Executive Summary
- SR 11-7 is the banking baseline. But mid-market firms in insurance, investment advice, and healthcare operate under three parallel frameworks that borrow SR 11-7’s DNA and add industry-specific teeth.
- Insurance: the NAIC Model Bulletin on Use of AI Systems by Insurers (Dec 4, 2023) expects every admitted insurer to maintain a written “AIS Program” governing AI across the policy lifecycle. As of early 2026, 24 states have adopted it — creating a patchwork where a national mid-market carrier faces 24 different examination regimes.
- Investment advice: the SEC has no AI-specific rule. Its July 2023 Predictive Data Analytics proposal stalled under industry pushback. Enforcement instead runs through the Marketing Rule and anti-fraud provisions — the March 18, 2024 actions against Delphia ($225K penalty) and Global Predictions ($175K penalty) established that “AI-washing” in marketing is the operative risk for RIAs, not model validation.
- Healthcare: the ONC HTI-1 Final Rule (Jan 9, 2024, effective Jan 1, 2025) forces certified EHR vendors to publish 31 “source attributes” for every Predictive Decision Support Intervention — a nutrition label for clinical AI. It does not regulate AI tools outside certified EHRs (ambient scribes, standalone imaging tools, radiology AI), which is where most mid-market health system AI actually lives.
- Across all three frameworks: the written program, documented model inventory, third-party due diligence, and ongoing validation are the four artifacts every examiner will ask for. Firms with vendor AI in production and none of the four are exposed.
Insurance: The NAIC Model Bulletin
The NAIC Model Bulletin (Dec 4, 2023) does not create new law. It tells insurers how existing unfair-trade-practices, unfair-claims-settlement, corporate-governance, and P&C rating statutes apply when AI makes or supports decisions. The mechanism is examination: a market conduct action in an adopting state will request the insurer’s written AI Systems (AIS) Program.
The bulletin expects the AIS Program to cover governance, risk management and internal controls, and third-party AI oversight — “tailored to and proportionate with the Insurer’s use and reliance on AI” and the “Degree of Potential Harm to Consumers.”
Concrete AIS Program elements examiners can request:
- The written program itself, with senior management accountable to the board.
- Model inventories and descriptions of Predictive Models; data lineage, quality, bias analysis, suitability.
- Validation, testing, retesting including Model Drift evaluation.
- Third-party AI due diligence: contract terms for audit rights and regulator cooperation; performance of those audit rights.
- Consumer notice: “processes and procedures providing notice to impacted consumers that AI Systems are in use.”
- Documentation of all of the above.
The bulletin explicitly endorses the NIST AI Risk Management Framework (version 1.0) as an acceptable reference.
State Adoption as of April 2026
Per the NAIC Big Data and AI Working Group implementation tracker and law firm summaries (Quarles, Holland & Knight), 24 states have adopted with varying modifications. Known adoption dates include: Vermont (Mar 2024), Rhode Island (Mar 2024), Pennsylvania (Apr 2024), Kentucky (Apr 2024), Maryland (Apr 2024), Nebraska (Jun 2024), Oklahoma (Nov 2024), Massachusetts (Dec 2024), North Carolina (Dec 2024), Delaware (Feb 2025), New Jersey (Feb 2025), Hawaii (Dec 2025).
Four states run their own frameworks: Colorado, New York, California, Texas. Colorado’s Regulation 10-1-1 on algorithms and predictive models in life insurance underwriting (effective 2023) is the most prescriptive — it requires quantitative testing for disparate impact and annual reporting to the Division of Insurance.
NAIC-level work continuing through 2026: an AI Systems Evaluation Tool (12 states piloting as of March 2026, full adoption planned for Fall 2026 National Meeting); a Third-Party Data and Models Working Group framework in development.
