AI Insight Lab — The Deployment MemoMay 30, 2026

The Algorithmic Underwriting Audit

Colorado mandates external AI audits. California CDI challenged AI property risk scores. Your claims and underwriting AI is already in scope — and most carriers haven't built the documentation regulators are asking for.

The Deployment Memo — AI Insight Lab | May 30, 2026

Background

How insurer AI adoption outran state regulatory frameworks — and how those frameworks are now catching up, retroactively.

01 — Background

38 states. One external audit law. Most carriers aren't ready.

•NAIC Model Bulletin on AI (Dec 2023): adopted or under active consideration in 38+ states. Requires insurers to have AI governance frameworks, fairness testing, documentation, and the ability to respond to regulatory inquiries about specific AI deployments.
•Colorado SB 21-169 (effective Jan 1, 2023): the first state law mandating external algorithmic audits for life insurers using AI in underwriting. Annual audit required. Most carriers did not comply before the deadline.
•California CDI (2023): issued inquiry letters to carriers using ZestyAI property risk scores in homeowners underwriting, challenging whether those scores were tested for proxy discrimination. Carriers could not produce the documentation.
•In production: Lemonade AI "Jim" (40%+ of property/renters claims autonomous in seconds), Tractable (auto damage assessment at Allstate, Covéa), CCC Intelligent Solutions (~70% of US auto claims), Shift Technology (fraud detection at 100+ carriers).
•Structural gap: vendor AI deployed through procurement. Regulatory compliance obligation — governance, fairness testing, documentation — belongs to the insurer, not the vendor.

Decision Required

The compliance question your legal team has not yet answered for every state where you write business.

02 — Decision Required

For each AI tool in claims and underwriting: which state requirements apply — and do you have the documentation they demand?

Most carriers deployed AI through a procurement process that reviewed capabilities and cost. The regulatory assessment — which state statutes and department bulletins apply, what testing is required, what documentation must exist — was deferred or delegated to the vendor.

State regulators are now asking for that documentation in market conduct examinations and rate filing reviews. Carriers without it are discovering the gap under regulatory pressure, not in advance of it.

The Colorado external audit obligation is not a future requirement. It applied January 1, 2023. If your carrier writes life insurance in Colorado and uses algorithmic underwriting, that obligation has been running for over two years.

03 — Options

Four compliance postures.

Option A

Continue current deployments — assess requirements only if challenged

Reactive posture. Colorado SB 21-169 has an explicit audit requirement with an effective date. California CDI has demonstrated willingness to challenge specific deployments. Retroactive regulatory findings cost more to remediate than proactive compliance.

Option BRecommended

Apply NAIC Model Bulletin governance framework to all AI in underwriting, pricing, and claims

Full AI system inventory, fairness testing, documentation, monitoring. Colorado external audit commissioned. California rate filing documentation completed. Defensible compliance posture under current regulatory guidance.

Option C

Pause AI in regulated categories pending state-by-state legal review

Suspend AI in underwriting and pricing while legal completes a jurisdiction assessment. Appropriate for carriers not yet deeply embedded in AI underwriting. Operationally difficult where AI is already core to workflow.

Option D

Commission external AI auditor before next rate filing in states with active algorithmic scrutiny

External fairness audit before next Colorado, California, or Illinois rate filing. Addresses the highest near-term regulatory risk — a rate challenge that surfaces an unaudited AI system — without full NAIC governance buildout.

04 — Recommendation

Build the inventory before the regulator asks for it. The Colorado audit is not optional.

✓Build the AI system inventory across underwriting, pricing, and claims. For each tool: document governance framework, conduct or commission fairness testing, establish monitoring, build the documentation that would respond to a state inquiry in 72 hours.
✓Colorado SB 21-169: if your carrier writes life insurance in Colorado and uses algorithmic underwriting, the annual external audit requirement has applied since January 1, 2023. Commission an accredited algorithmic auditor. The compliance gap is running.
✓California CDI ZestyAI precedent: if your homeowners underwriting uses AI-generated property risk scores, commission the fairness analysis before CDI asks for it. Document that scores do not function as proxies for prohibited characteristics under California Insurance Code Section 1861.05.
✓Do not rely on vendor documentation to satisfy your regulatory obligation. The regulator asks what the carrier knows about the AI's outputs and how the carrier tested them. A vendor data sheet is not a carrier compliance document.
✓Assign a named AI governance owner with authority over underwriting and claims — with the power to require documentation before AI tools go live and to halt a deployment pending regulatory assessment.

05 — Risks

Five material risks.

1.Rate filing challenges triggered by undocumented AI

A filing built on AI-generated risk scores, without algorithmic fairness documentation, is increasingly subject to CDI or state department challenge. California has demonstrated it will make this inquiry. Carriers without the documentation face filing delays, regulatory findings, and a public record of an undocumented AI deployment.

2.Colorado SB 21-169 retroactive exposure — two years of missed audit obligations

The annual external audit requirement has applied since January 1, 2023. Carriers with algorithmic underwriting in Colorado life insurance that have not completed the required audits have accumulated multiple years of retroactive non-compliance — documented in state records.

3.Third-party vendor liability gap — insurer bears regulatory obligation for vendor outputs

Tractable, CCC, ZestyAI, and Shift Technology are not regulated insurance entities. The insurer deploying their tools is. When a state regulator challenges the fairness of a claims assessment or property risk score, the carrier is the respondent — and cannot substitute the vendor's documentation for its own.

4.Proxy discrimination exposure compounds with each unreviewed model update

Vendor AI tools update continuously. Fairness testing done on version 1.0 does not carry forward to version 2.0. A carrier that accepted vendor model updates without revalidation has an invisible gap between its documented compliance posture and the actual behavior of the tool in production.

