Updated June 10, 2026 with the current NAIC adoption count, the 12-state AI evaluation pilot, Colorado's repeal-and-replace, Texas TRAIGA, and the Florida and Idaho picture.
Artificial intelligence has spread through every corner of insurance work — and the rules are now real, dated, and state-by-state. Agents don't need to read statutes for a living, but in 2026 "I didn't know" stopped being a defensible posture. Here's the current map, what actually applies to an agency (as opposed to a carrier), and the short list of things to do about it.
The Scorecard, as of Mid-2026
- 24 states plus DC have adopted the NAIC Model Bulletin on insurers' use of AI (NAIC tracker, April 1, 2026). Hawaii was the most recent, in December 2025.
- Four states — California, Colorado, New York, and Texas — run their own insurance-specific AI rules instead. That's 29 jurisdictions with some form of insurance-AI guidance.
- The NAIC is piloting an AI Systems Evaluation Tool with 12 states through September 2026 — including Florida — with adoption anticipated at the Fall 2026 national meeting. Translation: examiners are building a standard playbook for auditing AI use.
- The federal government tried to preempt the states and didn't. The Senate voted 99–1 in July 2025 to strip a proposed 10-year freeze on state AI laws, and a December 2025 executive order created a DOJ task force to challenge state AI rules — but as of June 2026, every state rule above remains in force. Plan for state-by-state compliance.
What Regulators Are Focused On
The themes are stable across every adopting state, and they map directly onto agency work:
Transparency
Carriers — and the agencies in their distribution chain — should know how an AI system reaches outputs that affect pricing, eligibility, or claims.
Bias Prevention
Models must be tested so they don't discriminate on race, gender, age, income, or ZIP code — in underwriting, marketing targeting, and claims alike.
Data Privacy
AI tools that store or process personal data still answer to GLBA, state privacy laws, and vendor-security expectations. New in 2026: California's CPPA regulations took effect January 1 and spell out when insurance businesses must comply with the CCPA for data that isn't covered by the Insurance Code — think marketing-site visitors and employee data.
Human Oversight
Every framework expects humans to stay in the loop on decisions that affect clients. Florida's HB 527 — which passed the House 108–0 in March 2026 before dying in the Senate — would have required qualified-human review of AI claim denials. It failed, but it tells you exactly where regulators' attention is.
Three State Stories Worth Knowing
Colorado: repealed and replaced
Colorado's first-in-the-nation AI Act never reached its compliance date. After a postponement to June 30, 2026, the legislature repealed and replaced it in May 2026 with a narrower "automated decision-making technology" framework effective January 1, 2027 — and insurers subject to Colorado's existing insurance-AI statute are deemed in compliance for the practice of insurance. The lesson for agencies: these laws are moving targets; don't build your compliance posture on one statute's text.
Texas: TRAIGA, with an insurance carve-out
The Texas Responsible AI Governance Act took effect January 1, 2026. Its discrimination provisions exempt insurance entities already governed by Texas unfair-discrimination insurance law — the AI rules for Texas insurance stay with TDI. Penalties elsewhere run $10,000–$200,000 per violation, enforced by the AG.
Utah: disclose the bot
Utah's AI Policy Act (as amended May 2025) requires businesses in state-licensed occupations — which would include licensed insurance producers — to proactively disclose generative-AI use in high-risk interactions like financial advice or collecting sensitive data, with fines up to $2,500 per violation. If an AI chats with your clients in Utah, it has to say so up front.
Florida and Idaho: Where Our Clients Operate
Florida has not adopted the NAIC bulletin and the OIR has issued no AI guidance — but Florida is one of the 12 pilot states for the NAIC's AI examination tool, so the quiet won't last. Also: Florida is an all-party consent state for call recording (Fla. Stat. § 934.03). If your agency uses an AI notetaker on client calls in Florida, every participant needs to know.
Idaho has not adopted the bulletin and has issued no insurance-specific AI guidance. Idaho is a one-party consent state — an agent on the call can record it. Our tools default to disclosure anyway; consent notices are cheap, and lawsuits aren't: a consolidated federal class action against Otter.ai alleges its notetaker recorded participants without proper consent. That case is live in 2026, and it's the clearest signal yet that "the AI was listening" is becoming a litigated question.
What This Means for Your Agency: The Four-Item Checklist
1. AI Usage Policy
A simple internal document outlining what AI tools your team may use, what data can and cannot be entered, and the requirement that AI-generated content gets human review before it reaches a client. One page is enough. It protects the agency and creates consistency.
2. Vendor Due Diligence
Before adopting AI tools, confirm where the data is stored, whether your data trains anyone's models, what security controls exist, and how long data is retained. This matters most for tools touching PHI, PII, or financial data. For example, PolicyIQ uses role-based access control and encrypted storage — your documents are never shared across agencies — and MeetingIQ stores audio encrypted with UUID-only filenames, redacts PII before logging, and never pushes raw transcripts to your CRM.
3. Human Review of AI Output
Emails reviewed before sending. Summaries validated. AI-drafted recommendations checked by a licensed human before a client hears them. Every regulatory framework above assumes this; make it your house rule now.
4. Documentation
Record which tools you use, what tasks AI assists with, and how staff are trained. If a regulator, carrier, or E&O auditor asks "show me your AI program," a thin folder beats an empty one every time.
Use AI Anyway — Just Use It Like a Professional
None of this is a reason to avoid AI. Drafting emails, summarizing meetings, answering policy questions from your own carrier documents, automating scheduling — all of it sits comfortably inside every framework above, because a human stays in the loop and no consumer-affecting decision is delegated to a model. AI gets risky when it decides; it stays safe when it assists.
Most agencies don't have bandwidth to track 29 jurisdictions of AI guidance — that's part of what you hire us for. We pick compliant tools, set up the usage policy, train your team, and keep the documentation current. See how we implement compliant AI for agencies, or book a 30-minute discovery call.