From March 22–25, the National Association of Insurance Commissioners (“NAIC”) held its 2026 Spring National Meeting in San Diego, California. During the meeting, the Innovation, Cybersecurity, and Technology Committee, along with its working groups on Third-Party Data and Models, Big Data and Artificial Intelligence, and Cybersecurity, addressed key developments regarding oversight of third-party data and models, insurer use of artificial intelligence, cybersecurity preparedness, and consumer privacy.
Increased Focus on Third-Party AI and Data Oversight. The NAIC is advancing a proposal to create a registry for vendors that provide AI models and datasets to insurers. The purpose of the registry is to provide regulators with visibility into the third-party models and datasets used by insurers and to ensure that third parties who provide these resources maintain appropriate governance practices to protect insurers and consumers. The registry is not intended to relieve insurers of their existing vendor diligence and management obligations. While the registry is not designed to function as a licensure regime, it signals heightened regulatory attention to vendor governance, particularly where third‑party models and datasets are used in underwriting and pricing insurance products.
AI Evaluation Pilot Programs Underway. Several states have launched, or are expected to launch, pilot programs using a tool designed by the NAIC to assess how insurers use artificial intelligence across business functions. The tool includes questions regarding insurers’ AI systems, the sources and types of data used, and related governance practices, with a focus on high‑risk use cases. The NAIC intends to update the tool based on the pilot results and adopt it at the Fall National Meeting.
State regulators have selected participating insurers based on factors such as market share, lines of business, and anticipated reliance on AI. To date, the pilots have mostly focused on insurers who provide property and casualty and life insurance products.
Operationalizing the NAIC AI Model Bulletin and Governance Best Practices. The Senior Behavioral Data Scientist and Actuary in NAIC’s Research and Actuary Department presented on operationalizing the NAIC AI model bulletin. Noting that the model bulletin generally addresses adverse consumer outcomes, she explained how the use of a risk-taxonomy with varying levels of risk could help regulators prioritize high-risk use cases. Her presentation was followed by a discussion about best practices for AI governance, including cross-functional AI governance committees, enterprise AI inventories, vendor risk management, and pilot testing before scaling AI systems.
Agentic AI in Insurance. Attendees heard a presentation on insurers’ use of agentic AI, which highlighted the wide variation in AI maturity across insurers and the material risks associated with agentic systems. These risks include challenges related to assigning accountability, cascading errors across multiple agents, and data and technological limitations that may inhibit agentic performance. Participants discussed strategies to mitigate these risks, including monitoring the use of agents, establishing clear accountability, redesigning governance frameworks for agentic AI, and implementing human in the loop escalation for high risk use cases or known issues.
Event Notification and Artificial Intelligence as a Driver of Cybersecurity Threats. The Cybersecurity Working Group discussed the continued development of a centralized cybersecurity event notification portal for licensees subject to the Insurance Data Security Model Law (MDL 668). Participants also examined how artificial intelligence is accelerating both the speed and scale of cyberattacks, underscoring the importance of business continuity and resilience planning, and not just breach containment, in light of the likelihood of successful attacks.
Continued Work on Draft Insurance Privacy Law. The Privacy Protections Working Group continues its efforts to update the Privacy of Consumer Financial and Health Information Model Law (MDL 672). Privacy Protections expects to release a draft for public comment later this year.
Key Takeaways for Insurers
Insurance regulators are increasingly moving toward more structured oversight of AI development and use, as well as the governance of third‑party models and datasets. Insurers should anticipate heightened scrutiny of AI governance frameworks, third‑party risk management practices, agentic systems, and cybersecurity preparedness.
We will continue to monitor privacy, cybersecurity, and AI developments related to the NAIC and the insurance industry. Please contact Alston & Bird’s Privacy, Cyber & Data Strategy Team if you have questions or would like to discuss these developments further.
