Tracking every state AI bill introduced in the 2026 legislative sessions shows that the pace of divergent enactment has outrun even the NAIC's efforts to create a unified evaluation framework. A carrier writing personal auto in Colorado, homeowners in Connecticut, and commercial lines in Texas now answers to three separate statutory regimes, plus the NAIC's examination-based oversight layer, each with different definitions of what counts as a "high-risk" AI system, different documentation requirements, and different enforcement mechanisms. The result is not just regulatory complexity; it is a fragmentation problem that scales linearly with every new state law and grows more expensive with each jurisdiction that chooses a slightly different approach.
On July 1, 2025, the U.S. Senate voted 99-1 to reject a proposed 10-year moratorium on state AI regulation that had been included in the administration's legislative package. The NAIC had formally opposed the moratorium, arguing it would prevent state insurance regulators from overseeing AI technologies used in insurance markets. That vote settled the question of whether federal preemption would simplify the landscape: it will not. States are now legislating freely, and the insurance industry faces a compliance environment that resembles the early years of state data privacy law proliferation, except that AI regulation touches underwriting, claims, pricing, and employment decisions simultaneously.
The Four Regimes: A Structural Comparison
Multi-state carriers now operate under four structurally distinct regulatory approaches to AI. These are not four versions of the same law. They differ in scope, mechanism, and enforcement architecture, requiring separate compliance workstreams rather than a single harmonized program.
Regime 1: Comprehensive State AI Statutes
Connecticut's SB 5, passed by the legislature on May 1, 2026, and expected to be signed by Governor Lamont, represents the most ambitious single-state approach. The 67-page law is not a single governance statute but a package of separate AI regulatory measures linked together. Texas's Responsible AI Governance Act (TRAIGA), signed in June 2025 and effective January 1, 2026, takes a similar comprehensive approach but with different scoping decisions.
Connecticut's SB 5 addresses at least six areas simultaneously: AI companion and chatbot safety requirements (with heightened protections for minors), synthetic content provenance and detection, subscription-based AI product disclosures, automated employment decision tools, employer AI-related layoff disclosure requirements, and a state AI regulatory sandbox program. For insurers, the most consequential provisions are the automated employment decision tool requirements, effective October 1, 2026, which amend Connecticut's anti-discrimination statutes to codify that automated decision-making is not a defense to a discrimination claim. Courts may consider proactive anti-bias testing as a mitigating factor, but testing does not eliminate liability. Any carrier using AI in hiring, promotion, or termination decisions for its Connecticut workforce faces direct exposure.
Texas TRAIGA covers "automated decision-making technology" used in consequential decisions across eight domains, including insurance. However, TRAIGA includes a critical carve-out: insurance companies subject to existing statutes regulating unfair discrimination are exempt from certain core provisions. The Act also explicitly prohibits any department other than the Texas Department of Insurance from regulating the business of insurance. Non-compliance penalties reach $200,000 per violation, giving TRAIGA enforcement teeth that many other state AI laws lack.
The compliance challenge for carriers operating in both states: Connecticut's employment-focused AI obligations apply to the carrier as an employer, while Texas's insurance-specific carve-out means the same carrier may be exempt from TRAIGA's core provisions for its insurance operations but not for its employment practices. A single AI system used in both underwriting and internal workforce management could be subject to Connecticut law in one application and Texas law in the other.
Regime 2: Insurance-Specific Algorithmic Fairness Laws
Colorado occupies a unique position as the only state with both a general AI statute and a separate, insurance-specific algorithmic discrimination framework. Understanding how these two layers interact is essential for carriers operating in the state.
The original Colorado AI Act (SB 24-205), passed in 2024, was the first comprehensive state AI law in the country. It required mandatory algorithmic impact assessments, risk management policies aligned with the NIST AI Risk Management Framework, and consumer disclosures when AI influenced consequential decisions across eight domains including insurance. Governor Polis signed the bill reluctantly, signaling that he expected revisions.
Those revisions arrived as SB 26-189, signed by Governor Polis on May 14, 2026. The rewrite fundamentally restructured the regulatory approach. SB 26-189 replaces "high-risk artificial intelligence systems" with "automated decision-making technology" (ADMT) as the operative term. More significantly for insurers, SB 26-189 creates a "deemed compliant" safe harbor: carriers subject to Colorado's existing algorithmic discrimination rules under Section 10-3-1104.9 are deemed compliant with the general ADMT requirements. The new effective date shifts to January 1, 2027, giving carriers additional runway.
