NAIC Third-Party AI Framework Keeps Carrier Accountability: What Actuaries Must Build Before State Adoption

At its March 23, 2026 Spring National Meeting, the NAIC's Third-Party Data and Models (H) Working Group held firm on one provision despite objections from 23 comment-letter authors: insurer accountability for AI-driven consumer decisions does not transfer to a registered vendor (NAIC Spring 2026 National Meeting Materials, March 2026). A carrier that uses a Verisk pricing model in a way that produces biased outcomes is still the responsible party. That single clause turns what looks like a vendor compliance exercise into a carrier actuarial governance obligation.

The broader proposal, first exposed in December 2025 with a 60-day comment period closing February 6, 2026, would require third-party data and model vendors to register with state insurance departments before carriers can use their products in consumer-facing pricing and underwriting functions. The prior actuary.info article on this topic, NAIC Proposes Third-Party AI Vendor Registry for Insurers, traced the registry structure and industry opposition. This article focuses on a different question: given that carriers remain accountable regardless of vendor registration, what processes must actuarial teams build to independently validate and audit models they did not construct?

The Accountability Clause and What It Requires of Carriers

The Working Group's accountability-nontransfer language traces directly to the 2023 NAIC AI Model Bulletin, which by early 2026 had been adopted by more than 25 states, and requires carriers to apply the same governance rigor to third-party models as to internally developed ones (NAIC Model Bulletin Adoption Tracker, 2026). The Third-Party Data and Model Regulatory Framework does not soften that standard; it adds a new regulatory surface by requiring vendors to register, but it explicitly states that registration does not redistribute liability from carrier to vendor.

State insurance departments have confirmed the logic. "Registration is intended to provide regulators with information they need from third parties without requiring each party to undergo an extensive licensure process," the Working Group stated in its framework materials (NAIC, March 2026). The registry tells regulators who is selling models and what governance those vendors maintain. Whether a carrier's deployment of those models produces fair, accurate outcomes for its specific policyholders remains the carrier's problem.

The practical consequence is that examiners now have two independent information sources to cross-reference: the vendor's registry filing and the carrier's internal governance documentation. State examiners routinely review two to three years of lookback documentation in AI governance examinations (swept.ai, 2026). A carrier whose internal file consists of vendor marketing materials, rather than its own independent validation record, will have no defense when examiners notice the discrepancy between what the vendor attested to and what the carrier can demonstrate it independently verified.

The Five Documentation Requirements, Translated to Carrier Obligations

The framework defines five categories of documentation that vendors must submit at registration: model purpose and intended use; training data sources and date ranges; bias testing methodology; known limitations; and change management practices (NAIC Third-Party Data and Model Regulatory Framework, March 2026). Each category defines what a vendor must disclose. It also defines, by implication, what an actuarial team at a carrier must independently assess against its own book of business.

Purpose and intended use. Vendors write purpose statements for a general market. A vendor-supplied personal auto pricing model might document its intended use as "risk stratification for standard auto insurers in ISO member states." A carrier deploying that model in a nonstandard or specialty segment, or concentrating it on a regionally skewed portfolio, faces an intended-use mismatch that the registry filing will not resolve. The actuarial team must assess and document whether the stated purpose aligns with the carrier's specific deployment context, and flag any gap.

Training data sources and date ranges. A typical vendor disclosure reads: "trained on personal auto loss data from ISO member companies, years 2015 through 2023." That disclosure carries real information about what the model can and cannot do. It raises three actuarial questions the registry filing does not answer: How does the training data's geographic and demographic distribution compare to the carrier's own book? If the training vintage ends in 2023, does the model adequately capture post-pandemic frequency and severity patterns? For a carrier writing a state-specific or specialty book, does the multi-state, multi-company training cohort produce a model that generalizes reliably to that portfolio? Model validation work at the carrier level requires at least a structured comparison of vendor-disclosed data characteristics against the carrier's own portfolio characteristics, with documented conclusions about any gaps.

