AI Compliance for Insurance: Regulatory Requirements 2026
Insurance is one of the sectors most explicitly targeted by AI regulation. NAIC Model Bulletin guidance, EU AI Act high-risk classification for insurance AI, GDPR automated decision rules, and state-level insurance AI requirements create a dense compliance environment for underwriters, claims processors, and insurtechs.
Insurance AI Use Cases: Risk Classification
AI underwriting — auto, home, life
High-RiskKey concern: Proxy discrimination: AI models trained on ZIP code, credit score, or telematics may produce racially disparate underwriting decisions even without using protected characteristics directly.
AI claims processing and fraud detection
High-RiskKey concern: Automated claim denials are consequential decisions affecting policyholders' rights. Art.22 rights apply. US state unfair claims practices acts may require explanation of denial.
AI pricing and rating
High-RiskKey concern: Insurance pricing is heavily regulated at state level. AI-derived rates must be filed with and approved by state insurance departments. Many states require explainability for pricing factors.
AI chatbots for customer service
Limited RiskKey concern: EU AI Act requires disclosure that the user is interacting with an AI system. Insurance chatbots providing coverage advice may trigger licencing requirements in some states.
AI for financial crime / AML screening
High-RiskKey concern: AI-driven AML flags that lead to account termination or reporting to authorities have significant individual impact. Human review required before adverse action.
NAIC Model Bulletin: What US Insurers Must Implement
The National Association of Insurance Commissioners (NAIC) adopted its AI Model Bulletin in December 2023. While the Model Bulletin itself is not binding — individual states must adopt it — more than 15 states have issued guidance aligned with or directly incorporating the Model Bulletin as of 2026.
Insurers using AI/ML models in underwriting, rating, claims, or marketing must demonstrate models do not produce unfairly discriminatory results
Model risk management framework required: model inventory, validation, testing, and governance
Third-party vendor models are subject to the same oversight as internally developed models — "we bought it" is not a defence
Explainability: insurers should be able to explain at the individual level why AI decisions were made
Data governance: training data must be documented, validated, and tested for proxy discrimination
Ongoing monitoring: models must be monitored for drift and bias after deployment, not just at initial validation
State adoption status (2026)
Colorado (insurance-specific AI rules under SB 21-169 and SB 24-205), California (DOI bulletin 2023-8), Texas (TDI guidance 2024), New York (DFS circular letters), Illinois, and Washington state have all issued AI-specific insurance guidance. Check your state DOI for current status.
EU AI Act: Insurance Is Explicitly High-Risk
EU AI Act Annex III paragraph 5 includes AI systems used in insurance, specifically:
Annex III, para.5(b) — Insurance AI (High-Risk)
“AI systems intended to be used for the purpose of making or assisting in making decisions on the eligibility of natural persons for insurance and for establishing the price and conditions of insurance contracts with natural persons.”
For EU-facing insurance AI, full high-risk requirements apply from August 2, 2026:
Adverse Action Notice Requirements for AI-Driven Insurance Decisions
US Federal (ECOA / FCRA)
Adverse action notice required when credit is denied or insurance terms are made less favourable based on a consumer report or AI model. Must state the principal reasons (FCRA requires up to 4 specific reasons).
Format
Written notice; specific factors listed; reference to right to obtain free credit report
EU (GDPR Art.22)
Right to meaningful information about the logic of solely automated decisions. Right to request human review. Right to contest the decision.
Format
Can be provided in privacy notice and on request; must be specific to the individual's case — generic AI description not sufficient
State insurance regulations (US)
Most states require notice to policyholders when adverse underwriting actions are taken. AI-driven decisions must be explainable under unfair trade practices standards.
Format
State-specific; check state DOI guidance for AI-specific notice requirements
DORA and AI: Digital Operational Resilience for Insurers
EU insurers are also subject to DORA (Digital Operational Resilience Act), which came into force in January 2025. DORA applies to insurers under Solvency II — including insurtechs operating in the EU.
ICT risk management
AI systems are ICT systems under DORA. Insurers must include AI in their ICT risk framework, covering availability, integrity, and confidentiality of AI-driven insurance systems.
Third-party ICT providers
AI vendors providing AI-as-a-service to insurers qualify as "critical ICT third-party service providers" if the insurer is materially dependent on them. DORA requires contractual provisions and exit strategies.
ICT incident reporting
Major AI incidents (e.g., widespread model failure causing incorrect claims processing) qualify as major ICT incidents under DORA — reportable to supervisory authorities.
Digital resilience testing
DORA requires penetration testing and resilience testing. For AI-driven insurance systems, this includes adversarial testing for model manipulation and data poisoning attacks.
Map Your Insurance AI Obligations
ComplianceIQ identifies which insurance AI regulations apply to your jurisdiction and use case — with compliance task lists and evidence collection for NAIC, EU AI Act, and GDPR.
Run a Free Risk Assessment