Every conversation about AI in an insurance agency eventually hits the same wall. An agent gets excited about the time they’ll save — drafting renewals, qualifying leads, answering the phone at midnight — and then someone in the room asks the question that stops the meeting cold: “And who’s responsible when it gets something wrong?”
It’s the right question. And in 2026, the answer is no longer fuzzy. The regulators have arrived, the rules are written, and the principals who freeze — or who go reckless — are both making expensive mistakes. The agencies that win are the ones treating compliance not as a reason to avoid AI, but as the discipline that lets them deploy it safely and pull ahead. This guide lays out the actual 2026 landscape — NAIC, CMS, and the states — and gives you a framework you can run without a legal department.
Key takeaways
- Using AI does not transfer liability. The licensed agent remains responsible for what AI drafts, quotes, or recommends.
- 24 states plus D.C. have adopted the NAIC AI Model Bulletin, and several more have their own AI rules — over half the country now regulates insurer AI.
- In 2026, 12 states are piloting the NAIC's AI Systems Evaluation Tool — examiners are about to start checking AI governance directly.
- For Medicare, CMS still requires the TPMO disclaimer and that sales calls be recorded and retained for 10 years — AI or not.
- The compliant pattern is "human-approved automation": AI drafts, qualifies, and logs; the licensed agent reviews, approves, and owns the outcome.
Who's liable when AI gets it wrong
Start with the principle that governs everything else, because it’s the one agents most want to wish away: using AI does not move your liability anywhere. If an AI tool miscalculates a premium, leaves out a material detail, misreads a plan’s coverage rules, or generates a piece of client communication that turns out to be wrong, the licensed agent who relied on it is the one holding the bag. The model didn’t sign the application. You did.
This is the consistent message from every corner of the regulatory world in 2026. Regulators expect human oversight, transparency, and procedural fairness in any AI deployment — and they’ve been explicit that “the algorithm did it” is not a defense. As the American Agents Alliance has warned producers directly: if an AI model miscalculates or misconstrues coverage and you act on it, you can be held liable for the AI’s faulty recommendation. Your errors-and-omissions exposure doesn’t shrink because you added software; if anything, sloppy AI use expands it.
"The AI did it" is not an E&O defense. Regulators and courts treat AI as a tool you chose to use. The accountability — and the liability — stays with the licensed human every single time.
But here’s the part agents miss when they let that scare them off: the same fact that creates the risk also defines the safe path. If liability stays with the human, then the entire compliance question becomes “is a competent human reviewing and approving anything that constitutes advice or a sale?” Keep that answer “yes,” and you can automate aggressively around it. As we covered in our guide to AI for insurance agents in 2026, the winning pattern isn’t AI-as-decision-maker — it’s human-approved automation, where AI does the intake, triage, and drafting, and the licensed agent owns the outcome.
The regulators have arrived
For a few years, AI in insurance lived in a regulatory gray zone. That zone is gone. In 2026, three layers of rules now apply to a Health & Life agency at once: the NAIC’s model framework (adopted state by state), state-specific AI laws (Colorado being the most aggressive), and the CMS marketing rules that have always governed Medicare. Ignore any one of them and you’re exposed.
The pace of adoption tells the story. The NAIC finalized its Model Bulletin on the Use of Artificial Intelligence Systems by Insurers in December 2023. In barely two years it has swept across the country.
As of early 2026, 24 states plus the District of Columbia have adopted the NAIC Model Bulletin, and four more states have enacted their own insurance-specific AI regulation or guidance — meaning over half the country now has formal expectations on the books. And the enforcement teeth are coming: the NAIC’s new AI Systems Evaluation Tool, a standardized framework for examiners to review an insurer’s AI governance during market conduct exams, is being piloted by 12 states from January through September 2026, with broader adoption expected at the Fall 2026 National Meeting.
Colorado is the bellwether for where this goes next. Its landmark law, SB 21-169, prohibits insurers from using external consumer data, algorithms, and predictive models in ways that produce “unfair discrimination” against protected classes, and it requires a documented, risk-based governance and risk-management framework to prove it. The framework first applied to life insurers and, through an amended regulation effective October 15, 2025, expanded to private passenger auto and health benefit plan insurers as well. Other states are watching Colorado closely — and the direction of travel is unmistakable: more documentation, more testing, more human accountability, not less.
