Insurance companies have moved past asking whether to use AI. Now the focus is on making it work, getting AI embedded into core workflows and delivering real, measurable results.
The AI execution phase brings its own urgency, and with it, new exposures. The faster AI moves into underwriting, claims, and coverage decisions, the more it attracts regulatory attention. Carriers that treat compliance as something to sort out after deployment are learning that regulators aren't waiting.
Colorado made that point clear last fall. The state is the first in the country to specifically regulate how insurers use AI and external consumer data.
The Division of Insurance (DOI) put Regulation 10-1-1 into effect in October 2025, setting clear documentation and oversight requirements for life, private passenger auto, and health benefit plan insurers that use external consumer data, algorithms, and predictive models.
These regulations apply to any insurer authorized to do business in Colorado, regardless of where the company is headquartered. Now, any insurer writing life, auto, or health benefit plans in Colorado is subject to the same requirements as a Colorado-based insurer.
Regulation 10-1-1 focuses on how insurers use external consumer data and information sources (ECDIS) and the algorithms or predictive models built on that data.
Think credit scores, purchasing behavior, telematics data, social media activity, and similar inputs that increasingly influence underwriting and claims decisions. The regulation is explicitly designed to ensure that the use of ECDIS and predictive models doesn't result in algorithmic discrimination.
The regulation originally applied only to life insurers. The 2023 amendment expanded it to cover auto and health carriers. Under the rule, insurers must build a formal governance and risk management framework, approved at the board level and documented. Oversight and controls must be proportional to the potential impact of each model, and insurers must be ready to produce that documentation on request.
Insurers that rely on third-party vendors for any of these systems remain on the hook. The regulation makes clear that outsourcing the work doesn't outsource the accountability. That applies to every external consumer data source, algorithm, and model in the vendor's stack.
At its core, the regulation is focused on preventing unfair discrimination and ensuring that insurers can explain, test, and defend how models influence decisions. That expectation shifts AI from a technology initiative into a governed operational capability, with accountability that reaches from model design to consumer impact.
Regulation 10-1-1 doesn't exist in a vacuum. Colorado's original omnibus AI Act, SB24-205, has been repealed and replaced. On May 14, 2026, Governor Polis signed SB26-189, a comprehensive rewrite that significantly narrows the 2024 law’s requirements. The new law drops the requirements for mandatory impact assessments and bias audits. Instead, it focuses on transparency and consumer rights.
People must be told when AI is used to make important decisions about them, and they have the right to request human review of those decisions. It covers insurance, employment, housing, healthcare, and financial services, among others. Most requirements take effect January 1, 2027.
There’s a direct upside for insurers already working under Regulation 10-1-1. SB26-189 includes an explicit provision stating that insurers subject to Colorado’s existing algorithmic discrimination rules are deemed compliant with the new law. In other words, carriers that have built out their Regulation 10-1-1 programs aren’t starting over. The work counts toward both.
That connection matters across the organization. Risk managers, compliance teams, actuaries, product managers, and technology leaders all need to understand how these frameworks work together. The regulatory picture is still shifting, at both the state and federal level. Insurers that treat governance as an ongoing discipline rather than a one-time project will be better prepared as the rules continue to develop.
The December 2025 compliance narrative report deadline for auto and health carriers has passed. And annual compliance reports under Regulation 10-1-1 begin in July 2026.
For SB26-189, the Colorado Attorney General is now writing the implementing rules, with most requirements taking effect January 1, 2027. Enforcement timing could shift depending on how ongoing litigation over the prior law plays out.
For executive teams, the near-term priorities are straightforward:
Confirm that board-level oversight of AI and data governance is formally documented and assigned.
Map every external consumer data source and predictive model in use, including any managed through third-party vendors.
Verify that testing and bias-detection protocols are in writing and current.
Check that consumer-facing adverse action and complaint processes account for algorithmic decisions.
If your organization is still building out its governance structure, we’ve created resources on AI governance committees and what CIOs need to know before deployment to provide useful starting points for framing the work that lies ahead.
Colorado continues to set the pace on insurance AI regulation, and its latest move is a reminder that the rules are still taking shape. The shift from mandatory audits to transparency and disclosure reflects a broader trend. States are rethinking how to regulate AI without slowing it down.
The governance habits insurers are building now will carry over as other states develop their own rules, each on its own timeline. For a broader look at what carriers need to track across the country, this overview of AI-related insurance regulations covers the national picture.
Carriers that view Regulation 10-1-1 as a foundation rather than a burden are already ahead of the curve. Colorado was the first state to specifically regulate how insurers use AI and external consumer data, and that work isn’t going away. It’s evolving.
Insurers that document their models, stay accountable, and keep consumers informed are building the kind of operational discipline that earns trust from regulators, partners, and policyholders. In a market where AI is rapidly becoming standard practice, how you govern can deliver a powerful competitive advantage.