If you are implementing AI in workers’ compensation and you are not thinking about regulation, you are already behind.
The regulatory landscape around AI in insurance has moved faster in the past two years than most organizations anticipated. What started as broad principles and voluntary guidance is hardening into enforceable requirements, state-by-state adoption mandates, and examination frameworks that regulators will use to evaluate your AI governance. And the pace is accelerating.
For workers’ comp carriers, TPAs, self-insured groups, and MGAs, the challenge is navigating this landscape without either overreacting (paralysis by compliance) or underreacting (deploying AI without adequate governance and getting caught in an examination). The path forward requires understanding what is required now, what is coming next, and how to build compliance into your AI strategy from day one.
The NAIC Model Bulletin: Where We Stand
The NAIC adopted its Model Bulletin on the Use of Artificial Intelligence Systems by Insurers in December 2023. By late 2025, 23 states plus Washington, D.C. had adopted it, with some variations. Several additional states have enacted related regulations or issued their own guidance (Fenwick, February 2026).
The Model Bulletin is principle-based, not prescriptive. It requires insurers to establish written AI governance programs (called AIS Programs), implement documentation and audit procedures, and ensure that any AI-driven decisions comply with existing insurance laws, including unfair trade practice statutes and consumer protection laws (Holland & Knight, May 2025).
The core requirements include: governance frameworks with clear accountability, risk management controls tailored to AI-specific risks, transparency and consumer notification when AI systems influence decisions, bias auditing and testing procedures, and third-party vendor management and oversight.
This is not optional guidance. In states that have adopted the bulletin, these are regulatory expectations. Organizations that cannot demonstrate compliance during an examination face enforcement risk.
What Is Coming in 2026
The regulatory trajectory is toward more structure, not less. Several developments are anticipated in 2026:
The AI Systems Evaluation Tool: The NAIC’s Big Data and Artificial Intelligence Working Group has been developing an evaluation tool consisting of questionnaires and checklists to standardize assessments of insurers’ AI governance, risk management, and use. While adoption is voluntary at the state level, regulators who choose to apply the tool will use it during examinations (Fenwick, February 2026). This tool will make examinations more specific and more consistent across states.
A draft model law on third-party data and models: The NAIC formed the Third-Party Data and Models (H) Working Group, which adopted a broad definition of encompassing any nongovernmental entity providing data, models, or outputs for insurance activities. A model law on third-party oversight is anticipated in 2026, potentially including licensing requirements for vendors (Fenwick, February 2026). This matters because most organizations using AI in workers’ comp are using third-party tools and models. Your vendor’s compliance posture directly affects yours.
State-level initiatives: Colorado’s Artificial Intelligence Act, passed in May 2024, requires insurers to follow governance and testing procedures to prevent unfair discrimination. California has enacted multiple AI-related laws effective in 2025-2026 that expand the definition of personal information under the CCPA to include data within AI systems. Other states are moving independently, which adds complexity for multi-state operators.
Federal pressure: The NAIC issued a statement in December 2025 expressing concern over a federal Executive Order on AI that could affect state regulatory authority. The tension between federal and state AI regulation is real, and it introduces additional uncertainty for organizations operating across jurisdictions (NAIC, December 2025).
Bias Auditing: Not Optional
One of the most scrutinized areas of AI regulation in insurance is bias. The NAIC’s surveys revealed that nearly one-third of health insurers still do not regularly test their AI models for bias or discrimination, even though the Model Bulletin recommends such practices (Fenwick, February 2026). That gap is a regulatory target.
AI models trained on historical data can perpetuate and amplify existing biases. In workers’ compensation, this could manifest as disparities in claims handling, settlement offers, return-to-work recommendations, or underwriting decisions based on demographic factors. Whether intentional or not, disparate outcomes create legal, regulatory, and reputational risk.
Bias auditing is not a one-time exercise. Models need to be tested at deployment, monitored continuously, and retested when data inputs change, when models are updated, or when regulatory requirements evolve. Organizations need documented processes for identifying, measuring, and mitigating bias, and they need to be prepared to show that documentation during an examination.
