AI Risk Scoring in Underwriting: A 2026 Playbook for P&C Carriers

Why AI risk scoring matters in 2026 for P&C carriers

AI risk scoring underwriting is the use of machine-learning models to assign a quantitative risk grade to each submission before bind, refining or replacing static rating tables and broad underwriting guidelines. For a Chief Underwriting Officer, the question is not whether to score risks with AI - it is how to do it without inheriting three new problems: regulator scrutiny under the NAIC AI Model Bulletin, underwriter mistrust of the model output, and an adverse-selection death spiral if the score is wrong on the wrong segment.

In my 20 years working inside carriers - operations, underwriting transformation, and now advising boards on system modernization - I have watched the same pattern repeat. A carrier deploys a third-party AI risk scoring engine on commercial auto. Twelve months in, the loss ratio on the segment scored “preferred” is two points worse than the legacy book, because the model was trained on a competitor’s data and never re-fit to the carrier’s own portfolio mix. The board asks the CUO to explain. The CUO cannot, because the vendor will not share feature weights. That is the situation AI risk scoring is supposed to prevent - not create.

This article is the playbook I would write for a CUO sitting in front of that board. It covers what AI risk scoring actually does at quote, bind, and mid-term, where the regulatory exposure sits under the NAIC AI Bulletin, how rules engines and ML models work together (not against each other), and how to design override patterns that keep human judgment in the loop without slowing down straight-through processing on simple risks. It is vendor-neutral on purpose. The carriers I advise want to know which questions to ask, not which logo to pick.

The context for 2026 is concrete. Commercial P&C carriers are facing margin pressure: McKinsey’s research on commercial underwriting found that even leading insurers can capture loss-ratio improvements of three to five percentage points and new-business premium gains of 10 to 15% through digitized underwriting, but only with the right data and analytics maturity (McKinsey). At the same time, more than half of US states have now adopted the NAIC Model Bulletin or substantially similar guidance on AI use in underwriting and rating (NAIC). That combination - pressure to use AI for selection, plus formal regulator expectations on how it is governed - is what makes 2026 different from 2022.

Adverse selection - anatomy of bad risks slipping through quote

Adverse selection is what happens when a carrier’s pricing or eligibility rules let in risks the market knows are worse than average, while pushing out risks the market knows are better than average. It does not feel dramatic in the moment. It looks like one quote at a time, each priced reasonably under the rules in force, each issued by a competent underwriter. The damage shows up 18 to 36 months later in the loss triangle.

How a typical adverse-selection problem starts

I worked with a Mid-Atlantic specialty carrier writing professional liability for healthcare staffing firms. Their book was profitable for nine consecutive years on a 65% loss ratio. Then a new MGA partner started feeding them small home-health-aide agencies - a class their guidelines technically allowed but their rate adequacy never modeled separately. Two years later the loss ratio on that subsegment was 142%. Nothing in the workflow had changed. The underwriting guidelines still passed every audit. What had changed was the mix. The static rules treated home-health-aide agencies the same as registered-nurse staffing firms, when the underlying loss frequency was three times higher.

That is adverse selection in its purest form: a guideline that was correct on the average risk becomes wrong on the marginal risk because the marginal risk distribution has shifted. AI risk scoring exists, in part, to detect that shift before the loss triangle confirms it.

The four signals AI risk scoring is built to catch

A well-designed risk scoring model surfaces four things a static rate table cannot:

First, interaction effects between rating variables. A 12-year-old roof is a different risk in Houston than in Minneapolis, and the interaction with construction type matters. ML models capture those interactions natively; rate tables encode them only when an actuary explicitly files for them.

Second, non-linear risk gradients. The frequency curve for commercial auto loss does not move linearly with fleet size - it dips between 8 and 15 vehicles, then climbs sharply. Rate tables straighten that curve into bands; ML models follow the actual shape.

Third, emerging-class divergence. When a new sub-segment starts generating disproportionate loss frequency, an ML model retrained quarterly will catch it inside two quarters. A rate filing cycle is 12 to 18 months in most jurisdictions.

