The Second Sector-Specific AI Governance Regime Is Forming at the NAIC. The Vendor's Registration Filing Is a Disclosure Input to Carrier Diligence, Not a Substitute.
The second sector-specific AI governance regime in the United States is taking shape at the National Association of Insurance Commissioners, and it differs from the first one in exactly one load-bearing way. The Third-Party Data and Models (H) Working Group, chaired by Jason Lapham of the Colorado Division of Insurance, used its March 23, 2026 Spring Meeting session to advance a state-by-state AI vendor registration framework that would require pricing, underwriting, claims, utilization-review, marketing, and fraud-detection vendors to file model descriptions, training-data sources, bias-testing methodology, known limitations, change-management practices, and a regulator-inquiry contact in each state where their tools are used. Adoption is targeted for the Fall National Meeting following further tool refinement, with a 12-state pilot of the AI Evaluation Tool already running January through September 2026 across Colorado, Maryland, Louisiana, Virginia, Connecticut, Pennsylvania, Wisconsin, Florida, Rhode Island, Iowa, Vermont, and California, with ten insurers participating.
The procurement signal here is not the registration framework itself. It is that the framework is the second sector regime in two months to write AI governance obligations into a sector-specific enforcement mechanism, and the enforcement mechanism is different from the first. The mortgage GSE version routes through loan-level repurchase liability. The NAIC version routes through state market-conduct exam look-back, and that difference changes what carrier procurement teams have to ship in 2026 to survive an exam in 2028 or 2029.
The Mortgage Regime: Repurchase Mechanics
The Fannie Mae and Freddie Mac AI governance rules I covered in the GSE mandate post attach AI governance violations to the existing Selling Guide repurchase pathway. A Lender Contract breach on AI governance triggers the same machinery as any other Lender Contract breach: a repurchase demand, a make-whole demand, or both. The enforcement is loan-level, the financial exposure is calculable per file, and the audit moment is the day the GSE asks the lender to demonstrate which AI-assisted decisions touched a specific loan. The vendor row in that audit either reconstructs the model-by-model history or it does not, and a repurchase demand follows from the gap.
The mortgage regime is therefore primarily a contract-and-audit-trail problem. The lender's obligation is to keep its own records and its vendor's records in a state where, on demand, they reconstruct the chain. Failures show up as financial liability tied to specific loans.
The Insurance Regime: Market-Conduct Exam Look-Back
The NAIC framework writes the obligation through a different door. The registry itself, per the working group's stated intent and the ICT Committee's plain-language statement, "is not intended to relieve insurers of their existing vendor diligence and management obligations" and "is not designed to function as a licensure regime." The enforcement layer sits underneath the registry, in the state market-conduct exam, and it operates on a multi-year look-back. As Swept AI's analysis of the framework puts it, "State market conduct exams in Colorado, Connecticut, New York, and the bulletin-adopting states routinely look back two to three years," and the questions examiners ask are not whether the vendor filed a registration, but whether the carrier has documented "the insurer's governance program applied to the vendor, model validation before deployment, post-deployment monitoring, remediation pathways for biased outcomes, and contractual rights to testing artifacts."
Lapham framed the regulatory problem the registry is meant to solve in three parts at the March 23 session: regulators' inability to assess fairness of insurers' data and model use, limited governance and oversight of how third-party models and data are tested and monitored, and inability to determine whether rates are excessive, inadequate, or unfairly discriminatory when third-party data or models drive them. The Carlton Fields summary of the framework reaches the same conclusion the ICT Committee did: "Insurers are still responsible for carrying the accountability tune," and the registration filing supplements rather than replaces the carrier's own diligence binder.
The insurance regime is therefore primarily an evidence-preservation problem with a multi-year horizon. The carrier's obligation is to retain a documented governance trail that survives a two-to-three-year look-back, and failures show up as market-conduct findings that compound across rate filings, consent orders, and the next-cycle exam.
