The NAIC's 2023 Model Bulletin on AI by Insurers has seeded a compliance paper trail that plaintiffs' counsel can exploit — but the real litigation leverage lies in disparate impact doctrine and state unfair-discrimination statutes.
I. The Transformation of Insurance Underwriting
The actuarial model of insurance underwriting — in which human professionals applied documented rating factors to individual risk profiles — has been substantially displaced by machine learning models trained on large datasets. These models may incorporate thousands of input variables, including behavioral data, social media activity, credit proxies, and telematics, to predict risk and price coverage. The outputs are often accurate in aggregate; the discriminatory effects, less visible in aggregate, can be devastating for individuals in protected classes.
The National Association of Insurance Commissioners' Model Bulletin on the Use of Artificial Intelligence Systems by Insurers, adopted December 2023, represents the most systematic attempt to date to establish minimum governance expectations for AI-assisted insurance decisions. More than two dozen states have now adopted the bulletin. For practitioners, the bulletin does not create express private rights of action — but it creates something nearly as useful: a documented framework against which insurers' AI governance practices can be measured, and a paper trail that discovery can reach.
II. The NAIC Model Bulletin: Structure and Requirements
A. Scope
The NAIC Model Bulletin applies to "AI Systems" used by insurers to make, or support, regulated insurance decisions — including underwriting, pricing, claims handling, marketing, and fraud detection. The bulletin does not apply to all AI uses; it is targeted at systems where decisions made or supported by AI affect consumers.
B. Written AIS Program Requirements
The centerpiece of the bulletin is the requirement that insurers develop, implement, and maintain a written "AIS Program" (Artificial Intelligence System Program) for the responsible use of AI systems. The program must:
- Address governance: a documented accountability structure with senior management or board responsibility for AI strategy and oversight;
- Address risk management and internal controls: validation, testing, and retesting processes to identify errors, bias, and unfair discrimination in AI models;
- Address third-party vendor oversight: written standards for acquiring, using, and relying on AI systems or data from third parties, including contract terms allowing audit rights;
- Address consumer notice: notification procedures when AI systems affect consumer-facing decisions, along with a process for consumers to understand and, where applicable, appeal those decisions;
- Be proportionate to the risk: controls must be commensurate with the "Degree of Potential Harm to Consumers" from each AI system use case.
The bulletin emphasizes that the AIS Program must ensure that AI-assisted insurance decisions comply with all applicable laws, including unfair trade practice and unfair discrimination statutes.
C. Regulatory Oversight
Insurers adopting the AIS Program are advised to anticipate regulatory inquiries and market conduct examinations requesting: (1) the written AIS program itself; (2) documentation on AI system development and validation; (3) evidence of bias testing and fairness review; (4) vendor contracts and diligence records; and (5) consumer notice procedures. The NAIC's AI Systems Evaluation Tool, piloted beginning January 2026, gives examiners a standardized examination framework for reviewing AI governance programs.
III. State Adoption
As of mid-2025, over two dozen states have adopted the NAIC Model Bulletin with minimal or no customization. Early adopters include Alaska, Connecticut, Illinois, Kentucky, Maryland, Nevada, New Hampshire, Pennsylvania, Rhode Island, Vermont, and Washington. Colorado and New York represent significant jurisdictions with their own approaches that go beyond the baseline bulletin.
Colorado: Colorado adopted the NAIC bulletin and pairs it with S.B. 24-205's impact assessment requirements for high-risk AI systems, creating a layered compliance obligation for insurers operating in Colorado. An insurer who deploys an AI underwriting system in Colorado must comply with both the impact assessment and disclosure requirements of the AI Act and the governance program requirements of the NAIC bulletin.
New York (NYDFS): The New York Department of Financial Services has issued guidance requiring life insurers to ensure that any external data sources and algorithms used in underwriting are not proxies for race and do not result in unlawful discrimination. The NYDFS guidance preceded the NAIC bulletin and takes a more explicitly anti-discrimination posture.
IV. Disparate Impact Liability
The NAIC bulletin frames AI governance in terms of regulatory compliance; the litigation framework of greatest practical consequence is disparate impact.
A. The Fair Housing Act
Section 3604 of the Fair Housing Act (42 U.S.C. § 3604) prohibits discrimination in the terms, conditions, or privileges of the sale or rental of a dwelling based on race, color, religion, sex, national origin, familial status, or disability. The Supreme Court in Texas Department of Housing & Community Affairs v. Inclusive Communities Project, Inc., 576 U.S. 519 (2015) confirmed that disparate impact claims are cognizable under the FHA. For AI-assisted homeowner's insurance and mortgage insurance, this is the primary federal vehicle.
