The insurance industry is one of the most heavily regulated AI use cases in the United States, and the regulatory environment has tightened significantly since 2024. Carriers face two distinct compliance layers: insurance-specific AI governance requirements enacted by state insurance regulators, and general-purpose AI laws like Colorado's SB 205 that include insurance decisions as a category of consequential decisions subject to their full compliance requirements.
Colorado: Two Parallel Frameworks
Colorado is the most consequential state for insurance AI regulation, operating two distinct but related frameworks that apply simultaneously to carriers writing business in Colorado.
Framework 1: C.R.S. §10-3-1104.9 (Insurance-Specific AI Regulation)
Colorado's insurance-specific AI statute, C.R.S. §10-3-1104.9, predates the general AI Act by several years. It prohibits insurers from using external consumer data sources, external data analytics, algorithms, or predictive models that result in unfair discrimination based on protected characteristics—even when the model or data source is facially neutral. The core requirement is quantitative testing for disparate impact across protected classes, including cases where the model does not explicitly use a protected characteristic as an input.
Critical expansion effective October 15, 2025: The Division of Insurance expanded §10-3-1104.9's scope to cover private passenger automobile insurance and health benefit plans, in addition to life insurance (the original scope). Auto and health carriers writing in Colorado who have not yet implemented quantitative disparate impact testing are currently out of compliance—this is not a future-effective obligation. It is in effect now.
Framework 2: Colorado SB 205 (Effective June 30, 2026)
Colorado's AI Act (SB 24-205) covers insurance as a category of consequential decisions. Any AI system that makes or materially influences decisions about insurance coverage determinations, premium calculations, or claims processing is a high-risk AI system under SB 205. As a deployer of high-risk AI systems, an insurer subject to SB 205 must:
- Conduct impact assessments before deployment and annually thereafter
- Implement a risk management program aligned with NIST AI RMF or ISO/IEC 42001
- Provide pre-decision consumer notices when AI substantially influences a coverage or claims decision
- Offer human review of adverse AI-driven decisions (claim denials, premium surcharges)
- Maintain public website disclosures about high-risk AI use
- Retain documentation for three years
The Conditional SB 205 Exemption for Insurers
Carriers that are already in full compliance with §10-3-1104.9 may qualify for a partial exemption from SB 205's requirements for the insurance-specific portions of their AI operations. However, this exemption is conditional: the carrier must be actually compliant with §10-3-1104.9 (including the October 2025 auto and health expansion), and the exemption applies only to AI systems used in insurance contexts already covered by the Division's implementing rules. Carriers relying on this exemption without documented §10-3-1104.9 compliance are exposed under both frameworks.
What Insurers Must Do by June 30, 2026 (Colorado)
| Obligation | Legal Basis | Deadline |
|---|---|---|
| Quantitative disparate impact testing (life insurance) | C.R.S. §10-3-1104.9 | Already in effect |
| Quantitative disparate impact testing (auto + health) | C.R.S. §10-3-1104.9 (expanded) | Oct 15, 2025 (already past; currently required) |
| AI system inventory | SB 205 / §10-3-1104.9 | Before June 30, 2026 |
| Impact assessments for high-risk AI systems | SB 205 | Before June 30, 2026 |
| Consumer notices for AI-influenced coverage decisions | SB 205 | June 30, 2026 |
| Risk management program (NIST/ISO aligned) | SB 205 | June 30, 2026 |
New York: Auto Insurance AI Legislation
New York's legislature has advanced several bills targeting AI use in auto insurance underwriting and claims, including proposals requiring disclosure when AI is used in underwriting decisions, legislation requiring insurers to explain AI-based premium determinations to applicants, and proposals to prohibit certain data types as AI model inputs in underwriting. As of June 2026, specific New York insurance AI bills remain pending. Track current status on our New York AI law page.
NAIC Model Bulletin on AI
The National Association of Insurance Commissioners (NAIC) adopted its Model Bulletin on the Use of Artificial Intelligence Systems by Insurers in 2023. Key elements include requirements to inventory AI systems, implement governance and risk management programs, conduct testing for bias and discrimination, and maintain third-party vendor oversight. The NAIC bulletin is not legally binding in itself, but adoption by state insurance commissioners creates enforceable obligations. Carriers should track which states have formally adopted NAIC AI guidance through their departments of insurance.
Specific High-Risk AI Use Cases in Insurance
Underwriting AI
AI systems that score applicants, determine eligibility, or set premiums are the most clearly covered category under both Colorado frameworks and NAIC guidance. Third-party predictive models, telematics data, credit-based insurance scoring, and property imagery analysis should all be reviewed for disparate impact compliance.
Claims AI
AI systems used to detect fraud, assess claim severity, or automate payment decisions are covered as "claims processing" under Colorado SB 205's consequential decision framework. Human review rights apply to adverse claims decisions influenced by AI.
Customer-Facing AI
Customer-facing AI systems that help policyholders understand coverage, file claims, or evaluate options trigger disclosure obligations under California AB 2905 (for companion-style interactions) and Colorado SB 205's consumer notice requirements.
Documentation as Compliance Asset
Under both Colorado frameworks, documentation functions as an affirmative defense. The compliance record a carrier builds—AI inventories, disparate impact test results, impact assessments, governance policies, vendor documentation—is what the carrier presents to demonstrate reasonable care if enforcement is initiated. For carriers that have not yet started building this record, the June 30, 2026 deadline for SB 205 represents a hard stop.
For state-by-state insurance AI compliance requirements, visit our AI in insurance regulations page and the Colorado and New York state pages.
This article is for informational purposes only and does not constitute legal advice. Insurance regulatory matters require advice from qualified insurance counsel admitted in your state(s) of operation.
Subscribe to the daily AI law digest →