The Pattern: One Substrate, Two Enforcement Mechanisms
Both regimes accept the same underlying premise: a sector-specific federal-or-quasi-federal body has decided that horizontal AI policy is moving too slowly, the consumer-facing harms are concentrated enough in their sector to act unilaterally, and the load-bearing accountability remains with the regulated entity rather than with the AI vendor. Both regimes also share the same vendor-substitution risk profile that surfaced when the FHFA-Anthropic termination at the GSEs and the China NDRC unwinding of the Meta-Manus deal demonstrated that a vendor's continuity can change inside a single news cycle for reasons that are entirely outside the regulated entity's control. A carrier whose pricing model depends on a third-party vendor in 2026 will be asked, in 2028, what its remediation pathway looked like the moment that vendor's governance posture changed; the registration filing does not answer that question, the carrier's own binder does.
The load-bearing difference between the two regimes is the enforcement clock. Mortgage liability lands per loan, on the date the loan is sampled. Insurance liability lands per market-conduct cycle, on the date the exam team picks up the file. A lender that fails the audit pays repurchase on identifiable loans. A carrier that fails the exam absorbs findings that influence the next rate filing, the next consent order, and the next exam, with the original procurement decision sitting two to three years upstream of the consequence.
The industry has already pushed back on the related AI Evaluation Tool pilot, with a joint letter from the life, health, P&C, mutual, and reinsurance trade groups objecting that "the Pilot is one-sided, voluntary for regulators while compulsory for companies," and that pushback is a useful signal about the direction of travel: the pilot covers ten insurers, the registration framework covers every consumer-facing AI use across every state that adopts it, and the enforcement substrate is the same set of state market-conduct examiners who already run the every-three-year cycle.
The Principle: The Filing Is a Disclosure Input, Not a Diligence Substitute
The principle that holds across both regimes, and that holds with extra force in the NAIC version, is that the vendor's regulatory filing is a disclosure input to the regulated entity's diligence, not a substitute for it. The Swept AI analysis stated the rule precisely: "The registry creates visibility. It does not create a safe harbor." The vendor files what the state requires, the state aggregates the filings, and the carrier still owes its own governance program on top of whatever the vendor disclosed.
The Colorado anchor for this approach is older than the federal-level conversation. The working group is built on Colorado's SB 21-169 and Insurance Regulation 10-1-1 "trust but verify" framework, and the principle in that framework is that a carrier may rely on a third-party model only to the extent that the carrier can independently verify the model's fairness, monitor its outputs, and remediate biased outcomes when they surface. A registration filing does not produce verification, monitoring, or remediation; it produces a regulator-accessible description of the model and its intended use, which is upstream of the actual diligence work.
For procurement teams sizing the 2026 calendar against a 2028 or 2029 exam, three concrete diligence-binder rows follow from the framework. First, contractual rights to testing artifacts: the carrier needs the right to obtain bias-test results, model documentation, and change-management records on demand and to share them with state examiners, because the vendor's registration filing is the abstract; the artifacts are the underlying evidence the exam will ask for. Second, post-deployment monitoring records: the carrier's own logs, sampling schedules, and outcome reviews need to demonstrate that monitoring happened on the carrier's clock, not the vendor's, and that biased outcomes triggered the remediation pathway the NAIC December 2023 Model Bulletin presupposes. Third, vendor-substitution evidence: the carrier needs a documented record that its diligence on the vendor did not stop at the registration filing, because the auditor-concentration failure mode I covered in the Delve SOC 2 post generalizes directly. A regulator-facing filing is only as substantive as the work behind it, and the carrier owns the consequence when that work turns out to be insufficient.
Deloitte's recent survey of two hundred U.S. insurance executives found that 70% of P&C respondents have already implemented generative AI in one or more functions, and 76% have done so across insurance overall. The deployment curve is already past the point where a carrier could plausibly tell an examiner in 2028 that it did not have time to build a governance program in 2026. The framework has been on the table since the December 2023 Model Bulletin, the working group has been telegraphing the registration mechanism for most of a year, and the multi-year look-back means that procurement decisions made this year are the evidence the next exam cycle will evaluate. Carriers who treat the vendor's registration filing as the answer to their diligence question will find, in 2028, that the examiner is asking a different question entirely.