AI Governance and ORSA Reporting: A Guide for Insurers

  • May 8
  • 7 min read

How a well-designed AI governance program supports your ORSA Summary Report and the regulatory expectations now converging around it.


For insurers, two regulatory frameworks that used to live in separate filing cabinets are now expected to talk to each other.

The first is the Own Risk and Solvency Assessment (ORSA) — the annual self-assessment that insurers above the NAIC premium threshold must submit to their lead state regulator, describing their enterprise risk management framework, their material risks, and their forward-looking capital adequacy.


The second is the NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers, adopted in December 2023 and now adopted by roughly half of US states. The bulletin requires insurers to maintain a written AI Systems Program (an "AIS Program") covering governance, risk management, internal controls, third-party oversight, and consumer transparency for any AI used in regulated insurance practices.


The connection is straightforward but consequential: regulators now expect AI risk to be treated as a material enterprise risk, governed under your ERM framework, and reflected in your ORSA Summary Report. Insurers without a coherent AI governance program will struggle to produce the documentation an ORSA examiner — or a market conduct examiner — will ask for.


This post lays out where AI risk shows up across the three core sections of an ORSA report, what documentation regulators expect, and how a well-designed AI governance program produces those artifacts as a by-product of running the business rather than as a year-end fire drill.


A short primer on ORSA, for context


ORSA is required under the NAIC Risk Management and Own Risk and Solvency Assessment Model Act (#505), with state-level adoption through bulletins and regulations. Individual insurers with annual direct written and unaffiliated assumed premium of $500 million or more, and groups above $1 billion, are typically in scope. Property and casualty carriers, life and annuity writers, and health payers all fall under the same framework.

The ORSA Summary Report is generally structured around three sections:

  1. Description of the insurer's enterprise risk management framework — governance, risk culture, risk identification and prioritization processes, risk appetite and tolerances.

  2. Insurer's assessment of risk exposures — material risks identified, methodologies used to assess them, results in normal and stressed conditions.

  3. Group risk capital and prospective solvency assessment — forward-looking view of capital adequacy across business planning horizons, integrated with strategy.

AI risk is now expected to surface in all three.


ORSA is near-universally adopted — the AI Bulletin is catching up

ORSA Model #505 became an NAIC accreditation standard in 2017, which is why state adoption is effectively complete. Every state and the District of Columbia has implemented ORSA in some form, meaning every insurer above the premium threshold — regardless of where it is domiciled or licensed — is already subject to ORSA reporting.

Per NAIC tracking, the following 50 jurisdictions have adopted the Risk Management and Own Risk and Solvency Assessment Model Act (#505) in substantially similar form:

Alabama, Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, District of Columbia, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Puerto Rico, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Virgin Islands, Virginia, Washington, West Virginia, Wisconsin, and Wyoming.

Maine and New York have adopted portions of Model #505 and have related ERM and ORSA filing requirements through their own statutes and regulations — notably New York's Regulation 203 (11 NYCRR 82), which imposes ORSA filing obligations functionally equivalent to the model. The practical effect is that every meaningful US insurer is subject to an ORSA reporting regime.

The NAIC AI Model Bulletin, by contrast, is earlier in its adoption curve but accelerating. Roughly half of US states have adopted it since December 2023, including Alaska, Connecticut, Delaware, Hawaii, Illinois, Kentucky, Maryland, Massachusetts, Michigan, Nebraska, Nevada, New Hampshire, New Jersey, North Carolina, Oklahoma, Oregon, Pennsylvania, Rhode Island, Vermont, Virginia, Washington, and West Virginia, with several others — notably Colorado (Regulation 10-1-1) and New York (Insurance Circular Letter No. 7) — operating pre-existing or parallel AI regulatory regimes that go further than the bulletin in some respects.

The practical implication: if you are an insurer subject to ORSA — and almost every meaningful one is — then AI risk is already in your ORSA scope through the existing requirement to identify and assess all material risks under your ERM framework. The AI Model Bulletin clarifies and formalizes the expectations, but it does not create the underlying obligation. Insurers domiciled in states that have not yet adopted the AI bulletin should not assume they have more time; their ORSA examiners are already asking AI questions.

Where AI shows up in each ORSA section

Section 1 — ERM framework

Regulators reading this section want to see that AI oversight is part of the same governance fabric as financial, operational, and cyber risk — not a parallel program owned by data science. Specifically, examiners look for:

  • Board and senior management oversight of AI use, with documented charters and reporting lines

  • A written AIS Program aligned with the NAIC bulletin and a recognized framework such as the NIST AI Risk Management Framework

  • Cross-functional accountability that includes actuarial, underwriting, claims, compliance, legal, IT, privacy, and data science

  • Risk appetite statements that explicitly address AI-related risks

  • Reflection of AI governance in the Corporate Governance Annual Disclosure (CGAD), which the bulletin specifically calls out

Section 2 — Material risk assessment

AI rarely sits as a standalone risk in a risk register. It acts as an amplifier across categories regulators already understand:

  • Model risk — flawed models producing systematically wrong pricing, underwriting, reserving, or claims outcomes

