Colorado AI Insurance Rules: 2026 Compliance Checklist
A 2026 compliance checklist for Colorado AI insurance regulation under SB 21-169 and Regulation 10-1-1, covering governance, testing, and documentation duties.

Colorado AI insurance regulation has become the reference point that compliance teams in every other state now study before their own regulators move. What began as a single statute aimed at unfair discrimination has matured into a working governance regime with reporting deadlines, attestation duties, and an unfinished testing rule that keeps shifting the goalposts. For chief medical officers, reinsurance medical directors, and compliance leaders deciding how to deploy external data and predictive models, Colorado is no longer a future risk to monitor. It is an operating requirement with a 2026 calendar attached.
Colorado Senate Bill 21-169, signed into law on July 6, 2021, was the first state mandate in the United States requiring insurers to test and govern their use of external consumer data, algorithms, and predictive models to prevent unfair discrimination. Regulation 10-1-1 took effect for life insurers on November 14, 2023, and was amended effective October 15, 2025 to cover private passenger automobile and health benefit plan insurers.
What Colorado AI insurance regulation actually requires
The framework rests on two layers. The statute, SB 21-169, sets the prohibition: insurers may not use External Consumer Data and Information Sources (ECDIS), or the algorithms and predictive models built on them, in a way that results in unfair discrimination based on protected characteristics. The implementing rule, Colorado Division of Insurance Regulation 10-1-1, translates that prohibition into a governance and risk management framework that insurers must build, document, and report on.
ECDIS is defined broadly. According to the Colorado Division of Insurance, it reaches credit-based information, social media habits, purchasing behavior, biometric data, and risk scores derived from those sources. Any carrier feeding non-traditional signals into a digital underwriting model should assume the data falls inside scope until proven otherwise. This is the practical center of SB 21-169 compliance: the rule is concerned less with the model architecture than with the inputs and the outcomes.
The amended regulation, effective October 15, 2025, expanded applicability beyond life insurance. Faegre Drinker analysts noted that private passenger automobile and health benefit plan insurers were brought into the same governance framework, with their own staggered deadlines. That expansion signals the Division's intent to make the governance model the baseline expectation across lines, not a life-only experiment.
Compliance timeline at a glance
The reporting obligations differ by line of business, which is the most common source of confusion for multi-line carriers. The table below maps the duties that govern a 2026 program.
| Requirement | Life insurers | Auto and health benefit plan insurers |
|---|---|---|
| Statute (SB 21-169) | Applies since 2021 | Applies since 2021 |
| Regulation 10-1-1 effective date | November 14, 2023 | October 15, 2025 (amended) |
| Initial progress report | Due June 1, 2024 | Interim report due December 1, 2025 |
| Full compliance report and attestation | Due December 1, 2024, annually thereafter | Full compliance due July 1, 2026 |
| Quantitative bias testing description | Waived for Dec 2024 and Dec 2025 reports | Not yet required (rule unadopted) |
| Governance framework documentation | Required | Required |
The quantitative testing line deserves attention. A draft regulation for testing the fairness of algorithms and predictive models in life insurance underwriting was released in September 2023, and an ACLI-backed draft has circulated since. No quantitative testing rule has been adopted. The Division waived the requirement to describe quantitative testing in the reports due December 1, 2024 and December 1, 2025, because no agreed methodology existed. Compliance teams should not read that waiver as relief from testing duties generally. The governance framework still requires carriers to detect and remediate unfair discrimination, and the quantitative rule remains on the agenda.
The 2026 governance framework checklist for insurers
A defensible governance framework under Regulation 10-1-1 is built from documented components, not aspirations. The Division expects evidence that the program is operating. Use the following as a working checklist.
- Documented governing principles that state how the carrier prevents unfair discrimination across the ECDIS, algorithm, and predictive model lifecycle.
- Board of directors oversight, with a clear record that the board or a designated committee reviews the program.
- Senior management accountability, naming the individuals responsible for the framework and its outcomes.
- A cross-functional governance group spanning legal, compliance, actuarial, data science, and underwriting, with a charter and meeting cadence.
- An inventory of every ECDIS source and every algorithm or predictive model in use, including third-party and vendor-supplied models.
- Written policies for selecting, approving, and monitoring data sources and models before deployment.
- Ongoing monitoring procedures designed to detect unfair discrimination, with defined remediation triggers.
- Vendor due diligence documentation for any externally built model, since the carrier remains accountable for what it deploys.
