AI Governance for Insurance: NAIC Model Bulletin, FCRA Underwriting Rules, and Actuarial Fairness Requirements
State insurance departments are actively examining AI governance programs. Here is what the NAIC Model Bulletin requires, how FCRA adverse action obligations attach to AI-assisted underwriting, and how to build a governance infrastructure that satisfies market conduct examiners.
The Insurance AI Governance Landscape in 2026
Insurance companies have deployed algorithmic decision systems in underwriting, rating, claims handling, fraud detection, and customer servicing for decades. What has changed is the character of those systems. Statistical regression models trained on actuarially defensible variables are giving way to large language models, gradient boosting engines trained on hundreds of behavioral features, and generative AI systems that draft policyholder communications and adjuster reports in real time.
The regulatory response has been substantial and is accelerating. The National Association of Insurance Commissioners adopted its Model Bulletin on the Use of Artificial Intelligence Systems by Insurers in December 2023. Colorado, Connecticut, and several other states have issued binding guidance or enacted statutes. The CFPB and FTC have both published enforcement guidance confirming that the Fair Credit Reporting Act's adverse action requirements attach fully to AI-assisted decisions. State insurance departments have updated their market conduct examination handbooks to include AI system reviews.
Multiple state insurance departments have begun requesting AI system inventories, model validation documentation, and bias testing reports as standard components of routine market conduct examinations — not just targeted AI-specific reviews.
This guide provides a practitioner-level analysis of the core frameworks — the NAIC Model Bulletin, FCRA adverse action requirements, and actuarial fairness standards — and explains what governance infrastructure insurance organizations need to satisfy examination expectations. We also examine how CoreGuard addresses the specific documentation and audit trail requirements that examiners request.
NAIC Model Bulletin on the Use of AI Systems by Insurers
The NAIC Model Bulletin, formally titled "Model Bulletin on the Use of Artificial Intelligence Systems by Insurers," was adopted by the NAIC in December 2023 following several years of working group development. Unlike a model law or model regulation, a model bulletin is regulatory guidance — but in insurance regulation, model bulletins issued through the NAIC process carry significant weight and form the basis for state department examinations in adopting states.
Scope and Applicability
The Model Bulletin applies to insurers using AI systems in any of the following insurance activities:
- Underwriting: any AI system that influences whether or on what terms coverage is offered or renewed
- Rating: any AI system that influences the premium charged for coverage
- Claims: any AI system that influences claim approval, denial, valuation, or settlement
- Marketing: any AI system that influences which consumers receive offers or what offers they receive
- Fraud detection: AI systems used to identify suspicious claims or applications
The bulletin defines AI systems broadly to include machine learning models, neural networks, natural language processing systems, and large language models used in any covered activity. A rule-based system using only actuarially certified rating factors is generally outside scope, but the addition of ML-derived scores, LLM-generated outputs, or behavioral data signals brings a system within scope.
Core Governance Requirements
The Model Bulletin's governance requirements center on five obligations that insurers must satisfy:
States adopting the Model Bulletin — including Connecticut and Colorado — have indicated that examiners will request the written AI governance program, AI systems inventory, risk tier assignments, and testing documentation as standard items in market conduct examinations. Absence of any of these is treated as a governance deficiency.
FCRA Requirements for AI-Assisted Underwriting
The Fair Credit Reporting Act creates specific obligations when insurers use "consumer reports" in making coverage and rating decisions. AI systems complicate this analysis because they often incorporate consumer report data — including credit-based insurance scores — as features alongside many other inputs, making it less obvious when the FCRA's requirements have been triggered.
What Constitutes a Consumer Report for Insurance Purposes
A consumer report is any written, oral, or other communication of information by a consumer reporting agency bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living used in connection with an insurance transaction. Credit-based insurance scores purchased from LexisNexis, Verisk, or TransUnion are consumer reports. Certain behavioral data products — driving telematics histories, prescription drug databases, and prior claims data — may also constitute consumer reports depending on their source and content.
When an AI underwriting or rating model is trained on or uses consumer report data as an input feature, the model's outputs derive from that consumer report data, and the insurer's decisions based on those outputs are made "in whole or in part because of" the consumer report. This is the standard that triggers FCRA adverse action obligations.
Section 615 Adverse Action Requirements
FCRA Section 615(a) requires that when adverse action is taken in connection with an insurance transaction based in whole or in part on information contained in a consumer report, the person taking adverse action must provide the consumer with:
- Notice of the adverse action
- The name, address, and telephone number of the consumer reporting agency that furnished the report
- A statement that the consumer reporting agency did not make the decision and is unable to provide specific reasons for the adverse action
- Notice of the consumer's right to obtain a free copy of the consumer report
- Notice of the consumer's right to dispute the accuracy or completeness of information in the consumer report
In the AI context, "adverse action" in insurance includes: denial of coverage, cancellation of a policy, or charging a higher premium than the most favorable rate available. When an AI underwriting engine uses a credit-based insurance score and outputs a "deny" or "rate up" decision, Section 615 is triggered and the adverse action notice must be provided.
The CFPB's 2023 circular and multiple state AG guidance letters have explicitly confirmed: an insurer cannot avoid FCRA adverse action obligations by interposing an AI system between the consumer report and the coverage decision. If the AI used consumer report data, adverse action notice is required. The algorithmic nature of the decision does not qualify as an exception.
Key Factors in AI Adverse Action Notices
FCRA Section 615(a)(2) requires that when a credit score is used in the adverse action, the notice must include up to four key factors that adversely affected the score. This requirement creates a documentation challenge for complex AI systems: if the AI underwriting model uses a credit-based insurance score as one of 200 features, the system must be able to identify and communicate the principal factors that drove the adverse decision, including the specific contribution of the credit-based score.
```jsonc
// Minimum adverse action record for FCRA Section 615 compliance
// Required when AI system uses consumer report data in coverage decision
{
  "record_id": "cg-2026-05-05-uw-00192847",
  "timestamp_utc": "2026-05-05T14:23:11.847Z",
  "insurer_id": "acme_property_casualty",
  "applicant_id_hash": "sha256:a7f3c...",
  "product_line": "personal_auto",
  "decision_type": "underwriting_rating",
  "disposition": "MODIFY",
  "modification": "RATE_TIER_4",
  "adverse_action": true,
  "consumer_report_used": true,
  "consumer_reporting_agency": {
    "name": "LexisNexis Risk Solutions",
    "address": "1000 Alderman Drive, Alpharetta, GA 30005",
    "phone": "1-888-497-0011"
  },
  "key_factors": [
    { "factor": "credit_insurance_score", "value": 612, "impact": "adverse", "reason_code": "payment_history" },
    { "factor": "prior_claims_count_3yr", "value": 2, "impact": "adverse", "reason_code": "claims_frequency" },
    { "factor": "vehicle_age", "value": 15, "impact": "neutral", "reason_code": "vehicle_risk" }
  ],
  "human_readable_reason": "Credit-based insurance score (612) and claim frequency (2 claims in 3 years) resulted in rating tier 4 placement",
  "appeal_rights": "Consumer may request free copy of consumer report and dispute inaccuracies",
  "policy_set": "personal_auto_uw_v3.2",
  "policy_version_hash": "sha256:9f4a2...",
  "model_version": "xgb-auto-uw-v7.1.4",
  "signature": "hmac-sha256:8d2e1...",
  "retention_class": "FCRA_ADVERSE_ACTION_7YR"
}
```
This structure illustrates the documentation CoreGuard generates automatically for every AI underwriting evaluation. The signed record provides the foundation for adverse action notices and satisfies both FCRA documentation requirements and NAIC Model Bulletin audit trail requirements in a single pass.
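How a reviewer could check that a stored decision record is both untampered and complete for a Section 615 notice, as an added example that is not from the original page or from CoreGuard. The page does not say how the signature is computed, so the canonical-JSON scheme, the demo key, the helper names, and the sample values are assumptions; only the field names follow the record above.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption); a production key would live in a KMS or HSM.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
PREFIX = "hmac-sha256:"

# Constructed sample using the field names of the record above; values are made up.
SAMPLE = {
    "record_id": "example-0001",
    "modification": "RATE_TIER_4",
    "adverse_action": True,
    "consumer_report_used": True,
    "consumer_reporting_agency": {
        "name": "Example CRA", "address": "1 Example Way", "phone": "555-0100"},
    "key_factors": [
        {"factor": "credit_insurance_score", "impact": "adverse"},
        {"factor": "vehicle_age", "impact": "neutral"}],
    "appeal_rights": "Consumer may request free copy of consumer report",
}


def canonical_bytes(record):
    """Deterministic encoding of every field except the signature (assumed scheme)."""
    body = {k: v for k, v in record.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_record(record, key):
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {**record, "signature": PREFIX + tag}


def verify_record(record, key):
    """True only if the signature matches the record's current contents."""
    sig = record.get("signature")
    if not isinstance(sig, str) or not sig.startswith(PREFIX):
        return False
    expected = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many leading characters match.
    return hmac.compare_digest(sig[len(PREFIX):].encode(), expected.encode())


def fcra_gaps(record):
    """List notice elements missing from an adverse, consumer-report-based decision."""
    if not (record.get("adverse_action") and record.get("consumer_report_used")):
        return []
    cra = record.get("consumer_reporting_agency") or {}
    gaps = [f"consumer_reporting_agency.{f}"
            for f in ("name", "address", "phone") if not cra.get(f)]
    adverse = [f for f in record.get("key_factors", []) if f.get("impact") == "adverse"]
    # The page says "up to four"; requiring at least one is this example's assumption.
    if not 1 <= len(adverse) <= 4:
        gaps.append("key_factors")
    if not record.get("appeal_rights"):
        gaps.append("appeal_rights")
    return gaps


if __name__ == "__main__":
    signed = sign_record(SAMPLE, DEMO_KEY)
    tampered = {**signed, "modification": "RATE_TIER_1"}
    print(verify_record(signed, DEMO_KEY), verify_record(tampered, DEMO_KEY), fcra_gaps(signed))
```

Because HMAC is a symmetric MAC, any party holding the verification key can also produce valid signatures, so the evidentiary weight of the audit trail depends on who has custody of that key.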
Actuarial Fairness and Unfair Discrimination Standards
Insurance rate regulation has long distinguished between permissible actuarial differentiation — charging higher rates to higher-risk insureds — and impermissible unfair discrimination, which most state insurance codes define as treating risks with essentially the same expected loss experience differently, or using a factor that operates as a proxy for a protected characteristic.
AI systems create acute unfair discrimination risk because machine learning models can identify statistical correlations between observable features and loss outcomes that happen to correlate with race, national origin, or religion. The model never "sees" race — but the correlations it learns can effectively produce racially disparate outcomes. This is what regulators mean by "proxy discrimination."
What Unfair Discrimination Testing Must Cover
| Test Type | What Is Measured | Protected Classes | Documentation Required |
|---|---|---|---|
| Disparate Impact Analysis | Acceptance rate, premium distribution, and coverage terms across demographic groups | Race, color, national origin, religion, sex, familial status, disability | Required |
| Proxy Discrimination Testing | Whether model features are highly correlated with protected characteristics (e.g., ZIP code as race proxy) | Same as above; geographic proxies most scrutinized | Required |
| Feature Importance Audit | Which inputs most strongly influence the model's decisions; whether those inputs are actuarially defensible | All characteristics; assess actuarial basis for top drivers | Required |
| Counterfactual Sensitivity | How decision outcomes change when only protected characteristics vary while all other inputs are held constant | Race, national origin most commonly tested | Recommended |
| Stability / Drift Testing | Whether model performance on protected-class subgroups degrades over time, indicating emerging bias | All protected classes in covered groups | Recommended |
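A small version of the first two tests in the table, as an added example that is not from the original page or from CoreGuard: it computes per-group acceptance rates and measures how strongly a ZIP label predicts group membership. The counts, the labels, and the choice of Cramér's V as the association measure are assumptions; the page names no specific statistic or threshold.

```python
from collections import Counter
from math import sqrt

# Constructed counts: (zip_label, group, accepted, rows). Group membership comes
# from a separate testing dataset; the rating model never receives it.
COUNTS = [
    ("ZIP_1", "group_a", True, 81), ("ZIP_1", "group_a", False, 9),
    ("ZIP_1", "group_b", True, 8), ("ZIP_1", "group_b", False, 2),
    ("ZIP_2", "group_a", True, 6), ("ZIP_2", "group_a", False, 4),
    ("ZIP_2", "group_b", True, 46), ("ZIP_2", "group_b", False, 44),
]


def acceptance_rates(counts):
    """Disparate impact input: acceptance rate per demographic group."""
    total, accepted = Counter(), Counter()
    for _zip, group, ok, n in counts:
        total[group] += n
        if ok:
            accepted[group] += n
    return {g: accepted[g] / total[g] for g in total}


def impact_ratios(rates):
    """Each group's rate relative to the most favorably treated group."""
    best = max(rates.values())
    return {g: r / best for g, r in rates.items()}


def cramers_v(counts):
    """Proxy test: association (0 = none, 1 = perfect) between ZIP label and group."""
    cell, by_zip, by_group = Counter(), Counter(), Counter()
    for zip_label, group, _ok, n in counts:
        cell[(zip_label, group)] += n
        by_zip[zip_label] += n
        by_group[group] += n
    total = sum(by_zip.values())
    chi2 = 0.0
    for z in by_zip:
        for g in by_group:
            expected = by_zip[z] * by_group[g] / total
            chi2 += (cell[(z, g)] - expected) ** 2 / expected
    dof = min(len(by_zip), len(by_group)) - 1
    return sqrt(chi2 / (total * dof)) if dof else 0.0


if __name__ == "__main__":
    rates = acceptance_rates(COUNTS)
    print(rates, impact_ratios(rates), round(cramers_v(COUNTS), 3))
```

In this constructed data the model never sees group membership, yet the ZIP label is strongly associated with it and the acceptance rates diverge, which is the pattern the proxy discrimination row of the table describes.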
Colorado SB 21-169: The Strictest State Standard
Colorado enacted Senate Bill 21-169 — the "External Consumer Data and Information Sources; Insurance" law — which took effect in September 2023. It is the most prescriptive state AI fairness law in insurance. Key requirements include:
- Annual certification: Insurers must annually certify to the Colorado Commissioner that their external data sources and predictive models are not unfairly discriminatory. The certification must be signed by a responsible executive officer.
- Written program: Insurers must maintain a written program to establish, implement, maintain, and update reasonable data governance policies and procedures and an internal audit process to ensure AI systems do not produce unfairly discriminatory outcomes.
- Commissioner investigation: The Commissioner may investigate any insurer for compliance with SB 21-169. Insurers subject to investigation must provide access to the AI systems, training data, validation reports, and governance documentation on request.
- Corrective action: If the Commissioner finds an AI system produces unfairly discriminatory outcomes, the insurer must take corrective action within a specified timeframe, which may include suspending use of the system.
Insurers operating nationally must build governance programs capable of satisfying the strictest applicable state requirements. Colorado's annual certification obligation, NAIC examination standards, and FCRA adverse action documentation requirements collectively define the minimum viable governance posture for a national carrier.
State Insurance AI Governance Requirements: Key Jurisdictions
The insurance AI regulatory landscape is fragmented across 50+ jurisdictions. The following grid summarizes the current posture of key states. All insurers should monitor their primary state regulators and engage with NAIC working groups, which continue to develop additional model guidance.
Beyond these featured states, the NAIC's Innovation, Cybersecurity, and Technology (H) Committee continues to develop additional model laws and bulletins addressing AI transparency, accountability, and consumer protection. Insurers should monitor NAIC working group outputs and engage through industry associations.
AI in Claims: Additional Governance Obligations
AI systems in claims handling — including AI-assisted damage assessment, AI-driven fraud scoring, and LLM-generated claim correspondence — carry their own governance obligations distinct from underwriting.
Unfair Claims Settlement Practice Acts
Every state has an Unfair Claims Settlement Practices Act (UCSPA), modeled on the NAIC model, that prohibits a range of improper claims practices including: failing to acknowledge communications, not maintaining standards for prompt investigation, not offering reasonable payment when liability is clear, and compelling insureds to litigate by making unreasonably low offers. When AI systems are used to estimate damages, score settlement values, or recommend reserves, the insurer is fully responsible for any resulting UCSPA violations that emerge from AI outputs.
The governance implication: AI claims systems must be governed to ensure they do not produce systematically low estimates or denial recommendations that could constitute unfair claims practices. Market conduct examiners reviewing claims handling will look for AI governance documentation just as they look for it in underwriting.
LLM-Generated Claims Correspondence
Large language models used to generate denial letters, coverage explanation documents, and claim status communications must be governed to ensure the communications are accurate, do not misrepresent coverage, and comply with state prompt-payment laws. Key governance requirements for LLM claims correspondence:
- Pre-execution review of LLM prompts and output templates by qualified claims and legal personnel
- Policy set enforcement ensuring LLM outputs cannot misrepresent policy terms or coverage positions
- Audit trail documenting the LLM system version, prompt, policy set used, and final output for every generated communication
- Human review for any denial or reservation-of-rights communications before transmission
- Retention of all LLM-generated claim communications in the insurer's claims system of record
How CoreGuard Satisfies Insurance AI Governance Requirements
CoreGuard is a deterministic pre-execution AI governance API that evaluates AI system decisions before they are acted on and returns a signed ALLOW, BLOCK, or MODIFY disposition with an HMAC-SHA256 signed decision certificate. For insurance organizations, CoreGuard's architecture directly addresses the most demanding governance documentation requirements.
Insurance Policy Pack Structure
CoreGuard's insurance policy packs encode the specific governance rules applicable to each insurance product line and decision type. A personal auto underwriting policy pack, for example, encodes:
```jsonc
// CoreGuard insurance policy pack evaluation — personal auto underwriting
{
  "policy_set": "personal_auto_uw_v3.2",
  "jurisdiction": "multi_state",
  "frameworks": ["NAIC_MODEL_BULLETIN_2023", "FCRA_615", "CO_SB21169"],
  "checks_run": [
    {
      "rule": "prohibited_factor_use",
      "check": "No protected characteristic used directly in rating",
      "result": true,
      "details": "Race, religion, national origin fields absent from feature vector"
    },
    {
      "rule": "adverse_action_notice_required",
      "check": "Consumer report used and adverse decision reached",
      "result": true,
      "trigger": "FCRA_615_NOTICE_REQUIRED",
      "cra_disclosure_required": true
    },
    {
      "rule": "key_factor_extraction",
      "check": "Principal adverse factors extracted for notice",
      "result": true,
      "factors_count": 3
    },
    {
      "rule": "colorado_sb21169_logging",
      "check": "Decision logged to SB 21-169 annual audit store",
      "result": true,
      "audit_store": "co_annual_certification_2026"
    },
    {
      "rule": "proxy_discrimination_safeguard",
      "check": "ZIP code use flagged for annual disparate impact review",
      "result": true,
      "flag_type": "GEOGRAPHIC_PROXY_MONITORING"
    }
  ],
  "final_disposition": "MODIFY",
  "modification": "RATE_TIER_4_WITH_ADVERSE_ACTION_NOTICE",
  "signature": "hmac-sha256:e7f4b..."
}
```
Market Conduct Examination Readiness Checklist
Insurance organizations preparing for market conduct examinations that include AI system reviews should ensure the following documentation is available, organized, and current:
Frequently Asked Questions
The NAIC Model Bulletin, adopted December 2023, establishes that insurers using AI systems in underwriting, rating, claims, and marketing must maintain a written AI governance program that includes: (1) designation of a responsible officer accountable for AI risk; (2) a comprehensive AI systems inventory; (3) risk-tiered governance with enhanced oversight for high-impact systems; (4) documented testing for unfair discrimination before deployment and periodically thereafter; (5) ongoing monitoring for model drift and performance degradation; and (6) documentation sufficient to demonstrate compliance to state insurance departments in examination. States adopting the bulletin — including Connecticut and Colorado — expect compliance in market conduct examinations.
FCRA applies when an insurer uses a consumer report — including credit-based insurance scores — in making coverage, rating, or underwriting decisions. When an AI system uses consumer report data as an input, Section 615 adverse action requirements apply to the AI's outputs. Adverse action — denial, cancellation, or rating above the most favorable available — requires the insurer to provide the consumer with notice of the adverse action, the name of the consumer reporting agency, and notice of the consumer's right to a free report and to dispute inaccuracies. The CFPB has explicitly confirmed that interposing an AI system does not eliminate these obligations. For AI systems that use credit-based insurance scores, the adverse action notice must also include up to four key factors that adversely affected the score.
Unfair discrimination occurs when insureds with essentially the same expected loss experience are treated differently, or when a rating factor operates as a proxy for a protected characteristic. AI systems create acute unfair discrimination risk because machine learning models can learn proxy relationships from historical data that produce racially or ethnically disparate outcomes even without protected characteristics as direct inputs. Regulators assess unfair discrimination through: (1) disparate impact analysis comparing acceptance rates and premium outcomes across protected classes; (2) proxy discrimination testing to identify whether non-protected inputs correlate with protected characteristics; (3) feature importance audits; and (4) counterfactual testing. Insurers must document this testing and retain results for examination.
Colorado enacted SB 21-169 (effective 2023) requiring annual certification to the Commissioner, a written program to minimize unfair discrimination, and an internal audit process. Connecticut issued Bulletin IC-40 (2023) closely mirroring the NAIC Model Bulletin. California's CDI has issued guidance on algorithmic discrimination in auto insurance rating. New York DFS proposed requiring prior approval for material AI systems in underwriting. Illinois, Maryland, and Virginia have active insurance AI legislation in progress. The patchwork of state requirements means national carriers must build governance programs capable of satisfying the strictest state requirements — generally Colorado's annual certification standard.
State insurance departments conducting market conduct examinations typically request: (1) the written AI governance program; (2) the AI systems inventory with risk tier assignments; (3) model validation reports documenting pre-deployment testing; (4) bias and disparate impact testing results including methodology and remediation; (5) ongoing monitoring reports; (6) sample decision records showing AI governance in action; (7) adverse action notice samples for systems triggering FCRA requirements; (8) vendor contracts and due diligence documentation; and (9) for Colorado, the annual SB 21-169 certification with supporting analysis. CoreGuard satisfies requirements 6 and 8 directly by generating HMAC-SHA256 signed decision certificates with full governance metadata for every AI evaluation.
Governance Infrastructure for Insurance AI
CoreGuard's insurance policy packs enforce NAIC Model Bulletin documentation requirements, generate FCRA-compliant adverse action records, and produce the signed decision audit trails that state examiners request.