SB 205 gap analysis: insurance underwriting AI -- 12 controls checked
Ran a full SB 205 control sweep against a representative insurance underwriting AI system. 12 controls checked, 7 gaps identified, 4 rated critical. Full findings and remediation paths included.
Executive Summary
The target system is an AI-assisted insurance underwriting platform that evaluates risk factors for personal auto and homeowner policies. The system ingests applicant data, credit information, claims history, and property data to generate a risk score and premium recommendation.
Control Sweep Results
| Control | Status | Severity |
|---|---|---|
| C1: Impact Assessment | FAIL | CRITICAL |
| C2: Consumer Disclosure | FAIL | CRITICAL |
| C3: Human Override Path | FAIL | CRITICAL |
| C4: Data Inventory | PASS | -- |
| C5: Bias Testing | FAIL | HIGH |
| C6: Model Documentation | PASS | -- |
| C7: Incident Response | FAIL | MEDIUM |
| C8: Annual Review | PASS | -- |
| C9: Third-Party Audit | FAIL | HIGH |
| C10: Data Retention | PASS | -- |
| C11: Adverse Action Notice | FAIL | CRITICAL |
| C12: Record Keeping | PASS | -- |
Critical Findings
C1 -- Impact Assessment: No algorithmic impact assessment exists for the underwriting model. This is a foundational requirement under SB 205 Section 6-1-1702.
C2 -- Consumer Disclosure: Applicants are not informed that an AI system contributes to underwriting decisions. The disclosure must occur before the decision is made.
C3 -- Human Override: No documented process for applicants to request human review of AI-influenced underwriting decisions.
C11 -- Adverse Action Notice: When the AI contributes to an adverse underwriting decision, the notice does not mention AI involvement as required by statute.
Remediation Priority
- Complete impact assessment (C1) -- all other controls reference it
- Implement consumer disclosure (C2) -- pre-decision notification
- Build human override workflow (C3) -- request intake + SLA
- Update adverse action notices (C11) -- add AI disclosure language