Bias testing methodology. This is the category most directly tied to the accountability clause. A vendor that documents completion of bias testing against a set of protected class proxy variables has met its registry obligation. It has not demonstrated that the model produces non-biased outcomes in the carrier's specific deployment context. Disparate impact depends on the population being scored: a model that passes national-cohort bias testing can fail at a carrier whose geographic or demographic concentration produces materially different input distributions. Independent bias testing on the carrier's own policyholder data, or at minimum a documented review of whether the vendor's testing methodology addresses the carrier's specific exposure profile, is the actuarial implication of accountability nontransfer.

Known limitations. Vendor-disclosed limitations follow the same incentive structure as any self-reported document: vendors minimize apparent scope. The actuarial standard is not to accept the vendor's list but to assess whether the disclosed limitations are material to the specific use case. A limitation described as "reduced accuracy in high-theft ZIP codes" is material for a carrier writing urban personal auto at scale. For a rural specialty carrier, it may be immaterial. The carrier's actuarial file needs to document that assessment explicitly, not just cross-reference the vendor's disclosure.

Change management practices. Vendor model updates introduce a persistent governance gap at carriers. When a vendor pushes a sub-major update to a deployed pricing or underwriting model, the carrier's rating plan or risk selection behavior can change without any internal action by the carrier. Annual contract renewals and major version releases are standard review triggers, but minor updates and recalibrations can introduce material changes in model behavior that fall below those thresholds. The registry's change management requirement signals that regulators will hold carriers accountable for staying current on vendor changes, not just for the initial deployment decision.

Scope: Pricing and Underwriting as the First Registration Perimeter

One structural change emerged from the March 23 session: the Working Group reached consensus to narrow the framework's initial scope from six covered functions to two. Pricing and underwriting are in; claims handling, utilization review, marketing, and fraud detection are deferred to a subsequent phase (NAIC Spring 2026 National Meeting Materials, March 23, 2026). The narrowing was a direct response to industry objections that definitions of "data," "model," "third-party vendor," and "direct consumer impact" were too broad in the December 2025 draft.

The scope reduction matters for compliance sequencing. Carriers can concentrate vendor AI governance work on their pricing and underwriting model inventory rather than building simultaneously across the full value chain. Models used in claims triage, reserve estimation, and fraud detection remain outside the initial registration requirement, though the 2023 Model Bulletin's governance expectations continue to apply to them independently.

The narrowing also captures the highest-concentration segment of the vendor market. Pricing and underwriting are where the most systemically consequential third-party AI models currently sit. ISO loss cost and classification systems from Verisk underpin rate filings at hundreds of carriers across personal and commercial lines simultaneously. A single vendor update to an ISO loss cost model propagates across dozens of carrier rate plans in the same filing cycle. That cross-carrier concentration is precisely the systemic risk factor that motivated the registry concept: individual carrier examinations cannot detect it, but a registry can.

Contract Rights at Vendor Renewal

The accountability clause reshapes the leverage dynamic at vendor contract renewal. A carrier cannot maintain an independent validation record for a vendor model unless it holds contractual rights to the documentation needed to perform that validation. Examiners who find that a carrier's vendor governance file is built on marketing summaries rather than technical documentation will not accept "the vendor did not share it" as a compliance defense.

The documentation a carrier's actuarial team needs at minimum: access to the training data provenance disclosure (source institutions, vintage, geographic scope, line-of-business composition); the bias testing results by protected class proxy, not just a certification that testing was performed; model performance metrics on hold-out samples comparable to the carrier's specific book; version history for the current deployment and the prior two versions; and a notification commitment for future updates with defined lead time before production deployment.