To establish a prima facie disparate impact case, plaintiff must demonstrate that a facially neutral AI policy produces a statistically significant disparity in outcomes for protected-class members. The burden then shifts to the defendant to demonstrate that the challenged policy is necessary to achieve a valid, substantial, legitimate, nondiscriminatory interest. The plaintiff may then show that a less discriminatory alternative policy exists that would achieve the same legitimate interest with less disparate impact.
The AI-underwriting plaintiff's structural challenge is obtaining the model. An insurer will argue that its model is a trade secret. The FHA does not, however, exempt discriminatory trade secrets from scrutiny; courts routinely permit discovery of proprietary model parameters under appropriate protective orders.
B. State Unfair Discrimination Statutes
Insurance statutes in virtually every state prohibit "unfair discrimination" between insureds with substantially equal risks. These statutes typically codify the principle that risk classification must be actuarially justified. An AI underwriting model that produces disparate outcomes for protected classes without actuarial justification may violate state unfair discrimination statutes irrespective of whether a federal disparate impact framework applies.
Colorado's insurance unfair practices statute and Alabama's Ala. Code § 27-12-1 et seq. (Alabama's Unfair Trade Practices in Insurance Act) both prohibit unfair discrimination. Florida's Fla. Stat. § 626.9541 similarly prohibits unfair methods of competition and unfair and deceptive acts. The state administrative enforcement scheme typically runs through the Department of Insurance, not private litigation — but administrative findings of unfair discrimination can be used as evidence in subsequent common law bad faith or consumer protection claims.
V. Practice Notes: Discovery of Algorithmic Underwriting Models
Discovery in AI-underwriting disparate impact cases presents challenges that differ materially from conventional insurance bad faith litigation. The following practice points apply.
Document the business processes first. Before targeting the model, understand through corporate representative deposition and document requests how the AI system is incorporated into underwriting decisions: Is AI the final decision-maker, or a risk-score input to a human reviewer? This matters both for causation and for the scope of FHA analysis.
Target the AIS Program. The NAIC bulletin requires insurers to maintain a written AIS Program with validation records, bias testing results, and consumer notice procedures. These documents are not privileged. In any state that has adopted the NAIC bulletin, the AIS Program is a regulatory compliance record subject to production. Any gap between what the bulletin requires and what the insurer produced is potential evidence of governance failure.
Engage a statistical expert early. Statistical analysis of underwriting outcomes by protected class — controlling for actuarially legitimate risk factors — is the core of a disparate impact case. The expert must access the input data, not merely the outputs. Negotiate for model access under a protective order rather than simply output-level statistics.
Probe the training data for biased inputs. AI models trained on historical underwriting data that encoded prior discriminatory practices will replicate those practices. Discovery should target the composition and sources of training data, and any bias audit or fairness review performed on that data. Colorado A.B. 2013's training-data disclosure requirements may create a state-law basis for production in Colorado proceedings.
Preservation demands. AI models are periodically retrained and version-controlled. A preservation demand should specify: all versions of the AI system used in the relevant underwriting period; all validation and bias testing records for each version; all training data documentation; and all consumer notices and adverse-action letters generated by the system.
VI. Open Questions
The AI-insurance disparate impact space has several unresolved questions that will shape litigation strategy over the coming years:
- Whether the use of external behavioral data (social media signals, consumer purchase histories) as AI model inputs constitutes a per se unfair rating factor under state insurance law, irrespective of actuarial correlation with risk.
- Whether AI models that encode "fairness through unawareness" (excluding protected class as a direct variable) satisfy FHA requirements when the model's other variables function as effective proxies.
- Whether the NAIC bulletin's AIS Program requirements can supply the standard of care in a negligence or bad faith action, even in states that have adopted the bulletin as guidance rather than regulation.
- The availability of class certification in insurance disparate impact cases where the AI model applies uniformly to all class members but individual damages require individual inquiry.
VII. Closing
The NAIC Model Bulletin is not a plaintiffs' statute. It does not create a private right of action, and its requirements are calibrated to regulatory examination rather than civil litigation. What it creates — particularly in the twenty-plus states that have adopted it — is an expectation of documentation and process that most insurers are nowhere near meeting. The gap between required and actual AI governance practices is, in litigated cases, the measure of the defendant's exposure. For practitioners pursuing insurance fairness claims, the NAIC bulletin is the map.
Talk to Yates Anderson
If you are litigating a matter in this area — or weighing whether to — the working analysis above only goes so far. Request a case evaluation and a Yates Anderson attorney will respond within one business day.
Informational only. Not legal advice. No attorney-client relationship is created by reading this post. Consult a licensed attorney in your jurisdiction.