Fourth, third-party data signals the underwriter has not formally codified. ISO, CLUE, satellite roof imagery, D&B financial stress indicators - these all carry predictive power that an ML model can weight, but a static guideline can only treat as eligibility flags.

What AI risk scoring will not fix

I want to be honest about this, because the vendor pitch usually is not. AI risk scoring will not fix a carrier whose loss data is bad. If your historical claims data is missing the cause-of-loss field for 30% of records, no model trained on it will tell you anything reliable. And it will not fix selection on a class your data does not contain. If you are launching cyber for the first time, your in-house data has nothing to score against - you are buying someone else’s model with someone else’s portfolio bias baked in. In both cases the right move is data work first, scoring second.

AI risk scoring at three stages - quote, bind, and mid-term

Most articles treat AI risk scoring as a single event: the moment a submission gets a number. In production, scoring happens at three different points in the policy lifecycle, with different data inputs, different latency budgets, and different decision implications.

Stage 1: Quote-stage scoring

This is the score most carriers think of first. A submission comes in, gets enriched with third-party data, and the model returns a score in seconds. The decision options at this stage are: auto-quote with rate, refer to underwriter, or decline. Latency budget is sub-second for personal lines, a few seconds for commercial.

Quote-stage scoring is where carriers achieve straight-through processing on simple risks and where the speed-to-bind advantage shows up. McKinsey’s commercial P&C underwriting research found that anywhere from 30 to 40% of underwriters’ time is spent on administrative tasks (McKinsey) - quote-stage automation is what claws that time back for substantive risk work.

Stage 2: Bind-stage scoring

Between quote and bind, conditions change. Inspection reports come in. The applicant updates their answer to a question. A motor-vehicle record refreshes. Bind-stage scoring re-runs the model with the updated data set and surfaces material deviations - for example, the score moved from 240 to 410 because the inspection found a flat roof on what was reported as pitched.

Bind-stage scoring is also where pre-bind fraud controls live. Before the policy is bound, the model checks the application against fraud signals: identity inconsistencies, application history across other carriers, suspicious patterns in the answer set. In auto insurance specifically, premium leakage from inaccurate driver, mileage, or garaging information adds up to roughly $35 billion annually in the US, before staged accidents and inflated damage claims are even added in (Coalition Against Insurance Fraud / III).

Stage 3: Mid-term and renewal scoring

The book moves while the policy is in force. Telematics shows new behavior. A property changes hands. A commercial auto fleet grows by six vehicles between renewals without notification. Mid-term scoring runs the model again on the live portfolio - not to re-rate every policy (regulators would take exception, and most jurisdictions do not allow mid-term re-rating outside specific triggers) but to flag policies whose risk has materially diverged from the bind-stage score. Those flags drive endorsement requests, mid-term inspections, or non-renewal decisions at the next anniversary.

The CUOs I advise consistently underestimate the value of stage 3. The largest loss-ratio recoveries I have seen came from mid-term scoring catching books that had drifted, not from quote-stage scoring catching bad new business.

Rules + ML hybrid architecture for risk scoring

A common mistake I see in carrier RFPs is treating “rules engine” and “ML model” as competing options. They are not. They are layers in the same scoring stack, and the carriers that get the best results run them together.

Why pure ML scoring fails the regulator test

A pure ML model that outputs a single risk score with no underlying rule layer creates a problem the moment a regulator asks: “Why was this applicant declined?” The carrier needs an answer that maps to filed rate factors and complies with state Unfair Trade Practices laws. SHAP values and feature attributions are technical artifacts, not regulatory artifacts - that distinction matters. The Bank for International Settlements has documented how regulators are increasingly demanding explanations that map model behavior to filed factors, not just feature-importance plots (BIS).

The CFA Institute’s 2025 report on explainable AI in finance reinforces the point: SHAP and LIME are widely used to justify decisions, but the explanation that lands with a regulator is a written narrative, not a chart (CFA Institute).

