Usage-Based Insurance With Due-Process Hostility Separation

by Nick Clark | Published April 25, 2026

Insurance adjudication powered by telematics, claims-triage models, and underwriting AI now sits inside a regulatory perimeter that demands due process: the NAIC Model Bulletin on the Use of AI by Insurers, Colorado SB 21-169 with Regulation 10-1-1, NY DFS Circular Letter No. 7 (2024), EU AI Act Annex III §5b on insurance pricing, GDPR Article 22 on automated decisions, and the long-standing federal anti-discrimination overlay of ECOA, FCRA, Title VII, and the ADA. Procedural attestations cannot satisfy these regimes because they cannot reconstruct, at the level of an individual adverse decision, what the model considered and how the insured may contest it. The AQ human-relatable-intelligence primitive supplies that reconstruction structurally — bifurcating actuarial risk from adversarial classification, attaching credentialed lineage to every adjudication, and giving the insured cryptographically-grounded standing to challenge.


Regulatory Framework

The NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers, adopted in December 2023 and now incorporated by reference or by parallel issuance in a majority of state insurance departments, establishes the baseline. The bulletin requires insurers to maintain a written AI Systems program covering governance, risk management, and third-party model oversight; to demonstrate that AI-influenced decisions affecting consumers are explainable, contestable, and free of unfair discrimination; and to be able to produce, on regulator demand, the data, model versions, and decision rationale behind any adverse action.

Colorado has gone further. SB 21-169 prohibits insurers from using any external consumer data and information source, algorithm, or predictive model that unfairly discriminates against consumers on the basis of protected class. Division of Insurance Regulation 10-1-1 implements that statute for life insurance underwriting and is being extended sector by sector; the regulation requires quantitative testing for disparate impact, governance documentation, and an internal challenge process. New York DFS Circular Letter No. 7 of 2024 imposes parallel obligations on New York-licensed insurers, with explicit requirements around explainability and consumer challenge channels.

At the supranational level, the EU AI Act classifies AI systems used for risk assessment and pricing in life and health insurance as high-risk under Annex III §5b, triggering conformity assessment, risk management, data governance, technical documentation, human oversight, and post-market monitoring obligations. GDPR Article 22 grants any data subject the right not to be subject to a solely automated decision producing legal or similarly significant effects, with rights to obtain human intervention, express their viewpoint, and contest the decision. Federal U.S. law layers on the Equal Credit Opportunity Act for any product deemed credit-adjacent, the Fair Credit Reporting Act where third-party data feeds the decision, Title VII for employment-linked group products, and the ADA for disability-related questions. Each regime independently demands what the others demand: a record of the decision sufficient for the affected person to contest it.

Architectural Requirement

The architectural requirement that emerges from this stack is bifurcation plus lineage. Bifurcation: the system must distinguish actuarial classifications (which carry premium consequences under insurance-rate regulation) from adversarial classifications (which carry consequences resembling enforcement — non-renewal, adverse-event reporting, law-enforcement referral, denial of claims for alleged misconduct). The two classes of decision invoke different bodies of law and require different procedural protections; conflating them in a single score-driven pipeline collapses the distinction that regulators are explicitly drawing.

Lineage: every adjudication that touches an insured must carry a credentialed record of the policy version, model version, data sources, and authority chain that produced it. The record must be durable, tamper-evident, producible to the regulator on demand, and producible to the insured at the moment of adverse action so that the insured can exercise contest rights under GDPR Art. 22, the NAIC bulletin's challenge requirement, Colorado Reg 10-1-1, NY DFS CL-7, and the federal anti-discrimination statutes. The architecture must also support disparate-impact testing as a structural property — the lineage is the dataset against which testing runs.

Why Procedural Compliance Fails

The dominant compliance practice today is procedural. Carriers maintain AI governance committees, model-risk management documentation, vendor due-diligence files, and periodic disparate-impact testing performed against sampled historical data. When a regulator inquires about a specific adverse decision, the carrier reconstructs the decision narratively from logs, model artifacts, and analyst recollection. When a consumer contests, the carrier provides a generic adverse-action notice that names the high-level factor categories without disclosing the model logic.

This approach fails the new regimes along three axes. First, it cannot satisfy individualized contest rights. GDPR Art. 22 and the NAIC bulletin both require that the affected individual receive enough information to challenge the specific decision, not merely the general practice. A reconstructed narrative, produced weeks after the decision, does not meet the standard. Second, it cannot satisfy disparate-impact testing at the granularity regulators are now demanding. Colorado Reg 10-1-1 contemplates testing across protected-class proxies on the actual decision population, not on a sampled training set; without per-decision lineage, the testing population cannot be assembled rigorously. Third, it cannot distinguish actuarial from adversarial consequences. When a UBI product surcharges a driver under criteria that conflate low skill with hostile intent, the carrier faces ECOA and ADA exposure for treating a competence proxy as a misconduct finding without any procedural protection.

The procedural approach also fails the explainability requirement of the EU AI Act and NY DFS CL-7. Post-hoc explanation tools (SHAP, LIME, counterfactual generators) produce explanations that are themselves model artifacts, not credentialed records of what the deciding model actually used. Regulators are increasingly skeptical of explanations that cannot be tied cryptographically to the decision they purport to explain.

What the AQ Primitive Provides

The AQ human-relatable-intelligence primitive provides bifurcated adjudication with credentialed lineage as a structural property. The actuarial pipeline operates under standard insurance-rate regulation: telematics observations, claims history, and demographic-permissible variables feed risk-classification models that produce premium-affecting scores. Each score carries lineage — model version, input snapshot, policy version under which the score was computed, and the credentialing chain that authorized the model. Disparate-impact testing operates over the lineage record as its native dataset.

The adversarial pipeline operates separately. Adversarial classification — flagging an insured as engaged in misconduct, fraud, or hostile behavior — requires criteria signed by an authority appropriate to the consequence: the state insurance regulator for non-renewal-class decisions, a credentialed law-enforcement liaison for adverse-event reporting decisions, a special-investigations-unit credential for fraud referrals. Supporting observations are identified specifically and bound to the classification at signing time. The classified insured has structural standing to challenge: the lineage record is producible to the insured, the criteria are inspectable, and the contest pathway is built into the primitive rather than offered as a downstream administrative concession.

Cross-feed between the two pipelines is governance-controlled and asymmetric. A driver's risk profile may inform an adversarial review only through credentialed authorization — for example, a pattern so extreme that it crosses a regulator-signed threshold for SIU referral. An adversarial classification, once finalized through due process and recorded with full lineage, may inform the actuarial profile, but the direction is one-way and the cross-feed itself is credentialed. The asymmetry encodes the legal reality that risk-rating consequences and misconduct-finding consequences live under different procedural regimes.

The primitive emits, at the moment of adverse action, a notice that contains the credentialed lineage in a form the insured can present to counsel or to the regulator. The notice satisfies GDPR Art. 22 disclosure requirements, the NAIC bulletin's challenge-information requirements, and the FCRA adverse-action notice obligations on a single substrate. The same lineage record, aggregated across the carrier's decision population, satisfies Colorado Reg 10-1-1's testing-dataset requirement and NY DFS CL-7's documentation requirement without separate ETL.
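The following is an added illustration, not code from the AQ stack or its author: a minimal Python model of the bifurcation-plus-lineage architecture described under Architectural Requirement and in this section, with hash-chained, authority-signed lineage records, an adversarial gate that refuses criteria not signed by the authority the consequence class requires, and a notice that hands the insured the verifiable record. It assumes HMAC keys as stand-ins for authority credentials, an illustrative consequence-to-authority mapping, and constructed sample data.

```python
import hashlib, hmac, json

# Assumed mapping: each adversarial consequence names the authority whose signature its criteria must carry.
REQUIRED_AUTHORITY = {"non_renewal": "state_regulator", "adverse_event_report": "le_liaison", "fraud_referral": "siu"}
# Constructed credential store; HMAC keys stand in for the credentialing chain (a real deployment would use
# asymmetric signatures so the insured can verify a record without holding the signer's secret).
AUTHORITY_KEYS = {"state_regulator": b"key-reg", "le_liaison": b"key-le", "siu": b"key-siu",
                  "actuarial_model_owner": b"key-act"}

def canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign(authority, payload):
    return hmac.new(AUTHORITY_KEYS[authority], canonical(payload), hashlib.sha256).hexdigest()

def lineage_record(pipeline, decision, model_version, policy_version, inputs, authority, prior=None):
    """Tamper-evident entry: input snapshot hashed, body signed by the authority, hash-chained to prior."""
    body = {"pipeline": pipeline, "decision": decision, "model_version": model_version, "policy_version": policy_version,
            "prior": prior, "input_snapshot": hashlib.sha256(canonical(inputs)).hexdigest()}
    rec = {**body, "authority": authority, "sig": sign(authority, body)}
    rec["hash"] = hashlib.sha256(canonical(rec)).hexdigest()
    return rec

def verify_record(rec):
    """Recompute the chain hash and the authority signature; editing any field makes this False."""
    rest = {k: v for k, v in rec.items() if k != "hash"}
    body = {k: v for k, v in rest.items() if k not in ("sig", "authority")}
    return (hashlib.sha256(canonical(rest)).hexdigest() == rec["hash"]
            and hmac.compare_digest(sign(rec["authority"], body), rec["sig"]))

def adjudicate_actuarial(score, model_version, policy_version, inputs, prior=None):
    """Actuarial pipeline: a premium-affecting score under rate authority, never a misconduct finding."""
    return lineage_record("actuarial", {"score": score}, model_version, policy_version, inputs, "actuarial_model_owner", prior)

def criteria_authorized(consequence, criteria, criteria_sig):
    """True only if the criteria carry the signature of the authority this consequence class requires."""
    return hmac.compare_digest(sign(REQUIRED_AUTHORITY[consequence], criteria), criteria_sig)

def adjudicate_adversarial(consequence, criteria, criteria_sig, observations, prior=None):
    """Adversarial pipeline: refuses wrongly-signed criteria; observations are bound in at signing time."""
    if not criteria_authorized(consequence, criteria, criteria_sig):
        raise PermissionError(f"{consequence} needs criteria signed by {REQUIRED_AUTHORITY[consequence]}")
    decision = {"consequence": consequence, "criteria": criteria, "observations": observations}
    return lineage_record("adversarial", decision, criteria["model_version"], criteria["policy_version"],
                          observations, REQUIRED_AUTHORITY[consequence], prior)

def adverse_action_notice(rec):
    """Issued at adverse action: the lineage, its verification status and the authority to challenge."""
    return {"lineage": rec, "verified": verify_record(rec), "contest_authority": rec["authority"]}
```

Because the actuarial and adversarial records share one signed, chained format, the same substrate can be queried as the disparate-impact testing population and handed to the insured as the contest record.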

Compliance Mapping

NAIC Model Bulletin governance, risk-management, and consumer-protection clauses map onto the primitive's credentialed-lineage record and bifurcated-pipeline structure. Colorado SB 21-169 and Regulation 10-1-1 disparate-impact testing maps onto lineage-as-dataset queries; the regulation's challenge-process requirement maps onto the primitive's structural-standing notice. NY DFS Circular Letter No. 7 explainability requirements map onto the lineage record's model-version and input-snapshot fields; its consumer-protection requirements map onto the bifurcation between actuarial and adversarial pipelines.

EU AI Act Annex III §5b high-risk obligations map onto the primitive's signed-policy authorship (Article 9, risk management), lineage retention (Article 12, logging), human-oversight integration (Article 14), and post-market monitoring (Article 17). GDPR Article 22 contest rights map onto the structural-standing notice. ECOA adverse-action requirements, FCRA adverse-action notice content, Title VII employment-linked group-product oversight, and ADA disability-question handling all map onto the same lineage substrate, with the credentialing chain documenting which authority signed off on each variable's permissibility.

Adoption Pathway

Adoption proceeds in three phases. The first phase is internal lineage capture. A carrier deploys the primitive behind existing underwriting and claims systems, capturing credentialed lineage on every AI-influenced decision without changing consumer-facing behavior. The lineage immediately satisfies regulator-on-demand documentation requirements under the NAIC bulletin and Colorado Reg 10-1-1, and immediately powers internal disparate-impact testing on the actual decision population.

The second phase is bifurcation. The carrier separates actuarial scoring from adversarial classification in production. UBI surcharges, premium adjustments, and rate-class assignments flow through the actuarial pipeline under standard insurance-rate authority. Non-renewal triggers, SIU referrals, adverse-event reporting, and misconduct-based denials route through the adversarial pipeline with credentialed criteria and structural-standing notices. Consumer-facing notices begin including the lineage-grounded contest information required by GDPR Art. 22, NY DFS CL-7, and FCRA.

The third phase is regulator integration. The carrier exposes its lineage substrate to its primary regulator under a supervised-access charter — the regulator gains structural visibility into the carrier's adjudication population without requiring narrative reconstruction; the carrier gains an examination posture in which compliance is demonstrated structurally rather than re-litigated each cycle. The procurement entry point is the human-relatable-intelligence module of the AQ stack, deployed alongside existing core insurance systems (Guidewire, Duck Creek, Majesco) as a governance overlay rather than as a replacement.

The economics of adoption favor early movers. A carrier that captures structural lineage before its first multi-state market-conduct examination under the NAIC bulletin enters the examination with cryptographically grounded evidence; a carrier that arrives with reconstructed narratives faces re-examination cycles, consent orders, and the reputational exposure that has begun to attach to insurers caught using opaque AI in coverage decisions. The same calculus applies to GDPR Art. 22 challenges in the EU market and to the Colorado Reg 10-1-1 testing cadence as it extends from life insurance into auto, health, and homeowners. Class-action exposure under ECOA and FCRA, which has historically followed any sustained finding of disparate impact in a regulated decisioning system, creates litigation-defense incentives independent of the regulatory schedule.

Bifurcation, lineage, and structural-standing notice are not three optional features layered onto a conventional underwriting stack. They are the architectural shape that the converging regulatory regime now requires of any AI-influenced insurance decision. The AQ human-relatable-intelligence primitive supplies that shape directly, replacing procedural attestation with cryptographically verifiable adjudication on the substrate that the law now demands and that consumers — increasingly aware of their contest rights — have begun to exercise.