What This Means for a Mid-Market Carrier
If a 250-person regional P&C carrier writes in 12 states and 8 of them have adopted the bulletin, the carrier needs one AIS Program that satisfies the strictest adopter, not 8 different programs. Colorado adds a second layer for any life underwriting. The vendor AI in the underwriting stack (LexisNexis, Verisk, Cape Analytics) still counts — Section 4.0 of the bulletin makes the insurer, not the vendor, responsible for documented due diligence, validation, and audit rights.
Investment Advice: SEC Through Anti-Fraud and Marketing Rule
The SEC proposed the Conflicts of Interest / Predictive Data Analytics rule in July 2023 (Release Nos. 34-97990, IA-6353). It would have required RIAs and broker-dealers to eliminate or neutralize conflicts of interest arising from AI and other “covered technologies” in investor interactions. The proposal stalled under industry pushback and has not been finalized as of April 2026.
In the absence of an AI-specific rule, the SEC’s enforcement tools are:
- Advisers Act §206 anti-fraud — any material misrepresentation about AI capability.
- Marketing Rule (Rule 206(4)-1) — applies to any claim about AI performance or capability in advertising.
- Fiduciary duty — RIAs must understand the tools they use in client-facing decisions.
The March 2024 AI-Washing Cases
On March 18, 2024, the SEC announced the first AI-specific enforcement actions against investment advisers (Press Release 2024-36):
- Delphia (USA) Inc. (Toronto-based RIA): $225,000 civil penalty. From 2019 to 2023, Delphia claimed it “put[s] collective data to work to make our artificial intelligence smarter so it can predict which companies and trends are about to make it big.” SEC found Delphia “did not in fact have the AI and machine learning capabilities that it claimed.”
- Global Predictions, Inc. (San Francisco-based RIA operating a chatbot-based allocation platform): $175,000 civil penalty. Falsely advertised as the “first regulated AI financial advisor” producing “[e]xpert AI driven forecasts.”
Then-SEC Enforcement Director Gurbir Grewal: “We’ve seen time and again that when new technologies come along, they can create buzz from investors as well as false claims by those purporting to use those new technologies.” Chair Gary Gensler separately flagged “AI-washing” as analogous to earlier ESG over-claims.
The pattern in the two orders is not about model quality. Neither case faulted the firms for bad model performance. Both faulted the firms for marketing claims that did not match operational reality.
What This Means for a Mid-Market RIA
For a mid-market RIA ($1B–$20B AUM), the SEC priority is the claims audit. Every piece of client-facing copy — website, pitch deck, RFP response, chatbot disclosure, ADV Part 2 — needs engineering attestation that the AI capability described actually exists and performs as claimed. Chief compliance officers are pulling old marketing copy and rewriting. Budget exposure: $50K–$200K in external legal review plus controls build-out.
Model validation quality — the SR 11-7 style work banks are doing — is a second-order concern for the SEC at a typical RIA. It becomes first-order if the AI drives trade execution, allocation, or fiduciary-advice automation rather than just marketing.
Healthcare: ONC HTI-1 Final Rule
Published January 9, 2024 under the 21st Century Cures Act. Effective for certified health IT on January 1, 2025. The regulator is HHS Office of the National Coordinator for Health Information Technology (ONC).
HTI-1 regulates Predictive Decision Support Interventions (Predictive DSIs) embedded in certified EHRs — the Epic, Oracle Health (Cerner), Meditech, athenahealth, eClinicalWorks stack. For each Predictive DSI, the developer must:
- Risk-analyze the intervention across the “FAVES+” factors: validity, reliability, robustness, fairness, intelligibility, safety, security, privacy.
- Publish 31 source attributes (13 for evidence-based DSIs) — effectively a nutrition label: developer identity, intended use, intended users, intended patient population, cautioned uses, training data description and dates, input features, output, performance metrics, validation process, fairness/bias assessments, known risks, maintenance schedule. Must be accessible to clinicians at point of use.
- Annual attestation to ONC that documentation has been reviewed and updated.
- Public disclosure of intervention risk management practices on an ONC-accessible site.
