From reviewing NAIC working group agendas and insurer AI governance disclosures across a dozen carriers, the disconnect between vendor dependence and vendor oversight surfaces as a pattern that predates this survey by at least two years. What the AM Best data does is attach numbers to a dynamic that actuaries working in model validation and regulatory compliance have observed since carriers began integrating vendor-built predictive models into underwriting and claims workflows without building corresponding oversight infrastructure. The survey, drawn from responses collected in November 2025, provides the first industry-wide quantification of a governance blind spot that sits at the intersection of procurement, compliance, and actuarial accountability.

The insurance industry's relationship with third-party AI is structurally different from other regulated sectors. Banks have operated since 2011 under SR 11-7, the Federal Reserve and OCC model risk management guidance, which explicitly holds institutions responsible for validating vendor models to the same standard as internally developed ones. Insurance has no equivalent framework. The NAIC's December 2023 Model Bulletin established principles but not enforceable requirements. And the 12-state AI Evaluation Tool pilot running through September 2026 is still determining how much vendor model documentation carriers should be required to produce. Carriers have been operating in a regulatory gap, treating vendor AI as a procurement decision rather than a governance obligation, and the AM Best data suggests that most of them are not preparing for the day that gap closes.

The 68/18 Gap: What the AM Best Survey Actually Found

The survey results, published by AM Best in an April 27, 2026 special report titled "Artificial Intelligence Appears to Be Ready, But Most Insurers Are Not," drew responses from approximately 150 rated P&C carriers and managing general agents. The methodology targeted decision-makers in technology, underwriting, and operations across a range of carrier sizes. The field period was November 2025, meaning the responses reflect pre-deployment attitudes rather than operational experience in many cases.

The headline finding is the structural mismatch between two data points that should be correlated but are not. Sixty-eight percent of respondents identified third-party solutions as a source of their AI development. That figure includes vendors providing full model solutions, cloud-based AI services, and embedded analytics within core system platforms. Only 18% of those same respondents flagged third-party model risk as a challenge they considered significant.

The gap is striking because it inverts the expected relationship. When two-thirds of an industry depends on external systems for a critical operational function, risk management attention to those external systems should be proportionally high, not an afterthought. The 18% figure suggests that most carriers have mentally categorized vendor AI alongside other purchased software, subject to procurement review and contract negotiation, rather than alongside internal actuarial models subject to validation, documentation, and ongoing monitoring requirements.

Several supporting findings from the survey reinforce this interpretation:

  • Only 13% feel confident measuring AI ROI accurately. If carriers cannot determine whether vendor models outperform internal alternatives, they lack the baseline data to evaluate vendor value, let alone vendor risk.
  • Approximately 60% expect AI to significantly transform their business model within one to three years. This forward-looking optimism, combined with the 18% vendor risk awareness, suggests carriers are accelerating vendor AI adoption without corresponding acceleration of vendor oversight.
  • 45% cite data readiness as their top challenge; 43% cite security and privacy; 41% cite legacy system integration. Vendor model risk did not rank among the top concerns, falling well below technical and infrastructure challenges.
  • 53% self-describe as "cautious pacesetters" rather than first movers. The self-assessment suggests carriers believe they are managing AI adoption responsibly, even as the vendor risk data indicates otherwise.
  • 63% report small workforce productivity improvements from AI; only 11% report significant improvements. The modest returns make the lack of vendor oversight more concerning. Carriers are not yet seeing transformative value, yet they are already deeply embedded in vendor dependencies.

Edin Imsirovic of AM Best framed the broader finding: "For insurers, AI readiness is not a one-time milestone. It is a moving target that will require governance, data infrastructure, workforce capabilities, and risk controls that can evolve as quickly as the technology itself." The vendor risk dimension is where that evolution has been slowest.

What Third-Party Model Risk Actually Means in Insurance Operations

The phrase "third-party model risk" is abstract enough to be dismissed. In operational terms, it covers a set of specific failure modes that are already producing real consequences across the industry.

Vendor model drift. AI models degrade over time as the data distributions they were trained on diverge from current conditions. When a carrier builds its own model, it controls retraining schedules and can monitor performance metrics continuously. When a vendor controls the model, the carrier may not know when retraining occurs, what data is used, or whether the retrained model behaves differently on the carrier's specific book of business. A vendor-built fraud detection model trained on national claims data may perform well in aggregate but systematically underperform on a carrier's regional book because of loss distribution differences the carrier cannot see inside the vendor's training pipeline.

Undisclosed training data changes. Vendors routinely update training datasets as they onboard new clients and ingest new data sources. These updates can alter model behavior without any visible change to the carrier. A pricing model vendor that adds data from a new geographic market can shift the model's learned relationships in ways that affect every carrier using it, with no notification, version control, or changelog shared with clients.

Opaque model updates. Most vendor contracts permit the vendor to update models unilaterally. From the carrier's perspective, the model they validated during procurement may no longer be the model producing predictions in production. This creates a continuous gap between the model that was tested and the model that is operating, a gap that widens with every undisclosed update.

Rate filing documentation gaps. When a carrier files rates with a state regulator, the filing must document the models used in the ratemaking process. If those models are vendor-built, the carrier must be able to explain the model's methodology, inputs, and assumptions. Many vendor contracts include proprietary information restrictions that prevent carriers from disclosing model internals to regulators. The carrier is caught between a vendor who will not share and a regulator who requires transparency.

Bias and fairness accountability. The carrier, not the vendor, is the regulated entity. When a vendor-built underwriting model produces disparate impact across protected classes, the carrier bears the regulatory and legal liability. The 2024 Mobley v. Workday ruling allowed discrimination claims to proceed against an AI vendor as an "agent" of its clients, but this does not reduce the carrier's own exposure. It adds a second layer of risk: the carrier faces both direct regulatory action and the possibility of contractual disputes with vendors over indemnification.

The Banking Comparison: Why Insurance Lags 15 Years Behind

The Federal Reserve and OCC issued SR 11-7, their model risk management guidance for banks, in April 2011. The 15-year head start banking has over insurance in formal vendor model oversight is not simply a matter of timing. It reflects fundamentally different regulatory postures that the NAIC is only now beginning to address.

SR 11-7 established several principles that have no insurance equivalent:

  • Equal validation standards. SR 11-7 requires banks to validate vendor models to the same standard as internally developed models. Using a vendor does not reduce the institution's validation obligations. Insurance regulation contains no comparable requirement.
  • The "bought, not built" fallacy. The guidance states that vendor products are subject to the same validation and governance as in-house models, and the assumption that a purchased model arrives pre-validated is one of the gaps regulators commonly find during examinations. Insurance carriers routinely operate under exactly this assumption.
  • Ongoing monitoring requirements. SR 11-7 requires continuous monitoring of model performance, including vendor models. Insurance examination processes have historically focused on point-in-time reviews rather than continuous oversight.
  • Board-level accountability. The guidance makes bank boards responsible for establishing a culture of model risk management that covers vendor models. While some insurance carriers have adopted board-level AI policies (61% in the Grant Thornton 2026 survey), these policies rarely extend to vendor model governance specifically.

The OCC revised its model risk management guidance in April 2026, replacing SR 11-7 with OCC Bulletin 2026-13. The revision narrowed the primary applicability to banks with $30 billion or more in total assets and shifted toward principles-based rather than prescriptive requirements. Notably, the revised guidance explicitly excluded generative AI and agentic AI from scope, stating that these technologies are "novel and rapidly evolving" and therefore outside the framework's coverage.

The exclusion creates a paradox for insurance. Even as the OCC acknowledges that its banking framework cannot keep pace with AI developments, insurance regulation has not yet reached the baseline that banking established in 2011. Carriers adopting generative AI from vendors operate in a space that neither banking regulation (which explicitly excludes gen AI) nor insurance regulation (which has no comprehensive model risk framework) covers with enforceable requirements.

NAIC Regulatory Trajectory: From Bulletin to Enforceable Standards

The NAIC's approach to third-party AI vendor oversight has evolved through three distinct phases, each progressively more concrete. Understanding this trajectory matters because it determines the timeline carriers have to build governance infrastructure before compliance becomes mandatory rather than aspirational.

Phase 1: The Model Bulletin (December 2023). The NAIC's Model Bulletin on the Use of AI Systems by Insurers established principles for AI governance, including vendor oversight. Twenty-four states and the District of Columbia have adopted the bulletin or issued comparable guidance. Four states have adopted AI-specific regulations that go beyond the bulletin. The bulletin is guidance, not law; it sets expectations without creating enforceable requirements.

Phase 2: The AI Evaluation Tool Pilot (March 2026 to September 2026). Twelve states are participating in the pilot: California, Colorado, Connecticut, Florida, Iowa, Louisiana, Maryland, Pennsylvania, Rhode Island, Vermont, Virginia, and Wisconsin. The tool uses a four-exhibit framework that directly implicates vendor AI governance:

  • Exhibit A quantifies the extent of AI system usage across operations, requiring carriers to inventory all AI systems, including vendor-provided ones.
  • Exhibit B documents the insurer's governance risk assessment framework, including how it manages third-party AI dependencies.
  • Exhibit C requires detailed information about high-risk AI systems, covering design, training data, performance, and bias testing. Carriers using vendor AI must answer these questions about vendor models; they cannot punt accountability to the vendor.
  • Exhibit D covers AI data details, including a new field for "Reasonable Accommodations or Policy Modifications."

The pilot is being deployed in market conduct exams, financial exams, financial analyses, and general regulatory inquiries. Monthly coordination calls among participating states ensure consistent application. Tool updates are planned for September and October 2026, with adoption expected at the NAIC Fall National Meeting in November 2026.

Phase 3: The Third-Party Data and Model Vendor Framework. The NAIC narrowed the framework's scope at the Spring 2026 meeting to cover "third-party vendors of data and models used in pricing and underwriting functions." Twenty-three comment letters were received during the exposure period, and several open questions remain: whether vendor registration will be mandatory or voluntary, whether the framework will evolve into a formal model law, and whether the proposed NAIC registry will function as a centralized database comparable to the NAIC Quarterly Listing of Alien Insurers.

Crowell & Moring's analysis of the Spring 2026 developments identified five operational requirements the framework is expected to mandate: inventory of all AI systems operated by third-party vendors, audit rights in vendor agreements, cooperation obligations for regulatory inquiries, data governance terms, and recurring risk assessments ensuring AI systems comply with anti-discrimination and consumer protection laws.

Industry pushback has been significant. Trade groups filed a joint letter on December 5, 2025, raising five objections: the pilot is "one-sided, voluntary for regulators while compulsory for companies"; the pilot lacks a defined duration; the tool can be deployed in both financial and market conduct examinations; companies can be "penalized for any 'negative' findings based on the data gathered"; and the pilot may begin before the final version of the tool is exposed for comments. Iowa Insurance Commissioner Doug Ommen responded that refinements would follow the pilot's conclusion, but the objections underscore the industry's discomfort with structured vendor AI oversight.

Cross-Survey Benchmarking: The 68/18 Gap in Context

The AM Best vendor risk data gains additional significance when benchmarked against other 2026 surveys that measure adjacent governance dimensions.

Survey                         | Sample                 | Key Finding                                                  | Vendor Risk Implication
-------------------------------|------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------
AM Best (Nov 2025)             | ~150 carriers/MGAs     | 68% use third-party AI; 18% flag vendor risk                 | 50-point vendor governance gap
Grant Thornton (Feb-Mar 2026)  | 100 insurance execs    | 52% claim AI revenue growth; 24% audit-ready                 | If 68% of AI is vendor-built, audit readiness must cover vendor models
IA Capital (2026)              | Carrier AI stacks      | OpenAI appears in 90%+ of carrier AI stacks                  | Concentration risk multiplies vendor risk; single-vendor failure cascades
Datos Insights / ILTF (2026)   | 61% carrier production | 82% adoption rate; 7% at full scale                          | Scale-up phase will expose vendor governance gaps during examination

The Grant Thornton finding that 68% of insurance respondents say AI controls exist but evidence is "fragmented across teams and tools" directly parallels the vendor risk problem. When controls for vendor-built models are scattered between procurement files, IT security reviews, and actuarial validation records, no single process aggregates that evidence into a form a regulator can examine. The fragmentation is structural, not accidental: most carriers manage vendor AI through procurement workflows that were designed for software licensing, not model risk governance.

The IA Capital data showing OpenAI's presence in more than 90% of carrier AI stacks adds a concentration dimension. Vendor risk is not just about individual vendor models performing poorly. It is about systemic correlated risk from a single upstream provider. If OpenAI modifies its base models in ways that affect insurance-specific fine-tuning, every carrier using those models could experience simultaneous performance shifts. This is the vendor equivalent of catastrophe correlation, and the 18% awareness figure suggests almost no carrier is modeling it.

What Vendor AI Governance Failures Look Like in Practice

The governance gap described by the 68/18 data is not hypothetical. Several high-profile cases illustrate what happens when regulated entities rely on vendor-built AI without adequate oversight frameworks.

UnitedHealth and the nH Predict algorithm. naviHealth's nH Predict algorithm, used in Medicare Advantage claims decisions (naviHealth has been a UnitedHealth Group subsidiary since its 2020 acquisition), routinely overrode physicians' recommendations for post-acute care length of stay. A STAT investigation found that UnitedHealth pressured employees to keep patient rehabilitation stays within 1% of the algorithm's predictions. When patients appealed denials to federal administrative law judges, approximately 90% of the denials were reversed, but only about 0.2% of policyholders actually filed appeals. In March 2026, U.S. District Judge John R. Tunheim ordered UnitedHealth to produce internal documents about the algorithm's design and function, including records from the naviHealth acquisition that linked cost savings to AI use. The case illustrates how an acquired, externally built algorithm, deployed without independent validation by the carrier, can produce systematic harm that persists because the appeals process is inadequate as a detection mechanism.

Cigna and the PxDx algorithm. ProPublica reported that Cigna's PxDx system was used to deny more than 300,000 claims in a two-month period, with physician review averaging approximately 1.2 seconds per claim. Patients filed class action litigation alleging bulk automated denials without meaningful human review. Whether or not PxDx technically qualifies as AI, the operational dynamic is identical to vendor model risk: a system making high-volume decisions without the governance infrastructure to detect and correct systematic errors.

Mobley v. Workday and vendor liability precedent. In July 2024, a federal court allowed a discrimination lawsuit to proceed against Workday as an "agent" of companies using its automated screening tools, the first application of agency theory to hold an AI vendor directly liable. In May 2025 the court conditionally certified a nationwide collective covering applicants over age 40 rejected through Workday's screening. Jones Walker's analysis of standard vendor contracts found that 88% of AI vendors impose liability caps on themselves, and only 17% provide warranties for regulatory compliance. Broad indemnification clauses routinely require the customer, not the vendor, to defend against discrimination claims. For carriers, this means vendor AI contracts may not provide the liability protection that procurement teams assume they do.

Building a Carrier Third-Party AI Governance Framework

The transition from treating vendor AI as a procurement decision to managing it as a governance obligation requires specific operational changes. Based on the NAIC's emerging requirements, the SR 11-7 principles, and the failure patterns documented in recent litigation, a carrier framework for third-party AI governance should include six components.

1. Contractual audit rights. Vendor agreements must include the carrier's right to audit model performance, training data composition, and model update history. This is the most basic requirement and the one most frequently absent from current contracts. Audit rights should extend to regulators as well, giving examiners the ability to request vendor documentation through the carrier.

2. Model change control protocols. The carrier must know when a vendor model changes, what changed, and why. This requires contractual commitments to pre-notification of material model updates, version control documentation, and the carrier's right to reject or delay updates that affect regulated functions. Without change control, the model the carrier validated during onboarding may bear no resemblance to the model running in production six months later.

3. Incident reporting requirements. Vendors should be contractually obligated to report performance anomalies, data breaches affecting training data, and material accuracy degradations within defined timeframes. The carrier cannot manage risk it does not know about, and vendor self-reporting is the first line of detection for model failures that the carrier's internal monitoring may not catch.

4. Data-use limitations and transparency. Carrier data shared with vendors for model training, calibration, or performance monitoring must be subject to explicit use limitations. Carriers should know whether their policyholder data is being used to train models that benefit competitors, and vendors should be required to disclose data aggregation practices that could affect model performance on the carrier's specific book.

5. Ongoing performance monitoring. The carrier must independently monitor vendor model performance against its own book, not just rely on vendor-provided performance metrics. This means maintaining internal benchmarks, tracking prediction accuracy over time, and comparing vendor model outputs against actuarial expectations. The monitoring infrastructure does not need to replicate the vendor's model. It needs to detect when the model's behavior changes in ways that affect the carrier's risk profile or regulatory obligations.

6. Regulatory examination readiness. With the NAIC's Exhibit C framework requiring carriers to provide detailed information about high-risk AI systems, including vendor-built ones, carriers need a documentation system that can produce vendor model information on demand. This means maintaining current records of model methodology summaries, training data descriptions, performance metrics, bias testing results, and model change histories, even when those records must be obtained from the vendor through contractual audit rights.
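The drift, undisclosed-retraining and opaque-update failure modes described earlier, and components 2 and 5 above, all reduce to one operational question: can the carrier tell, from its own side of the contract, that the model in production is no longer the model it validated? The following is an added example, not code from AM Best, the NAIC, or any vendor, showing three checks a carrier can run without access to the vendor's internals. It assumes the vendor exposes a scoring endpoint the carrier can call against a frozen reference set (here the vendor is stood in for by two constructed functions, `vendor_v1` and `vendor_v2`), and the PSI and actual-to-expected thresholds are common rules of thumb, not regulatory values. All data is constructed with a fixed seed.

```python
"""Carrier-side monitoring of a vendor-built scoring model (added example).

The carrier cannot see inside the vendor's training pipeline, so every check
uses only what the carrier controls: a frozen reference ("golden") set it
re-scores on a schedule, and the vendor's scores plus realized outcomes on its
own book. vendor_v1/vendor_v2 are constructed stand-ins for the vendor API.
"""
import hashlib
import math
import random


# ---- Check 1: golden-set fingerprint catches silent model updates ----------

def golden_fingerprint(scores, precision=4):
    """SHA-256 over the vendor's rounded scores for the frozen reference records.

    Rounding absorbs floating-point noise between API calls; any change larger
    than the rounding unit changes the digest, whatever version string the
    vendor reports.
    """
    canon = ",".join(f"{s:.{precision}f}" for s in scores)
    return hashlib.sha256(canon.encode()).hexdigest()


# ---- Check 2: population stability index on the carrier's live book --------

def psi(baseline, current, bins=10, eps=1e-6):
    """Population Stability Index of `current` scores relative to `baseline`.

    Bin edges are baseline quantiles, so each baseline bin holds ~1/bins of the
    mass. Rule of thumb: < 0.10 stable, 0.10-0.25 investigate, > 0.25 material
    shift in what the model is producing on this book.
    """
    srt = sorted(baseline)
    edges = [srt[i * len(srt) // bins] for i in range(1, bins)]

    def share(xs):
        counts = [0] * bins
        for x in xs:
            counts[sum(1 for e in edges if x > e)] += 1  # index 0..bins-1
        return [max(c / len(xs), eps) for c in counts]

    b, c = share(baseline), share(current)
    return sum((ci - bi) * math.log(ci / bi) for bi, ci in zip(b, c))


# ---- Check 3: actual-to-expected against the carrier's own outcomes --------

def actual_to_expected(scores, outcomes):
    """Realized event count divided by the count the vendor model predicted."""
    return sum(outcomes) / sum(scores)


def review_vendor_model(golden_baseline, golden_now, book_baseline, book_now,
                        book_outcomes, psi_limit=0.25, ae_band=(0.9, 1.1)):
    """Run all three checks and return the findings as a dict."""
    f = {
        "golden_set_changed": golden_fingerprint(golden_baseline)
                              != golden_fingerprint(golden_now),
        "psi": psi(book_baseline, book_now),
        "actual_to_expected": actual_to_expected(book_now, book_outcomes),
    }
    f["psi_breach"] = f["psi"] > psi_limit
    f["calibration_breach"] = not (ae_band[0] <= f["actual_to_expected"] <= ae_band[1])
    f["escalate"] = f["golden_set_changed"] or f["psi_breach"] or f["calibration_breach"]
    return f


# ---- Constructed vendor stand-ins and scenario -----------------------------

def vendor_v1(true_risk):
    """Constructed: the model validated at onboarding, well calibrated."""
    return list(true_risk)


def vendor_v2(true_risk):
    """Constructed: a silently retrained model that over-predicts ~50% here."""
    return [min(1.0, 1.5 * r) for r in true_risk]


def run_scenario(updated, seed=7, n=5000):
    """Period-0 book scored at onboarding, period-1 book scored now, with or
    without an undisclosed vendor update in between. Data is constructed."""
    rng = random.Random(seed)
    risk0 = [rng.betavariate(2, 5) for _ in range(n)]      # true propensities, period 0
    risk1 = [rng.betavariate(2, 5) for _ in range(n)]      # period 1, same population
    golden = [rng.betavariate(2, 5) for _ in range(200)]   # frozen reference records
    outcomes1 = [1 if rng.random() < r else 0 for r in risk1]  # realized claims
    model_now = vendor_v2 if updated else vendor_v1
    return review_vendor_model(
        golden_baseline=vendor_v1(golden), golden_now=model_now(golden),
        book_baseline=vendor_v1(risk0), book_now=model_now(risk1),
        book_outcomes=outcomes1)


if __name__ == "__main__":
    for updated in (False, True):
        print("undisclosed update:", updated, run_scenario(updated))
```

The golden-set digest is the check that survives a vendor who reports the same version string after retraining: it only needs a few hundred fixed records and a scheduled re-score. PSI and actual-to-expected are then the evidence an examiner can read under Exhibit C without the vendor's cooperation, because both are computed from the carrier's own scores and claims.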

Why This Matters for Actuaries

The 68/18 gap is not solely a compliance or IT governance problem. It has direct implications for actuarial practice in at least four areas.

Model validation under ASOP No. 56. Actuarial Standard of Practice No. 56 on modeling requires actuaries to understand and document the models they rely on for actuarial work. When a vendor-built AI model feeds into pricing, reserving, or underwriting decisions that an actuary signs off on, the actuary's ASOP 56 obligations do not stop at the vendor's proprietary boundary. The actuary must assess whether the model is appropriate for its intended use, whether its limitations are understood, and whether its outputs are reasonable. The carriers who told Grant Thornton that their AI controls evidence is fragmented are likely producing ASOP 56 compliance gaps that appointed actuaries may not recognize until examination.

Rate filing support. State regulators increasingly expect documentation of AI and predictive model usage in rate filings. When those models are vendor-built, the carrier's ability to explain model methodology, provide sensitivity analyses, and demonstrate that the model does not produce unfairly discriminatory outcomes depends entirely on the level of transparency the vendor contract provides. Carriers without contractual audit rights may find themselves unable to support their own rate filings.

Reserve adequacy. Vendor model drift can affect reserve estimates if the models feeding loss development or claim frequency projections change behavior without the reserving actuary's knowledge. A vendor model that was accurate at the time of adoption may introduce systematic bias over time as it is retrained on different data. The reserving actuary who relies on vendor model outputs without independent performance monitoring is accepting unknown model risk into the reserve estimate.

Appointed actuary responsibilities. The appointed actuary's statement of actuarial opinion covers the adequacy of reserves and the reasonableness of the methods used to establish them. If vendor AI models contribute to those methods, the appointed actuary needs sufficient understanding of and access to those models to form an independent opinion. The 68/18 gap suggests that most carriers have not established the information flows necessary for appointed actuaries to fulfill this responsibility with respect to vendor AI.

The Timeline: What Carriers Should Prepare For

The regulatory trajectory suggests the following timeline for vendor AI governance requirements becoming enforceable:

  • July 2026: Colorado's AI Act compliance deadline for insurance, the first state-level enforcement milestone, which includes vendor AI obligations.
  • September 2026: NAIC AI Evaluation Tool pilot concludes. Results inform tool refinements.
  • November 2026: NAIC Fall National Meeting expected to adopt the refined evaluation tool and advance the Third-Party Vendor Framework.
  • 2027 and beyond: Potential transition from NAIC Model Bulletin to model law status, which would create enforceable requirements in adopting states. The Third-Party Vendor Framework could introduce registration requirements, contractual mandates, and documentation standards for AI vendors serving the insurance industry.

Carriers that build vendor AI governance infrastructure now are positioning for compliance before it becomes mandatory. Carriers that wait for enforceable requirements will face compressed timelines, examination findings, and the operational disruption of retrofitting governance onto vendor relationships that were structured without it.
