Colorado’s July 2026 AI Compliance Reports Set the Operational Floor for National Carriers
Deck: The amended Regulation 10-1-1 imposes a hard July 1, 2026 deadline for full governance framework implementation and annual SERFF compliance reports covering AI and ECDIS use in underwriting, pricing, claims, and marketing. With NAIC Model Bulletin adoption in roughly two dozen other states still focused on expectations rather than timed public filings, Colorado’s requirements are becoming the practical national standard.
The Deadline That Changed the Timeline
Insurers authorized in Colorado that use External Consumer Data and Information Sources (ECDIS), algorithms, or predictive models now face a concrete 2026 milestone. The Division of Insurance’s amended Regulation 10-1-1, effective October 15, 2025 and expanded to private passenger automobile and health benefit plans, requires covered carriers to have their full governance and risk management framework in place and available to examiners by July 1, 2026, with the first standardized annual compliance reports due in SERFF on the same cycle and each July 1 thereafter.
The framework is not a policy binder. It must include an inventory of every ECDIS variable and model, documented quantitative testing for unfair discrimination (including proxies such as ZIP code, spending patterns, education, or occupation that correlate with protected classes), ongoing monitoring protocols, vendor oversight procedures, remediation steps when disparities appear, and clear senior management accountability. Non-users file a simple annual attestation by December 1; users file the substantive report.
This is the first US state insurance regime to pair a specific calendar date for full operational readiness with a recurring public filing that names the responsible officers.
How the Rules Actually Operate
SB 21-169 (2021) prohibits unfair discrimination in insurance practices when ECDIS or models are involved. Regulation 10-1-1 translates that prohibition into process. Insurers must maintain a cross-functional governance group, run statistical tests (often using Bayesian Improved Surname Geocoding or approved alternatives to infer race/ethnicity), document why any variable that correlates with protected characteristics is retained, and show reasonable steps to mitigate harm.
The 2025 amendment did more than add auto and health lines. It converted what had been an evolving expectation into a hard implementation date plus recurring attestation. Bulletin B-10.004 provided interim relief on the granularity of quantitative testing descriptions for the 2024 and 2025 reporting cycles; that relief is not expected to carry forward once the July 1, 2026 reports are due.
Senior officers must effectively stand behind the program. The annual SERFF filing requires identification of the individuals responsible for each element of Section 5 compliance. That creates a personal accountability layer that pure NAIC-adoption states have not replicated at the same granularity.
The National Alignment Effect
Twenty-four to twenty-six states (plus DC) have adopted the NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers with little or no material change. Those adoptions emphasize governance, risk management, and fairness principles. They do not, in most cases, impose a single hard date by which a carrier must produce a complete inventory, completed bias testing methodology, and officer-attested compliance report for public filing.
A national property-casualty or life carrier with licenses in Colorado and twenty other NAIC states faces a simple choice. It can maintain twenty different compliance postures, or it can build once to the strictest and most specific set of operational requirements it actually faces. Colorado’s July 1, 2026 package — documented framework on demand plus named-officer SERFF report — is the clearest target.
The practical result is already visible in vendor briefings and compliance calendars: multi-state carriers are treating the Colorado standard as the baseline for model documentation, testing infrastructure, and board reporting packages. Reinsurers and MGAs serving those carriers are being asked for the same artifacts.
Colorado also benefits from a safe-harbor interaction with the state’s broader AI Act (SB 24-205). Insurers that satisfy the insurance-specific rules and Regulation 10-1-1 receive a compliance carve-out for high-risk AI uses in insurance. That linkage gives carriers a single coherent program to defend rather than two overlapping regimes.
What Changes on the Ground
Carriers are building or buying three new capabilities at once:
- An authoritative inventory of every data source and model touching Colorado policyholders or applicants.
- Repeatable quantitative testing pipelines that can be re-run on material model changes or on a scheduled basis.
- A governance record that can be produced to the DOI on short notice without a six-week scramble.
Smaller regional carriers are feeling the resource pinch most acutely. Larger national writers are absorbing the cost into existing model-risk and compliance functions, but they are also re-evaluating marginal AI use cases in pricing and underwriting where the testing burden may outweigh the lift.
Plaintiff exposure is real but secondary to the regulatory obligation. A plaintiff can point to a documented disparity that was not remediated, or to a governance framework that existed only on paper. The bigger near-term pressure is simply the filing itself: if the DOI asks for the framework on July 2, 2026 and the carrier cannot produce it in usable form, the enforcement conversation starts immediately.
The Precedent, Not the Exception
Other states will watch the first July 1, 2026 filings and the DOI’s examination findings. If Colorado demonstrates consistent enforcement and publishes usable guidance on acceptable testing methodologies, the template effect strengthens. If the first cycle produces mostly process complaints and extensions, the de-facto floor softens.
For carriers, the calculation is straightforward. The cost of building a Colorado-grade program once is lower than the cost of defending multiple enforcement theories, managing twenty different examiner expectations, and explaining to a national board why the company maintained weaker controls in one of its largest markets.
The July 1, 2026 date is therefore not just a Colorado compliance exercise. It is the date on which the most specific US insurance AI governance requirement becomes the working standard for any carrier that cannot afford to ignore it.
Sources
- Colorado Division of Insurance, “Protecting Consumers from Unfair Discrimination in Insurance Practices (SB 21-169)”: https://doi.colorado.gov/for-consumers/sb21-169-protecting-consumers-from-unfair-discrimination-in-insurance-practices (includes amended Regulation 10-1-1 text, filing instructions, and Bulletin B-10.004).
- NAIC, Implementation of NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers (map and status as of April 2026).
- Willkie Farr & Gallagher LLP, “Colorado Division of Insurance Adopts Amended AI Governance Regulation” (Sept 2025) and related analyses detailing the July 1, 2026 full-implementation and annual reporting milestone.
- Faegre Drinker, “Colorado Division of Insurance Expands AI-Related Governance and Risk Management Obligations for Insurers” (2025).
- NAIC, Key Facts and Market Trends — Colorado (insurer licensing counts).
Discussion
Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.