NAIC AI Rules Now Cover Half of US States as EO 14365 Threatens Override
Compliance New

NAIC AI Rules Now Cover Half of US States as EO 14365 Threatens Override

NAIC AI Model Bulletin now covers over half of US states. EO 14365 tasks a DOJ task force with challenging those laws. What US insurers must do now.

Patrice Dumont June 24, 2026 6 min read

NAIC AI Model Bulletin compliance is now live in over half of US states, yet the federal government’s December 2025 executive order has launched a direct legal challenge to state insurance AI oversight — leaving US insurers in a compliance bind that demands immediate action regardless of how the preemption fight resolves.

26 Jurisdictions In, More Coming: The State-by-State AI Compliance Map

The NAIC’s Model Bulletin on the Use of Artificial Intelligence Systems by Insurers was adopted by NAIC membership on December 4, 2023, at the Fall National Meeting in Orlando. Unlike a federal statute, it carries no single effective date. Adoption is a state-by-state decision, and that process has accelerated sharply. As of March 2025, 24 states had adopted the bulletin, with Alaska becoming the first adopter on February 1, 2024, and Wisconsin the 24th on March 18, 2025. By December 2025, the tally had crossed a critical threshold: over half of all US states had adopted this bulletin or similar guidance, with more following suit, according to the NAIC’s own statement. Additionally, four states have enacted insurance-specific AI regulation or guidance that goes beyond the bulletin itself.

The adoption pace matters operationally. Insurers writing business across multiple states — virtually every mid-size or large carrier — now face simultaneous regulatory obligations in a majority of US jurisdictions. The bulletin’s compliance demands are not aspirational. The NAIC Model Bulletin requires insurers to adopt, implement, and maintain a written AI governance program covering governance, documentation, testing, and third-party oversight. That written program — often called an AIS Program — must be defensible to state examiners on request. For context on how comparable mandatory AI governance frameworks are taking shape internationally, see our analysis of FSC Korea’s AI governance rules for insurers in the financial sector, which mirrors many of the same documentation and testing requirements now becoming standard in the US.

Executive Order 14365: A DOJ Task Force Aimed Squarely at State AI Laws

The compliance landscape shifted materially on December 11, 2025. Executive Order 14365, signed that day, established a national AI policy framework and directed the Attorney General to create an AI Litigation Task Force with the sole responsibility of challenging state AI laws. The language of the order is explicit: the resulting federal framework must forbid state laws that conflict with the policy set forth in the executive order. The White House has published the full text of EO 14365, which frames state AI regulation as an obstruction to national AI competitiveness.

The NAIC responded within days. The association expressed deep concern over EO 14365, warning that it would prevent regulators from addressing AI risks in rate setting, underwriting, and claims processing. More pointed still: the NAIC warned that the executive order would disrupt over 150 years of state insurance market oversight. The NAIC’s full statement on EO 14365 frames the preemption question as an existential challenge to the state-based regulatory model under the McCarran-Ferguson Act.

For insurers, the practical implication is uncertainty without relief. Whether or not federal preemption litigation succeeds — and outcomes could take years to litigate — state regulators in the 26-plus adopting jurisdictions are actively examining AI governance today. Delaying compliance pending legal resolution is not a defensible posture. The comparison with how UK regulators are approaching systemic AI model risk is instructive: our coverage of UK regulators warning that frontier AI cyber threats outpace human defenders illustrates why regulators on both sides of the Atlantic are unwilling to pause oversight pending political resolution.

The 12-State Pilot: How Regulators Are Actually Testing Insurer AI Programs

Parallel to the preemption fight, the NAIC is operationalizing its supervisory infrastructure. The NAIC AI Systems Evaluation Tool pilot began March 2, 2026, and runs through September 2026, with 12 participating states: California, Colorado, Connecticut, Florida, Iowa, Louisiana, Maryland, Pennsylvania, Rhode Island, Vermont, Virginia, and Wisconsin. This is not a theoretical exercise. Insurers in those states may receive examiner requests structured around the tool’s framework.

The evaluation tool includes four structured exhibits: Exhibit A quantifies AI usage across the enterprise, Exhibit B provides a governance risk assessment framework, Exhibit C requires details on high-risk AI systems specifically, and Exhibit D covers AI data details. The four-exhibit structure effectively maps onto what a mature AIS Program must already document. Carriers without that documentation infrastructure in place face acute examination risk in pilot states. For a sense of how similar supervisory tooling is developing in Asian markets, our report on Japan FSA’s AI cybersecurity working group for the insurance sector shows the same structured-disclosure approach emerging globally.