For major vendors, some version of this documentation already exists internally. Verisk's Synergy Studio platform, launched in 2026, is designed to let carriers integrate their own data with Verisk datasets in ways that produce auditable, carrier-specific model performance records. EXL's enterprise governance architecture, reflected in its patent filings, includes a Governance Hub component built for compliance workflows. But documentation held within a vendor's internal systems is not the same as a carrier having contractual access to that documentation on demand. The contractual access provision is what most standard vendor agreements currently lack, and the contract renewal cycle is the window to fix it.

Carriers renewing pricing or underwriting model agreements with Verisk, Guidewire, or EXL in 2026 should treat the Spring 2026 draft as the effective compliance specification and negotiate the documentation-access requirements into the renewed contract. Once the framework reaches first state adoption in late 2026 or early 2027, carriers in those states will face immediate examination exposure on vendor AI governance. Contracts signed after adoption without documentation-access provisions will be structurally deficient from the first examination cycle.

Three Capabilities Actuarial Teams Need Before Adoption

Three practical capabilities need to be in place before state adoption begins. None requires building a full model risk management function from scratch.

A vendor model inventory with governance status. The inventory maps every third-party model deployed in pricing and underwriting to its vendor, its current version, its most recent independent validation date, the documentation held by the carrier, and any known limitations that have been assessed against the carrier's specific book. Most carriers maintain informal inventories of the models in production. Very few have the governance-status column: the record of what independent assessment has been performed, by whom, and when. That column is what makes an inventory useful for examination preparation. It is also the column that examiners will ask to see first.

A carrier-side bias monitoring program for vendor models. The vendor's annual attestation to the registry confirms that the vendor conducted bias testing. It does not confirm that the model produces unbiased outcomes in the carrier's deployment. Carriers need at minimum a periodic review process, running on the same cadence as internal model monitoring, that checks vendor model outputs for disparate impact against the carrier's own policyholder data. The process does not need to replicate the vendor's methodology in full. It does need to exist, produce documented results, and be signed off by a named accountable person in the carrier's governance structure.

A change management trigger list for every vendor model in scope. Every pricing and underwriting model supplied by a third party should have a defined set of conditions that automatically trigger a formal re-validation review: major version releases, changes to training data vintage, changes to the input variable set, any vendor-disclosed change to model architecture, and any carrier-side change to how the model's outputs are used in the rating plan or underwriting rules. Without a trigger list, version updates flow silently into production and the carrier's validation record becomes stale without anyone noticing. Examiners reviewing a two-to-three-year lookback will cross-reference the vendor's version history against the carrier's validation dates; gaps without documented rationale are a finding.

Why the Compliance Timeline Is Tighter Than It Appears

The framework's published timeline runs from Q3 2026 exposure to consideration at the November 2026 Fall Meeting, with first state implementations in late 2026 or early 2027 (NAIC, March 2026). That cadence gives carriers roughly six to twelve months before regulatory exposure begins in the first adopting states. Six months is enough time to build a vendor model inventory, negotiate documentation-access language into upcoming contract renewals, and stand up a rudimentary bias monitoring program. It is not enough time to do that work reactively, starting only after first-state adoption is announced.

Reviewing NAIC working group sessions from December 2025 through March 2026, the accountability-nontransfer provision produced the most sustained industry pushback of any element in the framework. Twenty-three comment letters raised objections spanning legal authority, operational burden, trade secret exposure, and scope breadth. The Working Group narrowed the scope to pricing and underwriting in response, but it did not modify the accountability clause. That asymmetry in the outcome tells actuaries something specific: the Working Group views vendor registration as a transparency mechanism and carrier accountability as a separate, non-negotiable structural principle. The compliance program actuaries build today will be evaluated against that principle, not against whatever the vendor attests to in its registry filing.

Carriers that treat the Spring 2026 draft as the effective compliance design specification, begin vendor contract negotiations now, and complete their governance inventory before the first adoption wave will be positioned to demonstrate a mature program on a two-to-three-year lookback when examination cycles begin. Carriers that wait for final state-level adoption before starting will be building their compliance records in real time under active examination scrutiny.