HTI-1 does not exempt FDA-approved clinical decision support software. Dual compliance is required where applicable. HTI-2 (finalized Dec 2024) added TEFCA interoperability provisions. HTI-3 is expected to expand AI transparency requirements in 2026.
The Gap HTI-1 Does Not Cover
Most AI that mid-market health systems are actually buying in 2026 is not in certified EHR modules. Ambient scribes (Nuance DAX Copilot, Abridge, Suki, Nabla), standalone radiology AI (Aidoc, Viz.ai, RapidAI), AI-driven population health tools, and revenue cycle AI are typically purchased outside the certified EHR and so fall outside HTI-1.
The operating standard in that gap is the Coalition for Health AI (CHAI) framework — voluntary, not regulator-endorsed, but widely referenced. A mid-market health system’s AI governance committee typically uses CHAI model cards as the internal equivalent of HTI-1 source attributes for non-EHR AI.
What This Means for a Mid-Market Health System
A 400-bed community hospital can count on the EHR vendor for HTI-1 compliance on embedded DSIs. It cannot count on anyone for the AI scribe contract, the radiology AI contract, or the sepsis prediction tool if it was built in-house on Epic data but lives outside the certified module. Those require local AI governance: written policy, model inventory, performance monitoring, bias review, clinician notification, patient consent framework where applicable.
Cross-Framework Comparison
| Framework | Regulator | Type | What Triggers | Primary Artifact Examiner Wants |
|---|---|---|---|---|
| SR 11-7 | Fed / OCC | Guidance (1997, 2011, 2021 handbook) | Bank examination | Model validation reports, inventory |
| NAIC Model Bulletin | State insurance depts | Guidance (adopted state-by-state) | Market conduct exam | Written AIS Program, model inventory, third-party due diligence |
| SEC (Advisers Act, Marketing Rule) | SEC | Existing rules applied to AI | Advertisement review, OCIE exam | Claims substantiation, marketing copy review |
| ONC HTI-1 | HHS/ONC | Final rule (2024) | Certification maintenance | Source attributes for every Predictive DSI |
All four frameworks share the SR 11-7 DNA: written program, senior management accountability, lifecycle governance, documentation, third-party oversight, regulator exam rights. Differences cluster around who holds the governance obligation — the insurer itself (NAIC), the RIA for its own claims (SEC), the EHR vendor passing data to the provider (ONC).
Key Data Points
| Data Point | Source | Date | Notes |
|---|---|---|---|
| NAIC Model Bulletin adopted | NAIC Executive Committee | Dec 4, 2023 | Adopted by state insurance departments thereafter |
| 24 states have adopted NAIC bulletin | Quarles / NAIC tracker | Mar 2025 | 23 plus DC per late 2025 H&K analysis |
| Colorado Reg 10-1-1 (quantitative testing for life underwriting) | Colorado Division of Insurance | Effective 2023 | Most prescriptive state framework |
| Insurance AI adoption rate | NAIC Big Data & AI WG survey | 2022–2025 | 58% life, 92% health |
| SEC Delphia penalty | SEC Press Release 2024-36 | Mar 18, 2024 | $225,000 |
| SEC Global Predictions penalty | SEC Press Release 2024-36 | Mar 18, 2024 | $175,000 |
| SEC PDA Rule proposed | SEC | July 2023 | Stalled; not finalized as of Apr 2026 |
| ONC HTI-1 Final Rule published | Federal Register | Jan 9, 2024 | Effective Jan 1, 2025 for certified health IT |
| Source attributes required for Predictive DSI | 45 CFR 170.315(b)(11) | 2024 | 31 attributes; 13 for evidence-based DSIs |
What This Means for Your Organization
If you run AI in insurance, investment advice, or healthcare, you operate under a framework that borrowed SR 11-7’s structure and added sector-specific teeth. None of these regulators is waiting for an AI-specific federal law before examining.
