Are there regulations on AI in insurance underwriting?
Answer
Yes. Colorado's AI Act (SB 26-189, which repealed and reenacted SB 24-205) treats insurance as a covered 'consequential decision' area: a carrier using automated decision-making technology in underwriting or claims must give interaction notice, disclose an adverse decision in plain language within 30 days, let consumers correct inaccurate personal data, and provide meaningful human review — replacing the prior high-risk impact-assessment model. The Colorado Division of Insurance has separately issued guidance requiring carriers to demonstrate that AI underwriting models do not produce unfairly discriminatory outcomes. Multiple other state insurance departments — including California, New York, and Illinois — have issued AI guidance bulletins, and the NAIC has adopted model AI governance principles that many states are incorporating into their regulatory frameworks.
Applicable Regulations
Colorado AI Act — Automated Decision-Making Technology (SB 26-189, repeal & reenactment of SB 24-205)
On 2026-05-14 Governor Polis signed SB 26-189, which repeals and reenacts the Colorado AI Act (originally SB 24-205). The new law abandons the risk-management / annual-impact-assessment model and replaces it with a disclosure-and-notice framework governing "automated decision-making technology" (ADMT) that makes or substantially influences "consequential decisions" (education, employment, housing, financial services, insurance, healthcare, government services). The statute formally takes effect 2026-08-12 (no safety clause), but all substantive compliance obligations — for both deployers and developers — begin 2027-01-01, which is the operative date for regulated businesses; the Attorney General's implementing rules are also due by 2027-01-01. The AG has stated he will not enforce until the mandatory rulemaking process concludes.
Key Requirements
Industry Context
Insurance Brokers
Insurance brokers and agents increasingly use AI for underwriting support, client risk assessment, claims triage, and policy recommendation — work that sits squarely inside their professional duty of care. The exposure runs two ways. First, the brokerage's own AI use creates errors-and-omissions (E&O) risk: an AI-suggested coverage gap, a misclassified risk, or a chatbot that misstates policy terms can become a negligence claim. Second, brokers must understand the AI exclusion endorsements now appearing in the policies they place — Verisk's CG 40 47 and Berkley's PC 51380 both apply broadly to AI-related claims, including unsanctioned "shadow AI" use that the insured may not even know about. The NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers (adopted December 2023 and issued by many states since) sets the expectation of a documented AI governance program, while state unfair-trade-practices and rating laws constrain how AI may influence pricing, eligibility, and claims decisions.
Typical Compliance Gaps
Full State Analysis
Where this lands operationally
Gridex turns the compliance or coverage question into operated workflow controls: intake, review points, audit trails, and the places a person stays in the decision.
Discuss Broker Risk Intake
Use this research to identify the workflow, review points, and operating controls that would matter in your organization.
Discuss Broker Risk Intake →Related Questions
- Does Colorado require AI impact assessments? No longer. SB 26-189 (signed 2026-05-14) repealed and reenacted Colorado's AI Act, eliminating the impact-assessment requirement entirely. Colorado now instead requires deployers of automated decision-making technology (ADMT) to: give consumers clear interaction notice, disclose adverse consequential decisions within 30 days, allow correction of incorrect personal data, and provide meaningful human review and reconsideration. The statute formally takes effect 2026-08-12, but all compliance obligations — for deployers and developers alike — begin 2027-01-01.
- What AI rules apply to financial services in Colorado? Under Colorado's AI Act (reenacted by SB 26-189; obligations begin 2027-01-01), financial services is an enumerated consequential-decision category — meaning ADMT used in lending, credit underwriting, or insurance decisions triggers the full set of deployer duties: (1) interaction notice at the point of consumer contact; (2) adverse-outcome disclosure within 30 days of an adverse decision; (3) allow correction of factually incorrect personal data used by the ADMT; and (4) meaningful human review and reconsideration after an adverse decision. Impact assessments and 'high-risk AI system' classification from SB 24-205 no longer apply in Colorado.