Compliance & Regulation · · 7 min read

NAIC Model Bulletin on AI in Insurance: What It Means for Deepfake Detection

Analysis of the NAIC Model Bulletin on AI for US insurers, the state-by-state regulatory landscape, and a compliance checklist for AI-powered deepfake fraud.

In December 2023, the National Association of Insurance Commissioners (NAIC) issued its Model Bulletin on the Use of Artificial Intelligence Systems by Insurers. This document — adopted by a growing number of US states — represents the most significant regulatory guidance on AI in the American insurance industry to date. For insurers deploying deepfake detection technology, the bulletin creates specific obligations around governance, transparency, and fairness that demand careful attention.

As synthetic media fraud costs US insurers an estimated USD 4.6 billion annually (Coalition Against Insurance Fraud, 2025), the pressure to deploy AI-powered detection is immense. But the regulatory framework surrounding that deployment is complex, fragmented, and evolving rapidly.

What the NAIC Model Bulletin Requires

The Model Bulletin applies to any “AI system” used in insurance — defined broadly to include machine learning, deep learning, natural language processing, and other computational techniques that produce outputs influencing insurance decisions. Deepfake detection technology falls squarely within this definition.

Core Principles

The bulletin establishes several foundational requirements:

1. Insurer Accountability Insurers remain responsible for AI-driven decisions, regardless of whether the AI system was developed in-house or procured from a third party. If a deepfake detection tool incorrectly flags a legitimate claim as fraudulent, the insurer — not the technology vendor — bears regulatory responsibility.

2. Governance Framework Insurers must establish an AI governance framework proportionate to the risk posed by the AI system. For deepfake detection used in claims decisions, this means a comprehensive program covering model development, validation, deployment, monitoring, and retirement.

3. Risk Management Each AI system must undergo a risk assessment evaluating potential adverse impacts on consumers. For deepfake detection, this includes assessing:

  • False positive rates and their impact on legitimate claimants
  • Potential for demographic bias in detection accuracy
  • Consequences of system failures or adversarial manipulation

4. Third-Party Oversight When using third-party AI tools, insurers should conduct due diligence and maintain ongoing oversight. The bulletin specifically states that “reliance on a third party does not absolve the insurer of responsibility.”

Documentation Requirements

The bulletin requires insurers to maintain documentation sufficient to demonstrate compliance, including:

  • A description of the AI system’s purpose and intended use
  • The data used to develop and operate the system
  • The methodology for testing and validating the system
  • Ongoing monitoring procedures and results
  • Records of any adverse outcomes and remediation actions

For deepfake detection, this translates to maintaining detailed records of every detection event, including confidence scores, the evidence analyzed, the outcome, and any human review that followed.

The State-by-State Regulatory Landscape

The NAIC Model Bulletin is not binding law. It is a template that individual states may adopt, modify, or ignore. As of early 2026, the adoption landscape is fragmented:

States That Have Adopted or Closely Aligned

  • Colorado — The first state to enact comprehensive AI insurance regulation through SB 21-169 and subsequent rules. Colorado’s framework goes beyond the NAIC bulletin, requiring algorithmic impact assessments and external audits for high-risk AI systems. Deepfake detection used in claims adjudication is likely to qualify as high-risk.
  • Connecticut — Adopted AI governance requirements aligned with the NAIC bulletin, effective 2025. Requires annual AI risk assessments.
  • Virginia — Enacted AI transparency requirements for insurance decisions, with specific provisions for consumer notification when AI influences claim outcomes.
  • New York — The Department of Financial Services (DFS) has issued separate AI guidance emphasising fair lending and underwriting, with fraud detection increasingly in scope.

States with Active Legislation

As of early 2026, at least 18 states have introduced AI-related insurance bills. Key themes include:

  • Mandatory bias testing for AI systems used in claims decisions
  • Consumer notification requirements when AI is used
  • Right to human review of AI-driven decisions
  • Transparency requirements for AI methodologies
  • Restrictions on using certain data types in AI models

States with No Specific AI Guidance

Many states — particularly smaller markets — have not yet addressed AI in insurance specifically. However, existing unfair trade practices acts and claims handling regulations still apply. An insurer cannot escape liability for an unfair claims decision simply because it was made by an AI system.

How Deepfake Detection Fits the Regulatory Framework

The NAIC bulletin and state-level regulations create specific compliance considerations for deepfake detection that differ from other AI applications in insurance.

Classification as a Claims Decision Tool

Deepfake detection is not a standalone system — it is a component of the claims investigation process. When a detection tool flags evidence as potentially synthetic, this directly influences whether a claim is paid, denied, or referred for further investigation. This classification matters because:

  • AI systems that influence claims outcomes are subject to stricter regulatory scrutiny
  • Consumer protection requirements apply to any technology that could result in claim denial
  • Reporting obligations may be triggered by detection results

The Human-in-the-Loop Requirement

Multiple states require meaningful human oversight of AI-driven decisions. For deepfake detection, this means:

  • AI detection results should not automatically trigger claim denial
  • A trained human investigator must review flagged claims before adverse action
  • The human reviewer must have the authority and information to override the AI
  • Documentation must demonstrate that human review was substantive, not pro forma

This requirement aligns with best practice. Even the most accurate deepfake detection models produce false positives, and the consequences of wrongly accusing a policyholder of fraud are severe — both for the individual and for the insurer’s legal exposure.