The practical exposure for a mid-market firm is not catastrophic risk. It is the examination that arrives without a written program to hand over. NAIC-adopting states will ask an insurer for the AIS Program in a market conduct action. The SEC will ask an RIA to substantiate AI marketing claims in the next exam cycle. HHS/ONC will ask EHR vendors for source attributes, and the accrediting body (Joint Commission, NCQA) will increasingly ask health systems for AI governance policies covering non-EHR tools.
Three decisions worth making this quarter:
- Inventory the AI in production. Not the roadmap — what actually runs. Vendor tools count. Shadow IT counts.
- Name the senior owner accountable to the board, and give that person a written program covering governance, risk management, third-party due diligence, and monitoring. The NIST AI RMF 1.0 is an acceptable foundation under both NAIC and ONC; for RIAs, the Marketing Rule claims audit is the more urgent build.
- Pull every piece of client-facing or regulator-facing copy that describes AI capability. Verify each claim against operational reality.
Building the first written program is the work that moves examination exposure from open-ended to bounded. If that is the right next step but internal resources cannot start this quarter, that is the kind of question to send to brandon@brandonsneider.com — a 30-minute call can scope whether this is a three-week gap-fill or a six-month build.
Sources
- NAIC Model Bulletin: Use of Artificial Intelligence Systems by Insurers (Dec 4, 2023). https://content.naic.org/sites/default/files/inline-files/2023-12-4%20Model%20Bulletin_Adopted_0.pdf
- NAIC Implementation Tracker — Big Data and AI Working Group. https://content.naic.org/sites/default/files/cmte-h-big-data-artificial-intelligence-wg-map-ai-model-bulletin.pdf
- NAIC Insurance Topics — Artificial Intelligence. https://content.naic.org/insurance-topics/artificial-intelligence
- Quarles: “Nearly Half of States Have Now Adopted NAIC Model Bulletin.” https://www.quarles.com/newsroom/publications/nearly-half-of-states-have-now-adopted-naic-model-bulletin-on-insurers-use-of-ai
- Holland & Knight: “The Implications and Scope of the NAIC Model Bulletin.” https://www.hklaw.com/en/insights/publications/2025/05/the-implications-and-scope-of-the-naic-model-bulletin
- SEC Press Release 2024-36 (Mar 18, 2024): “SEC Charges Two Investment Advisers with Making False and Misleading Statements About Their Use of Artificial Intelligence.” https://www.sec.gov/newsroom/press-releases/2024-36
- Harvard Law Corp Gov Blog: “Decoding the SEC’s First AI-Washing Enforcement Actions.” https://corpgov.law.harvard.edu/2024/04/18/decoding-the-secs-first-ai-washing-enforcement-actions/
- Mayer Brown: “SEC Brings First Enforcement Actions Over AI-Washing.” https://www.mayerbrown.com/en/insights/publications/2024/04/securities-and-exchange-commission-brings-first-enforcement-actions-over-aiwashing
- HHS/ONC HTI-1 Final Rule. https://www.healthit.gov/topic/laws-regulation-and-policy/health-data-technology-and-interoperability-certification-program
- Mintz: “HHS, ONC HTI-1 Final Rule Introduces New Transparency Requirements for AI in Certified Health IT.” https://www.mintz.com/insights-center/viewpoints/2146/2024-01-08-hhs-onc-hti-1-final-rule-introduces-new-transparency
- Akin Gump: “ONC Steps into AI Regulation — Predictive Decision Support Interventions.” https://www.akingump.com/en/insights/alerts/onc-steps-into-ai-regulation-finalizing-extensive-requirements-for-predictive-decision-support-interventions-and-makes-significant-updates-to-information-blocking-regulations
- AHIMA: “ONC Decision Support Interventions Certification Criteria.” https://www.ahima.org/education-events/artificial-intelligence/artificial-intelligence-regulatory-resource-guide/onc-decision-support-interventions-certification-criteria/
Brandon Sneider | brandon@brandonsneider.com | April 2026