
AI Governance in Insurance: What Project Managers Need to Know

The NAIC Model Bulletin is now law in ~25 states. EU AI Act Annex III designates life and health pricing AI as high-risk with an August 2026 deadline. Lokken opened AI governance to litigation discovery. The window for proactive compliance is now.

By AIPMO · 13 min read
PM Takeaways
  • The NAIC’s own 2025 survey found nearly one-third of US health insurers don’t regularly test AI for bias, despite the Model Bulletin explicitly requiring it. Market conduct examinations and coverage litigation are now both asking for AIS Program documentation. The compliance gap is closing fast from both directions.
  • Life and health insurance pricing AI is explicitly classified as high-risk under EU AI Act Annex III Section 5(c), with full compliance required by August 2, 2026 and fines up to €35 million or 7% of global turnover. This is an active planning obligation, not a future compliance item.
  • EIOPA’s August 2025 Opinion confirmed that Solvency II, IDD, and DORA already impose data governance, bias assessment, explainability, and human oversight obligations for all EU insurance AI — not just high-risk AI. Ultimate responsibility always sits with the insurance undertaking, not the vendor.
  • Lokken v. UnitedHealth didn’t just allow the class action to proceed — it granted full discovery into AI chat files, use policies, and oversight documentation. This applies to all insurance lines. Governance documentation is now discoverable in coverage litigation. Its absence is itself an argument.
  • Insurance AI proxy discrimination is documented: ZIP codes encode residential segregation, credit scores encode wealth gaps, and the FCA found UK insurers using datasets correlated with race. Testing against protected characteristics — not merely removing them from inputs — is the required standard across NAIC, NY DFS, EIOPA, and IAIS.

Insurance is already the most quantitatively sophisticated industry in the world at using data to price risk. Machine learning and AI extend what insurers have always done — predictive modeling for underwriting, fraud detection in claims, segmentation for pricing — with more data, faster processing, and more complex models than were possible with traditional actuarial methods.

What has changed in 2024–2025 is the regulatory response. The US has moved from a single NAIC Model Bulletin to adoption by approximately 25 states and aggressive state-specific regulation in New York, California, and Colorado. The EU has enacted comprehensive hard law that explicitly designates life and health insurance underwriting AI as high-risk, with binding compliance requirements by August 2026 and fines in the tens of millions. EIOPA issued sector-specific governance guidance in August 2025. The International Association of Insurance Supervisors published a global Application Paper in July 2025. Australia’s APRA brought CPS 230 into force in July 2025. Courts in the US are allowing deep discovery into insurer AI systems.

The governance gap between what insurers are doing with AI and what regulators now require is closing fast, from both directions. This article maps the landscape.

Where AI Is Used in Insurance

| Function | AI Applications | Primary Governance Risk |
| --- | --- | --- |
| Underwriting and pricing | Risk classification, premium calculation, external data integration, real-time pricing | Proxy discrimination; opacity of model factors; unfair differential pricing |
| Claims processing | First notice of loss automation, damage assessment AI, settlement recommendation, fraud scoring | Claims denial without human review; bad faith exposure; discovery into AI use |
| Fraud detection | Network analysis, behavioral anomaly detection, document verification AI | False positives affecting legitimate claimants; bias in fraud flags across demographic groups |
| Customer engagement | Chatbots for policy queries, automated underwriting decisions, virtual claims adjusters | Insufficient disclosure when AI is used; automation of decisions without human oversight |
| Actuarial and reserving | Predictive models for loss reserve estimation, catastrophe modeling | Model drift; explainability to regulator for reserving decisions |
| Distribution and marketing | Targeted marketing AI, AI-driven agent tools, personalized product recommendation | Unfair targeting or exclusion based on demographic proxies |
| Subrogation and recovery | AI-driven identification of recovery opportunities, litigation outcome prediction | Accuracy and bias in litigation scoring; vendor accountability |

The NAIC’s 2025 Big Data and AI Working Group survey found 84% of health insurers using AI, 92% overall with plans to use it. EIOPA’s 2024 Digitalisation survey found 50% of European non-life insurers and 24% of life insurers already deploying AI. Across Australia, Singapore, and the UK, AI adoption in insurance is similarly widespread. The governance infrastructure in most organizations is lagging the deployment rate.

The Regulatory Landscape: Six Jurisdictions

United States — State-Led, Rapidly Tightening

Insurance regulation in the US is state-based, and the NAIC’s 2023 Model Bulletin has become the organizing framework. As of late 2025, approximately 25 states had adopted it, with enforcement through market conduct examinations. Three states have moved significantly beyond the model bulletin:

  • New York DFS Circular Letter No. 7 (July 2024): Requires proxy discrimination testing demonstrating AI does not proxy for protected classes; insurer must allow DFS to review vendor tools; vendor audits required; explainability documentation for adverse outcomes.
  • California SB 1120 (effective January 1, 2025): Prohibits health insurers from denying coverage for medically necessary treatment based solely on an algorithm or automated tool. Licensed clinician review required for all adverse benefit determinations affecting patient care.
  • Colorado SB 169 / Colorado AI Act (May 2024): Prohibits external consumer data and predictive models resulting in unfair discrimination; governance and testing requirements; Colorado AG enforcement from June 2026.

The Trump administration’s December 2025 executive order directing the DOJ to create an AI Litigation Task Force to challenge state AI laws specifically named Colorado and California. The NAIC responded with explicit concern. The tension between federal deregulatory impulse and state consumer protection will shape the US insurance AI landscape through 2026.

European Union — Hard Law with Binding Deadlines

EU AI Act Annex III, Section 5(c) designates AI used for risk assessment and pricing in life and health insurance as high-risk. Full compliance is required by August 2, 2026 — with fines up to €35 million or 7% of global turnover. For non-high-risk insurance AI (non-life underwriting, claims, fraud detection, customer service), EIOPA’s August 2025 Opinion clarifies that Solvency II, IDD, and DORA already impose governance obligations. DORA, in force from January 2025, adds third-party ICT risk governance including mandatory contractual provisions for AI model vendors covering audit rights, incident reporting, and exit arrangements. The combination of EU AI Act, EIOPA Opinion, Solvency II, IDD, GDPR, and DORA creates the world’s most comprehensive insurance AI regulatory stack.

United Kingdom — Principles-Based, Outcomes-Focused

The FCA relies on existing frameworks rather than AI-specific rules: Consumer Duty (insurers must deliver good outcomes for customers, not just comply with process); SM&CR (named senior managers bear personal accountability for AI systems); SYSC (robust governance proportionate to AI risk). The FCA/BoE’s November 2024 joint survey found 75% of UK financial services firms using AI, but only 34% with complete understanding of their AI. The FCA launched AI Live Testing in October 2025 to allow firms to validate AI under regulatory oversight. No AI Bill expected before 2026. The FCA has stated it will not introduce AI-specific rules and will intervene in “egregious failures not dealt with.”

Australia — APRA CPS 230 and Supervisory Uplift

APRA’s CPS 230 (in force July 1, 2025) materially lifts operational risk management and third-party ICT risk oversight, directly applicable to insurers using AI vendors. APRA identified AI as an emerging risk in its 2025–26 Corporate Plan and flagged targeted supervisory engagement with larger entities. ASIC’s October 2024 “Beware the Gap” report urged governance to keep pace with AI adoption. Australia’s Voluntary AI Safety Standard identifies insurance as a high-risk sector. APRA CPS 234 (cybersecurity) and the Privacy Act Australian Privacy Principles also apply to AI insurance data processing.

Singapore — MAS FEAT Principles

Singapore’s insurance AI governance is anchored in the Monetary Authority of Singapore’s FEAT Principles — Fairness, Ethics, Accountability, Transparency — and the 2025 MAS Information Paper on AI Model Risk Management. MAS expects insurers to validate AI models before deployment, monitor for drift, govern third-party AI vendors, and ensure AI does not produce unfairly discriminatory outcomes. Singapore’s Insurance Act and fair dealing obligations apply to AI-driven underwriting and claims decisions.

Global — IAIS Application Paper (July 2025)

The International Association of Insurance Supervisors published its Application Paper on the Supervision of Artificial Intelligence in July 2025, providing the global supervisory consensus. Key elements:

  • Proportionality: expectations are higher for AI affecting retail customers and claims payouts than for document retrieval.
  • Data governance: training data must be accurate, complete, unbiased, and representative.
  • Adaptive AI risk: models that recalibrate after deployment require additional governance to detect unintended bias.
  • Third-party accountability: insurers remain ultimately responsible regardless of AI vendor use.
  • Board education on AI is specifically called out as a governance requirement.

Three Incidents That Defined 2024–2025

Lokken v. UnitedHealth: AI Claims Denial Litigation and the Discovery Standard

In February 2025, a federal court in Minnesota allowed the Lokken class action against UnitedHealth to proceed, alleging that the nH Predict algorithm systematically denied post-acute rehabilitative care for Medicare Advantage patients at rates inconsistent with individual clinical review. The court also allowed — and a later motion confirmed — discovery into UnitedHealth’s AI use, including AI chat files, use policies, and oversight documentation. This is a landmark procedural development: discovery into AI decision-making is now a standard element of insurance coverage disputes, not just health insurance. Any insurer using AI in claims processing should expect that AI governance documentation will be discoverable. Its absence will be used to argue bad faith.

California SB 1120: The First Solo-Algorithm Prohibition

California SB 1120, effective January 1, 2025, is the first US law to explicitly prohibit insurers from denying, delaying, or modifying coverage for medically necessary health care based solely on an algorithm or automated tool. Licensed clinician review is required for every adverse benefit determination. This mirrors the standard courts applied in Lokken, but as hard law rather than litigation outcome. The pattern is clear: AI that rations care without human clinical review creates both legislative and litigation exposure.

NAIC Survey: The Governance Gap in Numbers

The NAIC’s 2025 survey across 16 states found 84% of health insurers using AI and machine learning — but nearly one-third still do not regularly test their models for bias or discrimination, despite the NAIC Model Bulletin’s explicit recommendation. This is the most important data point in US insurance AI governance in 2025: the majority of US health insurers have deployed AI in decisions affecting consumers, but a material fraction are operating without the bias testing that regulators, and increasingly courts, expect.

The Core Governance Obligations

| Obligation | US (NAIC + States) | EU (AI Act + EIOPA) | UK (FCA) | Australia (APRA) |
| --- | --- | --- | --- | --- |
| Written AI governance program | Required (AIS Program): governance structure, bias testing, vendor management, documentation | Required: risk management system, technical documentation, quality management system | Expected under Consumer Duty and SM&CR: proportionate governance; no standalone requirement | Required under CPS 230: operational risk management; board governance |
| Bias testing | Required: testing for bias, discrimination, unfair treatment; results documented for examination | Required for high-risk AI (life/health pricing): data governance per Article 10; bias assessment for all AI per EIOPA Opinion | Required under Consumer Duty: fair outcomes for all customer groups | Expected under APRA CPS 234 and supervisory guidance; voluntary standard guardrails |
| Human oversight | Required: human decision in adverse outcomes; no fully autonomous coverage denial (California) | Required for high-risk AI: genuine human oversight with override capability per Article 14 | Required under Consumer Duty: AI must deliver real outcomes; automation without accountability challenged | Required: human oversight in critical operational processes under CPS 230 |
| Explainability | Required: documentation of how AI functions, inputs, assumptions; explanation for adverse decisions | Required for high-risk AI: transparency to deployer and affected persons (Articles 13, 86); explanation to customers per EIOPA Opinion | Required under Consumer Duty: clear communications; customers must be able to make informed decisions | Expected under APRA guidance and voluntary standard |
| Vendor accountability | Required: third-party vendor management program; audit rights; insurer responsible for vendor AI | Required under DORA: mandatory audit rights, incident reporting, exit provisions for ICT vendors | Expected under SM&CR and SYSC: third-party risk proportionate to materiality | Required under CPS 230: third-party provider oversight; concentration risk |

PM Governance Responsibilities

Planning

  • Map AI use cases across the insurance value chain before scoping governance. Underwriting AI, claims AI, fraud detection AI, and GenAI for customer service have different regulatory profiles. The EU high-risk designation applies specifically to life and health risk assessment and pricing AI.
  • For US operations: confirm which states require NAIC Model Bulletin compliance and whether state-specific requirements (NY DFS, Colorado, California) apply. Build a state-by-state requirements register for each AI use case.
  • For EU operations: confirm whether AI falls within EU AI Act Annex III Section 5(c) high-risk designation. If so, full compliance is required by August 2, 2026. Begin gap assessment now.
  • For Australia: confirm CPS 230 third-party risk obligations for AI vendors. Assess whether AI used in claims or underwriting requires APRA supervisory engagement.

Development and Procurement

  • Write the AIS Program (NAIC) or equivalent governance framework before deploying AI, not after. The AIS Program documents governance structure, bias testing methodology, vendor management, and documentation practices. It is the first thing a market conduct examiner or litigant will request.
  • For vendor AI: require bias testing results by demographic subgroup, documentation of model inputs and assumptions, audit access, incident reporting obligations, and data sovereignty provisions. Insurer accountability persists regardless of which entity built the AI.
  • For adaptive AI that updates after deployment: establish the change control plan before deployment. Document what changes are pre-authorized, what changes require governance review, and what triggers model re-testing.

Deployment and Post-Deployment

  • Brief product, underwriting, claims, and actuarial staff on their accountability for AI-assisted decisions. In all jurisdictions, the insurer (and its licensed professionals) bears ultimate responsibility for AI outputs.
  • Establish post-deployment monitoring: model performance by demographic subgroup, adverse outcome rates, denial rates compared to human review baselines, appeal and complaint rates. These are the metrics examiners will request.
  • Prepare for discovery. AI governance documentation — model documentation, bias testing results, oversight records, vendor audit findings — is discoverable in coverage disputes. Document as if a court will read it.
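The subgroup metrics listed in the monitoring bullet above, and the proxy-discrimination point from the takeaways (dropping a protected characteristic from the model inputs does not remove it from the outcomes), are demonstrated together in the following Python example. It is an added illustration, not code from the article or from any regulator, insurer or vendor the article names. The claim records, the per-ZIP risk loadings, the denial threshold, the human-review baseline rule and the four-fifths reference ratio are all constructed assumptions; the model never receives the protected group as an input, yet the group-level denial rates diverge because ZIP code carries the group signal.

```python
"""Subgroup outcome monitoring and proxy detection for an insurance decision model.

Added example (not from the article). A toy claims model that never sees the
protected characteristic still produces disparate denial rates because ZIP code
acts as a proxy. All records, ZIP loadings and thresholds are constructed.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from math import sqrt

# Constructed per-ZIP risk loading. Group membership is NOT an input to the model.
ZIP_LOADING = {"10001": 0.15, "20002": 0.45}
DENIAL_THRESHOLD = 0.50   # constructed decision threshold
FOUR_FIFTHS = 0.80        # adverse-impact reference ratio used as an assumption here


@dataclass(frozen=True)
class Record:
    group: str          # protected characteristic: held out of the model, used only for testing
    zip_code: str
    claim_amount: float
    human_denied: bool  # independent human review of the same file (monitoring baseline)


def ai_decision(zip_code: str, claim_amount: float) -> bool:
    """Toy model: denies when ZIP loading plus an amount factor exceeds the threshold."""
    return ZIP_LOADING[zip_code] + min(claim_amount / 100_000, 0.40) > DENIAL_THRESHOLD


def build_sample_records() -> list[Record]:
    """Constructed sample: each ZIP is 80% one group, so ZIP encodes group membership."""
    amounts = [10_000.0, 20_000.0, 30_000.0, 40_000.0]
    layout = [("A", "10001", 16), ("A", "20002", 4), ("B", "10001", 4), ("B", "20002", 16)]
    records = []
    for group, zip_code, count in layout:
        for i in range(count):
            amount = amounts[i % 4]
            # Human reviewers in this sample deny on claim amount alone, regardless of ZIP.
            records.append(Record(group, zip_code, amount, human_denied=amount >= 40_000))
    return records


def denial_rates(records: list[Record], decide) -> dict[str, float]:
    """Denial rate per protected group for a decision function applied to each Record."""
    denied, total = Counter(), Counter()
    for r in records:
        total[r.group] += 1
        denied[r.group] += int(decide(r))
    return {g: denied[g] / total[g] for g in total}


def adverse_impact_ratio(rates: dict[str, float]) -> float:
    """Lowest approval rate divided by highest; a value below FOUR_FIFTHS is a flag."""
    approvals = [1 - d for d in rates.values()]
    return min(approvals) / max(approvals)


def cramers_v(records: list[Record], attr_a: str, attr_b: str) -> float:
    """Association between two categorical fields: 0 (independent) to 1 (perfect proxy)."""
    table = Counter((getattr(r, attr_a), getattr(r, attr_b)) for r in records)
    rows, cols = Counter(), Counter()
    for (a, b), n in table.items():
        rows[a] += n
        cols[b] += n
    n = sum(table.values())
    chi2 = 0.0
    for a in rows:
        for b in cols:
            expected = rows[a] * cols[b] / n
            chi2 += (table[(a, b)] - expected) ** 2 / expected
    return sqrt(chi2 / (n * (min(len(rows), len(cols)) - 1)))


def monitoring_report(records: list[Record]) -> dict:
    """The per-subgroup figures an examiner would ask for, plus a proxy-strength score."""
    ai = denial_rates(records, lambda r: ai_decision(r.zip_code, r.claim_amount))
    human = denial_rates(records, lambda r: r.human_denied)
    air = adverse_impact_ratio(ai)
    return {
        "ai_denial_rate": ai,
        "human_denial_rate": human,
        "gap_vs_human": {g: round(ai[g] - human[g], 2) for g in ai},
        "adverse_impact_ratio": round(air, 2),
        "flag": air < FOUR_FIFTHS,
        "zip_group_cramers_v": round(cramers_v(records, "zip_code", "group"), 2),
    }


if __name__ == "__main__":
    for key, value in monitoring_report(build_sample_records()).items():
        print(f"{key}: {value}")
```

Two things the report shows that the model's input list alone would not: the human baseline is identical across groups while the AI denial rate is not, so the gap is attributable to the model rather than to the case mix; and the Cramér's V between ZIP and group quantifies how strong the proxy is before any decision is made, which is the kind of input-level check that can run on training data long before denial statistics accumulate.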

Right-Sizing Your AI Governance Approach

Greenfield — Insurance AI Governance Playbook

For PMs new to insurance AI governance. Covers NAIC Model Bulletin AIS Program basics; EU AI Act Annex III Section 5(c) high-risk designation; proxy discrimination fundamentals; human oversight design for claims AI; vendor accountability essentials.

Emerging — Insurance AI Governance Playbook

For PMs building systematic programs. Comprehensive multi-jurisdiction compliance mapping (US states, EU AI Act, UK FCA, Australia, Singapore); AIS Program design; bias testing methodology; claims AI human oversight framework; EU EIOPA Opinion implementation; DORA vendor governance.

Established — Insurance AI Governance Playbook

For PMs in mature organizations. EU AI Act high-risk compliance roadmap (August 2026 deadline); enterprise-wide AIS Program; multi-jurisdiction market conduct examination readiness; AI litigation discovery preparation; APRA CPS 230 AI vendor governance; GenAI insurance governance.



Framework References

NAIC Model Bulletin: Use of Artificial Intelligence Systems by Insurers (December 2023, ~25 states by end 2025) — AIS Program requirements; governance structure; bias testing; vendor management; consumer notice; market conduct examination documentation.

New York DFS Insurance Circular Letter No. 7 (July 11, 2024) — Proxy discrimination testing; no proxying for protected classes; vendor audit rights; DFS review access; explainability documentation.

California SB 1120 (effective January 1, 2025) — Prohibition on solely algorithmic coverage denial for medically necessary health care; licensed clinician review requirement.

Colorado SB 169 (2023) / Colorado AI Act (May 2024) — Prohibition on predictive models producing unfair discrimination; governance and testing requirements; AG enforcement from June 2026.

EU AI Act (Reg. (EU) 2024/1689) Annex III Section 5(c) — Life and health insurance risk assessment and pricing AI designated high-risk; full compliance August 2, 2026; fines up to €35M or 7% of global turnover.

EIOPA Opinion on AI Governance and Risk Management (August 6, 2025) — Insurance sector AI governance for all non-high-risk AI; data governance; bias assessment; explainability; human oversight; redress mechanisms.

IAIS Application Paper on the Supervision of Artificial Intelligence (July 2, 2025) — Global supervisory standard; proportionality; training data representativeness; adaptive AI risk; board education; third-party accountability.

APRA CPS 230 (in force July 1, 2025) — Operational resilience; third-party ICT risk governance including AI vendors; board accountability; concentration risk.

Lokken v. UnitedHealth Group (D. Minn., February 2025) — AI claims denial class action; discovery into AI use in claims allowed; applicable to all insurance lines.

This article is part of AIPMO’s Insurance series. See also: AI in Insurance Underwriting | GenAI in Insurance | AI Governance in Financial Services | AI Governance in Healthcare