5.NAIC Model Bulletin governance documentation gap across 38 states

A market conduct examination in any of the 38+ states that have adopted the bulletin can include a request for AI governance documentation. Most carriers cannot respond within a reasonable timeframe. The gap is not regulatory ambiguity — it is an operationalized documentation obligation that has not been built.

06 — Questions Your Team Should Be Answering

If your team cannot answer these, that is your first deliverable.

1.For every state where your carrier writes business: has legal mapped which NAIC Model Bulletin adoptions and state AI statutes apply to your AI tools in underwriting, pricing, and claims?
2.For Colorado: has an external algorithmic audit been completed for in-scope life underwriting AI under SB 21-169? If not, how many years of retroactive compliance gap are you carrying?
3.For California: can you produce algorithmic fairness documentation for AI-generated property or auto risk scores used in rate filings — demonstrating scores do not function as proxies for prohibited characteristics?
4.For each third-party AI vendor (CCC, Tractable, ZestyAI, Shift Technology): does your vendor agreement require fairness audit documentation and model update notification? Who at your carrier tracks when the vendor AI version changes?
5.Can your carrier produce an AI system inventory for underwriting and claims — with governance documentation — within 72 hours of a state regulator inquiry?
6.Who owns AI governance at your carrier — with authority to require documentation before an AI tool goes live and to halt a deployment pending regulatory assessment?

AI Insight Lab

The Deployment Memo

One enterprise AI deployment, dissected every Tuesday. Written for executives who have to decide, not just read.

Subscribe at aiinsightlab.cloud — free during beta.

38 states. One external audit law. Most carriers aren't ready.

•NAIC Model Bulletin on AI (Dec 2023): adopted or under active consideration in 38+ states. Requires insurers to have AI governance frameworks, fairness testing, documentation, and the ability to respond to regulatory inquiries about specific AI deployments.

•Colorado SB 21-169 (effective Jan 1, 2023): the first state law mandating external algorithmic audits for life insurers using AI in underwriting. Annual audit required. Most carriers did not comply before the deadline.

•California CDI (2023): issued inquiry letters to carriers using ZestyAI property risk scores in homeowners underwriting, challenging whether those scores were tested for proxy discrimination. Carriers could not produce the documentation.

•In production: Lemonade AI "Jim" (40%+ of property/renters claims autonomous in seconds), Tractable (auto damage assessment at Allstate, Covéa), CCC Intelligent Solutions (~70% of US auto claims), Shift Technology (fraud detection at 100+ carriers).

•Structural gap: vendor AI deployed through procurement. Regulatory compliance obligation — governance, fairness testing, documentation — belongs to the insurer, not the vendor.

For each AI tool in claims and underwriting: which state requirements apply — and do you have the documentation they demand?

Four compliance postures.

Option A

Continue current deployments — assess requirements only if challenged

Option BRecommended

Apply NAIC Model Bulletin governance framework to all AI in underwriting, pricing, and claims

Option C

Pause AI in regulated categories pending state-by-state legal review

Option D

Commission external AI auditor before next rate filing in states with active algorithmic scrutiny

Build the inventory before the regulator asks for it. The Colorado audit is not optional.

✓Build the AI system inventory across underwriting, pricing, and claims. For each tool: document governance framework, conduct or commission fairness testing, establish monitoring, build the documentation that would respond to a state inquiry in 72 hours.

✓Colorado SB 21-169: if your carrier writes life insurance in Colorado and uses algorithmic underwriting, the annual external audit requirement has applied since January 1, 2023. Commission an accredited algorithmic auditor. The compliance gap is running.

✓California CDI ZestyAI precedent: if your homeowners underwriting uses AI-generated property risk scores, commission the fairness analysis before CDI asks for it. Document that scores do not function as proxies for prohibited characteristics under California Insurance Code Section 1861.05.

✓Do not rely on vendor documentation to satisfy your regulatory obligation. The regulator asks what the carrier knows about the AI's outputs and how the carrier tested them. A vendor data sheet is not a carrier compliance document.

✓Assign a named AI governance owner with authority over underwriting and claims — with the power to require documentation before AI tools go live and to halt a deployment pending regulatory assessment.

Five material risks.

1.Rate filing challenges triggered by undocumented AI

2.Colorado SB 21-169 retroactive exposure — two years of missed audit obligations

3.Third-party vendor liability gap — insurer bears regulatory obligation for vendor outputs

4.Proxy discrimination exposure compounds with each unreviewed model update

5.NAIC Model Bulletin governance documentation gap across 38 states

If your team cannot answer these, that is your first deliverable.

1.For every state where your carrier writes business: has legal mapped which NAIC Model Bulletin adoptions and state AI statutes apply to your AI tools in underwriting, pricing, and claims?

2.For Colorado: has an external algorithmic audit been completed for in-scope life underwriting AI under SB 21-169? If not, how many years of retroactive compliance gap are you carrying?

3.For California: can you produce algorithmic fairness documentation for AI-generated property or auto risk scores used in rate filings — demonstrating scores do not function as proxies for prohibited characteristics?

4.For each third-party AI vendor (CCC, Tractable, ZestyAI, Shift Technology): does your vendor agreement require fairness audit documentation and model update notification? Who at your carrier tracks when the vendor AI version changes?

5.Can your carrier produce an AI system inventory for underwriting and claims — with governance documentation — within 72 hours of a state regulator inquiry?

6.Who owns AI governance at your carrier — with authority to require documentation before an AI tool goes live and to halt a deployment pending regulatory assessment?