HomeShadow AIAI PlatformsAI AdoptionHealthcareBlogPodcastAboutContactFAQ Shadow AI Leaders Guide
Insurance Spoke

NAIC Model Bulletin on the Use of AI Systems by Insurers

The NAIC's first comprehensive guidance on AI in insurance, now adopted as binding by 24 states plus DC. The AIS Program is the centerpiece.

Free Shadow AI Risk Check Back to Insurance Hub

What the Bulletin Is

The NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers was adopted by NAIC membership at the 2023 Fall National Meeting on December 4, 2023.

It is the NAIC's first comprehensive guidance on AI in insurance and now serves as the template for state-level rules. The Model Bulletin is guidance, not law — it becomes binding when each state insurance department adopts it (most have adopted it verbatim or with minor edits).

Adoption Snapshot

The bulletin's reach as of late 2025

Dec 4, 2023
NAIC membership adoption at the Fall National Meeting
24 + DC
States that have adopted the bulletin as binding state-level guidance
AIS
AI Systems Program — the core requirement on every covered insurer
6–9 mo
Typical first-pass AIS Program build cycle

Who Is Subject to It

Every licensee using AI Systems in decisions affecting consumers. The bulletin defines AI System broadly enough to capture predictive models, generative AI, machine learning, and rules-based automation when used for consumer-facing decisions.

ECDIS (external consumer data sources) used in AI Systems is explicitly inside scope.

The Core Requirement — A Written AIS Program

The bulletin requires every covered insurer to establish a written AI Systems Program governing development, acquisition, and use of AI. The program must address six elements.

Element 1

Governance

Roles and responsibilities, board or executive oversight, an accountable owner for the program.

Element 2

Risk Identification & Management

Risk-tier classification of every AI System; risk-proportional governance (higher-risk systems get more scrutiny).

Element 3

Documentation

Every AI System has a record covering purpose, data sources, model approach, validation method, intended use, and human oversight design.

Element 4

Third-Party Vendor Oversight

Vendors providing AI Systems or ECDIS are inside the licensee's governance. Contractual data-handling terms, security assessments, and ongoing monitoring required.

Element 5

Testing for Unfair Discrimination

Pre-deployment and ongoing fairness testing for unlawful or unfair discrimination, with documentation that survives examination.

Element 6

Risk-Proportional Scope

The program's depth scales with the risk tier — life-affecting decisions get full rigor, low-stakes use cases get lighter governance.

State Adoption Snapshot (as of late 2025)

Adopters with verified bulletin issuance dates

Feb 26, 2024

Connecticut

Bulletin MC-25.

Mar 12, 2024

Vermont

Bulletin issued by VT DFR.

Mar 15, 2024

Rhode Island

RI DBR adoption.

Apr 6, 2024

Pennsylvania

PID notice.

Apr 16, 2024

Kentucky

KY DOI bulletin.

Apr 22, 2024

Maryland

MD MIA bulletin.

Jun 11, 2024

Nebraska

NE DOI bulletin.

Nov 14, 2024

Oklahoma

OK ID bulletin.

Dec 9, 2024

Massachusetts

MA DOI bulletin.

Dec 18, 2024

North Carolina

NC DOI bulletin.

Feb 5, 2025

Delaware

DE DOI bulletin.

Feb 11, 2025

New Jersey

NJ DOBI bulletin.

What Is in the Bulletin That Is Not in #668

A common source of confusion — NAIC Model #668 (Insurance Data Security Model Law, 2017) is sometimes referenced as covering AI. It does not.

Model #668 is a data security regime — written ISPs, risk assessments, breach notification, third-party oversight of nonpublic information. The Model Bulletin is the AI governance layer. The two are complementary: #668 governs how data is secured across the licensee's systems (including AI ones); the Model Bulletin governs how AI Systems are governed, with #668 sitting underneath as the data security baseline.

A carrier needs both. AI Systems handle nonpublic information, so they are in #668 scope. Those same systems make consumer-affecting decisions, so they are in Model Bulletin scope.

Building an AIS Program — Implementation Phases

Most carriers should expect a 6 to 9 month build cycle for a first-pass program

1

Months 1–2 — Discovery

AI System inventory — every model, every vendor, every ECDIS source. Risk-tier classification.

2

Months 2–4 — Documentation

Per-system documentation packets. Third-party vendor due diligence files. Initial fairness testing for in-scope systems.

3

Months 4–6 — Governance Structure

Written program document. Roles assigned. Board or executive sign-off. Training for governance owners.

4

Months 6–9 — Operationalize

Decision logs in production. Annual review cycle defined. Examination-readiness playbook in place.

NAIC Model Bulletin on AI — FAQ

When was the NAIC Model Bulletin on AI adopted?

NAIC membership adopted the Model Bulletin on the Use of AI Systems by Insurers at the 2023 Fall National Meeting on December 4, 2023. As of late 2025, 24 states plus DC have adopted it as binding state-level guidance.

What is an AIS Program?

An AI Systems (AIS) Program is the written governance program the NAIC Model Bulletin requires every covered insurer to establish. It covers AI development, acquisition, and use — governance roles, risk-tier classification of every AI System, documentation requirements, third-party vendor oversight, and fairness testing protocols.

Is the NAIC Model Bulletin the same as NAIC Model #668?

No. Model #668 is the Insurance Data Security Model Law, a cybersecurity regime adopted in 2017. The Model Bulletin is AI-specific governance adopted in December 2023. They are complementary — data security baseline (#668) plus AI governance (Model Bulletin).

Does the NAIC Model Bulletin apply to predictive models, or just generative AI?

Both. The bulletin defines AI System broadly enough to capture predictive models, machine learning, generative AI, and certain rules-based automation when used for consumer-facing decisions.

What does an AIS Program implementation timeline look like?

Most carriers should expect a 6 to 9 month build cycle — 1 to 2 months discovery (inventory plus risk tiering), 2 to 4 months documentation (per-system packets, vendor due diligence, initial fairness testing), 4 to 6 months governance structure (written program, roles, sign-off), 6 to 9 months operationalization (decision logs, annual review cycle).

Related Resources

Continue across the silo or bridge to a core hub

State Insurance AI Enforcement

What state regulators are doing with the Model Bulletin in active examinations

Read article →

Insurance Data Privacy and AI

How #668 (data security) sits alongside the Model Bulletin (AI governance)

Read article →

AI Underwriting Compliance

ECDIS scope under the Model Bulletin and the fairness-testing requirement

Read article →

The 90-Day Governance Path

A faster on-ramp than the 6–9 month AIS Program build for early-stage carriers

Read article →

Governed AI Platform Checklist

Platform features that map to AIS Program documentation requirements

Read article →

Build an AIS Program That Is Audit-Ready in Weeks

Free Shadow AI Risk Check is the discovery and documentation phase, compressed. AI inventory, vendor file, initial fairness review, and a written program draft.

Free Shadow AI Risk Check Shadow AI Leaders Guide

Concerned about Shadow AI in your organization?

3 Minutes. 16 Questions. No Fluff.

Quick Online Risk Check