The National Council of Insurance Legislators shelved its AI model act in March 2026 after its own sponsor concluded the votes weren’t there, leaving carriers to navigate AI compliance across four mismatched regimes at once: 24 states plus D.C. that adopted the NAIC Model Bulletin, states with no AI-specific guidance at all, states running their own statutes (Colorado, Illinois), and EU AI Act exposure for carriers with European-facing operations.

Reviewing AI governance documentation carriers have submitted to regulators across eight states this year, the packages built to satisfy Colorado’s disclosure regime do not automatically satisfy the NAIC Model Bulletin’s governance-program requirements, and neither one addresses what the NAIC’s own AI Systems Evaluation Tool is actually probing for in its 12-state pilot. That gap is not a documentation nuisance. It is the compliance architecture problem facing every appointed actuary and chief actuary whose sign-off now functions as a certification against overlapping, non-identical legal standards with different enforcement clocks.

Why NCOIL Couldn’t Get to Yes

NCOIL sponsor Erik Dilan introduced a model act on insurers’ use of AI to the Financial Services and Multi-Lines Issues Committee, built around a core requirement: a "qualified human professional" must make final claims and underwriting decisions, insurers must maintain action records, and consumers must be told when AI touched their outcome. At the March 2026 meeting, Dilan told the committee it had become clear that reaching the consensus needed to adopt the model was unlikely, and the group paused development rather than force a vote it would lose (Repairer Driven News, March 2026).

The three-way split was structural, not cosmetic. Insurers argued the human-final-decision requirement would slow straight-through claims processing that carriers have spent two years building. Consumer advocates argued the draft's disclosure language was too easy to satisfy with boilerplate. Legislators from states that had already adopted the NAIC Model Bulletin questioned whether a separate NCOIL model would create yet another layer for carriers to reconcile against, rather than one they could adopt in place of existing guidance. Instead of the model act, the Joint State-Federal Relations and International Insurance Issues Committee advanced a resolution favoring state-based AI oversight over federal preemption, a narrower and less controversial ask that could clear the room. The practical result: NCOIL, the body best positioned to produce a single, adoptable legislative template that states could pass instead of layering statutes on top of the NAIC bulletin, is not going to produce one in 2026. States are left to write their own.

The Four Regimes an Actuary Signs Against

With no NCOIL alternative, the compliance landscape a multi-state carrier's actuarial and compliance functions must satisfy simultaneously breaks into four distinct regimes, each with its own legal basis, documentation format, and enforcement mechanism.

Regime Legal Basis Core Requirement Enforcement Path
NAIC Model Bulletin adopters State regulatory bulletin, 24 states + D.C. Written AI governance program: risk management, documentation, third-party oversight Market conduct exam, financial exam
Non-adopter states No AI-specific guidance General unfair trade practices and rating statutes only Case-by-case, existing rate/claims review
Independent state statutes Colorado SB 26-189; Illinois AI Systems Use in Health Insurance Act Consumer notice and disclosure when AI drives a consequential decision State AG (Colorado) or Dept. of Insurance (Illinois), private right of action varies
EU AI Act exposure EU Regulation 2024/1689, Annex III high-risk systems Conformity assessment, technical documentation, human oversight design EU market surveillance authorities, fines up to 7% of global turnover

The four regimes do not nest inside one another. Twenty-four states plus D.C. have adopted the NAIC Model Bulletin (NAIC, as of Spring 2026), and four states have layered their own insurance-specific AI regulation on top of it (Mayer Brown, April 2026). Colorado is one of those four, but Colorado itself changed shape mid-year: Governor Polis signed SB 26-189 on May 14, 2026, replacing the original algorithmic-discrimination duty (which would have required insurers to actively test for and prevent unfair bias) with a narrower notice-and-disclosure regime that gives consumers 30 days of explanation after an adverse automated decision (Mintz, June 2026). A carrier that spent 18 months building bias-testing infrastructure to satisfy the version of Colorado law that existed in early 2025 built the wrong artifact.