Inside the NAIC AI Model Bulletin
So what does the NAIC bulletin actually require? It’s worth understanding even though it’s aimed primarily at insurers, because its expectations flow straight downhill to the agencies and third parties that carriers work with — and because it’s the clearest articulation of what “responsible AI” means in insurance. At its core, the bulletin tells insurers to build a written AI Systems (AIS) program governing how AI is developed, used, and overseen, anchored to the NAIC’s longstanding AI principles. Those principles are a useful checklist for any agency, not just a carrier:
| NAIC AI principle | What it means for your agency |
|---|---|
| Fair & ethical | AI must not produce unfair discrimination or biased outcomes against consumers. |
| Accountable | A named human is responsible for every AI-assisted decision. Oversight is documented. |
| Compliant | AI use must satisfy all existing insurance laws — marketing, privacy, suitability, and more. |
| Transparent | You can explain what the AI did and why, to a regulator or a consumer, in plain terms. |
| Secure, safe & robust | Data is protected, the system is tested, and errors are caught before they reach a client. |
In practice, the bulletin expects governance (written policies and a responsible owner), risk management and testing (including for bias and accuracy), documentation (records that show how AI is used and reviewed), and third-party oversight — meaning carriers are increasingly required to ensure the AI vendors and tools in their distribution channel meet the same standards. That last point matters enormously for agents: the AI you choose can become a compliance question your upline asks about. Picking a tool built for insurance, with governance baked in, is no longer just a convenience — it’s risk management.
The agencies that win with AI aren't the ones avoiding the rules — they're the ones who built the rules into the tool, so compliance happens automatically on every interaction.
— The throughline of every 2026 insurance-AI regulation
Medicare's rules: TPMO, recording, and marketing
If you sell Medicare, you already live under the strictest marketing regime in insurance — and none of it relaxes because an AI is involved. The Centers for Medicare & Medicaid Services (CMS) holds any agent or agency acting as a Third-Party Marketing Organization (TPMO) to specific, non-negotiable standards, and an AI voice or chat agent operating in your funnel must meet them exactly as a human would.
The essentials haven’t changed, but the stakes of automating them have:
- The TPMO disclaimer must be stated, prominently and early — “We do not offer every plan available in your area…” — on calls and in marketing materials.
- Sales calls must be recorded in their entirety and retained for 10 years. This is one place AI actually helps: an automated system records and stores every call by default, with no human forgetting to hit “record.”
- Marketing materials and scripts must follow the CMS Medicare Communications and Marketing Guidelines, including rules on what can be said, how plans are compared, and how leads are generated and handled.
This is precisely why an AI tool’s insurance-specific design matters more than its raw capability. A generic chatbot doesn’t know what a TPMO disclaimer is. A purpose-built system opens with it automatically. As we explored in our piece on speed-to-lead and AI voice agents, an always-on voice agent can answer every Medicare lead in seconds — but only a compliant one, reading an approved script and logging every call, belongs anywhere near your book.
Automation can strengthen CMS compliance, not weaken it. A well-built system never skips the disclaimer, never forgets to record, and never loses the file. The discipline that's hard for a busy human is automatic for a properly configured AI — which is exactly why how you configure it is the whole game.
Always confirm your scripts, disclosures, and marketing against the current CMS Medicare Communications and Marketing Guidelines — these rules are updated regularly, and AI assistance is never a substitute for your own compliance review or legal counsel.
Data, HIPAA, and where agents slip
The fastest way to turn an AI productivity win into a compliance disaster is to be careless with client data. Health & Life agents routinely handle sensitive information — health conditions, medications, financial details, dates of birth, Medicare numbers — and the moment that data touches an AI tool, the question becomes: where is it going, who can see it, and is it protected?
The most common, most avoidable mistake of 2026 is pasting client information into a free, consumer-grade chatbot to “draft a quick email” or “summarize this case.” That data may be stored, used to train models, or simply sitting on infrastructure with none of the controls your obligations require. For anything involving protected health information, that’s not a shortcut — it’s an exposure.
The compliant approach treats every AI tool like any other vendor that touches client data:
- Use platforms with HIPAA-conscious architecture — where security, access controls, and data handling are the baseline design, not a bolt-on.
- Keep sensitive data inside systems built for the industry, not pasted into public tools.
- Maintain the documentation and agreements your obligations require, and know where your data lives.
This is one of the core reasons the Ambrose AI platform was built on enterprise-grade, HIPAA-conscious infrastructure from the ground up — designed by engineers who understand insurance, where protecting client data is the starting point rather than an afterthought. When the tool is built for the industry, “handle data correctly” stops being a thing you have to remember on every task and becomes the default state of the system.
