NAIC Third-Party Vendor Registry for Insurance AI: What the Model Law Draft Means for Actuaries

The NAIC Third-Party Data and Models Working Group settled on a registry over licensure at its March 23, 2026 Spring National Meeting: vendors file disclosure information and update it on a cadence, regulators cannot approve or deny their right to operate, and signing actuaries retain full professional accountability regardless of a model’s registry status (NAIC TPDM Working Group, March 2026). Three unresolved questions will drive the framework’s Summer 2026 agenda: mandatory versus voluntary, framework versus model law, and whether states have the legal authority to require vendor registration at all.

The Three-Layer Accountability Architecture Most Actuaries Are Only Partially Tracking

The NAIC has been building its AI accountability architecture in three distinct layers. Most carrier actuaries have been tracking the carrier-facing tiers while the vendor-facing tier has advanced in a parallel working group with substantially less industry visibility.

Layer one is the December 2023 Model Bulletin, which required carriers to implement written AI governance programs covering risk management, documentation, third-party oversight, and consumer protection. Twenty-four states and the District of Columbia had adopted the bulletin as of the Spring 2026 meeting (Mayer Brown, April 2026), making it the most widely adopted NAIC AI governance instrument to date. The bulletin governs carriers, not vendors: it requires carriers to conduct due diligence on third-party models they use, but it has no direct mechanism for reaching the vendors who build those models.

Layer two is the evaluation tool pilot now running in 12 states across markets that account for a meaningful share of U.S. personal lines premium. The four-exhibit evaluation tool tests how carriers operationalize their governance programs when submitting predictive models in rate filings. Exhibit C specifically probes the carrier’s documentation of third-party model validation, but the examination subject is the carrier’s documentation, not the vendor’s underlying model governance.

Layer three is what the Third-Party Data and Models (H) Working Group is drafting: a framework that reaches vendors directly. When a carrier actuary certifies a rate indication built on a Verisk loss cost model, a LexisNexis risk score, or a Guidewire pricing output, the actuary is signing off on the result of a commercial process they did not design and cannot fully inspect. The registry is intended to give regulators a window into that process. What it cannot do, by its own explicit terms, is transfer the actuary’s certification responsibility to the vendor.

Registry Over Licensure: Why the Design Choice Shapes Enforcement

The working group’s most consequential decision at the March 23 session was choosing “registry” over “licensure” as the framework’s operative concept. The distinction determines what regulators can actually do to a non-compliant vendor.

A licensure regime allows regulators to approve or deny a vendor’s right to operate, condition market access on meeting technical standards, and revoke access on a finding of non-compliance. That is how state insurance departments regulate carriers: a company cannot write commercial lines in New York without a New York license, and that license can be suspended or revoked. Applied to AI vendors, licensure would give regulators the power to effectively bar a non-compliant platform from the market by denying or revoking registration.

The working group rejected that path. The NAIC documents describe the registry’s purpose as facilitating “transparency between regulators and third-party providers rather than creating a full licensure process” (NAIC TPDM Working Group, March 2026). Vendors file information. Regulators gain visibility. No vendor can be denied market access on the basis of registration non-compliance alone.

This design creates two enforcement gaps the Spring 2026 session did not resolve. First, what happens to a carrier that uses a non-registered vendor after the registry becomes operational? If registration is mandatory, a carrier using an unregistered vendor presumably faces a compliance violation, but that consequence runs against the carrier, not the vendor. Second, what happens to a vendor that files materially false registration information? False filings could expose a vendor to legal liability under general fraud or misrepresentation doctrines, but that remediation runs through courts rather than regulatory proceedings. These two questions will determine how seriously the market treats registration obligations once the framework goes live.

Scope Narrowed to Pricing and Underwriting: What Changed from the Original Proposal

The working group’s Spring 2026 session produced one significant scope decision: the framework’s initial focus was narrowed from six insurance functions to two. The original proposal covered pricing, underwriting, claims handling, utilization review, marketing, and fraud detection. The group reached consensus to limit the first phase to pricing and underwriting only (Mayer Brown, April 2026), acknowledging that applying uniform registration requirements across all six functions would produce a framework too broad to implement with credibility.

The narrowing is significant for actuaries because pricing and underwriting are exactly the functions where actuaries hold primary sign-off responsibility. Claims handling, fraud detection, and utilization review will be added in subsequent phases, but the first compliance cycle will sit squarely within the actuarial certification domain.

