Executive Summary
Insurance executives adopting AI vendor solutions are making a familiar mistake in unfamiliar territory: assuming that contract language transfers regulatory and operational risk to the technology provider. It doesn’t. Regulators across the country have made clear that the insurer — not the vendor — bears ultimate responsibility for AI-driven decisions that affect consumers. Understanding this reality isn’t an argument against using vendor AI. It’s an argument for treating vendor AI with the same governance discipline you’d apply to any delegated authority.
This is the second article in a series on AI governance in insurance. The first, “The AI Did It” Is Not a Defense, establishes that insurers cannot delegate accountability to the algorithm. This one, Why Vendor AI Doesn’t Transfer Risk (Even If Your Contract Says It Does), shows that vendor contracts don’t move regulatory liability off your books. The third, When AI Starts Acting on Its Own: The Governance Gap Insurers Aren’t Ready For, addresses what happens when AI stops assisting and starts acting.
The contract looks airtight. Your AI vendor has agreed to broad indemnification. The service-level agreement includes performance guarantees. There’s a liability clause that assigns responsibility for algorithmic errors to the company that built the system.
You’re covered.
Except you’re not. And the gap between what your contract says and what regulators will actually hold you accountable for may be the most underappreciated risk in insurance technology today.
Regulators Don’t Read Your Vendor Contract
The foundational principle across every emerging AI regulation in insurance is straightforward: the insurer is the regulated entity, and the insurer is responsible for outcomes. Full stop.
The NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers, adopted in December 2023, could not be more explicit on this point. It requires insurers to develop and maintain a written AI governance program covering all AI systems used in decision-making — including those built by third parties. It expects insurers to conduct diligence on vendors, maintain audit rights, and ensure contractual protections that support cooperation with regulatory inquiries. And it puts insurers on notice that market conduct examinations will probe how AI systems are governed regardless of who developed them.
As of March 2025, 24 states have adopted the NAIC Model Bulletin with little or no material change. That’s nearly half the country operating under the same baseline expectation: your AI, your responsibility.
But some states are going further. Colorado’s SB 21-169, signed into law in 2021, requires insurers to affirmatively demonstrate that their use of external consumer data, algorithms, and predictive models does not produce unfairly discriminatory outcomes across protected classes. The law doesn’t ask whether the vendor tested for bias. It asks whether the insurer tested for bias. Auto insurers and health benefit plan insurers in Colorado must begin submitting annual compliance reports on July 1, 2026.
New York’s Department of Financial Services issued Circular Letter No. 7 in July 2024, establishing that insurers retain full responsibility for understanding any AI tools used in underwriting and pricing, whether developed internally or by third-party vendors. The DFS was particularly pointed on one issue: an insurer cannot rely on the proprietary nature of a vendor’s algorithmic processes to justify a lack of transparency in adverse underwriting or pricing decisions. In other words, “we don’t know how it works because the vendor won’t tell us” is not a defense. It may actually constitute an unfair trade practice.
The Indemnification Illusion
Now look at the vendor contract sitting on your desk. What does that indemnification clause actually protect you from?
In most AI vendor agreements, liability is capped at a multiple of the fees paid, often as little as 12 months of subscription costs. For an insurer paying $200,000 a year for an AI underwriting tool, that means the vendor’s maximum exposure might be $200,000 to $600,000, depending on the multiplier (one to three years of fees). That sounds reasonable until you consider what’s on the other side of the ledger.
A market conduct examination triggered by algorithmic bias can cost millions in legal fees, remediation, and operational disruption. Regulatory fines for unfair trade practices aren’t calibrated to your vendor’s contract value. The reputational damage from a public enforcement action — particularly one involving discrimination — can affect your ability to write business in an entire state. And if you need to re-underwrite a book of business because your vendor’s model was producing biased results, the cost of that exercise alone could dwarf the total value of the vendor contract.
The structural problem goes deeper than dollar caps. AI vendor contracts routinely disclaim responsibility for outputs generated in response to the insurer’s specific data inputs. They limit indemnification to “authorized” or “intended” uses. They exclude consequential damages — which is precisely the category that covers most regulatory and reputational harm. A recent analysis found that 88% of AI vendors impose liability caps, and only 17% provide warranties for regulatory compliance. Broad indemnification clauses frequently require customers to hold vendors harmless for discriminatory outcomes.
This creates a dynamic that should concern every insurance executive: the vendor builds the system, the insurer deploys it, and the contract quietly shifts the meaningful risk back to the insurer while creating the appearance of shared accountability.
The TPA Analogy Your Team Already Understands
Here’s the good news: the insurance industry already knows how to manage this kind of risk. It just hasn’t applied the framework to AI vendors yet.
Every carrier that uses a third-party administrator for claims processing understands that outsourcing the function doesn’t outsource the duty of good faith. If your TPA mishandles a claim, the insured’s complaint lands on the carrier’s desk, the DOI investigation examines the carrier’s oversight practices, and the carrier bears the regulatory consequences. The TPA contract may provide some recourse after the fact, but it doesn’t shield the carrier from the initial accountability.