Why pure rules-based scoring leaves loss ratio on the table

A pure rules-based scoring engine - even a sophisticated one with thousands of decision-table entries - cannot capture interaction effects between variables the way an ML model can. It also cannot retrain itself on new loss experience without an actuarial filing cycle. For carriers writing in soft markets, that lag is what hands the better risks to a faster competitor.

The hybrid pattern that works

The hybrid pattern I recommend is straightforward:

1. Rules layer first - handles eligibility, hard declines, regulatory exclusions, and any rule that must be deterministic for compliance. This is where the carrier’s filed rating logic lives, where state-specific rules are encoded, and where audit trails are clean.
2. ML layer second - runs only on submissions that cleared the rules layer, producing a refined risk score and pricing recommendation within the bands the actuarial team has filed.
3. Rules-based guardrails over the ML output - if the ML score recommends a price more than X% below or above the rules-engine technical price, the case routes to a human underwriter regardless. This catches model drift before it shows up in the loss triangle.

This is the architecture that powers our Higson rules engine when paired with an ML scoring service. Higson handles the deterministic, audit-friendly part - eligibility rules, declination logic, technical price bands - while the ML model produces the refinement inside those bands. Business users (actuaries, underwriting managers) update Higson rules in hours, without an IT release cycle, which is what turns a 4-month rule deployment into a same-day change. The tester mode lets the team simulate any rule change against historical book data before promoting it to production. None of that replaces the data scientists’ work on the ML model - it gives them the deterministic scaffolding they need to ship explainable scoring.

Fraud at quote - pre-bind controls that actually work

Most fraud detection conversations focus on the claims side, where it is most visible. The cheaper place to catch fraud is at quote, before the policy is bound and before any claim has to be denied. The math is straightforward: a quote denied costs nothing; a claim denied costs the legal review, the SIU referral, and the bad-faith exposure.

The Coalition Against Insurance Fraud’s most recent estimate puts total US insurance fraud at $308.6 billion annually, with property and casualty fraud accounting for roughly $45 billion of that figure (Insurance Information Institute). For a carrier writing $1 billion in premium, the implied fraud exposure is in the tens of millions per year, depending on line and geography.

What pre-bind fraud signals look like in production

A pre-bind fraud model does not look like the claims-side fraud models most carriers already have. It is checking different things:

• Identity coherence - does the applicant’s stated address match the geocoded property? Does the named insured match the registered business at the state corporate registry? Is the email domain less than 30 days old?
• Application history - has this VIN been quoted with three different garaging addresses in the past 90 days? Has this Tax ID been submitted to other carriers’ workers comp lines with conflicting payroll data?
• Behavioral signals on the quote session - was the application filled out in 38 seconds (suspiciously fast) or copy-pasted from another tab?
• Premium leakage indicators - is the stated annual mileage on this auto policy 7,500 when telematics-aggregated data for the same VIN shows 18,000?

None of these are smoking guns alone. The model assembles them into a fraud score that runs in parallel with the risk score. A high fraud score does not auto-decline - that is a regulatory minefield. It routes the case to a human investigator before bind.

The cross-link to claims-side anti-fraud

Pre-bind fraud scoring is most powerful when it shares signals with the claims-side anti-fraud system. A pattern that looks unremarkable at quote - say, a particular tow company appearing on three policies - becomes a flag once the same tow company is associated with two suspicious claims six months later. We have written more about how those signals connect on the claims side in our Decerto Anti-fraud Solution page and in our broader work on Claims AI. The carriers I have seen get the largest fraud reductions are the ones that share the underlying feature store across both.

External data signals - ISO, CLUE, D&B, telematics, weather

An AI risk scoring model is only as good as the data it sees. The internal claims and underwriting history a carrier has on a submission is necessary but not sufficient. The lift comes from external signals - and choosing which external signals to integrate is one of the most consequential decisions in the architecture.

The integration question

The data integrations a workbench supports determine which models the carrier can train. A workbench that pulls ISO, CLUE, D&B, MVR, and a geospatial provider is a very different platform than one that does not. This is where I push back on RFP language like “extensive data integrations” - that means nothing to me. The right RFP question is: “Which of these eight sources are pre-integrated, and what is your data refresh frequency on each?”

