Playbook

AI governance for insurance agencies.

A practitioner-grade framework for the policy, audit trail, vendor diligence, and incident-response infrastructure agencies need in 2026. Built for the COO, the compliance lead, and the agency owner who just got a new carrier questionnaire asking about AI use.

Why governance is no longer optional.

Two years ago, an insurance agency could use AI tools without a written policy, an inventory, or an incident-response process and nothing in the carrier or regulatory environment would push back. That is no longer true in 2026.

Three forces converged. First, the NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers, adopted in December 2023 and rolled out across state insurance departments through 2024 and 2025, established a baseline expectation for AI governance at insurers. Second, carriers responded by extending those expectations downstream through producer questionnaires that now routinely ask agencies whether they have written AI policies, AI inventories, and AI incident processes. Third, agency E&O carriers started flagging AI-assisted work as a specific exposure category, with the inevitable consequence that policies cover it less cleanly than they cover traditional work.

An agency without a defensible governance posture in 2026 fails a meaningful number of new carrier appointments and renewals. The cost of building the posture is small. The cost of being caught without it is large. This playbook is the framework for building it.

The four governance domains.

Useful AI governance for an insurance agency sits on four domains. Each maps to a deliverable and an owner.

D1 Inventory

Risk inventory

A live list of every AI tool in use, who uses it, what data flows through it, and the risk classification for the workflow. Updated quarterly. Owned by the governance lead.

D2 Diligence

Vendor diligence

A repeatable evaluation process for every new AI vendor before procurement. Security posture, contractual escape, audit trail, and indemnification. Owned by the governance lead with sign-off from the agency owner or COO.

D3 Oversight

Workflow oversight

Active monitoring of AI-assisted work product. Sampling rate, review cadence, and escalation criteria defined per workflow. Owned by the line-of-business lead with reporting up to the governance lead.

D4 Response

Incident response

A documented protocol for when AI behavior produces an error, complaint, or breach. Who gets called, what gets preserved, when the E&O carrier is notified, what the client gets told. Owned by the agency owner or COO.

The four domains compound. A live inventory makes vendor diligence faster. Vendor diligence makes workflow oversight more targeted. Workflow oversight produces the data that makes incident response defensible. Skipping a domain produces gaps the carriers and regulators are now trained to spot.

NAIC Model Bulletin landscape.

The NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers was adopted by NAIC in December 2023. By mid-2025, a majority of state insurance departments had adopted it in some form, either by direct issuance, by reference inside broader AI guidance, or by integration into existing market-conduct expectations. The specific posture varies by state, but the consistent themes are a board-approved AI governance program, a documented risk assessment process, controls proportionate to the risk of each AI use case, and oversight of third-party AI vendors.

The bulletin applies primarily to insurers, but the carriers extend it downstream through agency appointments and renewal questionnaires. Even if your state has not formally adopted it, plan as if it applies. The carriers will treat you as if it does.

Verify your specific state's posture with your state insurance department or your E&O broker. Adoption details and effective dates vary.

The E&O exposure layer.

Most agency E&O policies in 2026 do not explicitly carve out AI-related claims. They cover claims arising from AI-assisted work the same way they cover any other professional negligence. The gap is in three specific scenarios: the AI's behavior was unexpected, the audit trail is insufficient to defend the work, or the loss involves a third-party AI vendor's failure.

Most agencies should have an explicit AI conversation with their E&O broker in 2026. Ask: how does the policy treat AI-assisted work? What documentation do we need to maintain? What is the carrier's stance on third-party AI vendor failures? Get the answers in writing.

The minimum viable AI policy.

A defensible first-version AI policy for an insurance agency has five components: an inventory of AI tools in use, an approval process for new tools, an acceptable-use policy for staff, a vendor diligence checklist, and an incident response protocol. Most agencies can have it written in two weeks.

The first version does not have to be perfect. The first version has to exist. Agencies that have a written policy with these five components answer most carrier questionnaires correctly and have something to point E&O underwriters at. Agencies that do not, do not.

Audit trail design.

An audit trail for AI-assisted work exists to reconstruct what happened in the event of a complaint, E&O claim, or regulator inquiry. Five fields per AI action: timestamp, user, AI system and model version, input or prompt, output, and any user override.

The audit trail should be retrievable in three views: per producer (for performance management), per client (for E&O defense), and per workflow (for governance reporting).

Most AI vendors do not surface a clean audit trail by default. Asking for it during vendor selection is the leverage point. The agency's audit trail is only as good as the vendor data feeding it. Pick vendors that produce per-action logs natively. The ones that do tend to be the more mature operators in the category.
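The record structure and the three retrieval views described above, as an added illustration that is not code from the playbook or from any vendor it discusses. The five fields are the playbook's; the field names, the `client_id` and `workflow` keys (needed so records can be pulled per client and per workflow), the override-rate metric, and all sample records are assumptions constructed for this example.

```python
"""Audit trail for AI-assisted work: one record per AI action, three views.

Added illustration, not the playbook's own code. Field names, the extra
client_id/workflow keys, and the sample data are assumptions.
"""
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import asdict, dataclass
from typing import Optional


@dataclass(frozen=True)
class AIActionRecord:
    timestamp: str            # when the AI action ran (ISO-8601, UTC)
    user: str                 # producer or staff member who ran the tool
    system: str               # AI system name and model version, e.g. "quotebot/2.3"
    prompt: str               # input or prompt given to the AI
    output: str               # what the AI produced
    override: Optional[str]   # human change made before use; None if accepted as-is
    client_id: str            # assumed key: which client file the action touched
    workflow: str             # assumed key: e.g. "quoting", "claims-intake"


class AuditTrail:
    """Append-only store indexed for the per-producer, per-client and per-workflow views."""

    def __init__(self) -> None:
        self._records: list[AIActionRecord] = []
        self._by_producer: dict[str, list[AIActionRecord]] = defaultdict(list)
        self._by_client: dict[str, list[AIActionRecord]] = defaultdict(list)
        self._by_workflow: dict[str, list[AIActionRecord]] = defaultdict(list)

    def record(self, rec: AIActionRecord) -> None:
        # A record that cannot say who did what, with which model, is useless in a defense.
        if not (rec.timestamp and rec.user and rec.system):
            raise ValueError("timestamp, user and system are mandatory")
        self._records.append(rec)
        self._by_producer[rec.user].append(rec)
        self._by_client[rec.client_id].append(rec)
        self._by_workflow[rec.workflow].append(rec)

    # The three views the playbook asks for. Copies are returned so callers
    # cannot mutate the underlying log.
    def per_producer(self, user: str) -> list[AIActionRecord]:
        return list(self._by_producer.get(user, []))

    def per_client(self, client_id: str) -> list[AIActionRecord]:
        return list(self._by_client.get(client_id, []))

    def per_workflow(self, workflow: str) -> list[AIActionRecord]:
        return list(self._by_workflow.get(workflow, []))

    def override_rate(self, workflow: str) -> float:
        """Share of AI outputs in a workflow that a human changed before use.

        An oversight signal derived from the trail: a rate near 0 on a
        high-risk workflow suggests nobody is reviewing; a very high rate
        suggests the tool is not fit for the workflow. (Assumed metric.)
        """
        recs = self._by_workflow.get(workflow, [])
        if not recs:
            return 0.0
        return sum(1 for r in recs if r.override is not None) / len(recs)

    def export_jsonl(self) -> str:
        """One JSON object per line, suitable for handing to counsel or a regulator."""
        return "\n".join(json.dumps(asdict(r)) for r in self._records)


def build_sample_trail() -> AuditTrail:
    """Constructed sample records (not real agency data)."""
    trail = AuditTrail()
    samples = [
        ("2026-01-14T15:02:11Z", "jdoe", "quotebot/2.3",
         "Summarize auto quote for C-1001", "Quote summary: ...", None,
         "C-1001", "quoting"),
        ("2026-01-14T15:40:03Z", "jdoe", "quotebot/2.3",
         "Draft renewal note for C-2002", "Renewal note: ...",
         "Corrected deductible from $500 to $1,000", "C-2002", "quoting"),
        ("2026-01-15T09:12:45Z", "asmith", "claimsdraft/1.8",
         "Draft FNOL summary for C-1001", "FNOL summary: ...", None,
         "C-1001", "claims-intake"),
    ]
    for s in samples:
        trail.record(AIActionRecord(*s))
    return trail


if __name__ == "__main__":
    t = build_sample_trail()
    print(len(t.per_client("C-1001")), "actions on client C-1001")
    print(f"quoting override rate: {t.override_rate('quoting'):.0%}")
    print(t.export_jsonl())
```

The point of the three indexes is that the same record answers three different questions without re-parsing a vendor export: who did this (producer review), what touched this file (E&O defense), and how is this workflow behaving (governance reporting). Whatever the vendor provides natively, the agency-side copy should be append-only and exportable in a format counsel can read.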

Carrier questionnaire patterns.

In 2026, carrier appointment and renewal questionnaires routinely include AI-specific questions. The exact wording varies, but the underlying patterns are consistent. The agency should be able to answer all of the following before the questionnaire arrives: whether it has a written AI use policy, which AI tools are approved, what staff training is in place, what the incident response process is, how vendor due diligence is done, and whether there have been any AI-related incidents in the past 12 months.

Some specialty carriers add line-of-business specific questions: AI use in underwriting submissions, claims documentation, producer-side automation. Expect this to expand over the next 18 months. A one-page summary that answers all the standard questions in writing is reusable across appointments and saves the operations team meaningful time.

The 90-day governance rollout.

Building defensible AI governance from zero in 90 days is realistic for most agencies. The shape that works: days 1-30, inventory, policy draft, and staff training; days 31-60, vendor diligence on the top three tools, audit trail setup, and the incident response protocol; days 61-90, a tabletop exercise, a refresh, and carrier questionnaire prep.

After day 90, governance becomes maintenance, not project work. Quarterly inventory refresh. Annual policy review. Immediate updates when new tools or regulations land. The first 90 days are the hard part; everything after that is upkeep.

For the operator-side playbook on AI in claims operations (where most of the governance scrutiny shows up first), see the AI in Claims Operations playbook.

FAQ

Governance questions.

Do insurance agencies need a written AI policy?

Increasingly yes. The NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers (December 2023) was adopted in some form by a majority of state insurance departments by mid-2025. Downstream questionnaires from carriers to agents now routinely ask whether the agency has a written AI use policy, an AI risk inventory, and an incident response process. Agencies that cannot answer get flagged.

What does the NAIC AI Model Bulletin require?

The bulletin sets expectations around governance, risk management, internal controls, and third-party AI vendor oversight. State adoptions vary, but the consistent themes are: a board-approved AI governance program, a documented risk assessment process, controls proportionate to the risk of each AI use case, and oversight of third-party AI vendors.

Does my agency E&O policy cover AI mistakes?

Probably partially, with gaps. Most agency E&O policies in 2026 do not explicitly carve out AI-related claims. Coverage gaps appear when the AI's behavior was unexpected, the audit trail is insufficient to defend, or the loss involves a third-party AI vendor's failure. Review the policy with your broker specifically for these scenarios.

What is the minimum viable AI policy?

Five components: inventory of AI tools in use, approval process for new tools, acceptable-use policy for staff, vendor diligence checklist, incident response protocol. Most agencies can have a defensible first version in two weeks.

What should an AI audit trail look like?

Five fields per AI action: timestamp, user, AI system and model version, input or prompt, output, and any user override. Retrievable per producer, per client, and per workflow.

What are carriers asking agencies about AI in 2026?

Written AI use policy, list of approved AI tools, staff training, incident response process, vendor due diligence, and any AI-related incidents in the past 12 months. Some specialty carriers add line-of-business specific questions.

Who owns AI governance inside the agency?

The agency owner or COO owns the policy. Day-to-day execution sits with a designated governance lead — typically the operations director, compliance officer, or a senior producer with technology comfort. The named owner matters more than the title.

How do I run an AI governance rollout?

A defensible 90-day rollout. Days 1-30: inventory, policy draft, staff training. Days 31-60: vendor diligence on top three tools, audit trail setup, incident response protocol. Days 61-90: tabletop exercise, refresh, carrier questionnaire prep. After 90 days, governance becomes maintenance.

Where this lives in CAIC

Modules 5 and 9.

This playbook is a compressed version of the AI governance methodology inside the Certified AI Insurance Credential (CAIC). Module 5 covers consulting engagement design (including how to advise an agency through this 90-day rollout). Module 9 covers the deeper AI safety, security, and E&O exposure layer, including NAIC alignment and state DOI considerations.