Why NAIC AI Bulletin compliance matters in 2026
I had a conversation last quarter with the Chief Underwriting Officer of a Northeast specialty lines carrier - about $400M in written premium, mostly commercial. He told me his board had just received a letter from the state insurance department requesting documentation on every AI or predictive model used in underwriting and pricing. The letter cited the carrier’s domiciliary state’s adoption of the NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers. His team had 30 days to respond. The internal answer was that the model documentation was scattered across a data science Confluence wiki, two underwriter spreadsheets, and a vendor’s PDF. That carrier is not unusual. That is what the 2026 underwriting workbench regulatory compliance conversation actually looks like at most U.S. P&C carriers - and the cost of getting it wrong shows up directly in combined ratio, loss ratio volatility, and the regulatory penalties that follow a poorly defended examination finding.
The NAIC AI Bulletin underwriting compliance question is no longer hypothetical. As of March 2026, 25 states have adopted the NAIC Model Bulletin or substantially similar guidance, and 12 states are actively running the NAIC AI Systems Evaluation Tool pilot - the structured framework state examiners now use to review insurer AI governance during market conduct exams. In my experience working with CUOs, the gap that gets carriers in trouble is not the absence of governance; it is the absence of a documentation system that can produce the right evidence on the timeline a regulator demands. An underwriting workbench, integrated with a rules engine and a data store, is the operational layer that closes that gap.
This guide is a practical 2026 NAIC AI Bulletin underwriting compliance playbook for U.S. P&C and specialty lines CUOs. It is not legal advice, and it is not a survey of legal commentary - there is plenty of that already. It is the operational view: what documentation regulators want, how a workbench produces it, what bias testing actually looks like for protected classes, how to structure a decision audit trail, and where state-level mandates (New York, Colorado, California) diverge from the NAIC framework. If you need the broader context on what an underwriting workbench is and the eight pain points it addresses for U.S. P&C CUOs, start with the complete 2026 underwriting workbench guide and come back here for the regulatory layer.
NAIC AI Model Bulletin status as of 2026 - the adoption tracker
The NAIC AI Bulletin underwriting compliance picture has moved fast since adoption. The NAIC adopted the Model Bulletin on the Use of Artificial Intelligence Systems by Insurers on December 4, 2023. The bulletin itself does not create new law. It articulates how state insurance departments will read existing unfair trade practices, market conduct, and corporate governance statutes when those statutes are applied to a carrier’s use of AI systems. The bulletin’s substantive expectations cluster around four areas: a written AI Systems (AIS) Program, a risk management framework, third-party AI governance, and records sufficient to reconstruct any specific consumer-facing decision under examination.
State adoption - where the bulletin has regulatory force
State-by-state adoption matters because the bulletin only has examination authority where a state has formally adopted it (or substantially similar guidance). Below is the working set of NAIC Model Bulletin adoption dates I track for client conversations, drawn from the NAIC’s own implementation map.
Pennsylvania, Wisconsin, and additional states have adopted the bulletin or are in the process of adopting it; the NAIC tracks 25 states in total as of March 2026. In my experience working with multi-state carriers, the practical implication is that if you write business across a standard regional or national footprint, the majority of your written premium will sit in adopted states. That is the regulatory floor - and the NAIC AI Systems Evaluation Tool, currently in a 12-state pilot running March through September 2026 (California, Colorado, Connecticut, Florida, Iowa, Louisiana, Maryland, Pennsylvania, Rhode Island, Vermont, Virginia, Wisconsin), is the structured way examiners are now requesting evidence. For carriers building or upgrading the underlying workbench layer, the Decerto Underwriting Workbench is designed around the four-exhibit documentation pattern this section unpacks.
What state regulators actually want in your AIS Program documentation
This is where I see the most expensive misunderstandings. CUOs ask me, “What documentation do we need?” and the honest answer is that the NAIC AI Bulletin is principles-based - it tells the carrier what regulators expect to see without prescribing the form. That means two carriers can both be “compliant” with very different evidentiary records. The variance in those records is what regulators read at examination time.
The four documentation domains regulators evaluate
In my experience working with CUOs preparing for market conduct exams, the AIS Program documentation packet needs to answer four questions in writing, end-to-end, for every AI system used in regulated insurance practices (underwriting, rating, claims, fraud detection, marketing). These map directly to the NAIC AI Systems Evaluation Tool’s four exhibits:
- Exhibit A - Quantify AI usage. What AI and predictive models do you use, in which line of business, at which stage of the lifecycle? “We use a vendor scoring tool for commercial auto” is not enough; the regulator wants the model name, the vendor, the use case, the date of deployment, and the volume of decisions affected.
- Exhibit B - Governance framework. Who owns the AIS Program at board level? What committee structure governs it? What is the approval workflow before a new model goes into production? Risk management and internal control documentation lives here.
- Exhibit C - High-risk AI systems. For each system that materially affects consumer outcomes (underwriting eligibility, rating, claims denial), what are the validation and bias-testing protocols, what is the model card, and what compensating controls (human-in-the-loop review, override patterns) exist?
- Exhibit D - Data details. What data feeds each model? Where does it come from? Are external consumer data and information sources (ECDIS) used, and have they been tested for proxy correlations with protected classes?
How an underwriting workbench produces this documentation continuously
The breaking point of traditional underwriting is that this documentation is reconstructed under deadline pressure during an examination. An underwriting workbench produces it as a byproduct of operations. Every model invocation, every rule fire, every manual override, and every external data call is logged with a timestamp, a user identity, a model version, and a decision rationale. When the examiner asks for the AI usage inventory across 2025, the workbench query returns it; the data science team is not chasing version-control history in Git.
I worked with a Midwest commercial lines carrier whose CUO was facing a pilot-state examination request and had 45 days to respond. The carrier had a workbench in production but had not turned on the audit log retention features. The team got the evidence assembled in time, but only because of two weekend war-rooms. I recommend turning the audit log on before the regulatory request arrives. The cost of doing it during an exam is a multiple of doing it as part of normal operations.
For carriers building this from scratch, Higson - Decerto’s rules engine and product configurator - is the layer that makes the AIS Program operational rather than aspirational. Rules, decisions, and data calls are configured by business users and persisted with full version history, which is the form regulators want to read.
Model card design for underwriting AI
A model card is a short, structured document that describes one AI or predictive model - its purpose, inputs, outputs, training data, validation results, known limitations, and intended use cases. Model cards originated in the academic ML community but are now a de facto regulatory expectation in U.S. insurance. The NAIC AI Bulletin does not use the phrase “model card,” but the documentation it requires for high-risk AI systems is functionally identical.
What goes into a model card for a P&C underwriting model
Based on the systems I have helped review and the NY DFS Circular Letter 2024-7 documentation expectations, a workable model card for an underwriting AI system has eight sections.
- Model identification. Name, version, owner, date of deployment, line of business, and stage of the lifecycle (e.g., “submission triage,” “auto-decline screening,” “rating factor adjustment”).
- Intended use. What the model is supposed to do. What it is not supposed to do (this matters more than carriers usually realize - regulators read the intended-use statement and then check whether the system is being used outside that scope).
- Inputs. Every input feature, with a flag for any external consumer data and information source. ECDIS features get extra scrutiny.
- Outputs. What the model produces - a score, a recommendation, a decision - and how downstream systems consume it.
- Training data. Provenance, time period, sample size, and any known representativeness limitations.
- Validation results. Performance metrics, fairness metrics across protected classes, and the cadence of revalidation. For models where regulators expect explainable AI evidence, this section also documents the explainability technique used - SHAP values, LIME local approximations, surrogate models - and how the resulting explanations are surfaced to underwriters and to consumers in adverse action notices.
- Known limitations. Where the model is known to perform poorly. Carriers frequently skip this section. I’d recommend always including it, because the alternative is the regulator finding the limitation first.
- Human oversight protocol. Who reviews model outputs, when, and under what conditions a decision is escalated or overridden.
The intended-use trap
The single most common defect I see in model cards is misalignment between the documented intended use and the actual production use. A model trained for submission triage gets quietly repurposed by an actuary for rating-factor adjustment, without an updated model card. That is the kind of finding that ends up in an examination report. In my experience working with CUOs, embedding model card review into the rules engine deployment workflow - so that any rule that calls a model also references the current model card - is the durable fix.
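One way to express the deployment gate described above, as an added example (not Higson or Decerto code). The record shapes, rule and card identifiers, and sample values are hypothetical and constructed for illustration; the lifecycle stage names are the ones used in this guide.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ModelCard:
    card_id: str
    model_name: str
    model_version: str
    intended_uses: frozenset        # lifecycle stages the card documents as in scope


@dataclass(frozen=True)
class RuleModelCall:
    rule_id: str
    lifecycle_stage: str            # where the rule runs in production
    model_name: str
    model_version: str              # version the rule actually invokes
    model_card_id: Optional[str]    # card the rule references, if any


def deployment_findings(call, cards):
    """Return reasons to block deployment of a rule that calls a model.

    cards maps card_id to ModelCard. An empty list means the rule may deploy.
    """
    if call.model_card_id is None:
        return [f"{call.rule_id}: calls {call.model_name} without a model card reference"]
    card = cards.get(call.model_card_id)
    if card is None:
        return [f"{call.rule_id}: model card {call.model_card_id} not found"]
    findings = []
    if (card.model_name, card.model_version) != (call.model_name, call.model_version):
        findings.append(
            f"{call.rule_id}: card covers {card.model_name} v{card.model_version}, "
            f"rule invokes {call.model_name} v{call.model_version}")
    if call.lifecycle_stage not in card.intended_uses:
        findings.append(
            f"{call.rule_id}: '{call.lifecycle_stage}' is outside the documented "
            f"intended use {sorted(card.intended_uses)}")
    return findings


def review(calls, cards):
    """Run the gate over every rule; keep only the rules that have findings."""
    results = {c.rule_id: deployment_findings(c, cards) for c in calls}
    return {rule_id: f for rule_id, f in results.items() if f}


# Constructed registry and rules (hypothetical names, not real systems).
CARDS = {
    "MC-triage-2.1": ModelCard("MC-triage-2.1", "triage_score", "2.1",
                               frozenset({"submission triage"})),
    "MC-triage-2.0": ModelCard("MC-triage-2.0", "triage_score", "2.0",
                               frozenset({"submission triage"})),
}
RULES = [
    RuleModelCall("R-007", "submission triage", "triage_score", "2.1", "MC-triage-2.1"),
    # The repurposing case: a triage model called from a rating rule.
    RuleModelCall("R-118", "rating factor adjustment", "triage_score", "2.1", "MC-triage-2.1"),
    # The model was retrained, but the rule still points at the old card.
    RuleModelCall("R-200", "submission triage", "triage_score", "2.1", "MC-triage-2.0"),
    RuleModelCall("R-305", "auto-decline screening", "triage_score", "2.1", None),
]

if __name__ == "__main__":
    for rule_id, findings in review(RULES, CARDS).items():
        for finding in findings:
            print(finding)
```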
Bias testing and proxy discrimination - what NY DFS Step 1 / Step 2 looks like in practice
The conversation about bias testing for underwriting AI gets technical fast. The clearest operational framework I have seen is the two-step proxy assessment in New York DFS Insurance Circular Letter No. 7, adopted July 11, 2024. Even if you don’t write business in New York, the Circular Letter is worth reading because the methodology is portable to any state’s anti-discrimination regime.
The NY DFS Step 1 / Step 2 proxy assessment
What carriers actually do for Step 1
For P&C lines, protected class membership is often not directly observable in carrier data - race, ethnicity, and national origin are not collected fields. Carriers run inference using accepted statistical methods (Bayesian Improved Surname Geocoding for race, geographic inference for ethnicity, etc.) and then test for disparate impact using metrics like the four-fifths rule or equalized odds. The output is a fairness report per protected class per model.
I worked with a Northeast specialty carrier whose first Step 1 run flagged three submission-triage models for disparate impact on a single protected class. Two of the three turned out to have a legitimate and lawful rationale tied to documented loss experience; the third did not, and the model was retired. The carrier kept the documentation of the assessment in the workbench audit trail. When the state DOI requested evidence eight months later, the response was a single export. That kind of preparation is the difference between a finding and no finding.
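The four-fifths test mentioned above, as an added example that is not from the original guide or any carrier's tooling. It assumes protected class membership arrives as inferred probabilities per decision (the kind of output a method such as BISG produces) and weights each decision by them; the group labels, sample counts and the `MIN_WEIGHT` small-sample guard are constructed assumptions.

```python
from collections import defaultdict

FOUR_FIFTHS = 0.8    # impact-ratio threshold of the four-fifths rule
MIN_WEIGHT = 30.0    # assumed small-sample guard; not a regulatory number


def weighted_rates(records):
    """records: iterable of (favorable, {group: membership probability}).

    Returns {group: (favorable rate, effective sample size)}, counting each
    decision fractionally according to its inferred membership probability.
    """
    favorable_w = defaultdict(float)
    total_w = defaultdict(float)
    for favorable, probs in records:
        for group, p in probs.items():
            total_w[group] += p
            if favorable:
                favorable_w[group] += p
    return {g: (favorable_w[g] / w, w) for g, w in total_w.items() if w > 0}


def four_fifths_report(records, min_weight=MIN_WEIGHT):
    """Compare each group's favorable rate with the highest-rate group."""
    rates = weighted_rates(records)
    eligible = {g: r for g, (r, w) in rates.items() if w >= min_weight}
    if not eligible:
        raise ValueError("no group has enough data to serve as the reference")
    reference = max(eligible, key=eligible.get)
    ref_rate = eligible[reference]
    report = {}
    for group, (rate, weight) in sorted(rates.items()):
        ratio = None
        if group not in eligible:
            status = "insufficient_data"     # too few decisions to judge
        elif ref_rate == 0:
            status = "no_favorable_outcomes"
        else:
            ratio = rate / ref_rate
            if group == reference:
                status = "reference"
            elif ratio < FOUR_FIFTHS:
                status = "flag"              # needs the documented rationale review
            else:
                status = "pass"
        report[group] = {"rate": rate, "weight": weight,
                         "impact_ratio": ratio, "status": status}
    return report


def build_sample():
    """Constructed decisions for one hypothetical triage model (not real data)."""
    def rows(n_favorable, n_unfavorable, probs):
        return [(True, probs)] * n_favorable + [(False, probs)] * n_unfavorable
    return (rows(50, 30, {"A": 1.0}) + rows(30, 50, {"B": 1.0})
            + rows(20, 20, {"A": 0.5, "B": 0.5})   # uncertain inferred membership
            + rows(27, 23, {"C": 1.0}) + rows(2, 8, {"D": 1.0}))


if __name__ == "__main__":
    for group, row in four_fifths_report(build_sample()).items():
        print(group, row)
```

A flag here is the start of the assessment, not its conclusion: the flagged model still goes through the rationale review described above, and the report belongs in the audit trail either way.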
The vendor obligation does not transfer
Both the NAIC Model Bulletin and the NY DFS Circular Letter are explicit that when a carrier uses a third-party AI system or external consumer data source, the compliance obligation does not transfer to the vendor. The carrier retains full responsibility for understanding the tool, validating it, and demonstrating that it does not produce unfairly discriminatory outcomes. “The vendor said it was tested” is not a defense. Vendor contracts now need audit rights, cooperation obligations during regulatory inquiries, and access to validation and bias-testing documentation.
The decision audit trail - answering the regulator in two clicks
The most operationally important compliance capability an underwriting workbench provides is the audit trail for underwriting decisions. If a regulator asks why a specific applicant was declined nine months ago, the carrier needs to reproduce, on demand, the full decision: the inputs received, the rules fired, the model invoked, the score produced, the human reviews and overrides, and the final disposition.
What “two clicks” means
I use “two clicks” as shorthand with CUOs because it captures the practical bar. Click one: filter the workbench to the policy or quote. Click two: export the decision lineage. That export needs to include eleven specific elements that show up consistently in regulator inquiries:
- Submission timestamp and identifier.
- All input data with provenance flags (internal vs. external, vendor name where ECDIS is used).
- The version of every rule that fired, with rule text and decision parameters at the time of execution.
- The model version invoked, the model card reference, and the score produced.
- Any external data calls (ISO, MVR, CLUE, D&B, telematics), with response payloads and timestamps.
- Every human review event with reviewer identity and rationale.
- Every override of a model output or rule decision.
- The final disposition and the reason code.
- The consumer notice generated, if any.
- The retention metadata.
- Any subsequent reopening events.
The 15-day adverse decision notice
The NY DFS Circular Letter No. 7 establishes a specific operational deadline that CUOs underestimate: when an adverse underwriting decision is made using an AI system or external consumer data, the insurer must provide written notice to the applicant within 15 days, including the source of the specific data and a process for the applicant to review the data for accuracy. That is not a 30-day notice. It is a 15-day notice, calendar-based, and it requires the workbench to surface the ECDIS source per decision automatically. Carriers that build the consumer notice as a manual back-office task discover the deadline is unworkable at volume.
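A check a workbench could run over each decision lineage export, covering the eleven elements and the 15-day notice described above. This is an added example, not Decerto's export format: the field names, the sample record and the treatment of any external input with a vendor name as an ECDIS source are assumptions made for illustration.

```python
from datetime import date, timedelta

NOTICE_DAYS = 15  # calendar days, counted from the decision date

# The eleven export elements. True: must be non-empty. False: the key must be
# present but may be empty (for example, a decision with no overrides).
ELEMENTS = {
    "submission": True, "inputs": True, "rules_fired": True, "model": True,
    "external_data_calls": False, "human_reviews": False, "overrides": False,
    "disposition": True, "consumer_notice": False, "retention": True,
    "reopening_events": False,
}


def lineage_findings(export):
    """List gaps that would keep the export from reconstructing the decision."""
    findings = []
    for key, required in ELEMENTS.items():
        if key not in export:
            findings.append(f"missing element: {key}")
        elif required and not export[key]:
            findings.append(f"empty element: {key}")
    for item in export.get("inputs") or []:
        if item.get("provenance") not in ("internal", "external"):
            findings.append(f"input {item['name']}: no provenance flag")
        elif item["provenance"] == "external" and not item.get("vendor"):
            findings.append(f"input {item['name']}: external source without vendor name")
    for rule in export.get("rules_fired") or []:
        if not rule.get("version"):
            findings.append(f"rule {rule['rule_id']}: version not recorded")
    model = export.get("model") or {}
    for field in ("version", "model_card_ref", "score"):
        if model and model.get(field) is None:
            findings.append(f"model: {field} not recorded")
    return findings


def notice_findings(export, as_of):
    """Check the 15-day adverse decision notice for one decision as of a date."""
    disposition = export.get("disposition") or {}
    sources = sorted({i["vendor"] for i in export.get("inputs") or []
                      if i.get("provenance") == "external" and i.get("vendor")})
    if not disposition.get("adverse") or not (export.get("model") or sources):
        return []
    deadline = disposition["decision_date"] + timedelta(days=NOTICE_DAYS)
    notice = export.get("consumer_notice")
    if not notice:
        state = "overdue since" if as_of > deadline else "due by"
        return [f"adverse decision notice {state} {deadline.isoformat()}"]
    findings = []
    if notice["sent_date"] > deadline:
        findings.append(f"notice sent {notice['sent_date'].isoformat()}, "
                        f"after the {deadline.isoformat()} deadline")
    omitted = [s for s in sources if s not in notice.get("data_sources", [])]
    if omitted:
        findings.append(f"notice omits data source(s): {', '.join(omitted)}")
    if not notice.get("review_process"):
        findings.append("notice lacks a process to review the data for accuracy")
    return findings


# Constructed export for a hypothetical declined submission (not real data).
SAMPLE_EXPORT = {
    "submission": {"id": "SUB-0001", "timestamp": "2026-03-01T14:05:00Z"},
    "inputs": [
        {"name": "fleet_size", "provenance": "internal"},
        {"name": "credit_attribute", "provenance": "external", "vendor": "ExampleData Inc"},
        {"name": "territory_score", "provenance": "external"},
    ],
    "rules_fired": [{"rule_id": "R-118", "version": "14", "text": "decline if score < 0.35"}],
    "model": {"version": "2.1", "model_card_ref": "MC-triage-2.1", "score": 0.31},
    "external_data_calls": [], "human_reviews": [], "overrides": [],
    "disposition": {"adverse": True, "reason_code": "D07", "decision_date": date(2026, 3, 2)},
    "consumer_notice": {"sent_date": date(2026, 3, 20), "data_sources": [], "review_process": ""},
    "retention": {"retain_until": date(2033, 3, 2)},
    # "reopening_events" is deliberately absent to show a completeness finding
}
```

Run nightly over open adverse decisions with `as_of` set to the current date, the second function turns the notice deadline into a work queue instead of a back-office memory task.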
Where this connects to fraud detection and adverse selection
The audit trail mechanics that satisfy NAIC AI Bulletin documentation also satisfy the documentation needs for anti-fraud at the point of quote and for the broader AI risk scoring used to prevent adverse selection. The same workbench-level decision lineage is the evidentiary basis for both regulatory compliance and SIU referral packages. CUOs sometimes treat these as separate workstreams; in production, they share the same data layer - and the same AI for Insurance infrastructure handles model serving, monitoring, and retraining for fraud, adverse selection, and regulator-facing explainability in one place.
State variations - NY, Colorado, California, and the NCOIL alternative
State DOI examination practices for underwriting diverge meaningfully from the NAIC Model Bulletin baseline. CUOs writing across multiple states need to track three categories of state-level mandates: (1) states that adopted the NAIC bulletin substantially as-is, (2) states with their own framework, and (3) states with active legislation that may diverge further.
New York - DFS Circular Letter 2024-7
New York did not adopt the NAIC framework. DFS issued its own Insurance Circular Letter No. 7 on July 11, 2024, rooted in existing New York anti-discrimination statutes (Insurance Law Article 26 protected classes). The letter applies to all insurers authorized to write insurance in New York and covers AI systems and external consumer data used in underwriting and pricing - but explicitly excludes claims adjusting, marketing, and fraud detection from scope. The fairness principle is more direct than NAIC’s: an insurer should not use ECDIS or AIS for underwriting or pricing unless the insurer can establish that the data source or model is not based in any way on a class protected under New York Insurance Law Article 26.
Colorado - §10-3-1104.9 and the auto/health expansion
Colorado was the first state with an enforceable insurance AI fairness regulation. C.R.S. §10-3-1104.9 prohibits insurers from using external consumer data sources, algorithms, or predictive models that result in unfair discrimination based on race, color, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity, or gender expression. The implementing regulation - 3 CCR 702-10 - initially applied only to life insurers and required quantitative disparate impact testing. The critical 2025 development is that effective October 15, 2025, the framework expanded to private passenger automobile insurance and health benefit plans. P&C personal auto carriers that previously treated Colorado as a watch-list jurisdiction now have an active testing obligation.
California - health code restrictions and pending state activity
California Health & Safety Code §1367.01 and California Insurance Code §10123.135 restrict health care service plans and disability insurers from relying solely on automated tools in health care decisions; any adverse determination must be reviewed by a licensed clinician. California’s Department of Insurance has additional active regulatory activity on AI in P&C lines, and CUOs writing in the state should track DOI bulletins quarterly.
NCOIL - the alternative regulatory track
The National Council of Insurance Legislators (NCOIL) advanced a Model Act Regarding Insurers’ Use of Artificial Intelligence in 2025. NCOIL’s model is a legislative framework, not a regulatory bulletin; states that adopt it will give it the force of statute rather than examination authority. The NCOIL model has not been finalized, but in my experience working with carriers in states with active NCOIL members, it is worth tracking on the same cadence as the NAIC bulletin. The two frameworks may diverge on specific obligations, particularly around vendor disclosure and consumer notice timing.
Governance framework - model lifecycle from design to retirement
The NAIC AI Bulletin expects the AIS Program to govern the full lifecycle of any AI or predictive model in use, from design and development to retirement. This is where I see the largest gap between AIS Program documentation and operational reality.
The five-stage model lifecycle
In a workbench-based architecture, each stage of the lifecycle has a documentation artifact and an approval workflow.
- Design. Business case, intended use statement, fairness considerations, candidate input features.
- Development. Training data documentation, validation methodology, fairness metrics, model card v1.
- Deployment approval. Cross-functional review (actuarial, data science, underwriting, compliance, legal), board or committee approval if material, deployment date.
- Production monitoring. Performance metrics tracked over time, drift detection, periodic revalidation, fairness re-testing on a documented cadence.
- Retirement. Documented decision to retire, transition plan, retention of historical decisions and audit trail per state record-retention rules.
Drift, retraining, and version control
A model in production will drift. That is not a failure; it is the nature of statistical systems. The compliance question is whether the carrier knows when drift exceeds tolerance, has a documented protocol for retraining or retirement, and retains the version history. Every retraining event creates a new model version, which gets a new model card, which goes through deployment approval, which gets logged in the audit trail. The version history is what allows the carrier to answer “which model version made this decision in May 2025” three years later.
This sounds heavy. In my experience working with carriers building this from scratch, the workbench layer is what makes it sustainable rather than aspirational. Without a system of record for rules and models, governance documentation drifts apart from production reality within twelve months - and the same governance discipline is what allows carriers to expand straight-through underwriting for simple risks without losing regulator-facing auditability.
The codification dimension - connecting governance to senior underwriter retention
There is a separate operational reason CUOs invest in this layer. The same governance infrastructure that satisfies NAIC AI Bulletin underwriting compliance also supports codifying senior underwriter expertise into executable rules and model parameters before key personnel retire. I worked with a specialty lines carrier whose CUO had two senior underwriters retiring within 18 months - between them, 47 years of judgment on a specific niche line. The carrier ran a structured codification project that translated their decisioning into roughly 800 executable rules in the workbench. The same audit trail that documents rule deployment for the regulator also documents the institutional knowledge transfer for internal continuity. From a NAIC AI Bulletin underwriting compliance perspective, the institutional-knowledge rules are inside the governance perimeter just like the predictive models - and the AIS Program covers both consistently.
FAQ
What does the NAIC AI Bulletin require for underwriting compliance specifically?
The NAIC AI Bulletin requires insurers to maintain a written AI Systems (AIS) Program governing every AI or predictive model used in underwriting, rating, claims, fraud detection, and marketing. The program must document governance, risk management, third-party vendor oversight, validation and bias testing, and records sufficient for a regulator to reconstruct any specific consumer-facing decision. The bulletin is principles-based, so the form of the documentation varies; the substance does not.
How do I comply with state DOI requirements for AI underwriting if I write in multiple states?
Track three layers. First, the NAIC Model Bulletin baseline, adopted in 25 states as of March 2026. Second, state-specific frameworks that diverge from NAIC - most notably New York DFS Circular Letter No. 7 and Colorado §10-3-1104.9. Third, state-level legislative activity (NCOIL model act, California DOI bulletins). Most CUOs maintain a state matrix updated quarterly, with documentation artifacts mapped to each state’s specific evidentiary expectations.
What is an AI model card in insurance and is it legally required?
A model card is a structured document describing one AI or predictive model - purpose, inputs, outputs, training data, validation results, known limitations, and intended use. The NAIC AI Bulletin does not use the phrase “model card,” but the documentation required for high-risk AI systems is functionally equivalent. Several state frameworks (notably NY DFS) expect the same content even when the label differs. In practice, treating model card production as a regulatory deliverable rather than an internal nicety simplifies examination response.
How does an underwriting workbench strengthen regulatory compliance compared with manual processes?
A workbench produces compliance documentation as a byproduct of operations rather than as a project under deadline pressure. Every model invocation, rule fire, external data call, human review, and override is logged with timestamps and identities. When an examiner requests the AI usage inventory or a specific decision lineage, the workbench query returns it within minutes, not weeks. Manual processes can produce the same evidence, but only at multiples of the cost and only after weekend rebuilds. For the broader feature comparison between manual underwriting tools and a unified workbench, see the complete 2026 underwriting workbench guide.
What data must insurers document for NAIC AI compliance examinations in 2026?
The NAIC AI Systems Evaluation Tool, currently piloted in 12 states, structures the request into four exhibits: AI usage inventory (Exhibit A), governance framework (Exhibit B), high-risk AI systems detail (Exhibit C), and data sources and quality controls (Exhibit D). Carriers should expect requests in this format and prepare documentation that maps cleanly onto the exhibits.
How long do I have to respond when a state DOI requests AI documentation under examination authority?
The response window varies by state and by examination type. Market conduct exam information requests typically allow 30 days, sometimes extended; targeted bulletin-state inquiries have used 30- to 45-day windows in 2025–2026. The 15-day deadline that catches CUOs by surprise is the NY DFS adverse decision consumer notice - that runs from the decision date, not the examination date.
Can I rely on my AI vendor’s compliance documentation for NAIC AI Bulletin purposes?
No. Both the NAIC Model Bulletin and NY DFS Circular Letter No. 7 are explicit: when a carrier uses a third-party AI system, the compliance obligation does not transfer to the vendor. Carriers retain full responsibility for validating the tool, documenting that it does not produce unfairly discriminatory outcomes, and producing audit-ready records. Vendor contracts should include audit rights and cooperation obligations during regulatory inquiries, but the regulatory accountability stays with the carrier.
Talk to Decerto - 30-minute compliance assessment
I’ll make the same offer I make to CUOs at trade conferences. If you are inside a 12-month window from a likely market conduct examination - or if your domiciliary state is in the NAIC AI Systems Evaluation Tool pilot, or if you have AI or predictive models in production without a current AIS Program documentation packet - the longer you wait, the more expensive the documentation rebuild becomes. I have seen carriers spend three months and seven figures reconstructing audit trails under deadline pressure that would have cost a fraction to maintain continuously.
The 30-minute portfolio assessment is structured as a working session, not a sales pitch. We review your current AI and predictive model inventory, your AIS Program documentation status, and the state-specific obligations for your written-premium footprint. The output is a written gap analysis that you can take to your board independent of any decision to work with Decerto. I run these calls personally with a senior architect from the Decerto team, under NDA, and the conversation is technical from minute one.
If a Higson rules engine sandbox would help you stress-test a specific compliance requirement - for example, building one of your underwriting eligibility rules with full audit trail and tester mode against historical data - that is included free as part of the assessment. There is no demo loop and no form-fill: book a calendar slot directly. Free downloadable companion material: the NAIC AI Model Bulletin Compliance Checklist (PDF).