The NAIC Is Building Enforcement Infrastructure for AI in Insurance While the Cyber Threat Landscape Accelerates Around It

Two things are happening simultaneously in insurance right now, and neither has fully caught up to the other.

On one side, state insurance regulators are moving from principles to enforcement infrastructure on AI governance. The NAIC's Model Bulletin on the Use of Artificial Intelligence Systems by Insurers, adopted in December 2023, has now been adopted by approximately 25 states. A multistate AI Evaluation Tool pilot launched in January 2026 and will run through September across 12 participating states. The NAIC published a formal Issue Brief in March 2026 staking out its position against federal preemption of state AI regulation. An AI Systems Evaluation Tool is being developed to guide regulators during market conduct exams, financial analysis, and financial examinations.

On the other side, Anthropic's Project Glasswing announcement revealed that its Claude Mythos Preview model has found thousands of zero-day vulnerabilities across every major operating system and web browser, including bugs that survived decades of human review. Chubb's Evan Greenberg, speaking on the company's first quarter 2026 earnings call, called the resulting dynamic an "arms race" and told analysts that AI tools like Mythos have lowered the threshold for what counts as a vulnerability, allowing attackers to chain together individually minor issues into serious exposures. Bain & Company published an analysis arguing that most organizations need to double their cybersecurity spending, characterizing planned 10% annual increases as falling far short of what the threat now demands.

The regulatory buildout and the threat acceleration are on a collision course. The question is whether carriers, brokers, and the regulatory infrastructure itself can move fast enough to keep the two aligned.

Where the NAIC Regulatory Infrastructure Actually Stands

The NAIC's approach to AI regulation has been deliberately incremental, and that incrementalism is now producing tangible enforcement mechanisms.

The Model Bulletin itself is principles-based. It reminds insurers that decisions made or supported by AI must comply with existing insurance laws, including unfair trade practices and unfair discrimination statutes. It requires insurers to adopt a written AI governance program, the AIS Program, covering the use of AI across the insurance lifecycle: underwriting, rating, pricing, claims administration, fraud detection, and marketing. It establishes expectations around transparency, fairness, accountability, and risk management.

What has changed in 2026 is the shift from guidance to implementation tooling. The multistate AI Evaluation Tool pilot is designed to give regulators a structured framework for examining how insurers actually govern their AI systems during market conduct actions and financial examinations. Twelve states are participating, each developing project summaries and meeting monthly to share progress. The pilot is intended to determine whether the tool helps insurers clearly explain their AI governance to regulators, and to create long-term recommendations for how AI should be assessed in regulatory review processes.

The practical implication is significant. Carriers operating in pilot states should expect that their next market conduct exam may include specific questions about AI governance, model inventories, testing protocols, third-party vendor oversight, and documentation of how AI systems influence consumer-facing decisions. The Evaluation Tool covers data integrity, risk management controls, transparency procedures, and audit processes. Carriers that have treated the Model Bulletin as a compliance checkbox rather than an operational governance framework are going to find those examinations uncomfortable.

The NAIC's March 2026 Issue Brief adds a federal dimension. In it, the NAIC argues explicitly against federal preemption of state AI regulation, noting that state regulators have already built meaningful supervisory infrastructure, including AI-specific principles, interpretive guidance, and examination tools, and that preemptive federal legislation would displace that work and leave consumers with diminished protections. The NAIC's position is that AI is a tool used in underwriting, pricing, claims, fraud detection, and utilization management, and that existing state insurance laws apply regardless of whether decisions are made by humans, algorithms, or third-party vendors.

For carriers operating across multiple states, this means navigating a patchwork of adoption timelines. Approximately 25 states have adopted the Model Bulletin, but implementation specifics vary. Connecticut, Rhode Island, and Vermont were among the earliest adopters. New York issued its own circular letter. States that have not yet adopted the bulletin may still reference its principles during examinations. The practical compliance challenge is not whether to build an AI governance program, but how to build one that satisfies the most demanding state requirements while remaining operationally manageable across jurisdictions.

The Mythos Effect on Cyber Underwriting

While regulators build the infrastructure to examine how carriers use AI internally, the external threat landscape is moving faster than most carrier risk models anticipated.

Anthropic's Claude Mythos Preview has demonstrated the ability to find vulnerabilities that automated tools had passed over millions of times and that survived decades of expert human review. Chubb's Greenberg described the dynamic in unusually concrete terms on the Q1 earnings call. He noted that Mythos can read and analyze code at scale, and that because many organizations use open-source components, AI tools can now find vulnerabilities before the software suppliers themselves are aware of them. The critical nuance Greenberg added is that finding a vulnerability does not mean a patch exists. The discovery-to-remediation gap, the window between a bug being found and a fix being available and actually deployed, is where the risk concentrates.

From an underwriting perspective, Greenberg redrew Chubb's cyber risk map along familiar segmentation lines but with updated threat assessments. Large corporate buyers, with the resources to invest in robust cybersecurity and disciplined hygiene, are relatively well-positioned. Very small companies are less attractive individual targets but create systemic concerns when aggregated. The middle market, in Greenberg's words "the biggest meatball," is the most exposed segment: attractive enough to target, large enough to have meaningful assets at stake, and generally less capable at cybersecurity hygiene than their risk profile warrants.

That segmentation has direct implications for pricing and policy conditions across the cyber book. Fitch Ratings noted in a recent cyber insurance marketplace brief that while AI tools can help with vulnerability analysis, the technology also lowers barriers for attackers, expands third-party risks, and could materially increase attack volume. Bermuda Monetary Authority data shows that cyber claims costs nearly doubled from $521.9 million across 19,680 claims in 2023 to $903.6 million across 93,757 claims in 2024, even as rates softened.

