AI in Insurance Underwriting: Governance for Pricing and Risk Classification

External consumer data creates proxy discrimination even when protected characteristics are excluded from the model. ZIP codes encode segregation. Credit scores encode wealth gaps. The FCA found UK insurers using datasets correlating with race. Testing is required.

By AIPMO
PM Takeaways
  • Life and health insurance pricing AI must meet full EU AI Act high-risk compliance by August 2, 2026. Fines reach €35 million or 7% of global turnover. Any insurer using AI for life or health underwriting affecting EU residents needs a conforming governance program in place — gap assessment should be underway now.
  • Removing protected characteristics from model inputs doesn’t remove proxy discrimination. NY DFS Circular Letter No. 7 requires insurers to demonstrate the model doesn’t proxy for protected classes — testing against outcomes, not just inputs. ZIP codes, credit scores, and social media behavior can all carry protected class signal in your specific applicant population.
  • EIOPA’s August 2025 Opinion makes explicit that the bias data governance obligation applies equally to third-party purchased data as to owned data. If a vendor can’t provide training data composition and bias assessment documentation, the insurer can’t satisfy EIOPA’s requirements.
  • Adaptive underwriting AI — models that retrain on production data — carries heightened bias risk, per the IAIS Application Paper (July 2025). A model validated as unbiased at launch can develop disparate impact as it learns from live data. Bias re-testing must be triggered by every material model update.
  • The IAIS Application Paper (July 2025) specifically calls out board-level understanding of AI underwriting as a governance requirement. A board that approves AI pricing models without understanding the proxy discrimination risk or the change control plan is not meeting it.

Insurance pricing has always used predictive models. Actuarial tables, credit scores, telematics data, satellite imagery for property assessment, medical records for life underwriting — the trend toward more data, more granular segmentation, and more complex models predates AI by decades. What AI adds is the capacity to find patterns across thousands of variables simultaneously, to update continuously from new data, and to price at an individual level rather than a pool level.

Those capabilities create governance problems that traditional actuarial oversight was not designed to catch. A gradient-boosted decision tree that uses 300 variables — including purchased consumer data feeds — can produce discriminatory pricing outcomes through interaction effects that are invisible in any individual variable. Testing the inputs for protected characteristics does not test the outputs for discriminatory effects. And an adaptive model that learns continuously from policyholder behavior may develop bias patterns that were not present at validation.

The regulatory response to this has hardened significantly in 2024–2025. This article covers the governance obligations for insurance underwriting AI across the major jurisdictions and the practical PM responsibilities that follow.

What Regulators Require: The Core Obligations

| Jurisdiction | Underwriting AI Governance Requirements |
| --- | --- |
| US (NAIC + State) | Written AIS Program; bias testing by protected class; proxy discrimination analysis; documentation of model inputs and assumptions; vendor audit rights; adverse outcome tracking; market conduct examination readiness. NY DFS: proxy testing required, vendor DFS review access. Colorado: prohibition on predictive models producing unfair discrimination. California: no solely algorithmic adverse benefit determination in health (SB 1120). |
| EU (AI Act + EIOPA) | Life/health pricing AI: full EU AI Act high-risk regime by August 2026 (technical documentation, risk management, bias per Article 10, transparency per Article 13, human oversight per Article 14, post-market monitoring, CE marking process). Non-life AI: Solvency II + IDD + DORA + EIOPA Opinion — risk-based data governance; bias assessment; explainability; vendor accountability under DORA. |
| United Kingdom | Consumer Duty: insurer must produce fair outcomes for all customer segments including vulnerable groups; bias testing to confirm AI does not systematically disadvantage protected characteristics. SM&CR: named SMF responsible for AI underwriting systems. No AI-specific rules; FCA will intervene in egregious failures. |
| Australia | APRA CPS 230: operational risk management of AI underwriting systems; third-party vendor risk governance. Privacy Act: AI using personal information must comply with Australian Privacy Principles. APRA supervisory engagement expected for larger insurers. |
| Singapore | MAS FEAT Principles: AI underwriting must be fair (no unfair discrimination), ethical (human-centric), accountable (clear responsibility), transparent (policyholders can understand how AI affects pricing). MAS AI Model Risk Management Paper (2025): validation, change management, vendor oversight best practices. |
| Global (IAIS) | IAIS Application Paper (July 2025): proportionality — supervisory expectations higher for AI affecting retail customers; data governance — training data must be representative and free of bias; adaptive AI risk — additional governance for self-updating models; board education — specifically required. |

The Proxy Discrimination Problem in Underwriting

The most consistently documented failure mode in insurance underwriting AI is proxy discrimination: models that achieve discriminatory outcomes by gender, race, ethnicity, or socioeconomic status through variables that appear facially neutral. The mechanism is straightforward: if a protected characteristic correlates with an observable variable, and that variable is included in the model, the model can achieve the discriminatory outcome without the protected characteristic ever appearing in the feature set.

Common Proxy Variables and Their Associated Protected Characteristics

| Variable | Protected Characteristic Risk | Documented Context |
| --- | --- | --- |
| ZIP code or postal code | Race and ethnicity (residential segregation), socioeconomic status | FCA found UK insurers using location data that correlated with race/ethnicity. NAIC survey cited ZIP code as a proxy concern in auto and home insurance. |
| Credit score | Race, income (credit score correlates with wealth accumulation patterns shaped by historical discrimination) | Colorado SB 169 specifically targets predictive models that use credit and similar data to produce unfair discrimination. NY DFS Circular Letter 7 addresses proxy testing for these variables. |
| Social media and digital behavior data | Age, political affiliation, socioeconomic status, national origin | EU AI Act Article 10 requires bias assessment for training data including behavioral data. EIOPA Opinion flags behavioral data as requiring data governance scrutiny. |
| Occupation and employment type | Race, national origin, socioeconomic status | Traditional actuarial classification may replicate historical labor market discrimination through AI at scale. |
| Educational attainment | Race, socioeconomic status, national origin | Used in some life insurance underwriting; correlates with race-linked socioeconomic patterns. |
| Telematics driving behavior | Occupation and commute pattern (correlates with race and income in segregated cities), time-of-day driving | Telematics AI requires bias testing for whether driving behavior variables proxy for protected characteristics in the deployment population. |

Removing these variables from the model input does not eliminate the proxy risk. If the training data contains the correlation between the variable and the outcome, the model will find another pathway to the same discriminatory output. The only test that matters is an outcome-level test: does the AI produce materially different outcomes for applicants who share protected characteristics, controlling for legitimate risk factors?

Governance Design for Underwriting AI

Step 1: Data Governance and Training Data Assessment

  • Document all training data sources: owned data, purchased external data, partner data. For each source, assess demographic composition and known biases. EIOPA’s August 2025 Opinion explicitly states that third-party data carries the same bias assessment obligation as owned data.
  • For external consumer data: require the data vendor to provide documentation of demographic composition, known biases, and exclusion methods. If the vendor cannot provide this documentation, the insurer cannot meet EIOPA or NAIC bias assessment obligations.
  • Assess correlation between model features and protected characteristics in the deployment population. This is the proxy identification step — it must happen before model training, not after deployment.
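The proxy identification step can be run as a screen over the candidate features. The following is an added example, not code from AIPMO or any regulator: it scores each feature, and each pair of features, by Cramér's V against the protected attribute. The sample rows, the feature names (`zip_code`, `credit`, `shift`, `route`) and the group labels are constructed for illustration.

```python
from collections import Counter
from itertools import combinations
from math import sqrt

FEATURES = ("zip_code", "credit", "shift", "route")  # hypothetical feature names

def build_rows():
    """Constructed deployment sample; 'group' is the protected attribute."""
    base = {"A": [("Z1", "good")] * 7 + [("Z1", "fair")] + [("Z2", "fair")] * 2,
            "B": [("Z1", "good")] * 2 + [("Z2", "good")] + [("Z2", "fair")] * 7}
    # shift and route are each balanced across groups, but the pair identifies the group.
    trips = {"A": [("day", "urban"), ("night", "rural")],
             "B": [("day", "rural"), ("night", "urban")]}
    return [dict(group=g, zip_code=z, credit=c,
                 shift=trips[g][i % 2][0], route=trips[g][i % 2][1])
            for g, rows in base.items() for i, (z, c) in enumerate(rows)]

def cramers_v(xs, ys):
    """Cramér's V (0 = independent, 1 = fully determined) for two categorical series."""
    n = len(xs)
    joint, x_tot, y_tot = Counter(zip(xs, ys)), Counter(xs), Counter(ys)
    chi2 = sum((joint[(x, y)] - x_tot[x] * y_tot[y] / n) ** 2 / (x_tot[x] * y_tot[y] / n)
               for x in x_tot for y in y_tot)
    k = min(len(x_tot), len(y_tot)) - 1
    return sqrt(chi2 / (n * k)) if k else 0.0

def proxy_screen(rows, protected="group"):
    """Association of every feature and every feature pair with the protected attribute."""
    groups = [r[protected] for r in rows]
    scores = {(f,): cramers_v([r[f] for r in rows], groups) for f in FEATURES}
    for f1, f2 in combinations(FEATURES, 2):
        scores[(f1, f2)] = cramers_v([(r[f1], r[f2]) for r in rows], groups)
    return scores

if __name__ == "__main__":
    for feats, v in sorted(proxy_screen(build_rows()).items(), key=lambda kv: -kv[1]):
        print(" + ".join(feats), round(v, 2))
```

In this sample `shift` and `route` each score 0 on their own and 1.0 as a pair, which is the interaction effect a single-variable review cannot see. A screen like this narrows where to look; it does not replace testing the model's outputs.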

Step 2: Bias Testing Before Deployment

  • Test AI outputs against protected characteristics using the deployment population’s demographic data. The test question: do applicants from protected groups receive materially different outcomes (higher premiums, lower coverage limits, higher denial rates) than applicants with comparable risk profiles from non-protected groups?
  • Set acceptable performance thresholds before testing. Define what constitutes an acceptable disparity — there are actuarial methods for doing this that balance risk segmentation against discrimination prohibition. Document the threshold-setting rationale and obtain senior management or board approval.
  • Investigate disparities before deployment. A disparity finding is not a deployment decision — it is a governance event requiring investigation, explanation, and either remediation or documented justification.
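The outcome-level test described in the proxy discrimination section and in Step 2 can be sketched as follows. This is an added example, not the article's or any insurer's code: it compares mean premiums between two groups within each legitimate risk band, for a pricer that uses ZIP code, one with ZIP removed but credit tier retained, and one using risk band only. The applicants, loadings and the 1.05 threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean

BASE = {"low": 500.0, "medium": 800.0, "high": 1200.0}   # legitimate risk factor
ZIP_LOADING = {"Z1": 1.00, "Z2": 1.25}                   # hypothetical loadings
CREDIT_LOADING = {"good": 1.00, "fair": 1.25}

def build_applicants():
    """Constructed sample: (group, zip, credit, risk_band). 'group' is the
    protected attribute, held for testing only and never given to a pricer."""
    mix = {"A": [("Z1", "good")] * 7 + [("Z1", "fair")] + [("Z2", "fair")] * 2,
           "B": [("Z1", "good")] * 2 + [("Z2", "good")] + [("Z2", "fair")] * 7}
    return [(g, z, c, band) for band in BASE for g, rows in mix.items() for z, c in rows]

def price_with_zip(zip_code, credit, band):
    return BASE[band] * ZIP_LOADING[zip_code]

def price_zip_removed(zip_code, credit, band):
    # ZIP dropped from the inputs; credit tier still carries the group signal.
    return BASE[band] * CREDIT_LOADING[credit]

def price_risk_only(zip_code, credit, band):
    return BASE[band]

def outcome_disparity(applicants, pricer):
    """Within each risk band, mean premium of group B divided by that of group A."""
    premiums = defaultdict(list)
    for group, zip_code, credit, band in applicants:
        premiums[(band, group)].append(pricer(zip_code, credit, band))
    return {band: mean(premiums[(band, "B")]) / mean(premiums[(band, "A")])
            for band in BASE}

def flagged_bands(ratios, threshold):
    """Risk bands whose disparity exceeds the threshold fixed before testing."""
    return [b for b, r in ratios.items() if max(r, 1 / r) > threshold]

if __name__ == "__main__":
    people = build_applicants()
    for pricer in (price_with_zip, price_zip_removed, price_risk_only):
        ratios = outcome_disparity(people, pricer)
        print(pricer.__name__, {b: round(r, 3) for b, r in ratios.items()},
              "flagged:", flagged_bands(ratios, threshold=1.05))
```

None of the three pricers takes the protected attribute as an input, yet the first two are flagged in every risk band; only the outputs show it.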

Step 3: Adaptive AI Change Control

For underwriting AI that updates after deployment — including models that retrain on new policyholder data, pricing models that adjust to market conditions, or telematics models that update continuously — change control is a core governance obligation:

  • Define what constitutes a material model update: architecture change, significant new training data, feature addition or removal, parameter updates beyond defined bounds.
  • Require bias re-testing after each material update before the updated model goes live in production. The IAIS Application Paper specifically identifies adaptive AI as a heightened risk for unintended bias.
  • Maintain a change log documenting all model updates, testing performed, and governance approvals. This is the audit trail for regulatory examination and litigation discovery.

Step 4: Explainability for Adverse Outcomes

  • When the underwriting AI produces an adverse outcome — coverage declined, premium elevated, terms restricted — the insurer must be able to produce an explanation that is specific (identifies the factors that drove the outcome), accurate (reflects the actual model logic), and comprehensible to the affected policyholder.
  • For EU operations: EU AI Act Article 86 (effective August 2026 for high-risk AI) gives applicants the right to request a plain-language explanation of the AI’s role in the decision. EIOPA’s Opinion requires explainability to both supervisors (technical level) and clients (comprehensible language) for all insurance AI.
  • Explainability must be built into the model selection process. Models that cannot produce factor-level explanations for individual decisions may not satisfy regulatory explanation requirements.

Step 5: Vendor Accountability Framework

  • For AI pricing or underwriting tools procured from vendors: require bias testing documentation for the vendor’s model, demographic performance data from comparable deployments, audit access rights, and notification obligations for material model changes.
  • Under DORA (EU, in force January 2025): mandatory contractual provisions for critical ICT providers including AI underwriting vendors covering audit rights, incident reporting, exit arrangements, and data portability. This is a hard legal obligation for EU insurers, not a procurement best practice.
  • Insurer accountability for vendor AI is consistent across all jurisdictions: the insurer remains responsible for outcomes produced by AI it deploys, regardless of whether that AI was built in-house or purchased.

PM Responsibilities for Underwriting AI

  • Determine the regulatory classification of underwriting AI before procurement: EU high-risk (life/health pricing), NAIC Model Bulletin scope (US), FCA Consumer Duty scope (UK), APRA CPS 230 third-party scope (Australia). Regulatory classification determines the evidence and governance standard required.
  • Scope bias testing as a formal project workstream with dedicated resources, data access, statistical analysis, and governance review — not as a quality checklist item assigned to the model team.
  • Establish the change control plan for adaptive AI before deployment. Define the update governance process, the re-testing trigger, and the documentation requirements. Build this into the vendor contract where AI is procured externally.
  • Prepare for regulatory examination. The AIS Program, bias testing results, training data assessments, change logs, and explainability documentation should be organized and accessible. A market conduct examiner asking for this documentation should receive it within days, not months.

Right-Sizing Your AI Governance Approach

Greenfield — Insurance Underwriting AI Governance Playbook

Proxy discrimination fundamentals; external consumer data bias assessment; minimum bias testing methodology; AIS Program basics; EU AI Act Annex III Section 5(c) high-risk scope assessment.

Emerging — Insurance Underwriting AI Governance Playbook

Comprehensive proxy discrimination testing framework; adaptive AI change control design; multi-jurisdiction requirements (NAIC, NY DFS, Colorado, EU AI Act, EIOPA, UK FCA); vendor data governance program; explainability design for underwriting AI.

Established — Insurance Underwriting AI Governance Playbook

EU AI Act high-risk compliance program (August 2026 deadline); enterprise-wide underwriting AI governance; DORA vendor governance for EU operations; market conduct examination readiness; board governance education program for underwriting AI.

Framework References

EU AI Act (Reg. (EU) 2024/1689) Annex III Section 5(c) — Life and health insurance risk assessment and pricing AI: high-risk classification; full compliance August 2, 2026. Article 10 (data governance and bias), Article 13 (transparency), Article 14 (human oversight), Article 86 (right to explanation).

EIOPA Opinion on AI Governance and Risk Management (August 6, 2025) — Data governance obligation including third-party data bias assessment; explainability to supervisors and clients; human oversight; redress mechanisms; ultimate insurer accountability.

IAIS Application Paper on the Supervision of Artificial Intelligence (July 2, 2025) — Adaptive AI heightened risk; training data representativeness; board education requirement; proportionality principle; third-party accountability.

NAIC Model Bulletin: Use of Artificial Intelligence Systems by Insurers (December 2023) — AIS Program; bias testing and documentation; vendor management; adverse outcome tracking.

New York DFS Insurance Circular Letter No. 7 (July 11, 2024) — Proxy discrimination testing; demonstration that AI does not proxy for protected classes; vendor DFS review access.

Colorado SB 169 (2023) / Colorado AI Act (May 2024) — Prohibition on external data and predictive models producing unfair discrimination; AG enforcement from June 2026.

DORA (Reg. (EU) 2022/2554, in force January 17, 2025) — Third-party ICT risk governance for EU insurers including AI model vendors; mandatory audit rights; incident reporting; exit provisions.

This article is part of AIPMO’s Insurance series. See also: AI Governance in Insurance  |  GenAI in Insurance  |  AI Governance in Healthcare