Decerto’s underwriting workbench is built to make those integrations a configuration problem rather than a custom-development problem, which matters for the time-to-deployment math. The point is not that we have every data source integrated out of the box (no vendor does, honestly). The point is that the integration framework treats new data sources as configurable connectors, not custom code. For the architecture details, see our Pillar Main on the underwriting workbench.

A note on third-party model risk

Several states are moving from “did you test your AI model?” to “did you also test the third-party AI models you bought from a vendor?” The NAIC has formed a working group specifically focused on third-party data and model regulatory frameworks (NAIC). New York’s DFS Circular Letter 2024-7 already requires insurers to allow the Department to review vendor tools and to audit them (Buchanan Ingersoll & Rooney). If a carrier outsources its AI risk score to a vendor, the vendor’s bias-test documentation is now the carrier’s regulatory exposure.

Confidence intervals and underwriter override patterns

A risk score without a confidence interval is a number pretending to be a decision. In production, the score should always come with a measure of how certain the model is - and the override pattern should depend on that certainty.

What confidence intervals actually mean here

The model produces not a single score but a distribution. A risk that scores 380 with a tight interval of ±15 is a different decision than a risk that scores 380 with an interval of ±90. The first is a confident prediction the carrier can act on. The second is the model saying “I have not seen many risks like this - get a human involved.”

Carriers who do not surface confidence in the underwriter UI end up with two failure modes. First, underwriters trust a low-confidence score the same as a high-confidence one, and the loss ratio takes a hit on the segments the model knows least well. Second, underwriters distrust every score equally, and the straight-through-processing benefit collapses because everything gets manually reviewed.

Override patterns that scale

The override patterns I recommend are:

Auto-bind band. Score in the auto-bind range AND confidence interval narrow → policy binds with no human touch. For a typical personal auto book, this might be 30 to 60% of submissions. The carriers I have advised who successfully push this past 60% usually have to walk it back inside 18 months because adverse selection creeps in at the band edges.

Underwriter review band. Score in any range BUT confidence interval wide → routes to human review with the model’s uncertainty surfaced. The UI shows the underwriter what the model saw, what features drove the score, and where the uncertainty came from.

Hard refer band. Score in the high-risk range OR confidence interval extreme → mandatory referral to senior underwriter or specialty desk, regardless of how the rules engine would have routed it.

Override-back loop. When an underwriter overrides the model - accepts a score the model declined, or declines one the model accepted - that decision feeds back into the training data with the underwriter’s reasoning code. This is what closes the loop between codified expertise and ML retraining. We have written about this institutional-knowledge codification problem in our companion piece on why AI augments rather than replaces underwriters.

What I would require in any AI risk scoring deployment

If I were sitting on the carrier side of the table reviewing a vendor’s proposal, the non-negotiables for me would be:

1. Confidence intervals surfaced in the underwriter UI on every score.
2. Override reasoning codes captured in structured form, not free text.
3. A retraining cadence with a documented model lifecycle (every 90 days minimum, retire on documented criteria).
4. SHAP or equivalent feature attributions stored alongside every decision for the regulatory audit trail.
5. A bias-testing report by line of business, refreshed each retraining cycle.

That last point is where we cross into the regulatory section.

NAIC AI Model Bulletin compliance for risk scoring

If you operate in 24 or more US jurisdictions, your AI risk scoring is now subject to the NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers - adopted in full or substantially similar form by 24 states as of mid-2025, with adoption continuing through 2026 (Holland & Knight; Quarles).

What the bulletin actually requires

The bulletin sets a documentation expectation, not a prescriptive technical standard. Carriers are expected to implement a written AI Systems (AIS) Program that addresses:

• Governance - a defined accountability structure with senior management or board oversight, covering business, actuarial, data science, underwriting, claims, legal, and compliance (NAIC).
• Risk management and internal controls - validation, testing, and retesting processes for AI outputs, with attention to bias and unfair discrimination.
• Third-party vendor oversight - vendor models are the carrier’s responsibility, not the vendor’s.
• Documentation and audit readiness - the regulator should be able to review the model’s logic, decisions, and validation evidence on request.

