Your state regulator already has an AI bulletin. Most carriers are not ready.
The NAIC Model Bulletin on the Use of AI Systems by Insurers has been adopted by more than 20 states. Colorado, New York, and Connecticut have layered in carrier-specific rules. AI governance is now a market-conduct exam item.
State and model regulations now in force
Each item below is already in force or has a confirmed enforcement date. Sources are named so your compliance team can verify in minutes.
NAIC Model Bulletin on Use of AI Systems by Insurers
Sets governance, risk-management, and third-party oversight expectations for AI use in underwriting, pricing, marketing, and claims. Adopted by 20+ states.
Source: NAIC adopted December 4, 2023; state adoptions ongoing
Colorado Reg 10-1-1 (Algorithm and Predictive Model Governance)
Requires life insurers to establish governance and risk-management for use of external consumer data and algorithms; testing for unfair discrimination.
Source: Colorado Division of Insurance Reg 10-1-1 (effective Nov 14, 2023)
NYDFS Insurance Circular Letter No. 7 (2024)
Governance, risk management, and disclosure expectations for insurer use of external consumer data and AI systems in NY.
Source: NYDFS Insurance Circular Letter No. 7 (July 11, 2024)
EU AI Act — High-Risk: Life & Health Insurance Pricing
Annex III lists risk assessment and pricing for life and health insurance as high-risk; obligations apply from August 2, 2026.
Source: EU AI Act, Annex III
These dates are not theoretical
Two enforcement deadlines have already passed. The next major one, the EU AI Act high-risk obligations, is listed below.
The Regulatory Clock Is Running
Two EU AI Act deadlines have already passed. The next — August 2, 2026 — applies to High-Risk AI across healthcare, finance, HR, education, and insurance. Full enforcement begins that date.
Source: European Commission AI Act Service Desk
Next Enforcement Deadline
2 August 2026 — High-Risk AI Full Compliance
2 February 2025
Passed: Prohibited AI practices banned + AI Literacy (Article 4) obligations began.
If you have not acted, you are already non-compliant.
2 August 2025
Passed: GPAI model obligations + governance infrastructure required.
If you have not acted, you are already non-compliant.
2 August 2026
Next: High-Risk AI systems (Annex III) must be fully compliant. Article 50 Transparency rules apply. Full enforcement begins.
2 August 2027
Upcoming: High-Risk AI embedded in regulated products (medical devices, aviation).
November 14, 2023
Colorado Reg 10-1-1 effective
Governance and testing obligations for life insurer use of external consumer data and algorithms.
Source: Colorado DOI Reg 10-1-1
December 4, 2023
NAIC Model Bulletin adopted
Triggered an ongoing wave of state adoptions; 20+ states have followed.
Source: NAIC plenary adoption
July 11, 2024
NYDFS Circular Letter No. 7 issued
Established NY-specific AI and external consumer data expectations for insurers.
Source: NYDFS Insurance Circular Letter No. 7
August 2, 2026
EU AI Act high-risk insurance AI
Life and health insurance pricing AI must meet documentation, oversight, and accuracy obligations.
Source: EU AI Act, Article 113
The cost of getting this wrong is no longer theoretical
Real cases. Named parties. Public records. These are the precedents your board, your auditors, and your insurer will reference.
EU AI Act maximum penalty
€35M or 7% of global annual turnover
Top tier for prohibited AI; €15M / 3% for high-risk obligation breaches — including life/health pricing models.
Source: EU AI Act, Article 99
Cigna AI claims-denial litigation
Multi-jurisdiction class actions ongoing
Class actions allege algorithmic batch-denial of claims violated Cal. Insurance Code and ERISA — illustrating the personal-injury exposure of AI in claims.
Source: Kisting-Leung v. Cigna, 2:23-cv-01477 (E.D. Cal. 2023)
Market conduct exam findings (NAIC framework)
State-by-state penalties + remediation orders
Insurers without documented AI governance face market conduct findings; remediation costs typically exceed avoided governance investment by 5-10x.
Source: NAIC Market Conduct Examiners Handbook
Mapped to the NIST AI Risk Management Framework
Every engagement is structured around the four NIST AI RMF Core functions. Your auditors and clients already recognize this language.
NIST AI RMF — Govern
Board-approved AI governance program; senior officer accountability; written program documents per NAIC bulletin.
NIST AI RMF — Map
AI inventory by line of business, decision type (UW, pricing, claims), and external data source.
NIST AI RMF — Measure
Unfair discrimination testing per Colorado Reg 10-1-1; accuracy and drift monitoring; model validation.
NIST AI RMF — Manage
Third-party AI risk management; consumer disclosure; complaint handling tied to AI decisions.
AI Governance & Compliance Studio
Two ways to start. One clear path forward.
Whether you need a fast read on your exposure or a deeper conversation about your governance strategy, NeuralEdge gives you a structured next step — never a sales pitch.
Free AI Readiness Snapshot
A 5-minute interactive self-assessment scored against the NIST AI RMF Core. See your readiness level immediately.
Get Your Free AI Readiness Snapshot
30-Minute Compliance Review
A working session with a NeuralEdge consultant. Bring your questions, leave with a clear action list.
Book a 30-Minute Compliance Review
Frequently asked questions
Has my state adopted the NAIC Model Bulletin?
Likely yes — over 20 states have adopted or substantially adopted it as of 2025. We map your AI use to the specific state versions that apply to you and surface the gaps in writing.
Does Colorado Reg 10-1-1 apply to non-life lines?
Reg 10-1-1 currently applies to life insurers; the Division of Insurance has signaled intent to expand. Even if you are P&C or health today, NAIC bulletin obligations still apply.
What about vendor AI in claims?
You are accountable. NAIC and NYDFS guidance both require third-party oversight, with documented due diligence, contract terms, and ongoing monitoring of vendor AI.
How long to be exam-ready?
A defensible NAIC-aligned program (policy, inventory, testing protocol, vendor file, board reporting) typically takes 8–12 weeks for a multi-line carrier.