- A retention and version-control system so prior model states and decisions can be reconstructed for examiners.
- An annual attestation process tied to the December 1 reporting deadline for life insurers.
The recurring theme across these items is evidence. A policy binder that describes intent will not satisfy an examiner who asks to see the governance group's minutes, the model inventory, or the remediation log.
Industry Applications
Life insurance underwriting
Life carriers carry the most mature obligations because they have already filed multiple annual reports. The practical focus for 2026 is sustaining the program: refreshing the model inventory, confirming that newly added ECDIS sources have moved through the approval workflow, and preparing for the eventual quantitative testing rule. Carriers using accelerated underwriting or contactless health signals should pay particular attention to whether biometric-derived inputs are documented as ECDIS.
Health benefit plans and auto
For health benefit plan and auto insurers newly captured by the October 2025 amendment, 2026 is a build year. The interim progress report was due December 1, 2025, and full compliance is required by July 1, 2026. These carriers can shorten the path by adapting the life-insurance governance template rather than designing from scratch, but they should validate that data sources unique to their lines are mapped into the framework.
Reinsurance and medical direction
Reinsurance medical directors and chief medical officers occupy a specific role here. When a ceding carrier relies on predictive models tied to health signals, the medical leadership often owns the clinical justification for those inputs. Documenting that clinical rationale strengthens the carrier's position that a model reflects genuine risk rather than a proxy for a protected characteristic.
Current research and evidence
Independent analysis has consistently framed Colorado as the proving ground for algorithmic accountability in insurance. Writing in Forbes, commentators described the Division's draft life-insurance test as an attempt to make carriers prove the algorithm is not a proxy for race, a standard that pushes well beyond traditional disparate-treatment analysis into outcome testing. Pinnacle Actuarial Resources documented the September 2023 draft quantitative testing proposal and the technical debate over which methodology, from Bayesian Improved Surname Geocoding estimation to alternative approaches, should be used to infer protected-class status when carriers do not collect it directly.
Legal commentary from Faegre Drinker and Willkie Farr & Gallagher on the amended Regulation 10-1-1 reached a shared conclusion: the governance obligations are now line-agnostic in design, and the Division is treating the framework as portable infrastructure that can extend to additional lines and data types over time. ReSource Pro Compliance documented the Division's decision to suspend the quantitative testing description requirement for the 2024 and 2025 life-insurer reports, confirming that the testing methodology remains the most contested open question in the regime.
The future of Colorado AI insurance regulation
Three trajectories are worth planning around. First, the quantitative testing rule will likely be adopted in some form, and carriers that have already structured their data to support outcome testing will absorb it more easily than those waiting for the final text. Second, the multi-line expansion signals that more lines and more data categories may follow, so a governance framework built only for one product is a short-lived asset. Third, Colorado's model is being studied by other state regulators and by the NAIC, which means investments made for SB 21-169 compliance increasingly carry value as a national template for digital underwriting compliance.
The carriers best positioned for 2026 are not those waiting for the testing rule to be finalized. They are the ones treating governance documentation, model inventory, and outcome monitoring as permanent operating functions.
Frequently asked questions
Does the testing waiver mean life insurers do not need to test for bias?
No. The Division waived only the requirement to describe quantitative testing in the December 2024 and December 2025 reports because no methodology had been adopted. The underlying governance framework still requires carriers to detect and remediate unfair discrimination in their use of ECDIS, algorithms, and predictive models.
Who is now covered by Regulation 10-1-1?
Life insurers have been covered since November 14, 2023. The amended regulation effective October 15, 2025 extended coverage to private passenger automobile and health benefit plan insurers, with full compliance required by July 1, 2026.
What counts as external consumer data and information sources?
ECDIS includes data such as credit-based information, social media habits, purchasing behavior, biometric data, and risk scores derived from those sources. If a non-traditional data signal feeds an underwriting model, treat it as in-scope until a documented analysis says otherwise.
Are carriers responsible for vendor-supplied models?
Yes. The governance framework holds the carrier accountable for the models and data sources it deploys, including third-party tools. Vendor due diligence and documentation are expected components of a compliant program.
Circadify is building regulatory technology to help insurers operationalize obligations like Colorado AI insurance regulation, from model inventory and governance documentation to outcome monitoring. Compliance officers who want to find gaps before an examiner does can start with a governance gap review and explore compliance guides and regulatory insights at circadify.com/industries/payers-insurance.