A compliance framework you can actually run
You don’t need a legal department or a compliance officer to use AI responsibly. You need a simple, repeatable division of labor — one that maps cleanly onto the human-in-the-loop principle every regulator is demanding. The cleanest way to think about it is to sort every task into “AI does this” and “the licensed human does this,” and never let the line blur.
| Task | Risky (uncontrolled AI) | Compliant pattern |
|---|---|---|
| Client communications | AI writes and sends advice unsupervised | AI drafts; the agent reviews, edits, and sends |
| Lead intake & qualification | AI "advises" or recommends a plan | AI qualifies and books; the agent advises and enrolls |
| Medicare sales calls | No disclaimer, no recording | TPMO disclaimer + full recording, retained 10 years |
| Client data | Pasted into a public chatbot | Kept inside HIPAA-conscious, purpose-built systems |
| Plan comparisons / summaries | AI output sent as-is | AI summarizes; agent verifies vs. current CMS guidance |
This is exactly the role of a tool like the Compliance Checker spoke inside Ambrose AI: run your ad copy, scripts, and emails through it for a CMS marketing-compliance review before they go live — a first-pass safety net that catches obvious problems, while never replacing your own judgment or a proper compliance review. Used this way, AI becomes a force for more consistent compliance, because the disclosure, the documentation, and the review step are built into the workflow instead of depending on a busy agent remembering them at 9 p.m. during enrollment season.
The gap to exploit here is enormous. Deloitte’s research found that 90% of insurance leaders recognize the need to reinvent work for AI, but only 25% have taken meaningful action. The agencies moving deliberately — automating with guardrails in place — are pulling away from both the frozen majority and the reckless minority who deploy without governance and eventually get burned.
A six-step compliant-AI playbook
Here’s the practical sequence for deploying AI in a Health & Life agency without creating a compliance problem.
1. Name an owner. Decide who in your shop is accountable for how AI is used. Even a solo agent should be able to say “I own this.” Accountability is the first thing every regulator looks for.
2. Write down what AI is allowed to do — and what it isn’t. A one-page policy is enough for most agencies: AI may draft, qualify, schedule, summarize, and record. AI may not advise, recommend, enroll, or send client communications without human approval. Put the line in writing.
3. Bake the rules into the tool from day one. Load your TPMO disclaimer, approved scripts, and disclosures into any automation before it touches a prospect. Turn on recording and logging immediately — not after an incident.
4. Keep the human on advice and the close. Let AI own the repetitive front-of-funnel work. Keep your licensed producers on anything that constitutes advice, a recommendation, or a sale. This single rule protects most of your E&O exposure.
5. Protect the data. Never paste protected health information into consumer-grade tools. Use platforms with HIPAA-conscious architecture and know where your client data lives.
6. Document and review. Keep records that show how AI is used and reviewed, run your outbound language through a compliance check, and revisit your policy as CMS and state rules evolve. The agencies that can show their work are the ones that survive a market conduct exam — and the new NAIC evaluation tool means those exams are coming.
Compliance is a moat, not a brake. The agencies that build governance in from day one can deploy AI faster and more aggressively than their nervous competitors — because they're not afraid of what the tool might do behind their back.
What this means for a Health & Life agency
Strip away the acronyms and the 2026 reality is simple. AI is now firmly inside the regulators’ field of view; more than half the states have rules on the books; CMS hasn’t relaxed a single Medicare marketing requirement; and through all of it, the licensed agent remains the responsible party. None of that is a reason to sit out. It’s a reason to deploy correctly — and correctly is a learnable, repeatable discipline, not a mystery.
The agencies that will pull away over the next 24 months treat compliance as infrastructure, the same way they treat their CRM or their phone system. They use AI built for insurance, on HIPAA-conscious architecture, with the TPMO disclaimer and recording baked in, a compliance check on outbound language, and a bright line between what the machine drafts and what the licensed human approves. That’s the model behind Ambrose AI and the broader Tech Savvy community: teach Health & Life agents to wield these tools — fast — without breaking compliance, ops, or their bank account.
If you take one thing from all of this, make it the principle that ties it together: AI changes who does the work, not who’s responsible for it. Keep a competent, licensed human in the loop for every recommendation and every sale, document what you do, and use tools built for the industry — and you get all the speed and leverage of AI with your license, your book, and your peace of mind intact.
Want the templates, scripts, and live trainings behind a compliant AI deployment — including the Compliance Checker spoke inside Ambrose? That's what the Tech Savvy community exists for. See also our pillar guide on AI for insurance agents in 2026, our breakdown of speed-to-lead and AI voice agents, and more build-with-you guides for Health & Life agents.
Sources
- NAIC — Artificial Intelligence (Model Bulletin & AI principles)
- NAIC — Principles on Artificial Intelligence (fair, accountable, compliant, transparent, secure)
- Quarles & Brady — Nearly Half of States Have Adopted the NAIC AI Model Bulletin (24 states + D.C.)
- Colorado Division of Insurance — SB 21-169: Protecting Consumers from Unfair Discrimination
- CMS — Medicare Communications and Marketing Guidelines (TPMO disclaimer; 10-year call-recording requirement)
- American Agents Alliance — How AI Is Changing E&O Risks for Agents and Brokers
- Deloitte Insights — Scaling gen AI in insurance (90% recognize the need; 25% have acted)