But the safe harbor has limits. Colorado DOI Regulation 10-3-1104.9 prohibits unfair discrimination in insurance practices based on protected characteristics and regulates the use of external consumer data sources, algorithms, and predictive models. The regulation requires a four-part bias testing methodology. The July 1, 2026 deadline for insurance-specific compliance under Regulation 10-1-1 remains in force regardless of the SB 26-189 rewrite. A carrier that satisfies the DOI requirements meets the general ADMT standard automatically, but a carrier that fails DOI compliance is exposed on both fronts.
The structural lesson from Colorado is that insurance-specific AI regulation can coexist with, and partially override, general AI statutes. Whether other states adopt this "deemed compliant" model or stack general and insurance-specific requirements cumulatively will determine how expensive multi-state compliance becomes over the next two years.
Regime 3: NAIC Examination-Based Oversight
The NAIC's approach differs from state legislation in both mechanism and scope. Rather than creating new statutory obligations, the NAIC operates through examination guidance, model bulletins, and coordination tools that shape how existing regulatory authority is exercised.
Three NAIC initiatives now overlap:
The Model Bulletin on the Use of AI Systems by Insurers (December 2023). Twenty-five states and the District of Columbia have adopted the bulletin or issued comparable guidance as of March 2026, with four states going beyond the bulletin to adopt AI-specific regulations. The bulletin establishes principles for AI governance but is guidance, not enforceable law. It sets expectations without creating compliance mandates that survive legal challenge.
The 12-state AI evaluation pilot (March to September 2026). California, Colorado, Connecticut, Florida, Iowa, Louisiana, Maryland, Pennsylvania, Rhode Island, Vermont, Virginia, and Wisconsin participate. The pilot uses a four-exhibit framework: Exhibit A quantifies AI system usage across operations; Exhibit B documents the insurer's governance and risk assessment framework; Exhibit C requires detailed information about high-risk AI systems, including design, training data, performance, and bias testing; and Exhibit D covers AI data inputs and reasonable accommodations. Participating states deploy the tool in market conduct exams, financial exams, financial analyses, and general regulatory inquiries. Monthly coordination calls among states ensure consistent application, and tool updates are planned for September and October 2026 with adoption expected at the NAIC Fall National Meeting in November 2026.
The Third-Party Data and Model Vendor Framework. At the Spring 2026 meeting, the NAIC narrowed this framework's scope to cover third-party vendors of data and models used in pricing and underwriting functions. Twenty-three comment letters were received during the exposure period. Open questions remain around whether vendor registration will be mandatory or voluntary, whether the framework will evolve into a formal model law, and whether a proposed NAIC registry will function as a centralized database for AI vendor oversight.
For carriers, the NAIC layer creates a distinct compliance challenge because it operates through examination rather than statute. A carrier may be fully compliant with Connecticut, Colorado, and Texas statutory requirements yet receive examination findings in a pilot state for insufficient documentation under the evaluation tool's Exhibit C. The NAIC framework functions as a de facto fourth regime because it imposes documentation and governance expectations that go beyond what any single state statute currently requires, particularly around vendor AI and data provenance.
Regime 4: Proliferating Cross-Sector AI Disclosure Laws
Beyond the three frameworks described above, a rapidly growing body of state AI laws creates obligations for carriers in their capacity as employers, consumer-facing entities, and data processors, regardless of insurance-specific exemptions.
In the last two weeks of March 2026, governors in seven states signed 19 new AI laws, bringing the year's total from 6 to 25 enacted statutes. Utah signed nine AI bills covering AI literacy, deepfake criminalization, health insurance AI disclosure, and government AI oversight. New York introduced the RAISE Act requiring frontier AI model developers to report safety incidents to the state within 72 hours. Multiple states now require disclosure when AI contributes to claims or coverage determinations.
These laws do not create a unified compliance framework. Each state defines AI differently, sets different thresholds for what triggers disclosure requirements, and establishes different enforcement mechanisms. A carrier operating in 15 states may face 15 different definitions of what constitutes an "automated decision" requiring consumer notification. The variation is not just semantic; it determines which AI systems fall within scope and what documentation must be maintained for each jurisdiction.
The failed Virginia HB 2094 illustrates both the momentum and the instability of this fourth regime. The bill, which would have made Virginia the second state after Colorado to enact a comprehensive AI law covering insurance among eight consequential decision domains, passed the legislature but was vetoed by Governor Youngkin on March 24, 2025. Youngkin argued the bill placed "an especially onerous burden on smaller firms and startups." A narrower version, likely focused on healthcare, is expected during the 2026 session under the new governor. The veto demonstrates that carriers cannot plan compliance based on introduced bills alone; legislative trajectories are unpredictable, and a bill that passes both chambers can still die at the governor's desk.
