Loading...

The regulatory implications of AI and ML for the insurance industry | Baker Tilly

AI governance in palm of man's hand

Article

The regulatory implications of AI and ML for the insurance industry

Aug. 27, 2025 · Authored by Dave DuVarney, Phil Schmoyer, John Romano, Jordan Anderson

Since January 2024, artificial intelligence (AI) and machine learning (ML) have become integral across the insurance value chain, from underwriting and claims to customer engagement and fraud detection. With more than 70% of U.S. insurers now using or planning to use AI/ML, regulators have accelerated action to ensure industry modernization does not compromise consumer protection or fairness.

State insurance regulators, coordinated through the NAIC’s Innovation, Cybersecurity and Technology Committee and its Big Data and AI Working Group, continue to lead in crafting principles and oversight grounded in the core tenets of Fairness, Accountability, Compliance, Transparency and Security (FACTS).

Key pillars of the 2025 regulatory landscape

1. NAIC’s 2025 road map: Cementing state oversight

The NAIC’s “Securing Tomorrow” agenda underscores protection of state-based regulation and welcomes AI as a 2025 priority. It calls for enhancing board-engagement, global coordination and insurance-market integrity through AI governance.

2. FACTS: NAIC’s AI principles (Adopted 2020)

The FACTS central doctrine remains current policy, emphasizing:

Fairness and Ethics: Avoiding bias based on protected attributes
Accountability: Documenting decision paths and executive oversight
Compliance: Adherence to all applicable state and federal laws
Transparency: Informing consumers and examiners how AI systems work
Safety and Robustness: Strong data, cyber and model management practices

Although not statutorily binding, FACTS continues to underpin state expectations for responsible AI deployment.

NAIC Model Bulletin (December 2023): Implementation as of 2025

Dave DuVarney

Dave DuVarney

Principal

Baker Tilly Professional Phil Schmoyer

Phil Schmoyer

Principal

John Romano

John Romano

Principal

Baker Tilly Professional

Jordan Anderson

Director

Related sections

Article Tags

artificial intelligence

Core AIS Program expectations

Include (NAIC summary):

A written AIS Program approved by senior management and board
A governance structure with clear roles, escalation paths and independence
Consumer notice obligations when AI influences decisions
Risk management controls appropriate to system risk (bias testing, drift detection, transparency)
Third party AI management policies, including audit rights and vendor diligence
Preparedness to support regulatory exam and investigation inquiries (documentation, testing, protocols)

Regulators have already begun market conduct exams and civil exam inquiries, assessing insurers on AIS Program compliance and fair decision-making practices.

2025 state-level AI regulation and legislative trends

Many states are now introducing sector-specific AI laws targeting insurers:

Colorado: Passed SB 24-205, the Colorado AI Act. Applies broadly to “high risk” AI (e.g. underwriting, claims). Requires consume disclosure, bias prevention and board-approved risk management policies. Will take effect on Feb. 1, 2026.
Virginia: Enacted HB 2094, closely mirroring Colorado’s AI Act. Awaiting gubernatorial signature.
Connecticut: Senator Anwar introduced legislation restricting insurers from using AI to deny healthcare claims automatically triggered by a ProPublica investigation. Focuses on ensuring human review in prior authorization.
Pennsylvania: Proposed HB 1663 requires state licensed health insurers to publicly disclose and define AI tools used in claim decisions

At least 17 states have introduced or advanced AI bills in 2025 targeting insurance, pushing for oversight of bias, vendor practices and AI explainability.

Federal oversight: CFPB and existing laws apply to AI

The Senate overwhelmingly voted 99–1 to strike a proposed moratorium on state and federal AI regulation, and the provision was officially removed before President Trump signed the bill into law on July 4, 2025. As a result, state and local governments retain their authority to continue crafting AI guardrails in the evolving legal landscape.

While there is no federal insurance-specific AI law yet, financial regulators, including the Consumer Financial Protection Bureau (CFPB), have made it clear that existing consumer protection laws fully apply to AI and algorithmic models:

On fair lending, CFPB’s August 2024 comment to Treasury emphasized prohibited bases and urged lenders to implement Less Discriminatory Alternatives (LDAs) if models have disparate impacts.
Its January 2025 supervisory report directed institutions using credit-scored AI to validate adverse action notices and proactively search for LDAs, even persuading examiners to flag models that use excessive alternative data.
In June 2024, CFPB finalized a rule governing AI-based home appraisals, reinforcing the need for accuracy, fairness and adverse-action explanation, relevant for insurers relying on automated valuation models.

Insurance entities offering finance-related products (credit scoring, payment plans, auto title lending) must ensure AI tools comply with ECOA, Regulation B, and the Consumer Financial Protection Act, just as human systems must.

International input: IAIS application paper (July 2025)

In July 2025, the International Association of Insurance Supervisors (IAIS) released an Application Paper clarifying how its existing Insurance Core Principles (ICPs) apply to AI, emphasizing supervisory expectations for:

Proportionality in controls
Board-level oversight
Human-in-loop decision making
Vendor and third party management
Audit trails and traceability

These principles align closely with the NAIC model and global best practices.

Revised AIS Program blueprint – 2025 best practices

Based on recent regulatory activity, here's a checklist of updated components insurers should integrate into their AI governance:

Board approved AI strategy aligned with insurer’s risk appetite and state law
AI inventory and consumer notice registry triaging high risk models
Data governance framework: Lineage, bias detection, data minimization and suitability metrics
Model validation and bias testing, including search for LDAs, drift monitoring and fairness metrics reviewed quarterly
Explainability radar: Tiered disclosure to consumers when AI affects decisions
Transparent governance documents: Clear delegation, escalation, independence and audit paths
Third party vendor oversight protocols: Due diligence, audit rights and contract terms
Audit trail and record retention that support regulatory exam demands, including versioned data, testing logs and board materials
Exception and appeal process when AI decisions fail to meet human acceptable thresholds
Scenario review and incident response plan for emerging risk, show-stopping bias or public scrutiny

The regulatory environment surrounding AI/ML in insurance has evolved rapidly since early 2024. The NAIC’s Model Bulletin is now state law in nearly half the country, and legislative action from Colorado, Virginia, Connecticut and Pennsylvania signals more rigorous, specialized regulation ahead.

For U.S. insurers, whether P&C, life or health, these developments necessitate tightening of AI governance frameworks, operationalizing FACTS-based principles and ensuring robust audit-ready compliance for third party, data and decision-making components.

Insurers operating across multiple states must monitor both model bulletin adoption schedules and new state-specific AI laws, especially in sectors involving underlying credit or health determinations. Meanwhile, there is growing international alignment on AI supervision via IAIS and an emphasis on proportional, risk-based oversight.

Maintaining alignment with these updated regulatory guardrails can allow insurers to continue leveraging AI's potential securely, equitably and with consumer trust intact.