Compliance Roadmap · Colorado AI Act × Insurance
Insurance AI governance built on the NIST AI RMF (and ISO/IEC 42001 where a certifiable management system is preferred) coordinates a specific Colorado insurance AI regulatory stack: Colorado Division of Insurance Regulation 10-1-1 (the country's first state insurance AI rule, 2023) and the NAIC AI Model Bulletin (2023), which has been adopted by multiple states. Colorado's amended AI law, SB 26-189, signed May 14, 2026 and effective January 1, 2027, repealed and replaced the original SB 24-205, and now imposes a transparency/disclosure regime on automated decision systems used in insurance rather than the high-risk classification, impact-assessment, and deployer-duty framework the original act proposed. Reg 10-1-1 remains the operative substantive insurance AI obligation, in force independent of the AI law.
EFROS's experience with insurance AI governance programs is that most carriers already have the substantive infrastructure from Reg 10-1-1 compliance — bias testing, AI governance, transparency documentation — and NIST AI RMF organizes it into a defensible operating posture. Carriers operating in multiple states have additional NAIC AI Model Bulletin-derived requirements that vary; NIST AI RMF is the framework that scales across all of these without requiring parallel programs. Under SB 26-189, the Colorado-specific obligation is transparency/disclosure for automated decision systems — not the deployer-developer impact-assessment framework or the 90-day discovery clock the repealed SB 24-205 would have imposed — so carriers coordinate SB 26-189 disclosure with existing state insurance notice requirements rather than standing up a separate Colorado regime.
NIST AI RMF organizes the bias-testing and transparency infrastructure carriers already build for Reg 10-1-1 into a scalable governance posture. Colorado's amended AI law (SB 26-189, effective 2027) repealed and replaced SB 24-205, swapping the proposed high-risk / impact-assessment / deployer-duty regime for a transparency/disclosure regime for automated decision systems in insurance. Reg 10-1-1 (the 2023 insurance AI rule) and NAIC AI Model Bulletin-derived state requirements remain the operative substantive obligations. Multi-state carriers need one coordinated AI governance program.
Of the controls and obligations in the Colorado AI Act, these are the ones that most consistently show up as audit findings or operational gaps in insurance environments. The order reflects the typical implementation sequence, not abstract importance; most items depend on the earlier ones.
Includes vendor AI and embedded AI in policy administration, claims, and fraud detection platforms.
Organizes the bias-testing and transparency infrastructure carriers already build. Coordinates with Colorado Reg 10-1-1 and NAIC AI Model Bulletin expectations.
NIST AI RMF Measure work. Coordinate with Reg 10-1-1 bias testing and consumer protection documentation — the operative substantive obligation.
Existing state insurance notice requirements remain operative. Coordinate the SB 26-189 automated-decision-system disclosure with them — build the UX once.
NAIC AI Model Bulletin has been adopted by multiple states with variations. NIST AI RMF is the framework that scales across them.
Patterns EFROS sees consistently across insurance Colorado AI Act engagements. None of these are unfixable; all of them are common enough to be worth naming.
Typical EFROS engagement cadence for an insurance organization starting from a credible baseline. Earlier maturity shifts the timeline left; less mature starting positions shift it right.
Days 0-60: Insurance AI inventory + governance. Complete insurance AI inventory affecting Colorado consumers. Adopt NIST AI RMF (or ISO/IEC 42001) as the multi-state operating anchor. Extend existing Reg 10-1-1 infrastructure into it.
Complete risk documentation and bias testing per insurance AI. Coordinate the SB 26-189 automated-decision-system disclosure with existing state insurance notice requirements.
Stand up continuous monitoring across underwriting, rating, claims, and fraud detection AI. Coordinate with state insurance regulator inquiry workflows.
EFROS operates insurance AI governance as a coordinated multi-state program — NIST AI RMF as the operating anchor, Colorado Reg 10-1-1 extension, NAIC AI Model Bulletin coordination, and the SB 26-189 automated-decision-system disclosure. We frame Colorado around the amended SB 26-189 transparency regime — not the repealed SB 24-205 deployer-duty regime — and coordinate with carriers' existing actuarial and bias testing infrastructure rather than rebuilding it.
Disclaimer: this roadmap is a compliance research artifact, not legal advice. Implementation decisions for insurance organizations require analysis of specific facts and should be made in consultation with qualified legal counsel and an assessor appropriate to the Colorado AI Act.
Reference this resource with attribution under CC-BY-4.0.
Efros, S. (2026, May). Colorado AI Act for Insurance: Compliance Roadmap (2026). EFROS. https://efros.com/compliance/colorado-ai-act-for-insurance/