Explainability and Auditability
Regulated industries require decisions to be explainable. When an AI model recommends denying a claim, adjusting a reserve, or pricing a policy, there needs to be a traceable rationale.
Gartner predicts that by 2028, the increasing criticality of explainable AI (XAI) will drive LLM observability investments to 50% of generative AI deployments, up from 15% today (Gartner, March 2026). Gartner warns that without robust XAI and observability foundations, generative AI initiatives will be restricted to low-risk, non-critical tasks, severely limiting their potential.
For workers’ comp organizations, explainability is both a regulatory requirement and a practical necessity. Claims adjusters need to understand why an AI tool flagged a claim. Underwriters need to understand the inputs driving a risk score. And when a regulator asks how a decision was made, the answer cannot be a shrug.
The Plante Moran analysis from March 2026 emphasized that AI governance is increasingly being viewed through a cybersecurity lens. Insurers will be expected to demonstrate that AI data is protected against unauthorized access, alteration, or loss throughout its lifecycle, with strong safeguards for sensitive information including PII and PHI (Plante Moran, March 2026).
Building a Compliant AI Governance Framework
A compliant AI governance framework does not need to be overwhelmingly complex. But it does need to be documented, enforced, and maintained. Here are the foundational components:
- Written AIS Program: Document your organization’s policies for the responsible use of AI. Define which AI systems are in use, what decisions they inform, who has oversight, and how they are monitored.
- Risk classification: Not all AI applications carry the same risk. Classify your AI use cases by risk level. An AI tool that auto-classifies incoming mail has a different risk profile than one that influences claims decisions or underwriting pricing.
- Vendor management: Document your due diligence process for evaluating third-party AI vendors. Include contractual protections such as audit rights, data handling requirements, and cooperation with regulatory inquiries.
- Bias testing and monitoring: Implement regular testing for disparate impact across protected classes. Document your methodology, results, and any remediation steps taken.
- Audit trail and documentation: Maintain records of AI model versions, training data, validation results, and decision logs. If you cannot demonstrate how a decision was made, you cannot defend it.
- Incident response: Define processes for handling AI failures, unexpected outputs, or discovered biases. Know who is responsible, what steps are taken, and how regulators are notified if required.
Practical Compliance for Multi-State Operators
Workers’ comp is a state-by-state line of business, and AI regulation is following the same pattern. Organizations operating across multiple jurisdictions face the challenge of varying requirements and timelines.
The practical approach is to build your governance framework to the highest standard currently required, then adapt as additional states adopt or diverge from the NAIC Model Bulletin. It is more efficient to over-comply in a few states than to maintain separate governance programs for each jurisdiction.
Monitor the NAIC’s published tracker of state adoption, which includes citations for each state’s version of the bulletin (NAIC, updated regularly). Stay connected to industry groups and legal counsel who specialize in insurance regulation. And work with technology vendors who build compliance features into their platforms rather than treating them as an afterthought.
Actionable Takeaways
- Establish a written AIS Program now. If you are using AI in any regulated insurance function and do not have a documented governance program, you have a compliance gap. Close it.
- Implement bias testing as a standard operating procedure. Test at deployment, monitor continuously, and document everything. One-third of insurers are not doing this. That is a regulatory vulnerability.
- Require explainability from your AI tools. If a vendor cannot explain how their model reaches a decision, that tool is not ready for a regulated environment.
- Prepare for third-party AI vendor regulation. A model law is coming. Start documenting your vendor diligence processes, data handling agreements, and contractual audit rights now.
- Build to the highest current standard. Multi-state operators should design their governance frameworks for the most stringent requirements and adapt downward. It is cheaper than maintaining parallel programs.
This post is part of a multiple-part series from True Insurtech Solutions exploring AI’s impact on workers’ compensation insurance. For a deeper dive into the data and trends shaping the industry, download the full State of AI in Workers’ Comp Report or reach out to Ryan Smith, Senior Solutions Advisor, to discuss strategies specific to your organization.