Consumer Notification

Several states require insurers to notify consumers when AI systems are used in processing their claims. The specific requirements vary:

  • Colorado requires notification that AI was used, along with an explanation of how it influenced the decision
  • Virginia requires disclosure that automated decision-making tools are employed
  • New York (proposed) would require detailed explanations of AI-driven adverse actions

For deepfake detection, this creates a tension: disclosing the specific detection methods used could help fraudsters evade them. Insurers need to balance transparency obligations with operational security.

Compliance Checklist for AI-Powered Deepfake Detection

Governance and Accountability

  • Designated AI officer or committee with authority over fraud detection AI
  • Board-level reporting on AI system performance and incidents
  • Clear accountability chain from detection output to claims decision
  • Written AI governance policy addressing deepfake detection specifically

Risk Assessment

  • Initial risk assessment completed for the deepfake detection system
  • Demographic bias testing across protected classes (race, gender, age, ethnicity)
  • False positive and false negative impact analysis
  • Adversarial robustness assessment
  • Annual risk reassessment schedule established

Documentation

  • System description including purpose, methodology, and limitations
  • Training data documentation (sources, composition, potential biases)
  • Validation testing methodology and results
  • Detection event logs with confidence scores and outcomes
  • Human review records for flagged claims

Third-Party Vendor Management

  • Vendor due diligence completed (security, accuracy, bias testing)
  • Contractual provisions for audit rights, data protection, and performance standards
  • Ongoing monitoring of vendor performance against SLAs
  • Vendor’s own compliance documentation obtained and reviewed
  • Contingency plan for vendor failure or contract termination

Consumer Protection

  • Consumer notification process for AI-influenced claims decisions
  • Human review process for AI-flagged claims before adverse action
  • Appeals mechanism for consumers to challenge AI-influenced decisions
  • Adverse action notices that explain the role of AI in the decision (where required)

Monitoring and Reporting

  • Ongoing monitoring of detection accuracy, false positive/negative rates
  • Drift detection for model performance degradation
  • Incident response plan for AI system failures
  • Regulatory reporting processes for material AI incidents

Emerging Federal Considerations

While insurance regulation in the US remains primarily state-based, federal activity is increasing:

  • The Federal Insurance Office (FIO) has signalled interest in AI oversight, particularly regarding systemic risk and consumer protection
  • The CFPB has issued guidance on AI in financial services that, while not directly applicable to insurance, influences state regulators’ thinking
  • Executive Order 14110 on Safe, Secure, and Trustworthy AI (October 2023) directed federal agencies to address AI risks, with downstream implications for regulated industries

Insurers should monitor federal developments closely. A federal AI framework — while politically difficult — would simplify the current patchwork of state regulations.

Practical Implications for Multistate Insurers

Insurers operating across multiple states face the challenge of complying with varying requirements simultaneously. The practical approach:

1. Adopt the highest standard. Rather than maintaining state-specific compliance programs, implement controls that satisfy the most stringent state requirements (currently Colorado). This approach is more expensive initially but far less complex to maintain.

2. Build modular compliance. Design deepfake detection workflows with configurable compliance features — consumer notifications, documentation levels, and human review processes that can be adjusted per jurisdiction.

3. Engage with regulators proactively. Several state insurance departments have expressed willingness to engage with insurers on AI governance practices before formal adoption. Early engagement can shape reasonable requirements and demonstrate good faith.

4. Monitor NAIC developments. The NAIC continues to refine its AI guidance through the Innovation, Cybersecurity, and Technology Committee. Active participation in NAIC working groups provides advance insight into regulatory direction.

The Compliance Cost of Inaction

Some insurers may consider delaying deepfake detection deployment to avoid regulatory complexity. This is a false economy. The cost of deepfake fraud already exceeds the cost of compliance, and regulatory expectations are converging on a clear message: insurers that fail to deploy reasonable fraud detection measures face liability for the fraud they miss.

The NAIC bulletin establishes a framework for responsible AI deployment — not a prohibition on it. Insurers that implement deepfake detection within this framework protect themselves on both fronts: against fraud losses and against regulatory action.

Conclusion

The NAIC Model Bulletin on AI in insurance creates a clear, if complex, compliance landscape for deepfake detection. The requirements are substantial — governance frameworks, risk assessments, documentation, consumer protections, and ongoing monitoring — but they are navigable with proper planning.

For US insurers, the question is not whether to comply but how efficiently. Deepfake detection solutions that are designed for regulatory compliance — with built-in audit trails, configurable human review workflows, and comprehensive documentation — reduce the compliance burden significantly.

The regulatory trajectory is unambiguous: more states will adopt AI governance requirements, and those requirements will become more stringent. Insurers that build compliant deepfake detection programs now will be well-positioned as the landscape matures. Those that delay will face both escalating fraud losses and a more demanding compliance catch-up.

This article is for informational purposes only and does not constitute legal, regulatory, or compliance advice. Insurers should consult qualified legal and compliance professionals for guidance specific to their circumstances and jurisdiction.