What documentation a regulator will actually ask for

In examinations I have observed since the bulletin’s adoption, the documents most consistently requested are:

• Model card - a written description of the model’s purpose, inputs, outputs, training data, validation results, known limitations, and retirement criteria.
• Bias and fairness testing results - disparate-impact testing across protected classes and proxies, by line of business.
• Decision-level audit trail - for any individual policy, the carrier needs to produce the score, the features that drove it, and the rules logic that applied.
• Governance minutes - board or committee oversight of AI model deployment and ongoing review.
• Vendor due diligence file - for any third-party model, the vendor’s bias testing, validation, and update history.

State variations to know about

Three states have moved beyond the NAIC bulletin’s principle-based approach:

Colorado has implemented quantitative testing requirements for insurance algorithms under C.R.S. §10-3-1104.9, with implementing regulations expanded to private passenger auto and health benefit plans effective October 2025 (Buchanan Ingersoll & Rooney).

New York issued DFS Circular Letter 2024-7 requiring insurers to demonstrate that AI and external data systems do not proxy for protected classes, with documented internal logs, vendor audits, and explainability for adverse outcomes.

California restricts solely-automated tools in health-related coverage decisions and requires disclosure when AI contributes to a determination.

A national carrier writing across these jurisdictions cannot meet the strictest requirement only in the strictest state - operationally, the strictest standard becomes the de facto standard for the whole book. The NAIC has also issued formal concern about federal preemption that could complicate this state-by-state approach further in 2026 (NAIC statement, December 2025).

How an underwriting workbench supports compliance

A workbench’s role in NAIC compliance is to make the documentation a byproduct of operations, not a separate project. Specifically:

• Every scoring decision is logged with inputs, score, confidence interval, feature attributions, and rule path - so the audit trail is automatic.
• Every rule change in the rules engine is versioned with date, author, and reason - so a regulator’s “what rule was in force on this date” question takes two clicks.
• Bias testing artifacts are stored as model assets, not as ad-hoc spreadsheets - so the testing cadence is enforceable.
• Underwriter overrides are captured with structured reasoning codes - so the model’s blind spots are documented.

For carriers building this from scratch, that is months of work. For carriers using a workbench designed around the bulletin’s expectations, it is configuration. Our Decerto Underwriting Workbench is built on that assumption - that examination readiness should be a continuous state, not a fire drill.

FAQ - AI risk scoring in P&C underwriting

How does AI score risks in underwriting compared to traditional rate tables?

A traditional rate table assigns a price based on a fixed set of filed rating factors with linear interactions. An AI risk score uses a machine-learning model trained on historical loss data to capture non-linear relationships and interaction effects between variables - for example, how roof age interacts with hail exposure differently in different climate zones. The output is a refined risk score that sits within the actuarially-filed price bands, not a replacement for filed rates.

What is predictive underwriting and how does it differ from descriptive analytics?

Predictive underwriting uses statistical models to estimate the future loss potential of a submission, rather than describing the historical loss experience of a similar segment. Descriptive analytics tells you what your current book looks like; predictive underwriting tells you what a new submission’s expected loss ratio is, with a confidence interval, before you bind it. Both matter - most carriers run them in parallel.

How can a carrier prevent adverse selection with AI risk scoring?

Adverse selection prevention with AI requires three things working together: a model retrained frequently enough to catch sub-segment drift (typically every 90 days), confidence intervals surfaced to underwriters so low-confidence cases get human review, and a rules-engine guardrail that flags any case where the ML score and the rules-engine technical price diverge by more than a defined threshold. None of the three works alone.

What external data sources should feed an AI risk model in P&C?

The standard external data stack for US P&C is ISO ClaimSearch (cross-carrier claims), LexisNexis CLUE (auto and property loss history), Dun & Bradstreet (commercial firmographics), state MVRs (driving records), telematics for usage-based products, geospatial imagery for property, and weather/catastrophe models for forward-looking peril. The right stack depends on the lines written; specialty lines often need additional sector-specific sources.

