly the artifacts a market-conduct examiner requests under the Model Bulletin. The AI Model Inventory maintains the system-of-record the Bulletin's inventory expectation calls for — purpose, ownership, lifecycle state, risk classification, version history, and dependency lineage per model — so the lifecycle and re-validation trail accumulates in one place rather than scattered across teams. The Bias & Fairness Monitor measures disparate-impact ratio against the four-fifths rule, statistical-parity and equal-opportunity differences, and chi-squared significance continuously, so the protected-class analysis exists as a contemporaneous record rather than a fire drill. The Compliance Engine maps each model to the Bulletin's governance, testing, and third-party-oversight obligations and surfaces gaps. And the Immutable Audit Trail hash-chains the decision and human-override record with configurable retention, so the evidence you hand an examiner is tamper-evident, retained across the exam look-back, and tied to the specific transaction under review.
This article is educational and does not constitute legal advice. Regulatory requirements change and apply differently by jurisdiction and facts — confirm specifics with qualified counsel. References to Pratvi AI modules describe platform capability and do not imply certification.