AI regulation for insurance: what the global map actually shows
AI regulation for insurance is not a single wave. It’s an EU statute, a US state patchwork, a Singapore framework that redefines what counts as AI in the first place, a Chinese regime built on algorithm filing, and a long tail of jurisdictions whose insurers are adopting AI faster than the regulators are writing rules. The map is less about compliance deadlines and more about which authority owns the question in each country.
This article walks through the patterns visible on the live AI regulation map — the ones that shape what an insurance AI governance programme actually has to cover.
The EU AI Act is the regulatory anchor
Twenty-plus EU and EEA countries show as “Binding” on the map. The single reason is the EU AI Act, which classifies AI systems used for insurance pricing, risk assessment, and claims decisions as high-risk under Annex III. The high-risk compliance deadline is 2 August 2026. After that, an insurer deploying a high-risk AI system without completing a conformity assessment, fundamental rights impact assessment (FRIA), logging infrastructure, and human oversight protocols is in breach.
The AI Act’s gravity extends beyond its borders. Norway and Iceland will align via the EEA. Switzerland’s FINMA is explicitly watching the Act for cross-border alignment. Italy went further and enacted its own national AI law in October 2025, layering additional provisions on top of the EU text. Luxembourg’s draft bill 8476 designates the Commissariat aux Assurances as the specific market-surveillance authority for insurance AI — a clarity most EU countries have not yet reached.
The quieter effect is on international groups. A US or UK insurer writing risk through an EU subsidiary, or through a reinsurance programme that touches EU cedants, inherits the Act’s requirements on those contracts even though its home jurisdiction is not binding. The compliance perimeter is bigger than the map colour suggests.
What the EU Act does not do is give insurance-specific answers. Annex III tags insurance as high-risk, but the implementation detail — how to document a pricing model’s fairness testing, what counts as meaningful human oversight on automated claims triage, how to scope the FRIA for a retention model — is left to the insurer and its supervisor to work out. That work is happening now, not in 18 months.
The US patchwork is more insurance-specific than the EU
There is no federal US AI law. What exists instead is the most insurance-specific body of AI regulation anywhere — the NAIC Model Bulletin on AI, published December 2023, now adopted in 24+ states.
The Model Bulletin is specific in a way the EU AI Act is not. It names the functions it covers — underwriting, pricing, claims, fraud detection, marketing — and sets expectations for a written AIS governance programme, board-level oversight, third-party model risk management, and consumer outcome testing. Insurers that had a model risk management function from SR 11-7 or OSFI E-23 already had most of the scaffolding. Those that did not had to build it.
The state-level overlay matters. The Colorado AI Act (SB 24-205) took effect 1 February 2026 and requires bias prevention, disclosure, and documented risk management for high-risk AI systems. Virginia HB 2094 mirrors Colorado’s approach. The California AI Transparency Act came into force January 2026. Connecticut’s SB 3 restricts automatic AI-driven claim denials in health insurance. At least 17 states have introduced insurance-specific AI bills; most are built on the NAIC Model Bulletin as a template.
The IAIS Application Paper on the Use of AI Systems by Insurers, published July 2025, sits above all of this as the international-standard reference. Regulators cite it; insurers operationalising AI governance are reading it as the closest thing to a global baseline.
The practical implication is that a US insurer writing in 10 states today probably has 10 slightly different compliance postures. The Model Bulletin harmonises most of it. State overlays on disclosure, bias testing cadence, and consumer notification do not fully align.
Singapore redefined what AI is
The Monetary Authority of Singapore did something in Project MindForge (2023) that no other regulator has yet replicated: it broadened the definition of AI to cover any model that learns from data. Under that definition, a GLM used for personal lines pricing is AI. A credibility-adjusted frequency model is AI. A decision tree used for underwriting triage is AI.
This matters because most actuarial teams have been building these models for thirty years without calling them AI. Under MindForge, all of them fall inside the MAS AI risk management framework — fairness testing, explainability, model risk governance, logging, and lifecycle controls.
MAS issued comprehensive AI Risk Management Guidelines for consultation in November 2025, with a 12-month transition once finalised (expected mid-2026). The guidelines bake MindForge’s definition in and extend it with proportional governance — high-impact insurance AI models face the strictest controls, lower-impact models face proportional ones. The Veritas toolkit and AI Verify testing framework exist to support implementation.
Singapore is the clearest template in APAC. Hong Kong’s Insurance Authority and the HKMA reference similar principles. Malaysia’s BNM has issued technology risk management guidance covering AI. None yet match MindForge’s breadth of definition.
China regulates via algorithm filing
China’s AI regime is binding, not principles-based. The Interim Measures for Generative AI (August 2023), Deep Synthesis Provisions, and Algorithmic Recommendation Rules together form the most comprehensive binding AI regulation in Asia. The NFRA (insurance supervisor) expects governance of AI used in insurance sales, pricing, and claims. Recommendation-type AI must be filed with the Cyberspace Administration of China.