How does the NAIC AI Model Bulletin regulate AI underwriting in 2026?

The NAIC Model Bulletin, adopted by 24 or more states as of mid-2025, requires insurers using AI in underwriting to maintain a written AI Systems Program covering governance, risk management, third-party vendor oversight, and documentation. The bulletin is principle-based rather than prescriptive - it does not mandate specific testing methodologies, but it does require that carriers be able to document their model logic, validation, and bias testing on request from a state Department of Insurance.

What is fraud at quote and how is it different from claims fraud detection?

Fraud at quote refers to detecting fraudulent applications before the policy is bound, using identity coherence checks, application-history analysis across carriers, and behavioral signals during the quote session. Claims fraud detection happens after a loss is filed. Both matter, but pre-bind fraud detection is significantly cheaper because a denied quote has no legal cost, while a denied claim carries SIU and bad-faith exposure.

Can AI risk scoring replace senior underwriters on complex commercial risks?

No. AI risk scoring is highly effective for personal lines and small commercial submissions where data density is high and risks are relatively homogeneous. For large commercial, specialty lines, and complex risks, the model lacks the data depth to score well, and the regulatory posture in most jurisdictions still expects human underwriting judgment. McKinsey’s research projects that even by 2030, large commercial and specialty underwriting will not be fully automated (McKinsey). The realistic role of AI is to augment senior underwriters by removing administrative work and surfacing data signals - not to replace their judgment.

Talk to Decerto

If you are sitting with a board paper that asks how your carrier should approach AI risk scoring under the NAIC bulletin - and you want a straight answer that is not a vendor pitch - here is what I would suggest.

Every month a carrier delays modernizing its risk scoring is, on average, three to five basis points of loss ratio that did not improve. The NAIC AI Bulletin documentation expectations are not waiting. And the senior underwriters whose judgment encodes 25 years of institutional knowledge are not getting younger. The math compounds against carriers that wait.

What I am offering is a 30-minute portfolio assessment with the Decerto team. It is technical, not commercial. We will walk through your current rules-engine architecture, your data integrations, your bias-testing posture, and your NAIC documentation gaps. You leave with a written summary of what is working, what is not, and what we would do in the first 90 days. Vendor-neutral on the parts where another tool fits your stack better than ours.

If it is useful, the assessment includes free access to the Higson rules engine sandbox. You define one of your own underwriting rules, run it in tester mode against a sample of historical data, and see the audit trail it produces. No demo theater - your data, your rule, your output.

This is not a sales call. The first conversation is a technical Q&A with a senior architect. NDA-protected. We do not pitch.

If your timing is right for that conversation, the calendar slot is here: Talk to Decerto.

If you are still in the upstream research phase, the Pillar Guide on the underwriting workbench covers the broader architecture context, and our piece on end-to-end claims processing covers the cross-link between pre-bind fraud signals and claims-side detection.

Sources and citations

1. NAIC. “Insurance Topics: Artificial Intelligence.” Accessed 2026.
2. NAIC. “Statement on AI Executive Order.” December 16, 2025.
3. Holland & Knight. “The Implications and Scope of the NAIC Model Bulletin on the Use of AI by Insurers.” May 2025.
4. Quarles & Brady. “Nearly Half of States Have Now Adopted NAIC Model Bulletin on Insurers’ Use of AI.” March 2025.
5. Buchanan Ingersoll & Rooney. “When Algorithms Underwrite: Insurance Regulators Demanding Explainable AI Systems.” October 2025.
6. McKinsey & Company. “From Art to Science: The Future of Underwriting in Commercial P&C Insurance.”
7. McKinsey & Company. “Insurance Productivity 2030: Reimagining the Insurer for the Future.”
8. Bank for International Settlements / FSI Papers. “Managing Explanations: How Regulators Can Address AI Explainability.”
9. CFA Institute Research Foundation. “Explainable AI in Finance: Addressing the Needs of Diverse Stakeholders.” August 2025.
10. Insurance Information Institute. “Facts + Statistics: Fraud.”