The working group adopted a broad entity definition: any nongovernmental entity providing data, models, or outputs for insurance activities. That sweeps in rating agencies, data aggregators, AI platform providers, telematics scoring vendors, aerial imagery services, and the expanding category of insurtech platforms that deliver AI-generated underwriting recommendations. The breadth generated substantial trade secret objections in the comment period: a vendor required to disclose training data sources and date ranges, documented testing methodology including bias testing, known limitations, and change-management practices is disclosing the operational blueprint of a commercial product. Industry commenters specifically challenged “whether confidentiality and trade secret protections would be adequate” (NAIC comment letters, February 2026), and the framework as currently drafted does not fully resolve that concern.

Five Disclosure Requirements in the Current Framework Draft

The framework as currently drafted includes five substantive obligations for registered vendors (NAIC TPDM Working Group framework draft, January 2026):

Vendor registration -- initial enrollment in a centralized NAIC database, with documentation of model purpose, training data provenance, testing methodology, known limitations, and a designated regulatory contact.
Annual attestations -- yearly certifications that filed information remains accurate and that the vendor’s governance practices continue to meet framework requirements.
Regulatory access requirements -- authority for state insurance departments to inspect vendor records and request supplemental documentation when investigating carrier compliance.
Material change notifications -- mandatory disclosure when a vendor substantially modifies a registered model’s architecture, training data, or intended application scope.
State-specific model filings -- at individual state discretion, additional submission requirements beyond the national baseline.

The material change notification requirement creates a direct intersection with actuarial rate-filing practice that the framework has not yet addressed. Carriers build rate indications on specific model versions. When a vendor pushes a material update, altering feature weighting, retraining on a new data window, or adjusting output calibration, the framework requires the vendor to notify regulators. But it does not specify the timeframe, the recipient (the carrier, the state department, or both), or what the carrier’s actuarial certification obligation is once a notified update has been received. That gap sits squarely in the actuary’s lap.

The Accountability Framework Does Not Transfer, and What That Means in Practice

The framework states explicitly that “insurer accountability does not transfer to the registered vendor” (NAIC TPDM Working Group, March 2026). A complementary line from the January 2026 framework exposure draft puts it more bluntly: “insurers are still responsible for carrying the accountability tune” (NAIC framework exposure draft, January 2026). For actuaries, those two sentences are the most consequential language in the entire document.

The accountability architecture in U.S. insurance regulation has always placed the signing actuary at the terminal point of the chain. Whatever models, data, or outputs a carrier uses to construct a rate indication, the actuarial certification attached to the rate filing is the actuary’s professional responsibility. Registry enrollment by a vendor does not alter that structure. A pricing actuary who certifies a rate indication built on a registered Verisk model is not insulated by Verisk’s registration status any more than they would be by a vendor’s ISO certification or SOC 2 attestation.

But registry status may shift litigation dynamics in ways the framework does not address. Consider a scenario where a carrier faces a regulatory challenge or a coverage dispute that implicates model adequacy. Plaintiffs’ counsel or state regulators might argue that using a non-registered vendor, when a registry exists and is accessible, represents a governance failure that contributed to the disputed outcome. Conversely, a carrier might argue that use of a registered vendor demonstrates reasonable diligence. Neither inference is grounded in the framework’s language, but the registry creates a factual marker that future arguments will reference. A registry record is an artifact a regulator can point to in examination; its absence is a gap they can flag.

The practical guidance for actuaries follows directly from the framework’s explicit terms: document vendor governance independently of registry status. Registration in the centralized NAIC database should appear in the carrier’s vendor due diligence file as one input among several, alongside the carrier’s own validation testing, performance monitoring, and change-management procedures. Treating registry enrollment as a substitute for that documentation would misread both the framework’s language and its intended scope.

The Alien Insurer Analogy: What It Reveals About the Registry’s Intended Market Function

The working group’s most revealing design signal was its comparison of the registry to the NAIC Quarterly Listing of Alien Insurers, a centralized database maintained by the NAIC’s International Insurers Department that lists non-U.S.-domiciled nonadmitted insurers that have met NAIC qualification standards (NAIC International Insurers Department). Cedents and brokers use the listing to verify that a nonadmitted reinsurer is eligible for reinsurance credit on Schedule F and Schedule S of the annual statement. State departments accept the listing as a baseline: if a reinsurer appears on it, carriers generally do not face additional scrutiny of that specific credit claim during examination.

The vendor registry is designed to function identically. A carrier using a registered vendor can point to that registry status when a market conduct exam questions its vendor governance documentation. The registry becomes a market baseline, not a vendor performance standard it has cleared. Using this specific analogy was a deliberate choice by the working group, one that signals an intent to build on a tool the industry already trusts and uses operationally rather than creating genuinely new oversight infrastructure.

