Regulators Are Fining Insurers Billions for AI They Can't Explain
The New York Department of Financial Services fined insurers over $82 million in January 2026 for AI compliance violations. Georgia hit 22 carriers with $25 million in penalties that same month. Colorado built its own regulatory framework that goes beyond what the National Association of Insurance Commissioners proposed.
These aren't isolated incidents. They signal a shift: regulators are moving fast, hitting hard, and doing it in 50 different ways.
If you're deploying AI and can't explain how it makes decisions, you're not innovating. You're building legal liability.
The Regulatory Patchwork Is Getting Worse
The NAIC released a Model Bulletin on AI in December 2023. Fifteen months later, only 24 of 50 states had adopted it-and most added their own modifications. There is no single standard.
Colorado requires annual testing of AI systems for unfair discrimination. Virginia changed one word in the NAIC's guidance from "mitigating risk" to "eliminating risk," turning a best-effort standard into an absolute mandate. New York requires insurers to prove their algorithms aren't producing discriminatory outcomes with specific documentation.
The insurance industry faces over 3,300 regulatory changes annually. An increasing portion targets AI and automated decision-making. These penalties are being enforced.
When a regulator asks why your AI denied a claim or raised a premium, "the model decided" is not an answer. It's the beginning of an expensive problem.
The Black Box Problem Is Real
According to Deloitte's 2025 Global Insurance Outlook, 82% of insurers now use generative AI. But there's a critical gap: most don't know how their systems actually work.
A team builds or buys a model. It performs well in testing. It goes live. Then someone asks: "How does it actually make decisions?" The room goes silent.
This isn't just a compliance issue. It's a business risk. When your underwriting model can't explain why it priced a policy at a certain tier, you can't defend that price to a regulator. When your claims system can't justify why it flagged a file as suspicious, you can't justify the delay to a policyholder. When your fraud algorithm can't prove it isn't targeting protected groups, you're one audit away from a class-action lawsuit.
The State of AI in Business 2025 report found that 95% of organizations aren't seeing a return on their AI spending. Much of that failure stems from deploying AI without governance infrastructure to sustain it.
What Explainability Actually Requires
Explainable AI doesn't mean dumbing down your models. It means building systems that answer three specific questions at any moment:
What data did the model use?
It's not enough to list inputs. You need to prove data sources are compliant and unbiased across state lines. Privacy laws in California differ from Texas. Fair lending rules in New York apply differently to auto than to property. Your system needs to know the difference.
Why did the model reach this conclusion?
A confidence score is not an explanation. A probability is not a justification. Regulators want to see the chain of reasoning: which factors carried the most weight, how they interacted, and whether the outcome would change if a protected characteristic were removed.
Who changed what, and when?
Every rule tweak, model update, and parameter adjustment needs a timestamp, an author, and an impact assessment. The NAIC Model Bulletin explicitly requires "documentation of AI systems, including their intended purpose, inputs, and decision-making processes." Without an audit trail, you have no proof of oversight.
Build Compliance Into Your Architecture
Carriers getting this right don't bolt on compliance after the fact. They build it in from day one.
Separate business logic from code
When underwriting logic is hard-coded, every change requires a developer, a release cycle, and testing across 50 jurisdictions. This makes auditability nearly impossible. According to the PwC 2025 Insurance Technology Survey, 70-80% of IT budgets go to legacy maintenance, leaving little for governance.
External rule engines solve this. Compliance officers can update state-specific rules without touching code, and every change is logged.
Build jurisdictional awareness
Your AI needs to know that a pricing decision in a "file and use" state like Illinois requires different documentation than in a "prior approval" state like New York.
According to Milliman, the time to get homeowners' rates approved in New York jumped from 62 days in 2023 to 233 days in 2025. If your system can't automate jurisdiction-specific documentation, you're wasting resources or missing critical filings.
Run pre-deployment impact analysis
Before any AI model or rule change goes live, know exactly which products in which states will be affected. No surprises. No emergency patches. No "we didn't realize this would affect Florida homeowners" moments.
Compliance Is a Competitive Advantage
Most insurers treat compliance as a cost. That's wrong. Explainability and auditability are competitive advantages.
Insurers who can prove their AI systems are accountable move through regulatory filings faster. They enter new states with confidence. They launch products in weeks, not months, because their oversight infrastructure is already in place.
There's also a business case that doesn't show up in compliance budgets: trust. Agents who understand how their AI tools work use them more. Policyholders who get clear explanations for decisions complain less. Regulators who see a strong governance framework dig less.
Three Questions to Ask Now
If you're deploying AI or planning to, answer these:
- Can your AI systems explain every decision in a way a state regulator would accept?
- Do you have a jurisdiction-aware governance framework that adapts to every state you operate in?
- Is your compliance team involved in AI deployment from day one, or do they find out about new models after they're already live?
AI in insurance is no longer optional. But deploying it without explainability isn't innovation. It's recklessness. The regulators have made their move. The question is whether your architecture is ready to answer.
Your membership also unlocks:
