The NAIC Model Bulletin on the Use of AI Systems by Insurers now carries some form of adoption in more than 25 states and the District of Columbia. None of those adoptions include penalty provisions. Colorado's algorithmic discrimination regulation under C.R.S. Section 10-3-1104.9, which expanded to private passenger auto and health benefit plans in October 2025, carries enforceable statutory obligations with annual reporting requirements and senior management governance mandates carrying a July 2026 compliance deadline. Texas TRAIGA, effective January 1, 2026, sets penalties of up to $200,000 per violation for AI governance failures in consequential decision contexts. In reviews of model governance documentation at mid-to-large carriers over the past year, the gap between NAIC bulletin compliance and state statutory AI compliance is wider than most actuarial teams currently recognize, and the gap is sharpest in adverse action notice documentation, the one area where regulatory enforcement produces consumer-facing consequences rather than examination findings.
The distinction between advisory guidance and enacted law changes the cost of non-compliance by an order of magnitude. A deficiency in examination documentation produces an examination finding in the 12 states running the NAIC AI evaluation pilot through September 2026. A deficiency in statutory compliance produces enforcement action: in Texas, penalties reaching $200,000 per violation through the Attorney General's office; in Colorado, exposure on both the insurance-specific algorithmic fairness statute and, starting January 1, 2027, the broader automated decision-making technology framework under SB 26-189. The category of regulatory obligation determines not just who enforces it, but what it costs to get it wrong. Most actuarial AI governance programs were built for the examination era. That era is not over, but a statutory compliance layer has now been placed above it.
This article maps the statutory compliance architecture for actuaries: what Colorado and Texas require that the NAIC bulletin does not, how adverse action notice documentation must change when AI influences an underwriting or claims decision, where the EU AI Act sets the global benchmark that multinationals now treat as the documentation ceiling, and what the anticipated NAIC third-party data and models framework will extend into vendor relationships.
Colorado's Two-Layer Statutory Architecture
Colorado operates two overlapping statutory frameworks for insurance AI simultaneously: an insurance-specific algorithmic fairness statute rooted in its Unfair Trade Practices Act, and a revised general AI law that creates a deemed-compliant safe harbor for carriers satisfying the insurance-specific standard. Understanding which obligations flow from which source, and what each requires from actuarial documentation programs, is where a Colorado compliance program must start.
The insurance-specific foundation is C.R.S. Section 10-3-1104.9, which prohibits carriers from using external consumer data sources, algorithms, or predictive models that unfairly discriminate based on race, color, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity, or gender expression. That prohibition predates the broader AI governance conversation and has been on the books in some form since 2021. What changed in October 2025 was scope: the Colorado DOI expanded coverage from life insurance to encompass private passenger auto and health benefit plans, roughly tripling the number of in-scope models at a typical carrier operating in the state. The July 1, 2026 compliance deadline for the DOI's implementing regulation requires carriers to have a documented bias testing methodology in place and operational, not a plan to develop one.
The bias testing methodology the DOI's implementing rules require is a four-part analysis. First, a statistical test for disparate impact across protected characteristics in model outputs, using approved metrics that measure whether the model's predictions or decisions generate materially different outcomes for protected versus non-protected groups. Second, a causal analysis of whether external data sources feeding the model carry proxies for protected characteristics, even when those characteristics are not directly observable in the data. Third, documentation of the training data provenance and preprocessing decisions that might introduce bias at the feature engineering stage, before the model ever sees a protected characteristic that needs to be excluded. Fourth, an assessment of whether any identified disparate impact can be defended on actuarially sound principles, the standard that Colorado's statute borrows from existing unfair trade practices law. That fourth element is where the actuary's role in the compliance program becomes direct rather than advisory: the actuarial sign-off on whether observed disparity has an actuarial justification is not a legal conclusion; it is an actuarial one, and it must appear in the documented methodology under the officer's name.
The governance structure that sits above the methodology requirements is equally specific. The DOI's implementing rules require oversight at a senior management level with named accountability, not a delegated compliance function operating below the officer tier. Annual reporting to the Division must address model changes since the prior report, bias testing results for each in-scope model, and updates to the governance program itself. That reporting obligation runs on a calendar cycle independent of whether any examination is scheduled or any complaint has been filed. It is a proactive, recurring statutory obligation. The NAIC bulletin, by contrast, establishes governance expectations that manifest in examination documentation when examiners request it. The two obligations use different trigger mechanisms: one is calendar-driven, the other is examiner-driven. An actuarial team that has built its AI governance around examination readiness has built for the second trigger only.
Colorado's May 2026 revision, SB 26-189, restructured the general AI Act framework without eliminating the insurance-specific obligations. The original Colorado AI Act (SB 24-205, signed May 2024) was the first enacted state AI law in the country and applied to high-risk AI systems across consequential decision domains including insurance. SB 26-189 replaces the operative term "high-risk artificial intelligence systems" with "automated decision-making technology" and shifts the general effective date to January 1, 2027, giving carriers additional preparation time for the broader framework. More consequentially for carriers, SB 26-189 creates a deemed-compliant safe harbor: insurers that are subject to and satisfy Section 10-3-1104.9 are deemed compliant with the general automated decision-making technology requirements. A carrier that meets the DOI's insurance-specific standard satisfies both layers. A carrier that fails DOI compliance loses the safe harbor and faces exposure under both frameworks simultaneously. The revision created a relief valve for compliant carriers; it tightened the compliance stakes for those that are not.
Texas TRAIGA's Parallel Statutory Track
The Texas Responsible AI Governance Act, signed in June 2025 and effective January 1, 2026, creates a separate statutory compliance track for carriers writing Texas business. TRAIGA covers "high-impact artificial intelligence systems" used in "consequential decisions" across eight explicitly named domains, with insurance among them. For any AI system that makes or substantially influences coverage decisions, claims determinations, or pricing outputs for Texas policyholders, TRAIGA triggers three categories of obligation: impact assessments before deployment, consumer notification when AI contributes to a consequential decision, and governance programs with documented ongoing oversight.
The Act includes an insurance-specific carve-out: carriers subject to existing Texas Insurance Code unfair discrimination statutes are exempt from certain core high-impact AI system provisions, because the Legislature concluded that the Texas Department of Insurance already regulates the same conduct through existing authority. The carve-out is narrower than it appears on first reading. First, it applies only to the carrier's insurance operations, not to the carrier in its capacity as an employer. A carrier using AI in hiring, scheduling, workflow management, or claims adjuster performance evaluation in Texas faces TRAIGA's employment decision provisions fully, without the insurance exemption. Second, asserting the carve-out requires the carrier to demonstrate active compliance with the Insurance Code's underlying unfair discrimination statutes, which means the exemption is conditional on the same documentation program that the exemption is supposed to reduce. A carrier that cannot show compliance with TDI requirements cannot claim the exemption from AG enforcement.
Non-compliance with TRAIGA carries penalties of up to $200,000 per violation, enforced through the Texas AG's office rather than TDI. The per-violation penalty structure leaves the exposure calculation ambiguous: the AG has not published guidance defining whether a single undocumented model constitutes one violation, one violation per affected consumer, or one violation per product line in which the model is deployed. That ambiguity is not an abstraction for a carrier running the same predictive model across commercial auto, personal auto, and homeowners in Texas. The conservative compliance posture treats each deployment context as a separate obligation, which is what the statute's language supports.
The dual-regulator dynamic TRAIGA creates is structurally different from what most carrier compliance programs are built to manage. A Texas carrier must satisfy TDI requirements to assert the TRAIGA exemption, but TRAIGA enforcement runs through the AG. A gap in the documentation supporting the exemption claim exposes the carrier to AG enforcement action even if TDI has not raised concerns about the same models in any recent examination. Actuarial teams responsible for model documentation in Texas need to track obligations to both regulators simultaneously and maintain documentation that satisfies each regulator's distinct evidentiary expectations, not a single unified record that one regulator would accept.
The Adverse Action Notice Documentation Chain
When an AI model influences an adverse underwriting decision, a claims denial, or a coverage modification in a state with statutory AI disclosure obligations, the carrier must provide a notice that explains the decision in terms the affected consumer can understand, contest, and act on. That requirement is straightforward in principle and technically demanding in practice: predictive model outputs are not consumer-accessible documents, and the features most predictive of an adverse outcome are often encoded in a way that resists plain-language translation.
Colorado's statutory framework requires disclosure of what external consumer data and information sources contributed to a decision made using an algorithm or predictive model, with enough specificity to enable the consumer to understand the basis for the decision and identify what data to contest. Texas TRAIGA requires notification that an AI system contributed to a consequential decision and the reasoning behind that decision in terms sufficient to allow the consumer to appeal or request human review. The EU AI Act, applicable to carriers with European operations or European reinsurance counterparties, requires explanation of AI-influenced consequential decisions in terms of the specific factors that drove the individual outcome, not just the general model methodology. These requirements converge on a single technical problem: the actuarial documentation program must be structured to produce a consumer-facing explanation, not just a regulator-facing one.
The documentation chain runs from raw model inputs through the feature transformation layer, through the model prediction, through the decision rule that translates the prediction into an underwriting or claims action, and out the other end as a plain-language statement of why the specific consumer received the specific outcome in that specific transaction. Each step in that chain is a documentation obligation under statutory AI law. Most carriers can produce the raw model output and reconstruct the decision rule that applied. What most cannot produce on demand is the middle layer: a statement of which specific inputs to the model, expressed in terms the affected consumer can understand, drove the adverse outcome in that consumer's individual case. SHAP values and partial dependence plots are actuarially meaningful explanations; they are not adverse action notices. The gap between what the actuary needs to understand the model's behavior and what the statute requires be communicated to the consumer is exactly the translation layer that most current documentation programs do not have.
An additional layer applies when the model inputs include consumer report data. The Fair Credit Reporting Act's adverse action notice requirements under Section 615(a) overlay the state AI disclosure obligations: a carrier that relies on a consumer report in an adverse decision must provide a notice citing the principal reasons for the decision. When a predictive model uses credit data as one of multiple inputs, the carrier must identify how the credit component contributed to the outcome separately from the other model inputs. Colorado's Section 10-3-1104.9 extends the same attribution logic to any external consumer data source feeding an in-scope model, not just consumer report data governed by FCRA. The practical effect is that carriers using third-party data in underwriting or claims models need an attribution methodology that can isolate individual data source contributions to individual decisions. Aggregate model performance statistics and feature importance rankings do not answer the regulatory question. The question the statutes ask is: in this specific case, for this specific consumer, what did this specific data source contribute to this specific adverse outcome?
Building that attribution capability requires changes at the model infrastructure level, not just the documentation level. The model serving layer must capture, for every scored transaction, the feature values that drove the prediction and the mapping from those feature values to the decision rule outcome. That transaction-level record must be retained for the statutory limitation period, which varies by state but is typically three years under Colorado's framework. And the record must be structured so that the adverse action notice drafting process can query it by transaction, not just by model version or population segment. Carriers that did not build this capability into their model serving infrastructure at deployment will need to retrofit it, which for models in production across multiple product lines is not a trivial operational exercise.
The EU AI Act as Global Documentation Benchmark
The EU Artificial Intelligence Act reached its first major enforcement milestone for high-risk AI system providers in August 2026. Under Annex III of the Act, insurance underwriting, life and health insurance risk assessment and pricing, and claims assessment AI are classified as high-risk systems requiring rigorous documentation, human oversight, and explainability architecture. For carriers with European operations, this is a current compliance obligation. For U.S.-only carriers, the EU framework is a benchmark: the documentation standards it mandates are more comprehensive than any current U.S. state statutory requirement, and they are shaping what sophisticated buyers of carrier AI services, including reinsurers, institutional investors, and large commercial insureds, expect from a carrier's AI governance program.
Annex III classification triggers obligations with no precise parallel in U.S. state law. An immutable audit log must capture timestamps, model versions, input values, output values, validation status, and human override decisions for every consequential AI output, maintained in a form that cannot be altered retroactively and can be retrieved for any individual decision on demand. A risk management system must run on a continuous monitoring cycle, not an annual reporting cycle; performance degradation, data drift, and bias metric changes must trigger documented review processes rather than waiting for the next calendar-year filing. Before any significant model update is deployed, the carrier must complete testing against real-world performance data from the prior deployment period and document the comparison between the new model's behavior and its predecessor's. The explainability standard is operational rather than documentary: the system must be capable of generating a regulator-ready dossier for any individual decision on demand, with the specific inputs, their values, and their contribution to the outcome expressed in terms that a regulator or a court could evaluate.
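One way to structure the transaction-level record and the tamper-evident audit log described in the two passages above, as an added example that is not from the original article: a hash-chained, append-only decision log with lookup by transaction and per-source attribution. The hash chain is an assumed design choice (the statutes and the Act do not name a mechanism), and every field name, transaction ID and contribution value is constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first entry


def _digest(body):
    # Canonical JSON: identical records always produce the identical hash.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class DecisionLog:
    """Append-only, hash-chained record of scored transactions (illustrative)."""

    def __init__(self):
        self._entries = []
        self._by_txn = {}  # txn_id -> position, so notices can query by transaction

    def append(self, txn_id, timestamp, model_version, features, output,
               decision, validation_status, human_override=None):
        if txn_id in self._by_txn:
            raise ValueError("txn_id already logged; entries are never rewritten")
        body = {
            "seq": len(self._entries),
            "prev_hash": self._entries[-1]["hash"] if self._entries else GENESIS,
            "txn_id": txn_id, "timestamp": timestamp,
            "model_version": model_version,
            "features": features,  # name -> {"value", "source", "contribution"}
            "output": output, "decision": decision,
            "validation_status": validation_status,
            "human_override": human_override,
        }
        entry = dict(body, hash=_digest(body))
        self._by_txn[txn_id] = len(self._entries)
        self._entries.append(entry)
        return entry["hash"]  # anchor the latest hash outside this system

    def get(self, txn_id):
        return self._entries[self._by_txn[txn_id]]

    def verify(self):
        """Return the index of the first altered entry, or None if intact."""
        prev = GENESIS
        for i, entry in enumerate(self._entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if (entry["seq"] != i or entry["prev_hash"] != prev
                    or _digest(body) != entry["hash"]):
                return i
            prev = entry["hash"]
        return None

    def source_contributions(self, txn_id):
        """Sum per-feature contributions by the data source that supplied them."""
        totals = {}
        for feat in self.get(txn_id)["features"].values():
            totals[feat["source"]] = totals.get(feat["source"], 0.0) + feat["contribution"]
        return totals


def build_sample_log():
    # Constructed sample transactions; every name and value here is made up.
    log = DecisionLog()
    log.append(
        "TXN-0001", "2026-03-02T14:05:11Z", "auto-uw-3.2.0",
        {"credit_band": {"value": "D", "source": "consumer_report", "contribution": 0.25},
         "prior_lapse": {"value": True, "source": "consumer_report", "contribution": 0.125},
         "hard_braking": {"value": 14, "source": "telematics_vendor", "contribution": 0.5},
         "years_licensed": {"value": 12, "source": "application", "contribution": -0.125}},
        output=0.81, decision="decline", validation_status="passed")
    log.append(
        "TXN-0002", "2026-03-02T14:06:40Z", "auto-uw-3.2.0",
        {"hard_braking": {"value": 2, "source": "telematics_vendor", "contribution": 0.125}},
        output=0.62, decision="refer", validation_status="passed",
        human_override="approved_by_underwriter")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print(sample.verify(), sample.source_contributions("TXN-0001"))
```

A hash chain detects retroactive edits only if the most recent hash is also stored somewhere the log's operators cannot rewrite.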
U.S. carriers writing no European business should treat the EU framework as a planning tool rather than a foreign compliance burden. A large multinational reinsurer, a global commercial insurer, or a Lloyd's syndicate that uses a carrier as a fronting vehicle will increasingly expect EU-aligned documentation as a condition of underwriting capacity or investment. A carrier whose AI documentation program satisfies EU Annex III standards satisfies every current U.S. state statutory requirement by definition, because the EU standard is the more stringent one at every point of comparison. Actuarial teams that use the EU documentation ceiling as their program design target rather than their minimum threshold will find their programs hold up across regulatory environments without requiring state-by-state customization.
The Anticipated NAIC Third-Party Data and Models Framework
The NAIC's Third-Party Data and Model Vendor Framework received 23 comment letters following its spring 2026 exposure period and is expected to advance through the remainder of the year toward adoption at the Fall National Meeting in November 2026. The current draft concentrates on third-party vendors of data and predictive models used in pricing and underwriting functions. If adopted as a formal model law rather than guidance, it would extend statutory compliance obligations directly into vendor relationships in a way that no current state statute reaches.
The framework reshapes the build-versus-buy calculus for carrier actuarial teams in a specific way. A carrier that builds its own pricing model holds all documentation obligations directly: it owns the training data provenance, the validation methodology, the bias testing results, and the adverse action attribution capability. A carrier that licenses a third-party predictive model and uses it in underwriting decisions holds the same documentation obligations if the model falls within the framework's scope, but depends on the vendor to produce the underlying documentation that the carrier cannot independently generate. Vendors who cannot supply regulator-ready documentation for their models become liability exposures rather than competitive capabilities. The framework formalizes that dynamic: it would require vendors to maintain and provide documentation that satisfies the same standards applicable to the carrier's own systems, making vendor documentation capacity a term of the procurement decision rather than an afterthought.
The framework's anticipated treatment of managing general agents raises a compliance coordination question that the current draft has not fully addressed. An MGA using a licensed predictive model in underwriting decisions on behalf of a carrier holds some portion of the documentation obligations, but the statutory allocation of responsibility between the carrier and the MGA depends on how binding authority is structured and which entity made the consequential decision. A carrier that delegates underwriting authority to an MGA using an undocumented third-party model could find itself holding the statutory compliance obligation for a model it did not build, did not validate, and cannot document, because the adverse decision reached the consumer through its policy. Actuarial teams need to trace the full decision authority chain before concluding that their direct model documentation programs satisfy statutory obligations that may run through distribution intermediaries.
What Actuarial Teams Need to Rebuild
The compliance posture adequate for NAIC bulletin readiness differs from statutory compliance in ways that are not cosmetic. In reviews of model governance documentation at mid-to-large carriers, the actuarial documentation files most frequently missing are adverse action notice attribution records, external data source inventory logs, and annual bias testing methodology sign-offs by named senior officers. Those gaps do not surface in examination preparation because examination findings about them generate corrective action plans. They surface in statutory enforcement because they generate penalties, and in litigation because adverse action notice failures create private rights of action in some states that examination findings never produce.
Three categories of work distinguish statutory compliance from examination readiness. First, the model documentation structure must be rebuilt to support consumer-facing explanation, not just regulator-facing examination responses. That means adding an attribution layer to every model whose outputs influence adverse decisions: a transaction-level record of which inputs, expressed in terms a consumer can understand, drove the outcome in a specific case. The actuary's role here is to define the attribution methodology and validate that it produces explanations that are both technically accurate and legally sufficient, which requires understanding the statutory language about what the notice must convey in each applicable jurisdiction. Second, the bias testing program must shift from periodic validation exercises to a documented annual cycle with a specific four-part methodology, a sign-off by a named senior officer, and results that can be reported to the Colorado DOI or produced in response to a Texas AG inquiry. Third, the external data source inventory must be expanded to cover every third-party feed into every in-scope model, with provenance documentation sufficient to identify what protected-characteristic proxies the data source might carry and what testing was done to detect them before the data source was incorporated into a production model.
The actuarial standards most directly relevant are ASOP No. 56 on modeling, which requires documentation of model purpose, limitations, assumptions, and governance processes, and ASOP No. 23 on data quality, which requires analysis of data reasonableness and appropriate reliance on data supplied by others. Both standards, as currently written, speak to the examiner-era documentation obligation. Neither directly contemplates the statutory adverse action notice attribution chain or the annual-cycle bias testing with regulatory reporting that Colorado's DOI regulation now requires. The gap between what ASOP compliance produces and what statutory AI compliance requires is where most actuarial governance programs will find their documentation is structurally insufficient rather than simply incomplete. Filling that gap requires building documentation components that no ASOP currently specifies, which means the profession's standards are running behind the regulatory requirements that practitioners already face.
The NAIC model bulletin remains a useful baseline for examination preparation and a credible signal of what regulators across most states regard as reasonable AI governance practice. It is not, in the jurisdictions where enacted law has arrived, a substitute for statutory compliance. Carriers writing Colorado personal auto and health, Texas business of any line, or any EU-registered risk carry enacted statutory obligations that examination-era documentation programs were not designed to satisfy. The actuarial teams that treat Colorado's July 2026 bias testing deadline as an administrative box to check will find out what tier of obligation they missed when enforcement action, not examination findings, is what their next regulatory communication turns out to be.
Further Reading
- State AI Law Patchwork Forces Multi-State Carriers Into Four Distinct Compliance Regimes: How Connecticut SB 5, Colorado SB 26-189, the NAIC 12-state pilot, and Texas TRAIGA create four structurally different compliance frameworks with overlapping but non-identical obligations, and what annual compliance costs look like across jurisdictional footprints.
- NAIC AI Pilot Moves Insurer Reviews Into Market Exams: The four-exhibit evaluation tool that 12 states are deploying in market conduct and financial exams through September 2026, including what Exhibit C requires on high-risk AI system design, training data, and bias testing.
- Actuarial AI Model Validation in State Rate Filings: How state rate filing requirements for predictive models interact with the statutory AI compliance tier, and what documentation regulators are requesting at the filing stage.
- Aerial Imagery AI: Regulatory Bulletins in 13 States: An example of how a specific AI application in underwriting generated a wave of state regulatory bulletins before statutory law arrived, illustrating the bulletin-to-statute escalation pattern.
- Insurer AI Vendor Risk: The 68/18 Accountability Gap: The documentation accountability gap when carriers rely on third-party models, and how the anticipated NAIC third-party vendor framework would shift that accountability.