Practitioner's guide · Market conduct exam readiness

How to use the insurance controls schema

A five-step workflow for AI governance leads preparing for a NAIC market conduct exam and the Colorado Regulation 10-1-1 framework-availability obligation. Start at step 1 if you are configuring from scratch; jump to step 5 if you have a running schema and need to assemble the exam evidence package.

Audience: Chief compliance officer, AI governance lead, actuarial review function, market conduct exam counsel

Experimental schema: This vertical is a proposed extension of the CoSAI Shared Responsibility Framework, developed independently to demonstrate the approach. It is not part of CoSAI SRF v1.0 and has not been endorsed by CoSAI, the NAIC, or any regulator. Regulatory section references are marked TBD where verification against source documents is required.

The NAIC Model Bulletin requires a written AIS Program but prescribes no implementation schema. Colorado's amended Regulation 10-1-1 requires the entire governance framework to be available to the Division of Insurance on request from July 1, 2026. The NAIC AI Systems Evaluation Tool gives examiners a structured review framework, but insurers have had no control-by-control counterpart to map against.

This schema provides that counterpart: 40 controls with named accountable personas, measurable thresholds, and OCSF-compatible evidence pointers. These five steps walk you through applying it to your organization.

Step 1: Classify lines of business and regulatory scope

Before selecting controls, establish which regulatory regimes apply. Not all controls apply to all lines of business, and the tier parameters you set in step 4 depend on consumer impact by line.

Line of business | Applicable regime
Life insurance (all states) | NAIC Model Bulletin (where adopted). Colorado original Reg 10-1-1 (effective November 14, 2023). EU AI Act Annex III high-risk if EU exposure.
Private passenger auto (CO) | NAIC Model Bulletin. Colorado amended Reg 10-1-1 (effective October 15, 2025). Framework availability deadline: July 1, 2026. SRF-L1-DEV-005 is zero-tolerance.
Health benefit plans (CO) | NAIC Model Bulletin. Colorado amended Reg 10-1-1 (effective October 15, 2025). Same July 1, 2026 availability deadline. EU AI Act if EU exposure.
All lines (NY-licensed) | NYDFS Circular Letter No. 7 (July 2024) adds governance, fairness analysis, and senior management accountability obligations for underwriting and pricing AI.

Colorado deadline: July 1, 2026
Auto and health benefit insurers writing business in Colorado must have their complete governance framework available to the Division of Insurance on request from that date. If you write those lines in Colorado, SRF-L1-DEV-005 is a zero-tolerance control with immediate escalation on breach. Confirm your readiness now; the deadline is weeks away as of this writing.

Output from this step: a scope matrix listing lines of business, applicable regulatory regimes, and the subset of controls that carry zero-tolerance status for your book.

Step 2: Select an operating model for each AI system

Each AI system in your inventory must be assigned to one of the four operating models. The operating model determines which controls apply and which do not. Insurance has a distinctive model not found in banking: Vendor-Model, covering third-party predictive models and ECDIS vendors.

Operating model | Description and examples
AI-SaaS | Turnkey AI application delivered as a service. The insurer configures and operates it but does not train or host the model. Example: a claims triage SaaS platform.
AI-PaaS | AI platform on which the insurer builds and trains its own models. Example: an MLOps platform used to develop proprietary underwriting models.
Agent-Ops | Agentic AI workflows with tool use, multi-step reasoning, or autonomous action. Example: an AI agent handling first-notice-of-loss intake and claims routing.
Vendor-Model | Third-party predictive model or ECDIS vendor whose output is used in underwriting, rating, or claims. The NAIC Model Bulletin holds insurers accountable for these. Example: a bureau loss cost model, a credit-based insurance score, or a telematics scoring engine.

Vendor-Model is the key insurance-specific model
Most of your third-party model and ECDIS obligations land on the Vendor-Model operating model. Controls SRF-L1-DEV-003, SRF-L2-DEV-001, SRF-L5-TPO-001, and the full L5 layer apply to Vendor-Model. If you use bureau models, credit-based scores, or telematics scoring as inputs to underwriting or rating, those relationships need a due-diligence evidence package per SRF-L5-TPO-001.

Output from this step: each AI system in your inventory tagged with its operating model. Feed this into the next step to identify the accountable persona for each control.

Step 3: Map personas to accountable officers

Each control names one accountable persona. Personas are abstract roles in the SRF. Your task is to map each persona to a named officer or function in your organization. The NAIC Model Bulletin requires a named senior officer for the AIS Program (SRF-L1-MON-002); that officer should also anchor the L1 persona mapping.

SRF persona | Typical insurance mapping
ai-system-governance | Chief Compliance Officer (CCO) or Chief Risk Officer (CRO) designated as AIS Program owner. All L1 controls are accountable to this persona.
data-provider | Chief Actuary or Actuarial Data Science lead responsible for training data governance, ECDIS sourcing, and PSI monitoring. All L2 controls.
application-developer | AI/ML Engineering or InsurTech development team responsible for the application layer: explanation coverage, human review gates, fairness testing. All L3 controls.
ai-platform-provider | Infrastructure Security or Platform Engineering team responsible for model gateways, encryption, audit logging, and anomaly detection. All L4 controls. May be an external cloud provider for AI-SaaS deployments.
model-provider | Vendor AI model supplier (for Vendor-Model) or internal model development team (for AI-PaaS). All L5 controls. For vendor models, the insurer remains accountable for due diligence even though the provider supplies the artifacts.

Output from this step: a persona mapping table signed off by each named officer, retained in your AIS Program documentation. This table is a primary exam artifact for the governance and accountability dimensions of the NAIC Evaluation Tool.

Step 4: Set tier parameters by line of business and consumer impact

Tier-configurable controls carry a parameter name in the threshold (e.g., TIER_PSI_DRIFT_THRESHOLD). Your organization sets the numeric value for that parameter. Insurance tiering is by line of business and consumer impact level, not by bank-style materiality. Higher consumer impact means tighter thresholds and shorter monitoring windows.

Impact tier | Line examples | Guidance
High | Health benefit plans, life insurance, disability income | Tightest thresholds. Fairness testing quarterly or more frequently. PSI drift window monthly. Adverse impact ratio minimum at or above 0.85.
Medium | Private passenger auto, homeowners | Standard thresholds. Fairness testing semi-annually. PSI drift window monthly. Adverse impact ratio minimum at or above 0.80 (4/5ths rule).
Lower | Commercial lines, specialty, reinsurance | Relaxed thresholds where no individual consumer is directly impacted. Fairness testing annually. PSI drift window quarterly.

Key parameters to configure: PSI drift threshold (SRF-L2-MON-001), adverse impact ratio minimum (SRF-L3-MON-001), audit log completeness percentage (SRF-L4-MON-002), and vendor disclosure SLA windows (SRF-L5-MON-001, SRF-L5-MON-002).
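The two numeric monitoring parameters named above, the PSI drift threshold (SRF-L2-MON-001) and the adverse impact ratio minimum (SRF-L3-MON-001), only become enforceable once someone computes the metric and compares it with the tier's registered value. The following is an added example, not code from the page, the schema, or CoSAI: it computes PSI between a baseline and a current score distribution, computes the adverse impact ratio from approval decisions, and evaluates both against a small tier parameter register. The adverse impact ratio minimums for High and Medium are taken from the guidance table; the PSI threshold values, the Lower-tier ratio minimum, and all score and decision data are constructed assumptions for illustration.

```python
"""Check sample monitoring results against step 4 tier parameters (added example)."""
import math
import random

# Tier parameter register (constructed). AIR minimums for High/Medium follow the
# guidance table; PSI thresholds and the Lower-tier AIR minimum are ASSUMED values
# since the page names TIER_PSI_DRIFT_THRESHOLD but does not fix a number for it.
TIER_PARAMETERS = {
    "High":   {"TIER_PSI_DRIFT_THRESHOLD": 0.10, "TIER_AIR_MINIMUM": 0.85, "PSI_WINDOW": "monthly"},
    "Medium": {"TIER_PSI_DRIFT_THRESHOLD": 0.10, "TIER_AIR_MINIMUM": 0.80, "PSI_WINDOW": "monthly"},
    "Lower":  {"TIER_PSI_DRIFT_THRESHOLD": 0.25, "TIER_AIR_MINIMUM": 0.80, "PSI_WINDOW": "quarterly"},
}


def population_stability_index(baseline, current, bins=10, eps=1e-6):
    """PSI between two score samples, using equal-width bins over the combined range.

    Each bin's share is floored at eps so an empty bin never yields log(0).
    """
    lo = min(min(baseline), min(current))
    hi = max(max(baseline), max(current))
    width = (hi - lo) / bins or 1.0

    def shares(values):
        counts = [0] * bins
        for v in values:
            counts[min(int((v - lo) / width), bins - 1)] += 1
        return [max(c / len(values), eps) for c in counts]

    b, c = shares(baseline), shares(current)
    return sum((ci - bi) * math.log(ci / bi) for bi, ci in zip(b, c))


def adverse_impact_ratio(decisions):
    """Lowest group approval rate divided by highest group approval rate.

    decisions: iterable of (group_label, approved: bool). A ratio below the tier
    minimum (e.g. 0.80 under the 4/5ths rule) is a fairness finding.
    """
    totals, approved = {}, {}
    for group, ok in decisions:
        totals[group] = totals.get(group, 0) + 1
        approved[group] = approved.get(group, 0) + (1 if ok else 0)
    rates = [approved[g] / totals[g] for g in totals]
    return min(rates) / max(rates)


def evaluate_monitoring_results(tier, psi, air):
    """Return one finding per control, each tagged pass or breach for the given tier."""
    params = TIER_PARAMETERS[tier]
    return [
        {"control": "SRF-L2-MON-001", "metric": "psi", "value": round(psi, 4),
         "threshold": params["TIER_PSI_DRIFT_THRESHOLD"], "window": params["PSI_WINDOW"],
         "status": "pass" if psi <= params["TIER_PSI_DRIFT_THRESHOLD"] else "breach"},
        {"control": "SRF-L3-MON-001", "metric": "adverse_impact_ratio", "value": round(air, 4),
         "threshold": params["TIER_AIR_MINIMUM"],
         "status": "pass" if air >= params["TIER_AIR_MINIMUM"] else "breach"},
    ]


def constructed_scores(mean, n=2000, seed=7):
    """Deterministic constructed score sample (not real underwriting data)."""
    rng = random.Random(seed)
    return [rng.gauss(mean, 50) for _ in range(n)]


def constructed_decisions():
    """Constructed approvals: group A 80/100 approved, group B 60/100 approved (AIR 0.75)."""
    return [("A", i < 80) for i in range(100)] + [("B", i < 60) for i in range(100)]


if __name__ == "__main__":
    psi = population_stability_index(constructed_scores(600), constructed_scores(640))
    air = adverse_impact_ratio(constructed_decisions())
    for finding in evaluate_monitoring_results("Medium", psi, air):
        print(finding)
```

Each finding carries the control ID, the measured value, the registered threshold and the monitoring window, which is the shape of record the ongoing monitoring evidence log in step 5 needs; a breach on SRF-L2-MON-001 or SRF-L3-MON-001 is what the accountable data-provider or application-developer persona must be able to show was detected and acted on.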

Note on the pending Colorado life insurance quantitative testing regulation
A separate Colorado regulation proposing quantitative testing standards for life insurance AI was in draft as of this writing. Controls referencing testing thresholds for life lines should be treated as TBD pending that regulation's finalization. Watch for updates and revise your tier parameters accordingly.

Output from this step: a tier parameter register documenting each configurable parameter, its value, the line of business it applies to, the rationale for the chosen value, and the officer who approved it. This register is a required component of the exam readiness package assembled in step 5.

Step 5: Assemble the exam-ready evidence package

The NAIC AI Systems Evaluation Tool gives examiners a structured framework to review insurer AI governance. Your evidence package maps each examiner dimension to the controls and artifacts that satisfy it. Assembling this package before the exam is the difference between a manageable review and a protracted information request.

Package components: start with the four workstreams below, then cross-reference the control IDs listed for each.

Component | Controls covered
Governance artifacts | AIS Program with board approval (SRF-L1-DEV-001), senior officer designation (SRF-L1-MON-002), AI system inventory (SRF-L1-DEV-002), third-party vendor register (SRF-L1-DEV-003), adverse-decision appeal process (SRF-L1-DEV-004), Colorado framework availability readiness (SRF-L1-DEV-005).
Tier parameters and persona mapping | The tier parameter register from step 4, signed off by the accountable officer. The persona mapping table from step 3. These demonstrate that controls are configured, not just declared.
Model documentation per system | For each production AI system: model card (SRF-L5-DEV-001), independent validation report (SRF-L5-VAL-002), pre-deployment fairness evaluation (SRF-L5-VAL-001), explainability validation (SRF-L3-VAL-003), ECDIS permissible-purpose determination (SRF-L2-DEV-001), proxy variable screen (SRF-L2-DEV-002).
Ongoing monitoring evidence log | Last 12 months of PSI drift results (SRF-L2-MON-001), fairness outcome testing results (SRF-L3-MON-001), audit log completeness metrics (SRF-L4-MON-002), and adverse action explanation coverage rates (SRF-L3-VAL-001). For vendor models: evidence of performance disclosure SLA compliance (SRF-L5-MON-001).

Vendor model due diligence
For each third-party AI model in scope, the complete due-diligence evidence package (SRF-L5-TPO-001) is a stand-alone exhibit in the exam package. Examiners applying the NAIC Evaluation Tool will specifically assess whether the insurer has documented oversight of vendor AI, not just the vendor's self-attestation. Your package must demonstrate that the insurer reviewed and retained the required artifacts.

Output from this step: a complete, indexed evidence package ready for production to the NAIC exam team or the Colorado Division of Insurance. The package index should cross-reference each evaluation tool dimension to the specific artifacts and control IDs that satisfy it, making the examiner's review straightforward.

Exam-readiness workpaper

XLSX · Generated from insurance-controls.json · Includes Instructions, Tier Parameters, Persona Mapping, and Exam Evidence Log