Third-Party Vendor Oversight: The Next Compliance Frontier

Among the bulletin’s most consequential requirements — and one that is rapidly becoming more demanding — is third-party AI vendor oversight. Insurers are responsible for managing risks associated with AI systems deployed on their behalf by third-party vendors, and must demonstrate to regulators that appropriate risk-based oversight mechanisms are in place. This is not a pass-through: if a vendor’s model discriminates in underwriting, the insurer bears regulatory liability.

The NAIC is now formalizing vendor accountability at the supply-chain level. The NAIC Third-Party Data and Models Working Group is developing a registration-based framework for AI model vendors spanning pricing, underwriting, claims, and fraud detection, with first state implementations expected in late 2026 or early 2027. Under the proposed framework, AI vendors would be required to disclose training data sources, testing methodology including bias testing, known limitations, and change-management practices before their products can be used by insurers. This shifts due diligence from a contractual private matter to a regulatory prerequisite. Carriers relying on off-the-shelf AI tools for underwriting — explored in depth in our piece on Sixfold AI’s underwriter point-solution automation and the third-party AI tools reshaping the market — will need to validate vendor compliance with the forthcoming registration framework well in advance of implementation.

What Insurers Must Operationalize Now

The preemption uncertainty does not pause state-level enforcement. Three operational priorities are non-negotiable for any carrier with multi-state exposure:

  • Written AIS Program: The bulletin requires a documented governance program covering governance, documentation, testing, and third-party oversight — this document must exist and be examiner-ready. Map it to the four exhibits of the NAIC evaluation tool to ensure alignment with the pilot’s supervisory framework.
  • Bias and error testing: The bulletin requires insurers to adopt verification and testing methods to identify errors, bias, and unfair discrimination in AI systems. Testing must be documented, periodic, and defensible — not a one-time pre-deployment check.
  • Vendor due diligence inventory: Given the forthcoming NAIC vendor registration framework, carriers should begin cataloguing every third-party model in production across pricing, underwriting, claims, and fraud — and requesting disclosure documentation from vendors now, before the framework imposes mandatory requirements.

Carriers operating in the 12 pilot states face the most immediate examination risk and should treat the evaluation tool’s four exhibits as a de facto audit checklist. Those outside pilot states should treat the framework as a preview of national standard practice by 2027.

Mini-FAQ

Does Executive Order 14365 mean insurers can ignore state AI compliance obligations?
No. EO 14365 directs the DOJ to challenge state AI laws through litigation, but those laws remain in force during any legal proceedings. Over half of US states have already adopted the NAIC AI Model Bulletin or similar guidance, and state insurance regulators in those jurisdictions are actively examining compliance. Insurers should maintain full compliance with adopted state requirements while monitoring the federal preemption litigation.
What is the NAIC AI Systems Evaluation Tool and which states are using it?
The NAIC AI Systems Evaluation Tool is a structured supervisory instrument organized into four exhibits covering AI usage volume, governance risk assessment, high-risk AI system details, and data details. A pilot running from March 2, 2026 through September 2026 involves 12 states: California, Colorado, Connecticut, Florida, Iowa, Louisiana, Maryland, Pennsylvania, Rhode Island, Vermont, Virginia, and Wisconsin. Insurers in those states may receive examiner requests aligned to the tool’s framework during the pilot period.
How does the forthcoming NAIC vendor registration framework change insurer obligations?
The NAIC Third-Party Data and Models Working Group is developing a framework that would require AI model vendors serving insurers to register and disclose training data sources, bias testing methodology, known limitations, and change-management practices before their products can be deployed. For insurers, this means third-party AI vendor oversight — already required under the existing bulletin — will shift from internal contractual due diligence to a formal regulatory prerequisite. First state implementations are expected in late 2026 or early 2027.

Sources used

Filed under

Topics Compliance
Region North America
Line of business Commercial
Players Regulators
P

Patrice Dumont

InsuraBeat correspondent

Senior reporter at InsuraBeat leading coverage of insurance regulation, executive moves, and the insurtech landscape across EMEA and APAC. Fifteen years straddling regulation and trade journalism: began in the legal team of a French insurance industry body, advising members on Solvency II implementation and product approvals, then moved to specialised insurance media to cover EIOPA, NAIC and IAIS work and prudential reform. Graduate of the Pan-Asian School of Governance and Regulatory Affairs (Singapore), with an LL.M. in Insurance Prudential Law and Cross-Border Compliance from the Nihon-Siam Institute of Legal Studies (Bangkok). Writes from Brussels, on European afternoon markets.

All articles by Patrice Dumont →

Continue reading

Daily Beat newsletter

Never miss a beat in global insurance.

Get the day’s top deals, executive moves and regulatory shifts in your inbox every morning.

Free. No spam. Unsubscribe anytime.