The Compliance Math: What Four Regimes Cost
Multi-state AI compliance is expensive, and the cost structure differs from traditional regulatory compliance because AI governance requires specialized expertise that most insurance compliance teams do not possess internally.
Estimates from TXAIMS, a compliance platform tracking multi-state AI obligations, place annual compliance costs for enterprises at $791,000 to $5,584,000 depending on scale, system count, and jurisdictional footprint. These costs encompass legal counsel, impact assessments, bias audits, governance documentation, and ongoing monitoring. Critically, costs scale linearly with the number of AI systems in scope: each new system triggers separate documentation, testing, and filing requirements across every applicable jurisdiction.
For insurance carriers specifically, the cost profile is shaped by several factors unique to the industry:
| Cost Driver | Single-State Carrier | Multi-State Carrier (15+ states) |
|---|---|---|
| AI system inventory and classification | One-time + annual refresh | Same, but must map systems to jurisdiction-specific definitions |
| Bias testing per Colorado DOI methodology | One framework | Colorado framework plus state-specific variations where required |
| NAIC evaluation pilot documentation | Only if domiciled in pilot state | May face evaluation in any of 12 pilot states |
| Employment AI disclosure (Connecticut SB 5) | Only if employing in CT | Each state's employment AI law applies to workers in that state |
| Consumer disclosure when AI affects decisions | One state's requirements | Varying requirements per state, different triggers and formats |
| Vendor model governance documentation | One set for regulator | Must satisfy multiple regulators with different expectations |
Forrester's 2026 insurance technology spending forecast identified AI governance and compliance as the fastest-growing category within insurance IT budgets, with 90% of insurers increasing AI spending year over year. The compliance portion of that spending is growing faster than the operational AI deployment portion, a dynamic that suggests regulatory friction is consuming resources that carriers would otherwise invest in AI capabilities.
Mapping the Divergences: Where Requirements Conflict
The compliance cost would be manageable if the four regimes required the same thing in slightly different formats. They do not. Several structural divergences create situations where compliance with one regime does not satisfy another.
Definition of "high-risk" AI. Colorado's SB 26-189 shifted to "automated decision-making technology" as the operative term, covering technology that "materially influences" consequential decisions. Connecticut SB 5 uses "automated employment decision tools" for its employment provisions but does not define a unified AI risk classification for other domains. Texas TRAIGA covers "high-impact AI systems" with its own threshold. The NAIC evaluation tool uses a proportionality principle, with regulators prioritizing "high-risk AI systems that could cause serious consumer or financial issues" but without a statutory definition of that threshold. A single underwriting model could be classified differently across all four frameworks.
Disclosure versus documentation. Colorado's SB 26-189 shifted from mandatory impact assessments to a disclosure-based approach: deployers must maintain publicly accessible disclosures describing how they deploy high-risk systems. The NAIC evaluation tool requires internal documentation for examination purposes, not public disclosure. Connecticut's employment provisions require notice to affected employees and applicants. Texas TRAIGA requires documentation for enforcement investigation but not proactive public disclosure. A carrier must maintain at least three distinct documentation formats for the same AI system depending on which jurisdiction's requirements apply.
Insurance-specific exemptions and carve-outs. Colorado deems insurers compliant with the general ADMT framework if they satisfy DOI Section 10-3-1104.9. Texas exempts insurance companies from certain TRAIGA provisions when existing insurance unfair discrimination statutes apply. Connecticut SB 5 contains no insurance-specific exemption; its employment and consumer provisions apply to insurers the same as any other employer. The NAIC framework applies exclusively to insurance. A carrier's compliance team must track which exemptions apply in which states and ensure that reliance on an exemption in one state does not create a gap in another.
Enforcement mechanisms. Colorado enforces through the DOI for insurance-specific violations and the Attorney General for general ADMT violations. Texas imposes penalties up to $200,000 per TRAIGA violation through the AG's office. Connecticut authorizes AG enforcement of SB 5's consumer provisions as unfair or deceptive trade practices. The NAIC pilot operates through examination findings that can trigger corrective action orders but not direct penalties. The enforcement variation means carriers face different risk profiles in each state: a documentation gap that produces an examination finding in a NAIC pilot state could produce a $200,000 penalty in Texas for the same AI system.