The World Economic Forum's Global Cybersecurity Outlook 2026 flagged a growing gap between the pace of cyberthreats and organizations' ability to respond, noting that more than 60% of organizations say geopolitical tensions have already affected their cybersecurity strategies. Bain's analysis went further, arguing that Claude Mythos is a signal rather than the threat itself, because other frontier models, including those from OpenAI and Google, already have comparable capabilities in development. The era of AI-enabled attacks at scale has arrived, and most organizations have significantly underinvested in cybersecurity as a direct result of boards and executive teams repeatedly deprioritizing it.

For cyber underwriters, this creates a tension. The underwriting tools are getting better at the same time the threat surface is expanding. AI-assisted vulnerability scanning may eventually become a standard part of risk assessment, but in the near term, the asymmetry between discovery capability and remediation capacity means that more known vulnerabilities do not automatically translate to more secure insureds: a finding reduces an insured's exposure only once a patch exists and has been rolled out, and until then it is simply a known open door. The World Economic Forum noted that more visibility does not automatically mean more security if organizations lack the capacity to act on what they find.

Where These Two Threads Converge

The convergence point is straightforward but underappreciated. The NAIC is building regulatory infrastructure to examine how carriers use AI in underwriting, claims, and pricing. Simultaneously, AI is transforming the threat landscape that cyber underwriters are trying to price. The carriers that navigate this successfully are the ones that treat AI governance not as a compliance exercise but as the operational foundation for underwriting in an AI-transformed risk environment.

Consider the practical chain of events. A carrier deploys an AI-assisted underwriting model for cyber risk. The model ingests vulnerability scan data, claims history, and exposure metrics to generate pricing recommendations. If the carrier is in a state participating in the NAIC's Evaluation Tool pilot, regulators may examine how that model was developed, how it is monitored, what testing was performed, how third-party data vendors were vetted, and what controls prevent unfairly discriminatory outcomes.

Simultaneously, the threat landscape that model is attempting to price is shifting on a quarterly basis as frontier AI models like Mythos reveal new categories of vulnerability and lower the cost of attack orchestration. A model that was well-calibrated six months ago may be materially mispricing risk today if it does not account for the acceleration in AI-enabled threat capabilities.

The carriers best positioned for this environment are the ones building AI governance programs that satisfy regulatory requirements while also being operationally responsive enough to update risk models as the threat landscape evolves. Static governance frameworks that document a model at the point of deployment but do not include ongoing monitoring, recalibration, and model risk management processes will satisfy the letter of the Model Bulletin but not the spirit, and will leave the carrier exposed both regulatorily and actuarially.

What Practitioners Should Be Doing Now

For carriers, the priorities are concrete. First, treat the NAIC Evaluation Tool as a self-assessment benchmark regardless of whether your domiciliary state is participating in the pilot. The tool provides a structured framework for the kinds of questions regulators will eventually ask everywhere, and building your governance documentation against that framework now is significantly cheaper than building it reactively during an examination.

Second, revisit cyber portfolio assumptions in light of the Mythos-driven acceleration. The middle-market segment that Greenberg flagged as most exposed is also the segment where many carriers have grown their cyber books most aggressively over the past three years. If your pricing models do not account for the shift from human-driven to AI-assisted vulnerability discovery on both the offensive and defensive sides, the loss ratios that looked adequate in 2024 may not hold through 2027.

Third, build AI governance and cyber risk management as connected functions rather than separate compliance tracks. The NAIC's framework emphasizes that AI governance, including data integrity, model monitoring, and third-party vendor oversight, requires robust cybersecurity controls. In a world where AI is both the underwriting tool and the source of the risk being underwritten, the firewall between AI governance and cyber risk management is artificial.

For brokers, the implication is that the cyber conversation with clients needs to evolve beyond "do you have multi-factor authentication" toward "how are you preparing for AI-accelerated vulnerability discovery, and what does your remediation pipeline look like," meaning how quickly a newly disclosed flaw in a dependency is identified in the client's own inventory, patched, and verified. The carriers that are tightening underwriting standards in response to the Mythos-era threat landscape are going to require more granular security posture data from applicants, and brokers who can guide clients through that process will differentiate themselves.

For everyone in the industry, the regulatory trajectory is clear even if the timeline varies by state. AI governance is moving from guidance to enforcement, the threat landscape that AI underwriting models are trying to price is changing faster than most models can adapt, and the carriers, brokers, and regulators that treat these as connected problems rather than parallel workstreams will be the ones that navigate the next three years successfully.

The Takeaway

The insurance industry is in the early stages of a period where AI is simultaneously the tool, the risk, and the regulatory focus. The NAIC is building the examination infrastructure to hold carriers accountable for how they use AI. Frontier models like Mythos are redefining the cyber threat landscape faster than most carrier risk models anticipated. And the convergence of these two dynamics is creating both operational complexity and competitive opportunity for practitioners who see the full picture.

The carriers that build responsive, well-documented AI governance programs will satisfy regulators and build better risk models. The brokers that understand both the regulatory trajectory and the evolving threat landscape will add the most value to their clients. And the industry as a whole will benefit from treating AI governance and cyber risk management as the same conversation rather than separate line items on a compliance checklist.

The regulatory infrastructure is being built right now. The threat landscape is accelerating right now. The window to get ahead of both is not unlimited.

Fabio Faschi is an Insurance leader, Founder of Scholarus AI and Hogglet.com, National Producer, Board Member of the Young Risk Professionals New York City chapter and Committee Chair at RISE with over a decade of experience in the insurance industry. He has built and scaled over a dozen national brokerages and SaaS-driven insurance platforms. Fabio's expertise has been featured in publications like Forbes, Consumer Affairs, Realtor.com, Apartment Therapy, SFGATE, Bankrate, and Lifehacker.
