Insurance Curator DENVER — The Colorado Division of Insurance (DOI) finalized its latest round of compliance audits this week, marking a pivotal milestone in the implementation of the nation’s first comprehensive regulatory framework governing the use of artificial intelligence and external consumer data by life insurance companies.
The enforcement phase of Senate Bill 21-169, which began its staggered rollout in late 2023, now requires life insurers operating in Colorado to demonstrate rigorous data governance and provide empirical evidence that their use of external consumer data and information sources (ECDIS) does not result in unfair discrimination based on race or ethnicity. As other states monitor Colorado’s progress, the insurance industry is undergoing a fundamental shift in how it manages the intersection of big data, predictive modeling, and consumer protection.
Under the direction of Colorado Insurance Commissioner Michael Conway, the regulation targets the use of non-traditional data—ranging from credit scores and social media activity to purchasing habits and educational attainment—that insurers increasingly use to supplement traditional medical underwriting.
"Our goal has never been to stifle innovation, but to ensure that as the industry moves toward automated decision-making, it does so without baking systemic bias into its algorithms," Conway said in a recent public hearing. "Data governance is no longer a back-office suggestion; it is a regulatory mandate."
The New Governance Standard
The Colorado regulations, specifically Regulation 10-1-1, require life insurers to establish a formal governance framework overseen by their boards of directors or a designated committee of senior management. This framework must document the specific ECDIS used, the rationale for their use in underwriting, and a detailed map of how these data points influence the final consumer score or premium rate.
Insurers are now required to submit annual reports to the DOI detailing their risk management processes. These reports must include a "privileged" narrative describing the steps taken to identify and mitigate unfair discrimination.
For many companies, this has necessitated the creation of new executive roles, such as Chief AI Officer or Data Ethics Lead, to bridge the gap between actuarial science and legal compliance.
"The Colorado requirements have forced a level of cross-functional collaboration that we haven’t seen previously," said Sarah Thompson, a senior compliance analyst at the Insurance Research Institute. "You have data scientists, actuaries, and legal counsel all sitting at the same table to justify why a specific consumer score is a valid predictor of mortality and, more importantly, that it doesn't serve as a proxy for a protected class."
Testing for "Proxy Discrimination"
The most significant hurdle for life insurers under the Colorado model is the requirement for quantitative testing. Insurers must test their algorithms to ensure that the use of external data does not result in a disproportionately negative impact on protected groups.
Because insurers are generally prohibited from collecting race and ethnicity data directly from applicants, the DOI has approved the use of "proxy" methods—such as the Bayesian Improved Surname Geocoding (BISG)—to estimate the demographic makeup of an insurer's book of business for testing purposes.
"The challenge is that insurers are being asked to prove a negative," said Robert DiUbaldo, a shareholder at Carlton Fields who specializes in insurance regulation. "They must prove their models aren't discriminating, even though they don't have the underlying race data. This has created a complex technical environment where the methodology of the test is as scrutinized as the results themselves."
According to DOI documents, if a model is found to have a "disproportionate impact," the insurer must either modify the model or provide a robust actuarial justification showing that the data point is essential to the business and that no less-discriminatory alternative exists.
Industry Response and Economic Impact
The American Council of Life Insurers (ACLI), which represents the majority of the life insurance market, has expressed support for the goals of the regulation while raising concerns about the potential for a "patchwork" of state-by-state rules.
In a statement, the ACLI noted that life insurers rely on accurate risk assessment to maintain solvency and offer competitive pricing. "We support the state’s efforts to ensure fairness. However, it is critical that these regulations remain workable and do not prevent the industry from using innovative tools that can actually expand access to life insurance for underserved communities by streamlining the application process," the group stated.
Recent data suggests the cost of compliance is significant. A 2025 industry survey estimated that mid-to-large-sized life insurers spent an average of $2.4 million in the last year on governance restructuring and third-party auditing specifically to meet Colorado’s standards.
Despite these costs, some proponents argue that better data governance leads to better business outcomes. By cleaning up data pipelines and eliminating "noisy" or irrelevant consumer scores, insurers may actually improve the predictive accuracy of their underwriting models.
A National Precedent
The developments in Colorado are serving as a blueprint for the National Association of Insurance Commissioners (NAIC). The NAIC’s Model Bulletin on the Use of Artificial Intelligence Systems by Insurers, adopted by several other states in 2024 and 2025, draws heavily from the Colorado governance requirements.
States such as New York and California have recently introduced similar measures, though Colorado remains the only state with a specific, enacted testing requirement for life insurance underwriting.
"What happens in Denver doesn't stay in Denver in the insurance world," said Thompson. "Carriers are generally choosing to apply the Colorado governance standards across their entire national operations rather than maintaining different data silos for different states. In effect, Colorado is setting the national standard for AI ethics in insurance."
Looking Ahead
As the 2026 reporting cycle continues, the Colorado DOI is expected to release a summary report on the industry's progress by late summer. This report will likely highlight common pitfalls discovered during the audit process and provide further guidance on acceptable testing methodologies.
For consumers, the impact of these regulations is becoming visible in the form of more transparent disclosures. Life insurance applicants in Colorado are now receiving more detailed information about the third-party data sources used to evaluate their applications, along with clearer pathways to challenge inaccuracies in their external consumer scores.
"This is about trust," Commissioner Conway said. "If people don't trust the math behind their life insurance policy, the whole system falters. We are building the guardrails for the next century of insurance."
As of February 2026, the DOI confirmed that over 140 life insurers have submitted their initial governance frameworks, with the first major round of enforcement actions—if any—expected to follow the review of the 2025 testing data.