Financial Services AI Governance · April 28, 2026

NAIC's 2026 AI Evaluation Pilot Is Running — Here's What Financial Services Firms Need to Govern Now

Twelve states are actively examining insurers' AI governance programs under the NAIC's new AI Evaluation Tool pilot. If your firm can't produce enforcement logs, examination season will find the gaps.

In January 2026, the National Association of Insurance Commissioners (NAIC) launched a live, multistate pilot of its AI Systems Evaluation Tool. Twelve states — Colorado, Maryland, Louisiana, Virginia, Connecticut, Pennsylvania, Wisconsin, Florida, Rhode Island, Iowa, Vermont, and California — are now using a structured questionnaire framework to examine how insurers govern, monitor, and secure their AI systems during market conduct reviews. The pilot runs through September 2026.

This isn't a future risk. Examiners in those 12 states are asking questions right now about your AI governance program.

What Regulators Are Looking At

The NAIC's Model Bulletin — adopted by approximately 24 states — requires insurers to maintain a written AI governance program covering transparency, fairness, accountability, and risk management. The 2024 NYDFS Circular Letter No. 7 goes further for New York-licensed carriers: it requires board-level oversight, senior management accountability for day-to-day AI implementation, and documented third-party vendor oversight — with NYDFS explicitly reserving the right to audit and examine AI system usage.

The Evaluation Tool pilot operationalizes those requirements. During examinations, regulators are asking insurers to document every AI system in production, explain governance processes for model updates, and demonstrate how third-party AI tools are monitored and controlled.

For most firms, the hardest question isn't "do we have a policy?" It's "can we prove our policy is being enforced, in real time, across every AI tool our employees use?"

The Gap Most Firms Haven't Closed

Written governance programs are table stakes. The NAIC knows many carriers have them. What the Evaluation Tool actually probes is operational evidence: access control logs, prompt-level audit trails, documented human-in-the-loop checkpoints for sensitive decisions, and third-party vendor controls.

That evidence doesn't exist if AI usage is ungoverned at the point of interaction — when an underwriter pastes customer data into ChatGPT, when a claims adjuster routes PHI through an unsanctioned AI tool, when Copilot autocompletes a client-facing email with hallucinated policy details.

The NAIC's examination focus is shifting from "show me your policy document" to "show me your enforcement logs."

What a Real-Time Enforcement Layer Looks Like

Containment.AI sits between your employees and every AI tool they access — enforcing policy in real time, logging every prompt and response, and generating the audit trail regulators are now asking for. When an examiner asks "can you demonstrate your AI governance program is operational?" the answer is a dashboard, not a binder.

No proxy reconfiguration required. No ripping out existing infrastructure. The browser extension deploys in minutes; the admin dashboard gives compliance teams a searchable, exportable record of every AI interaction across the organization.

With the NAIC pilot running through September 2026 and 24-state Model Bulletin adoption continuing to expand, the window to build that enforcement layer before your examination cycle is closing.
