AI and the insurance policy lifecycle

The evolution of AI — and the insurance industry’s adoption of AI in their business processes — forces in-house insurance company lawyers to confront this question: What is the North Star for in-house insurance lawyers as they navigate this sea of uncertainty?

Fortunately, our North Star has not changed. Insurance is regulated because it impacts the public interest, and the rules governing the business of insurance have not changed merely because of AI. With or without AI, “unfair discrimination,” which is the greatest risk to the use of AI in the insurance policy lifecycle, is not permitted in the availability or affordability of insurance or in the treatment of policyholders and claimants. The NAIC’s Unfair Trade Practices Act (and its adoption by the states) has and will continue to serve as our North Star on the use of AI in the insurance policy lifecycle.

While unfair discrimination is prohibited, fair discrimination remains central to the business of insurance. State statutes prohibit insurance prices that are excessive, inadequate or unfairly discriminatory. Actuarially, “[a] rate is reasonable and not excessive, inadequate, or unfairly discriminatory if it is an actuarially sound estimate of the expected value of all future costs associated with an individual risk transfer,” according to the Casualty Actuarial Society Statement of Principles Regarding Property and Casualty Insurance Ratemaking.

The NAIC grappled with the issue of fair versus unfair discrimination in its 2020 Principles on AI by stating, “[c]onsistent with the risk-based foundation of insurance, AI actors should proactively engage in responsible stewardship of trustworthy AI... to avoid proxy discrimination against protected classes.”

The NAIC Principles set out the following five guiding principles to inform and establish general expectations for AI actors and systems:

1. Fair and ethical;
2. Accountable;
3. Compliant;
4. Transparent; and
5. Safe, secure, and robust.

Once the NAIC adopted its Use of AI Systems by Insurers Model Bulletin, several states have put rules in place to govern the commercial use of AI. These all have several themes in common:

• An obligation of insurers to use new technologies responsibly and transparently;
• Internal testing;
• Governance frameworks;
• Risk management frameworks and ongoing monitoring;
• Written policies and procedures for testing;
• Officer certifications;
• Data used to build models or algorithms included in all rate, form, and underwriting filings; and
• Transparency, in that consumers must be provided the specific reason for any adverse decisions.

When insurance company business leaders seek legal advice concerning incorporation of AI into their business processes, the first question is, “What is the reason for this use of AI in these circumstances?” Once that question is answered, lawyers can help identify the material risks and benefits of an AI strategy to achieve the business’ objectives in a compliant way — transparently, ethically, fairly and safely. Some benefits might include:

• Reduced cost;
• Increased productivity;
• Process simplification;
• Improved risk selection;
• More accurate pricing;
• Improved claim adjudication;
• Improved policyholder experience;
• Improved customer engagement; and
• Better ability to compete.

Some risks might include:

• Lawsuits and regulatory intervention alleging the use of a particular AI system as an act of bad faith claims handling;
• Lack of insurance coverage for damages resulting from use of AI; and
• Use of AI in furtherance of conscious or inadvertent unfairly discriminatory risk selection, pricing, and/or marketing.

“Build or buy” commonly is an early question. For insurance, companies without the resources to build an AI system on their own, an in-house lawyer’s natural skepticism is especially helpful in vendor selection and engagement. Insurers cannot escape legal or regulatory responsibility by blaming their vendors. Some areas for due diligence might include:

• Does the vendor have production experience for the insurer’s use-case with similar types of insurers?
• What resources does the vendor have to support risk and compliance during product development?
• Has the vendor adopted global frameworks.
• What are the vendor’s practices, training and testing methods for mitigating ethical and moral risks?
• What options does the client have to control the activation of AI capabilities within applications?
• What control does the client have in accepting new versions?
• How does the vendor integrate data governance into sourcing, managing, and overseeing training data?
• Does the vendor have actual practices and measures for safeguarding an insurance company’s data?
• How does the vendor train the AI?
• Do they use customer data?

Implementing an AI system also necessitates the establishment of additional systems of corporate governance and internal control. This is especially likely where the AI system is high risk (i.e., makes, or is a substantial factor in making, a decision that has a material effect on the provision or cost of insurance). Consequently, directors will be expected to possess AI literacy, meaning skills, knowledge and understanding that allow AI actors to make informed deployment decisions of AI systems, as well as to gain awareness about the opportunities and risks of AI and the possible harm it can cause.

The NAIC Model Bulletin requires insurers to develop a written program (AIS program) for the responsible use of AI Systems that make or support decisions related to regulated insurance practices. In setting regulatory expectations, the NAIC Model Bulletin provides, “The AIS Program should vest responsibility for the development, implementation, monitoring, and oversight of the AIS Program and for setting the Insurer’s strategy for AI Systems with senior management accountable to the board or an appropriate committee of the board.”

How a given insurer will accomplish this will vary, but in all instances, boards will need a degree of AI literacy to discharge their responsibilities. Among the recommendations in the report of the National Association of Corporate Directors’ Blue-Ribbon Commission on Technology Leadership in the Boardroom are:

• Ensure trustworthy technology use by aligning it with the organization’s purpose and values;
• Evaluate, establish, and maintain necessary technology proficiency among the Board;
• Ensure appropriate and clear metrics for technology oversight; and
• Recognize technology as a core element of long-term strategy.

What should insurance companies be looking for on the horizon? The March 11, 2025 meeting of the NAIC AI Working Group provides insights into what might be coming next. Specifically, insurance regulators are considering establishing their authority concerning, and providing the following guidance to, insurance companies that use AI in the insurance policy lifecycle:

• Establishing authority to hold third parties accountable or perhaps establish a national list of approved vendors that have been vetted;
• Providing guidance on transparency disclosures, allowing for consumer recourse;
• Providing uniform standards on governance;
• Providing guidance on governance, including how to test for adverse outcomes and standardized practices on allowable data elements and when human involvement is required to mitigate adverse impact to consumers;
• Providing guidance on systems evaluations, including objective and specific questions consistent across lines of business and states, perhaps incorporating questions into annual statement filings, market conduct examinations, and/or financial examination reporting, and standardized questions based on model type.

What is the biggest takeaway?

AI is simply the latest step in the centuries-long march of advancement. Existing principles of insurance regulation that are in the public interest will help keep that march directed toward its North Star.

Fred Garsson, Kara Pike and William Latza are attorneys with the Insurance group at the law firm Saul Ewing.