The Convergence Question: Will a Model Law Emerge?
The NAIC's trajectory suggests movement toward a more unified framework, but the timeline and scope remain uncertain.
The Model Bulletin adopted in December 2023 has achieved significant uptake: 25 states plus DC have adopted or issued comparable guidance. But the bulletin is voluntary guidance, not a model law. The jump from bulletin to model law requires the NAIC to navigate fundamental disagreements about scope, vendor liability, and company-size thresholds. Thirty-three comment letters received during the model law consideration period revealed fault lines between large carriers (who generally support uniform national standards to reduce compliance fragmentation) and smaller carriers and consumer groups (who worry that national standards will be set at the lowest common denominator).
The Third-Party Vendor Framework offers a more likely path to early convergence. Vendor oversight is an area where state-by-state variation makes the least sense; AI vendors serve carriers across all 50 states, and requiring different vendor documentation formats for each jurisdiction creates administrative burden without improving consumer protection. If the NAIC adopts vendor registration or documentation standards, states that have adopted the Model Bulletin may incorporate those standards into their examination practices without requiring new legislation.
Federal preemption remains unlikely in the near term. The Trump administration's Executive Order challenging state AI laws has been met with resistance from state regulators, and the Senate's 99-1 vote against the moratorium in July 2025 demonstrated bipartisan opposition to displacing state authority. The NAIC's formal opposition to federal preemption cited the McCarran-Ferguson Act's delegation of insurance regulation to the states as a constitutional basis for maintaining state-level AI oversight. Insurance, unlike general consumer protection, has a strong tradition of state regulation that congressional action would need to overcome, and the political appetite for that fight does not currently exist.
The most probable trajectory is incremental convergence through NAIC coordination rather than federal action. As more states adopt the evaluation tool (the November 2026 adoption vote is the next milestone), the tool's requirements become the de facto national standard for examination purposes. State legislatures may continue passing divergent statutes, but the examination layer provides regulators with a consistent framework for evaluating carrier compliance regardless of the statutory variation.
Why This Matters for Actuaries
The four-regime patchwork creates specific operational challenges for actuarial functions across pricing, reserving, and model governance.
Rate filing documentation varies by state. When a carrier files rates in Colorado, the filing must demonstrate compliance with DOI Regulation 10-3-1104.9's bias testing requirements for any AI models used in the ratemaking process. The same carrier filing in a NAIC pilot state may need to produce Exhibit C documentation covering design, training data, performance metrics, and bias testing for those models. A filing in Connecticut may need to address whether AI models used in pricing also feed employment-related decisions covered by SB 5. The appointed actuary preparing Statements of Actuarial Opinion must understand which jurisdictional requirements apply to the models underlying the reserves and rates being opined upon.
ASOP No. 56 compliance grows more complex. Actuarial Standard of Practice No. 56 on modeling requires actuaries to understand and document the models they rely on for actuarial work. When state laws impose different documentation standards on those same models, the actuary faces a choice: maintain separate documentation packages for each jurisdiction, or build a single documentation framework that satisfies the most demanding jurisdiction and apply it everywhere. The latter approach is more efficient but requires identifying the "high-water mark" across all applicable regimes, a determination that shifts every time a new state law takes effect.
Vendor model governance requires jurisdiction-specific review. A vendor-built underwriting model deployed in Colorado, Connecticut, and Texas is subject to three different oversight regimes. Colorado's DOI requires the carrier to demonstrate that vendor models do not produce unfairly discriminatory outcomes. The NAIC evaluation tool's Exhibit C requires detailed vendor model documentation for examination purposes. Texas TRAIGA's insurance carve-out may exempt the model's insurance applications but not its use in the carrier's employment decisions. The reserving actuary relying on vendor model outputs needs to know which jurisdiction's documentation standards the vendor can satisfy, because a vendor that meets Colorado's requirements may not produce the documentation format the NAIC evaluation tool requires.
Compliance fragmentation affects expense ratios. The $800,000 to $5.6 million annual compliance cost estimate translates directly to the expense ratio for carriers operating across many states. Smaller regional carriers with limited AI deployments may absorb these costs in their general compliance budgets, but large multi-state carriers with dozens of AI systems face expense pressure that affects pricing competitiveness. The actuarial question is whether compliance costs should be allocated to the jurisdictions that generate them (increasing filed rates in high-regulation states) or spread across the entire book (socializing the cost but potentially creating adverse selection in states where competitors operate with lighter regulatory burden).
