© 2023 National Association of Insurance Commissioners
1.3 The AIS Program should vest responsibility for the development, implementation, monitoring, and
oversight of the AIS Program and for setting the Insurer’s strategy for AI Systems with senior management
accountable to the board or an appropriate committee of the board.
1.4 The AIS Program should be tailored to and proportionate with the Insurer’s use and reliance on
AI and AI Systems. Controls and procedures should be focused on the mitigation of Adverse Consumer Outcomes
and the scope of the controls and procedures applicable to a given AI System use case should reflect and align
with the Degree of Potential Harm to Consumers with respect to that use case.
1.5 The AIS Program may be independent of or part of the Insurer’s existing Enterprise Risk
Management (ERM) program. The AIS Program may adopt, incorporate, or rely upon, in whole or in part, a
framework or standards developed by an official third-party standard organization, such as the National Institute
of Standards and Technology (NIST) Artificial Intelligence Risk Management Framework, Version 1.0.
1.6 The AIS Program should address the use of AI Systems across the insurance life cycle, including
areas such as product development and design, marketing, use, underwriting, rating and pricing, case
management, claim administration and payment, and fraud detection.
1.7 The AIS Program should address all phases of an AI System’s life cycle, including design,
development, validation, implementation (both systems and business), use, on-going monitoring, updating and
retirement.
1.8 The AIS Program should address the AI Systems used with respect to regulated insurance practices
whether developed by the Insurer or a third-party vendor.
1.9 The AIS Program should include processes and procedures providing notice to impacted
consumers that AI Systems are in use and provide access to appropriate levels of information based on the phase
of the insurance life cycle in which the AI Systems are being used.
2.0 Governance
The AIS Program should include a governance framework for the oversight of AI Systems used by the
Insurer. Governance should prioritize transparency, fairness, and accountability in the design and implementation
of the AI Systems, recognizing that proprietary and trade secret information must be protected. An Insurer may
consider adopting new internal governance structures or rely on the Insurer’s existing governance structures;
however, in developing its governance framework, the Insurer should consider addressing the following items:
2.1 The policies, processes, and procedures, including risk management and internal controls, to be
followed at each stage of an AI System life cycle, from proposed development to retirement.
2.2 The requirements adopted by the Insurer to document compliance with the AIS Program policies,
processes, procedures, and standards. Documentation requirements should be developed with Section 4 in mind.
2.3 The Insurer’s internal AI System governance accountability structure, such as:
a) The formation of centralized, federated, or otherwise constituted committees comprised of
representatives from appropriate disciplines and units within the Insurer, such as business
units, product specialists, actuarial, data science and analytics, underwriting, claims,
compliance, and legal.