The filing requirement is operationally different from the EU Act’s conformity-assessment approach. Insurers deploying AI that makes recommendations to consumers must submit the algorithm, its training data description, and its use case to the CAC. This creates a paper trail no other jurisdiction currently requires at that scale.
The UK and Australia run a pragmatic middle
The UK has no AI statute. The FCA and PRA apply existing frameworks — PRA SS1/23 on model risk management, FCA Consumer Duty on AI-driven outcomes, and sector-level principles. The approach is working, partly because UK insurers already operate under a heavy supervisory regime that happens to capture AI risk under existing lenses. Whether this remains sufficient through the next wave of generative AI deployment is an open question the AI Safety Institute is effectively testing in real time.
Australia operates similarly. APRA’s CPS 220 (Risk Management) and CPS 230 (Operational Risk) cover AI without naming it. The government’s mandatory AI guardrails consultation (2024) is still ongoing; in the meantime, insurance AI is governed under existing prudential standards. The Voluntary AI Ethics Framework fills the gap.
The middle path has a ceiling. Principles-based supervision works when the supervisor has deep engagement with the regulated entity. It breaks when AI deployment scales faster than supervisor capacity. Most UK and Australian supervisors are now hiring specifically for AI oversight — a signal that the current approach is being stretched.
South Korea and Canada are moving asymmetrically
South Korea’s AI Basic Act passed January 2025 and took effect January 2026. It establishes risk-based classification and requires impact assessments for high-risk AI. The FSS oversees financial services AI, layering expectations onto an insurance sector already under heavy data-reporting pressure from K-IFRS 17.
Canada’s AIDA (Artificial Intelligence and Data Act) was proposed but has stalled in Parliament. OSFI Guideline E-23 on model risk management remains the effective baseline for federally regulated insurers. The gap between Korea and Canada on statutory AI regulation is meaningful — Korean insurers have firm compliance deadlines; Canadian insurers do not.
Africa is largely unregulated, with South Africa as the exception
Most African jurisdictions show as “Minimal” or “Emerging” on the map. In South Africa, POPIA (data protection) applies to AI processing, and the FSCA expects governance of AI under the Conduct of Financial Institutions framework and TCF (Treating Customers Fairly) principles. The Prudential Authority has not issued insurance-specific AI guidance yet but is expected to do so as CoFI is finalised.
Nigeria, Kenya, Rwanda, and Egypt are at the emerging stage — national AI strategies published, no binding insurance-specific rules. Rwanda is collaborating with Singapore on the AI Playbook for Small States, which is notable; it suggests a Singapore-template approach could take root in African jurisdictions sooner than an EU or US one.
The practical reality: African insurers deploying AI today are governing it under general prudential and data-protection frameworks, not AI-specific ones. The opportunity is to build governance that can satisfy future regulation before it lands. The risk is that first-wave AI deployments embed biases or data practices that subsequent regulation will force unwinding.
The Middle East is framework-driven, not statute-driven
Saudi Arabia, UAE, and Bahrain all sit on “Framework” status. SAMA, CBUAE, and the CBB expect governance of AI in financial services without prescribing a statute. DIFC has published its own AI Principles for financial services. ADGM operates a parallel framework.
This is a region where the gap between stated framework and observed practice is the smallest anywhere. SAMA sandboxing, UAE’s Minister of State for AI, and the DIFC’s AI Principles all reflect active regulatory engagement, not passive observation. Insurance AI in the Gulf is governed today, via direct supervisor relationships, even without a binding statute.
The insurance-specific gap
Most AI frameworks are not insurance-specific. The EU AI Act tags insurance as high-risk but uses Annex III generic text. South Korea’s AI Basic Act is sector-agnostic. China’s regime covers algorithmic recommendation broadly. The UK and Australia apply general principles.
The exceptions are the NAIC Model Bulletin in the US, the IAIS Application Paper (July 2025) as the international reference, Singapore’s MAS framework with its MindForge definition, and scattered supervisor guidance — DNB in the Netherlands, FSCA in South Africa, FSS in Korea.
The insurance-specific detail matters because AI in underwriting and claims presents risks that generic frameworks cannot fully anticipate: portfolio-level redlining, protected-class proxy discrimination via rating factors, claims-triage feedback loops, and fairness testing at the granularity of coverage bands. A generic AI statute does not tell an insurer how to run fairness testing on a 200-variable auto rating model. The NAIC Model Bulletin and the IAIS Application Paper are the closest existing answers.
Where the map is going
The EU AI Act’s high-risk compliance deadline lands 2 August 2026 — the single most important date on the map. The NAIC is expected to release a draft model law in 2026, which would consolidate the state patchwork. MAS guidelines will be finalised in mid-2026 with a 12-month transition. South Korea’s Basic Act is already live.
The next wave will be climate + AI coupling. Singapore’s MAS is closest to treating them as a combined governance question; most other regulators treat them separately. That separation will not hold as climate risk modelling increasingly depends on AI.
The map will gain colour through 2026 and 2027. The harder question — who owns the insurance-specific answers that generic AI frameworks do not provide — will take longer to resolve.