What Carriers Should Build Now
Waiting for regulatory convergence is not a viable strategy. The compliance deadlines are immediate: Colorado DOI bias testing by July 1, 2026; Connecticut SB 5 employment provisions by October 1, 2026; NAIC pilot evaluation tool deployment already active. Carriers that build modular compliance infrastructure now can adapt as the regulatory landscape evolves. Those that build point solutions for each jurisdiction will face escalating costs with every new enactment.
A modular approach requires three foundational elements: a comprehensive AI system inventory that maps each system to every jurisdiction where it operates, a documentation framework designed to the "high-water mark" standard (currently the NAIC Exhibit C framework, which demands the most granular detail), and vendor contract provisions that ensure third-party AI providers can produce jurisdiction-specific documentation on demand. These three elements, inventory, documentation, and vendor contracts, are prerequisites for compliance across all four regimes and will remain relevant regardless of how the regulatory landscape evolves.
Key Dates and Milestones
| Date | Event | Impact |
|---|---|---|
| January 1, 2026 | Texas TRAIGA effective | Insurance carve-out limits direct impact, but employment and consumer AI provisions apply to carriers as employers |
| March 2026 | NAIC 12-state pilot begins | Evaluation tool deployed in market conduct and financial exams; carriers in pilot states face documentation requests |
| May 14, 2026 | Colorado SB 26-189 signed | Revises AI Act; creates "deemed compliant" insurance safe harbor; shifts general effective date to January 1, 2027 |
| July 1, 2026 | Colorado DOI Reg 10-1-1 bias testing deadline | Insurance-specific algorithmic fairness testing required regardless of SB 26-189 rewrite |
| September 2026 | NAIC pilot concludes | Results inform tool refinements and potential model law development |
| October 1, 2026 | Connecticut SB 5 employment provisions effective | Automated employment decision tool requirements apply to carriers as employers in Connecticut |
| November 2026 | NAIC Fall National Meeting | Expected adoption of refined evaluation tool; advancement of Third-Party Vendor Framework |
| January 1, 2027 | Colorado SB 26-189 general provisions effective | Full ADMT framework takes effect; "deemed compliant" safe harbor for insurers meeting DOI standards |
Further Reading
- Colorado Insurance Bias Audits: The July 1 Deadline Stands: The four-part bias testing methodology under DOI Regulation 10-1-1 and why the insurance-specific deadline holds despite the SB 26-189 rewrite.
- Colorado Rewrites Its AI Bias Law With SB 26-189: How Colorado shifted from mandatory algorithmic impact assessments to a disclosure-based approach and what the "deemed compliant" insurance safe harbor means in practice.
- NAIC AI Evaluation Pilot Launches Amid Industry Pushback: The 12-state pilot framework, the four-exhibit evaluation tool, and the trade group objections that shaped the pilot's design.
- From Voluntary Bulletin to Binding Model Law: The 33 comment letters and fault lines around scope, vendor liability, and company-size thresholds shaping the NAIC's model law trajectory.
- EU AI Act and Insurance Compliance: The international parallel to the U.S. state patchwork, with Annex III high-risk classification and the emerging compliance actuary role.
Sources
- DLA Piper: Unpacking SB5, Connecticut's New AI Law (May 2026)
- Freshfields: Connecticut Poised to Enact Comprehensive AI Law (May 2026)
- CT Mirror: Connecticut Passes AI Regulations After Years in Development (May 1, 2026)
- Holland & Knight: Colorado Governor Signs SB 189, Significantly Amending the State's AI Law (May 2026)
- Consumer Finance Monitor: Colorado Rewrites Its Landmark AI Law (May 12, 2026)
- Troutman Pepper: Proposed State AI Law Update, May 4, 2026
- Wiley: 2026 State AI Bills That Could Expand Liability and Insurance Risk
- Fenwick: Tracking the Evolution of AI Insurance Regulation (2026)
- Fenwick: NAIC Expands AI Evaluation Tool Pilot to 12 States (March 2026)
- Latham & Watkins: Texas Signs Responsible AI Governance Act Into Law (2025)
- Swept AI: 19 State AI Laws in Two Weeks (March 2026)
- TXAIMS: The True Cost of AI Compliance for Multi-State Enterprises (2026)
- IAPP: US Senate Abandons Proposed State AI Law Moratorium (July 2025)
- Captive.com: NAIC Opposes Federal Moratorium on AI Regulation in Insurance Sector (2025)
- Kelley Drye: AI Regulatory Roundup, Colorado, Connecticut, and California (2026)