Illinois runs a parallel but different statute: the Artificial Intelligence Systems Use in Health Insurance Act puts the Department of Insurance in charge of reviewing how carriers use AI to make or support adverse determinations, and it bars insurers from denying, reducing, or terminating benefits based solely on an AI system's output (National Law Review, 2026). That "solely" standard has no direct analog in either the NAIC bulletin or Colorado's disclosure rule, meaning documentation built to satisfy one does not automatically demonstrate compliance with the other. For carriers with any European book, whether direct writing, reinsurance cessions, or EU-domiciled subsidiaries, high-risk AI systems under Annex III of the EU AI Act face conformity-assessment and technical-documentation duties with an August 2, 2026 enforcement date, a fourth standard layered on top (see our analysis of the EU AI Act's compliance-actuary implications).

The Federal Preemption Fight Nobody Has Resolved

The federal layer is where the most consequential uncertainty sits, and it is more tangled than a single bill. Senator Cruz's proposed 10-year moratorium on state AI enforcement was stripped from the reconciliation package that became the One Big Beautiful Bill Act in a 99-1 Senate vote in July 2025, killing that specific vehicle. But the preemption push did not die with it. On December 11, 2025, the administration signed Executive Order 14365, "Ensuring a National Policy Framework for Artificial Intelligence," asserting federal authority over AI regulation broadly enough that, per legal analysis, it could reach "routine analytical tools insurers use every day," not just generative AI (Swept AI, 2026). The NAIC opposed the order within days, formally asking the administration to "reconsider this Executive Order and, at a minimum, affirm state regulation of AI in the business of insurance" (NAIC, December 2025), warning the order "introduces legal uncertainty, which may weaken the insurance market by delaying business decisions, deterring investment, and postponing essential consumer protections."

Congress has since produced competing legislative attempts to codify some version of preemption: the bipartisan Great American AI Act (Reps. Obernolte and Trahan, introduced June 2026) would preempt state regulation targeting AI model development specifically, but only for three years and only for development-stage rules, leaving states' general-applicability laws, including most insurance rating and claims statutes, untouched; a competing and broader TRUMP AMERICA AI Act (Sen. Blackburn, March 2026) seeks a wider preemption sweep (Washington Legal Foundation, June 2026). Neither has passed. McCarran-Ferguson's reverse-preemption doctrine, which has shielded state insurance regulation from generally applicable federal statutes since 1945, is not explicitly addressed in EO 14365, and carriers' counsel are expected to argue it should still control. Until a court or Congress resolves that question, carriers operate under both regimes simultaneously, with the NAIC AI Systems Evaluation Tool pilot, Q3 2026 state filing deadlines, and existing bulletin attestations all continuing on their current schedules regardless of the federal fight's outcome.

The Compliance Investment Cliff

This is where the practical risk to actuarial and compliance budgets concentrates. Carriers spent 2024 through 2026 building state-specific AI governance infrastructure: bias-testing pipelines for Colorado's original algorithmic-discrimination duty, adverse-determination review workflows for Illinois, Exhibit B and C narratives for the NAIC bulletin. If a future preemption bill passes with even the narrower three-year, development-stage scope of the Great American AI Act, some of that state-specific documentation becomes legally unnecessary in the states it preempts, while carriers still cannot risk non-compliance today on the chance a bill that hasn't cleared committee eventually does. The rational actuarial response is not to bet on preemption. It is to build documentation that satisfies the strictest applicable regime in each line of business, since that documentation is also the version most likely to remain defensible if the federal picture consolidates around a narrower standard rather than a broad one.

What the NAIC Evaluation Tool Actually Tests

Separate from the legislative fights, the NAIC's own examination instrument is advancing on a fixed schedule that does not wait for Congress or NCOIL. The AI Systems Evaluation Tool pilot launched March 2, 2026, across 12 states (California, Colorado, Connecticut, Florida, Iowa, Louisiana, Maryland, Pennsylvania, Rhode Island, Vermont, Virginia, and Wisconsin) and runs through September 2026, with regulators updating the tool based on pilot feedback in September and October and formal adoption expected at the Fall 2026 National Meeting in November (Fenwick, 2026). Unlike the bulletin, which asks for a governance narrative, the evaluation tool is a structured examiner questionnaire built to be scored, and it is explicitly designed to feed into market conduct and financial examinations rather than sit as a standalone filing.

