Nearly Half of States Have Now Adopted NAIC Model Bulletin on Insurers’ Use of AI

As of March 2025, 24 states have adopted the National Association of Insurance Commissioners (NAIC) Model Bulletin on the Use of Artificial Intelligence (AI) Systems by insurers with little to no material changes. As we predicted, almost a majority of states have adopted the Model Bulletin since the NAIC adopted it in December 2023. With nearly a majority of Insurance Commissioners adopting the AI standards, insurers throughout the country should be prepared to meet the NAIC Model Bulletin’s standards as best practice, including implementing a formalized, written AI program that addresses governance, consumer notice, risk management and internal controls, vendor management, and responding to regulatory inquiries.

In March, the Wisconsin Office of the Commissioner of Insurance (WI OCI) became the latest state to adopt the NAIC Model Bulletin without material change. WI OCI highlighted its expectations for development, acquisition, and use of AI technologies throughout all stages of the insurance life cycle, including product development, marketing, sales and distribution, underwiring and pricing, policy servicing, claim management, and fraud detection. Expectations include compliance with applicable insurance laws and regulations, including laws addressing unfair trade practices and unfair discrimination. WI OCI also outlined the type of information and documentation it will expect during an investigation or examination of an insurer. Like other states, WI OCI’s bulletin is meant to promote compliance with state insurance laws and regulations.

What Does the Model Bulletin Require?

The NAIC model bulletin is prescriptive and outlines principles that are becoming best practice in developing AI law and industry guidance, including:

• Written AI program required

Insurers must develop, implement, and maintain a written program for responsible use of AI systems that make or support decisions related to regulated insurance practices, including mitigating adverse consumer outcomes and addressing governance, risk management, and internal audit functions.

Robust governance, risk management controls, internal audit functions, and written policies and procedures are core elements of an AI governance program in mitigating risk and managing oversight at each stage of an AI system’s lifecycle.

• Clear governance framework driven by transparency, fairness, and accountability

Insurers should have a clear governance accountability structure comprised of representatives from appropriate disciplines and units (e.g., business units, product specialists, actuarial, data science and analytics, underwriting, claims, compliance, and legal), each with scope of responsibility and authority, chains of command, and decisional hierarchies.

• Consumer notice

Consumers should receive notice that AI systems are in use and should have access to appropriate levels of information based on the phase of the insurance life cycle in which the AI systems are deployed.

• Risk management and internal controls

Controls and processes in the AI program should be reflective of, and commensurate with, insurers’ assessment of the degree and nature of risk posed to consumers by the AI systems considering: (1) the nature of the decisions being made, informed, or supported using the AI system; (2) the type and degree of potential harm to consumers resulting from the use of AI systems; (3) the extent to which humans are involved in the final decision-making process; (4) the transparency and explainability of outcomes to the impacted consumer; and (5) the extent and scope of the insurer’s use or reliance on data, predictive models, and AI systems from third parties.

Controls should address: (1) oversight and approval process for development, adoption, or acquisition of AI systems and identification of considerations and controls; (2) data practices and accountability, including data currency, lineage, quality, integrity, bias, minimization, and suitability; (3) validating, testing, and retesting to assess generalization of outputs upon implementation; (4) privacy of non-public information; and (5) data and record retention.

• Third-party vendor management

Insurers are responsible for vendor diligence including processes to assess acquiring, using, and relying on: (1) third-party data to develop AI systems and (2) AI systems developed by third parties. Insurers should implement contract terms in third-party agreements allowing audit rights and requiring cooperating with regulatory inquiries when appropriate. Regulators may request information on insurers’ vendor diligence as part of regulatory oversight.

• Prepare for regulatory inquiry about AI program

The model bulletin notes that insurers may be asked – including document production – about development and use of AI, including governance, risk management, and internal controls in the context of an investigation or market conduct action.

What States Have Adopted the Model Bulletin?

As of writing, the following states have adopted the NAIC Model Bulletin in full or without material customization:

• Alaska, adopted February 1, 2024
• Arkansas, adopted July 31, 2024
• Connecticut, adopted February 26, 2024
• Delaware, adopted February 5, 2025
• District of Columbia, adopted May 21, 2024
• Illinois, adopted March 13, 2024
• Iowa, adopted November 7, 2024
• Kentucky, adopted April 16, 2024
• Maryland, adopted April 22, 2024
• Massachusetts, adopted December 9, 2024
• Michigan, adopted August 7, 2024
• Nebraska, adopted February 23, 2024
• Nevada, adopted February 23,
• New Hampshire, adopted February 20, 2024
• New Jersey, adopted February 11, 2025
• North Carolina, adopted December 18, 2024
• Oklahoma, adopted November 14, 2024
• Pennsylvania, adopted April 6, 2024
• Rhode Island, adopted March 15, 2025
• Vermont, adopted March 12, 2024
• Virginia, adopted July 22, 2024
• Washington, adopted April 22, 2024
• West Virginia, adopted August 9, 2024
• Wisconsin, adopted March 18, 2025

In addition to the NAIC Model Bulletin, certain states have adopted legislation and targeted guidance regarding insurers’ use of AI, including addressing bias and discrimination, vendor management, board and management oversight, data accuracy (including in rating, underwiring, and claims handling), and documentation. Insurance commissioners are joining the health care industry as the first U.S. industries to issue specific, prescriptive requirements for operationalizing AI in business processes.

Insurers operating in any of these states should prioritize developing a written AI program that addresses Model Bulletin requirements as well as FTC guidance and applicable state law, including insurance regulation as well data privacy laws in any of the 21 states with comprehensive privacy laws or consumer health privacy laws.

Quarles is continuing to track adoption of the NAIC Model Bulletin and AI legislation generally. While it is being adopted in a near majority of states, remember that certain states have existing AI regulatory approaches in place pre-bulletin. Insurers operating in multiple states should be prepared for varying requirements, and all insurers should be prepared for evolving requirements as AI laws and regulations continue to develop.

To join our AI email list, sign up here. For inquiries about developing an AI governance program or the specific requirements under your state insurance requirements, please contact your Quarles AI attorney or:

• Meghan O'Connor: 414-277-5423 / meghan.oconnor@quarles.com