But the analogy also exposes the framework’s operational limits. The Quarterly Listing of Alien Insurers works because its use case is crisp: it addresses a single annual statement line item (reinsurance credit), the stakes are financial and well-defined, and state departments have a clear examination procedure for using the database. The vendor registry’s use case is less precisely bounded. When a market conduct examiner reviews a carrier’s pricing model adequacy, how exactly does vendor registry status factor into the examination finding? Whether a registered model passed or failed the carrier’s own validation? Whether the carrier received material change notifications and acted on them? The operational procedures for using registry data in examination work have not been developed, and the framework’s effectiveness as a regulatory instrument will depend heavily on how state departments integrate registry information into their standard examination protocols.

The State Authority Question That Could Fragment Adoption

Several industry comments raised a challenge that could materially slow state adoption: whether state insurance departments have legal authority to mandate vendor registration at all. The argument is straightforward. State insurance codes license insurers and insurance-related entities. Verisk is not an insurer. LexisNexis is not an insurer. A telematics scoring platform is not an insurer. If a state’s insurance code does not extend jurisdictional reach to unaffiliated data vendors, the state department may lack authority to enforce registration requirements directly against those vendors.

Commenters specifically challenged “whether state insurance departments have sufficient legal authority to regulate third-party vendors directly, since those vendors are not licensed entities under state insurance codes” (NAIC comment letters, February 2026). This is a practical administrative law question, not an abstract constitutional argument, and it would require either statutory amendments to existing insurance codes or a creative jurisdictional theory to resolve in departments’ favor.

The most workable structural response is indirect regulation: require carriers, who are clearly within the department’s jurisdiction, to use only vendors that have enrolled in the registry, making a vendor’s registration a prerequisite for carrier compliance rather than a direct vendor mandate. That approach avoids the jurisdictional problem, but it changes the framework’s character. Instead of directly requiring Verisk or Guidewire to register, the state requires carriers to ensure their vendors are registered, creating market pressure for enrollment without asserting direct authority over non-licensed entities. Whether that indirect structure is sufficient to drive meaningful vendor compliance, or whether vendors can simply decline to register and continue serving carriers that then bear the compliance burden, is a question the framework’s drafters have not yet resolved.

The jurisdictional answer will also drive which states adopt the framework first and which wait. States with broader insurance code authority, or legislatures willing to amend their codes to extend reach to vendors, will move faster. States where the insurance commissioner’s authority is construed narrowly may wait for court validation or legislative action. The result could be a state-by-state patchwork that mirrors the current Model Bulletin adoption pattern: the 25 adopting jurisdictions move ahead while major commercial markets, New York, California, Texas, and Florida chief among them, deliberate.

Three Open Questions Before the Summer 2026 Meeting

The NAIC Summer National Meeting runs August 11 through 14, 2026 in Columbus. The Third-Party Data and Models Working Group will use that session to address the unresolved questions that emerged from the March 23 meeting: whether registration should be mandatory or voluntary, whether the guidance should take the form of a framework document or a model law for state adoption, and how a centralized NAIC registry would interact with state-level registration requirements that already exist in some jurisdictions (Mayer Brown, April 2026).

The mandatory-versus-voluntary question is the axis the rest of the framework turns on. A voluntary registry where large vendors choose to enroll creates a market signal: carriers using non-enrolled vendors face a heightened documentation burden during market conduct exams, and competitive dynamics push enrollment upward over time without a mandate. A mandatory registry that makes enrollment a condition for carrier compliance with insurance codes raises the jurisdictional questions above more sharply, but also creates a stronger compliance baseline.

The model law question matters because a framework document provides guidance with no enforcement mechanism: departments can use it as an examination reference, but there is no statutory authority behind it. A model law, once adopted by states, creates statutory obligations that departments can enforce against carriers through existing market conduct authority. The 25 jurisdictions that adopted the AI Model Bulletin are the natural early-adopter pool for any model law that follows. Whether major commercial markets join that group will determine whether the vendor registry becomes a national market expectation or a compliance layer in a subset of states.

For actuaries, the monitoring question before the summer meeting is how the drafters resolve the material change notification gap. When a registered vendor updates a model materially, the framework requires notification. But the timeframe, the specific recipient, and the carrier’s certification obligation once a notified update is received remain unspecified. That resolution will determine how the framework interfaces with actuarial rate-filing procedures and how much additional review work actuaries can expect each time a vendor cycles a model version. The three-layer governance architecture the NAIC has been building since 2023 is converging on exactly the point where actuarial sign-off meets vendor black box. The vendor registry is the instrument the NAIC is building to make that intersection visible to regulators. Whether it also makes it safer for actuaries to navigate is a different question, and the framework as currently drafted answers it only in the negative.