AI vendors are the new TPAs. They’re performing functions that directly affect regulated insurance decisions — underwriting, pricing, claims, fraud detection — and the regulatory framework applies the same fundamental logic: you can delegate the work, but you cannot delegate the responsibility.
The NAIC Model Bulletin explicitly addresses this parallel. It requires insurers to maintain standards, policies, and procedures governing how they assess, acquire, use, and rely on both third-party data and third-party AI systems. It expects contractual requirements that include audit rights. And it makes clear that regulators may ask detailed questions about an insurer’s vendor diligence processes during any investigation or market conduct action.
This isn’t new regulatory theory. It’s the same principle of accountability that has governed carrier-TPA relationships for decades, applied to a new category of delegated decision-making.
What Should You Actually Do?
None of this means you shouldn’t use vendor AI. The competitive advantages are real, and the market is moving in this direction regardless. But it does mean you need to treat vendor AI deployment with the same governance rigor you’d apply to any delegated authority arrangement.
Build your own governance layer. Don’t assume the vendor’s testing is sufficient. Implement independent validation and bias testing appropriate to the regulatory requirements in every state where you operate. Colorado expects quantitative testing for discriminatory outcomes. New York expects documentation of testing methodologies. The NAIC Model Bulletin expects a written AI governance program. Your vendor can’t build this for you, because the program needs to reflect your risk appetite, your regulatory obligations, and your operational context.
Negotiate contracts with your eyes open. Push for audit rights that allow you to examine algorithmic decision-making, not just system performance. Require explicit compliance warranties for applicable insurance regulations. Seek indemnification that covers regulatory penalties and remediation costs, not just direct damages. And understand that even the best contract language is a backstop, not a substitute for your own oversight.
Staff the oversight function. AI governance in insurance isn’t a technology problem that IT can handle alone. The NAIC and state regulators expect cross-functional governance structures that include actuarial, data science, underwriting, compliance, and legal representation. If your organization doesn’t have the internal expertise to evaluate whether a vendor’s model is producing fair outcomes under state-specific definitions of unfair discrimination, that gap is itself a regulatory risk.
Document everything. Regulators will ask. The NAIC Model Bulletin specifically notes that market conduct actions may include requests for policies, procedures, training materials, and other documentation relating to AI implementation, monitoring, and oversight. Your vendor’s documentation isn’t your documentation. Build the paper trail that demonstrates your governance of the AI systems you’ve deployed.
The Bottom Line
The insurance industry has spent decades refining its understanding of delegated authority, outsourced claims administration, and managing general agent relationships. In every one of those arrangements, the same principle holds: the regulated entity can delegate the function but not the accountability.
Vendor AI is no different. The contract might give you recourse against the vendor after something goes wrong. But it won’t stop the regulatory inquiry, it won’t prevent the market conduct examination, and it won’t protect your reputation with the policyholders and agents who trust you to make fair decisions.
The executives who understand this now will build the governance infrastructure while there’s still time. The ones who learn it during their first regulatory inquiry will wish they had started sooner.
Sources
- NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers (December 2023) — https://content.naic.org/sites/default/files/inline-files/2023-12-4%20Model%20Bulletin_Adopted_0.pdf
- NAIC: Implementation of Model Bulletin Tracker — https://content.naic.org/sites/default/files/cmte-h-big-data-artificial-intelligence-wg-map-ai-model-bulletin.pdf
- Colorado SB 21-169: Protecting Consumers from Unfair Discrimination in Insurance Practices — https://doi.colorado.gov/for-consumers/sb21-169-protecting-consumers-from-unfair-discrimination-in-insurance-practices
- New York DFS Insurance Circular Letter No. 7 (2024): Use of AI Systems and External Consumer Data in Insurance Underwriting and Pricing — https://www.dfs.ny.gov/industry-guidance/circular-letters/cl2024-07
- Quarles & Brady: “Nearly Half of States Have Now Adopted NAIC Model Bulletin on Insurers’ Use of AI” (March 2025) — https://www.quarles.com/newsroom/publications/nearly-half-of-states-have-now-adopted-naic-model-bulletin-on-insurers-use-of-ai
- Jones Walker: “AI Vendor Liability Squeeze: Courts Expand Accountability While Contracts Shift Risk” — https://www.joneswalker.com/en/insights/blogs/ai-law-blog/ai-vendor-liability-squeeze-courts-expand-accountability-while-contracts-shift-r.html
- Holland & Knight: “The Implications and Scope of the NAIC Model Bulletin on the Use of AI by Insurers” (May 2025) — https://www.hklaw.com/en/insights/publications/2025/05/the-implications-and-scope-of-the-naic-model-bulletin
- Plante Moran: “How the NAIC AI Model Bulletin is Evolving” (March 2026) — https://www.plantemoran.com/explore-our-thinking/insight/2026/03/how-the-naic-ai-model-bulletin-is-evolving
- Kennedys Law: “Understanding the NAIC Model AI Bulletin: What It Means for Insurers” (January 2025) — https://www.kennedyslaw.com/en/thought-leadership/article/2025/understanding-the-naic-model-ai-bulletin-what-it-means-for-insurers/
AI Disclaimer: This content was created with assistance from artificial intelligence technology. While content is based on factual information from the source material, readers should verify all details directly with the respective sources before making business decisions.