  • Operational risk — failures in deployment, monitoring, incident response, or human oversight

  • Conduct and fair-treatment risk — unfair discrimination, biased outputs, or adverse consumer outcomes that violate UDAP, unfair claims settlement laws, or other state insurance regulations

  • Third-party and vendor risk — reliance on external models, datasets, or AI-enabled services without adequate diligence or contractual protections

  • Cyber and data risk — model inversion, prompt injection, training-data leakage, and the broader confidentiality, integrity, and availability (CIA-triad) concerns the bulletin highlights

  • Legal and litigation risk — class actions, enforcement, and reputational exposure tied to algorithmic decision-making

For each material AI use case — particularly higher-impact ones in underwriting, rating and pricing, claims handling, fraud detection, and marketing — examiners expect to see inventory, classification by potential consumer harm, validation evidence, ongoing monitoring metrics, and documented bias and fairness testing.

Section 3 — Prospective solvency assessment

This is where many insurers are still building muscle. AI-related scenarios increasingly belong in stress and scenario testing, including:

  • A material model failure or systemic mispricing event

  • A regulatory enforcement action or consent order tied to AI-driven outcomes

  • A class action arising from alleged discriminatory algorithmic decisions

  • Vendor model failure or sudden withdrawal of a critical third-party AI service

  • Reputational and policyholder-trust impact of a public AI incident

Quantifying these is genuinely hard, and regulators understand that. What they look for is evidence the insurer has thought structurally about AI-driven tail risk and reflected it in capital planning rather than treating AI as a benign efficiency play.

How an AI governance program produces what ORSA needs

The insurers who treat ORSA preparation as a year-end document assembly exercise spend the most and produce the weakest reports. The insurers who build governance infrastructure that runs continuously have most of the artifacts ready before the ORSA process even begins. A well-designed AI governance program produces the following ORSA-ready outputs as a natural by-product of operations:

  • A live AI inventory. A complete catalog of AI systems in use — internal and third-party, in production and in pilot — with use case, business owner, model type, data sources, status, and risk classification. This is the foundation of Section 2.

  • Risk classification and impact assessments. Standardized assessments that score each AI system against the bulletin's "degree of potential harm to consumers" expectation, mapped to specific regulated insurance practices.

  • Policy and control documentation. Written AIS Program policies — model lifecycle, validation, monitoring, change management, human oversight, incident response, vendor management, consumer notice — that examiners can read and tie to specific use cases.

  • Continuous monitoring evidence. Performance metrics, drift detection, bias and fairness testing results, override and exception rates, and complaint correlation. These feed both Section 2 risk assessments and Section 3 stress scenarios.

  • Vendor and third-party files. Diligence records, contract terms preserving audit and cooperation rights, and evidence of ongoing oversight of third-party data and model providers.

  • Immutable audit trails. Records of who approved what, when, and why — across model deployment, configuration changes, and incident response. This is where most manual-process governance programs fall apart under examination.

  • Consumer-impact documentation. Records of notice provided, decisions made or supported by AI, and adverse-outcome reviews — particularly important under the bulletin's Section 4 examination expectations.

When governance is built this way, the ORSA narrative writes itself: the report references a living program rather than describing aspirations.

How ALIGNMT supports this

ALIGNMT AI is built on the principle that AI governance has to layer onto production workflows in real time, not run as a parallel compliance exercise. For insurers facing the AI-risk-meets-ORSA convergence, the platform provides:

  • A centralized inventory of AI systems with status, versioning, ownership, and compliance mapping

  • Policy templates aligned with NAIC bulletin expectations, NIST AI RMF, EU AI Act, and adjacent regulatory regimes, customizable to your AIS Program

  • Continuous monitoring of deployed AI systems for performance, drift, and bias — without exposing sensitive customer or claimant data

  • Structured change management for model and configuration updates, with reviews tied to compliance requirements

  • Immutable audit trails covering AI inventory decisions, approvals, and incident response

  • Role-specific training modules so business, technical, and compliance teams can demonstrate AI literacy

  • Audit-ready reporting that converts day-to-day governance evidence into the documentation regulators ask for during ORSA, market conduct, and financial examinations

The result is governance infrastructure that does double duty: it reduces the operational risk of AI in production and produces the artifacts your ORSA filing, Corporate Governance Annual Disclosure, and examination responses already require.

Where to start

If you are an insurer above the ORSA premium threshold, three near-term steps consistently pay off:

  1. Inventory and classify every AI system touching regulated insurance practices, including third-party models, and tier them by potential consumer impact.

  2. Map your AIS Program to the NAIC bulletin's four sections and identify the documentation gaps your next ORSA filing would expose.

  3. Operationalize continuous monitoring for your highest-impact use cases — underwriting, rating and pricing, claims handling, fraud detection, and reserving — so that ORSA Section 2 and Section 3 narratives are backed by live evidence rather than point-in-time attestations.

Insurers who do this early gain more than a cleaner ORSA filing. They build the governance posture that lets them deploy more AI, faster, with regulators on side.