The tool's four exhibits target different failure points than either the bulletin or the state statutes:

  • Exhibit A inventories every AI system in production, complaint volume tied to each, and forward deployment plans, giving examiners a baseline count before they ask a single governance question.
  • Exhibit B scores the governance and risk-management framework itself, in both narrative and checklist form, testing whether the program described in a Model Bulletin attestation actually operates as documented.
  • Exhibit C drills into specific high-risk systems (claims decisions, underwriting, pricing, fraud detection), requiring model design detail, training data description, validation procedures, and bias-testing results for each one individually rather than at the program level.
  • Exhibit D examines data provenance and quality controls, with particular attention to whether rating variables function as proxies for race or ethnicity, including scrutiny of social media and aerial-imagery data sources.

Exhibit C is the piece that most exposes the gap between a governance checklist and an actuarial validation file. A carrier can have a Model Bulletin-compliant governance program on paper, complete with a designated AI officer and a documented risk framework, and still fail Exhibit C if the underlying pricing model's validation file lacks per-model bias-testing results and specific training-data lineage. That is a different bar than "does a governance program exist," and it is the bar that determines whether a market conduct exam flags the carrier for a corrective action plan. Carriers treating the evaluation tool as a compliance-checklist exercise rather than a regulatory audit of their actual model validation files are underestimating what a scored exam requires.

A Minimum Viable Compliance Architecture

Building four separate documentation sets for four regimes is not a defensible use of actuarial or compliance staff time, and it is not necessary. A single documentation architecture, built once and reused across jurisdictions, can satisfy the overlapping requirements if it is structured around the strictest common elements rather than the lowest common denominator of any one regime. In practice, that means every high-risk model (claims triage, underwriting, pricing, fraud detection) needs a per-model file, not a program-level narrative, since Exhibit C and Illinois's adverse-determination standard both require model-specific evidence that a program-level Model Bulletin attestation does not provide. Bias-testing results need to be run and documented at a level of specificity that would satisfy Colorado's original algorithmic-discrimination standard even though the current SB 26-189 no longer requires it, because that evidentiary depth is also what Exhibit C and the EU AI Act's Annex III technical documentation demand, and testing to the lower current Colorado bar risks falling short if the evaluation tool's Exhibit C becomes the de facto national standard after Fall 2026 adoption. Data lineage documentation needs to trace each rating variable to its source and flag any variable correlated with protected class membership, since this single artifact answers Exhibit D, the EU AI Act's data governance requirements, and any state proxy-discrimination inquiry simultaneously. Consumer-facing disclosure language needs to be modular by jurisdiction (Colorado's 30-day post-decision explanation differs from Illinois's "not solely" standard) but built on a shared internal decision-log that captures what the model output, what a human reviewed, and what the final action was, since that decision-log is the artifact every regime's investigators ultimately ask for regardless of which statute they're enforcing.

This architecture does not eliminate jurisdiction-specific work. It reduces the marginal cost of each additional state or regime to a thinner customization layer on top of a validation file that already meets the strictest test in the set, rather than a full rebuild.

What This Means for Actuarial Sign-Off

For actuaries certifying rate filings or reserve opinions built on AI-assisted outputs, the model documentation package is no longer a single artifact reviewed once against one standard. It is a compliance object that multiple overlapping authorities, with different enforcement timelines and different substantive tests, can each independently examine. A pricing actuary who signs a rate indication generated with AI-assisted risk scoring is certifying against the NAIC Model Bulletin's governance requirements in bulletin-adopter states, against Exhibit C's per-model evidentiary standard if the carrier operates in a pilot state, against Colorado's or Illinois's specific statutory language if the business is written there, and potentially against EU AI Act conformity requirements if the exposure touches European risk. None of these regimes has deferred to the others, and NCOIL's stall means none will be harmonized by a single adoptable state model in the near term.

The practical discipline this demands is documenting the model, not the regime. A validation file built to explain what the model does, what data trained it, how it was tested for bias, and where a human reviews its output will satisfy most of what any of the four regimes asks, because all four are variations on the same underlying question: can the carrier show it understood and controlled what the AI system did. Actuaries who build to that standard, rather than to whichever single regime happens to apply in their primary state, will be better positioned whether the Fall 2026 evaluation tool adoption raises the bar nationally, a future preemption bill narrows the state landscape, or neither happens and the current four-regime patchwork simply persists into 2027.

Further Reading

Sources