Two weeks ago, Colorado Governor Jared Polis signed SB 26-189 into law, replacing the state’s original AI Act with a disclosure-centered framework that takes effect January 1, 2027. Sixty-seven days from now, the EU AI Act’s transparency obligations under Article 50 become enforceable. And somewhere between those two dates, your D&O or E&O renewal is coming up.
These three facts are not unrelated. They are converging into a single question that insurance underwriters are already asking: *How does your organization govern its use of artificial intelligence?*
The Underwriting Shift Is Already Happening
For the past eighteen months, insurers have been embedding AI-related risk into existing coverage lines rather than carving it out into standalone policies. Cyber liability, professional liability, and directors and officers policies now routinely include questions about AI governance frameworks, documentation practices, and disclosure protocols.
The logic is straightforward. A company that deploys AI in consequential decisions without documented governance creates the same category of risk as one that handles sensitive data without a security policy. The exposure shows up in regulatory enforcement actions, consumer litigation, and reputational damage that triggers securities claims.
Underwriters are not asking whether you use AI. They are asking how that use is governed, documented, and disclosed. The absence of an answer is itself a risk signal.
Why SB 26-189 Changes the Calculus
Colorado’s new law narrows the regulatory frame from the broad “algorithmic discrimination” standard of the repealed SB 24-205 to a disclosure-based model centered on automated decision-making technology (ADMT) used in consequential decisions. Seven domains are covered: education, employment, housing, financial services, insurance, healthcare, and government services.
The obligations are specific. Under Section 6-1-1704, deployers must provide clear and conspicuous notice before using ADMT for consequential decisions. Within 30 days of an adverse outcome, they must deliver a plain-language explanation of the technology’s role. Consumers gain rights to access their personal data, correct inaccuracies, and request meaningful human review.
Enforcement sits exclusively with the Colorado Attorney General under the Consumer Protection Act, with a 60-day cure period before penalties attach. No private right of action exists.
For insurers, this structure creates a clean risk-pricing framework. Companies that can demonstrate compliant disclosure practices present a quantifiably lower regulatory risk than those that cannot. The cure period means that companies with mature documentation and response protocols can remediate before enforcement escalates. Companies without those protocols cannot.
The Safe Harbor Illusion
SB 26-189 includes safe harbors for insurers operating under the state insurance code (Section 10-3-1104.9); creditors complying with ECOA, Regulation B, and FCRA; HIPAA-covered entities in clinical contexts; and FERPA-governed institutions.
These safe harbors are narrower than they appear. They protect specific regulated activities, not the organization as a whole. A health system with HIPAA safe harbor protection for clinical AI still faces full SB 26-189 exposure when it uses AI in employment decisions or financial assistance determinations. A lender compliant with Regulation B still needs to address AI disclosure obligations that fall outside the federal framework.
Federal compliance is the floor, not the ceiling. Underwriters pricing D&O and E&O risk understand this distinction. The question on the application will not be whether you qualify for a safe harbor. It will be whether you have mapped which of your AI deployments fall inside that harbor and which do not.
The EU AI Act Adds a Second Layer
For organizations with European exposure, August 2, 2026, brings enforceable transparency obligations under Article 50 of the EU AI Act. These include disclosure of AI interactions, labeling of synthetic content, and identification of deepfakes. High-risk AI systems in employment, financial services, and insurance face conformity assessments, technical documentation requirements, and mandatory registration in the EU database.
Penalties scale to 7% of global turnover for prohibited practices. Even for organizations primarily operating in the United States, the extraterritorial reach of the EU AI Act means that any AI system whose output affects individuals in the EU triggers compliance obligations.
Insurance underwriters with multinational books are already cross-referencing these two regulatory regimes. A company that cannot demonstrate compliance readiness for either one presents compounded risk.
What Underwriters Are Looking For
The emerging standard in AI governance underwriting centers on three questions. First, has the organization inventoried its AI deployments and classified them by risk level and regulatory exposure? Second, does documentation exist that maps each deployment to applicable disclosure requirements under SB 26-189, the EU AI Act, and sector-specific regulations? Third, are there response protocols for adverse outcomes that meet the 30-day disclosure window under Colorado law?
Organizations that can answer these questions with auditable evidence are positioned for favorable underwriting outcomes. Organizations that cannot face a risk premium that will only increase as enforcement begins.
The Rating as Risk Signal
Independent, standardized assessments of AI governance maturity are becoming the reference point for this underwriting process, much the way cybersecurity ratings from firms like BitSight became standard inputs for cyber liability pricing. The AI Clear public registry, which rates over 500 companies on a 57-criteria rubric anchored to NIST AI RMF 1.0 and ISO/IEC 42001:2023, provides exactly the kind of comparable, third-party signal that underwriters need to differentiate risk across a portfolio.
The analogy is precise. Before BitSight, cyber underwriters relied on self-reported questionnaires. After BitSight, they had an external, continuous signal. AI governance is at the same inflection point.
---
Check your organization’s AI governance rating at aiclear.org, or contact us to request a certification assessment that documents your compliance readiness before your next renewal.