The 51-Jurisdiction Problem

No single regulator oversees American insurance. There are fifty-one of them, every state, plus the District of Columbia, and that fragmentation is not an accident of history but the deliberate architecture of the industry. A carrier writing private passenger auto, homeowners and life policies nationwide must satisfy overlapping codes in each jurisdiction, file financial statements on staggered deadlines, answer market-conduct inquiries, and prove, on demand, that its internal controls actually map to the obligations those codes impose. For most of the twentieth century, that proof lived in filing cabinets and the heads of compliance officers nearing retirement. Today it increasingly lives in software that watches the rulebook so people don't have to.

The shift is being driven less by ambition than by arithmetic. The volume of regulatory obligations, the frequency of examinations, and the cost of getting any of it wrong have all climbed past the point where manual tracking is defensible. This is the story of how compliance tracking, monitoring many frameworks at once, mapping controls to obligations, and watching deadlines automatically, moved from a back-office convenience to a board-level necessity in one of the most heavily regulated industries on earth.

Sources: NAIC, R Street Institute, Process Street / IRES 2026, Vanta.

The Old Way: Binders, Calendars and Institutional Memory

Insurance is the largest financial-services sector in the United States regulated almost entirely at the state level, and that single design choice has shaped how compliance was done for generations. As the R Street Institute documents in its annual regulation report card, insurers must master a "welter" of disciplines, underwriting, rating, reserving, reporting, enterprise risk management and compliance among them, each governed by state law, state regulators and state court decisions that vary considerably from one border to the next. The same study notes that the structure itself differs jurisdiction to jurisdiction: eleven states elect their insurance commissioner, twenty-six fill the role by gubernatorial appointment subject to legislative consent, and others use administrative or independent-commission processes.

To harmonize this patchwork, the National Association of Insurance Commissioners publishes model laws, regulations and guidelines that states may adopt, the Market Conduct Surveillance Model Law, the Unfair Trade Practices Act, the Unfair Claims Settlement Practices Act and dozens more, each carrying its own state-action history. But "may adopt" is the operative phrase. A model law adopted verbatim in one state, amended in a second and ignored in a third produces exactly the divergence that compliance teams spent decades reconciling by hand.

The legacy method was painfully literal. Someone owned a binder. Someone else owned a spreadsheet of filing deadlines. A third person remembered which states had quietly changed their rate-filing rules. When an examiner arrived, the work was archaeological: reconstructing, after the fact, evidence that procedures had been followed. One account of the field, drawn from a 2026 insurance regulators' conference, described the persistent reality bluntly, "rework, manual evidence assembly, approval chasing, babysitting email threads that should have been automated years ago", and estimated the internal cost of that inefficiency across U.S. insurance at roughly $16 billion a year, separate from any fines or penalties.

The Shift: When Cost and Cadence Outran the Spreadsheet

What pushed compliance tracking from optional to essential was a measurable squeeze. The cost of regulation rose, examinations grew more data-driven, and the human hours available to manage it all did not keep pace. The trend is visible across markets that have actually tried to quantify it. In Canada, the Insurance Bureau of Canada reported that regulatory compliance costs for the property-and-casualty sector reached $753 million in 2024, up 81% from $416 million in 2022, with Canadian insurers spending 17% of operating costs on compliance versus 6.5% for EU insurers in 2017. In Australia, the Insurance Council of Australia put the figure at A$2.5 to 3.5 billion a year, or 4 to 6% of gross written premium, against more than 30,000 obligations enforced by 25 authorities under 300 instruments.

The examination cadence intensified in parallel. State codes generally mirror NAIC model language requiring every domestic insurer to be examined at least once every three to five years. R Street's analysis of financial exams from 2018 through 2022 found that, against a baseline expectation of 100% over five years, the mean share of domestic insurers examined was 163.3%, meaning the average company faced 1.63 exams in that window, with some states examining their insurers more than three standard deviations above the norm. Market conduct surveillance grew alongside financial oversight. As of the 2024 data year, fifty-one jurisdictions participate in the NAIC's Market Conduct Annual Statement, collecting claims and underwriting data across thirteen lines of business.

The people doing this work were already stretched thin. Cross-industry surveys collected by Vanta found professionals spending 9.5 hours per week on compliance-related tasks in 2024, up from 8.1 hours in 2023, the equivalent of eleven full working weeks a year, while only 37% of compliance leaders, per a Gartner figure cited in the same compilation, felt fully confident in their ability to assess the effectiveness of their own programs. When the surface area of obligation expands faster than the workforce, automation stops being a luxury.

What It Looks Like Now: Control-to-Obligation Mapping at Scale

The present-day model inverts the old one. Instead of reconstructing compliance after an examiner asks, modern compliance-tracking systems maintain a living map between two things: the obligations imposed by every applicable framework, and the internal controls an organization operates to satisfy them. When a state amends a rule, the obligation node updates; the system flags which controls, and which owners, are now affected. Deadlines for solvency filings, annual statements and market-conduct data calls are tracked automatically rather than transcribed onto a wall calendar.

The mechanics rest on a normalized control library. Practitioners describe building "a unified control taxonomy that maps across frameworks, eliminating duplication and enabling machine-readable control relationships," so a single control can be evidenced once and credited against multiple obligations. The payoff is concrete: rather than gathering proof during audit season, evidence is captured continuously as work happens. The same cross-industry data show why teams pursue this, organizations estimate they could save three to five hours per week through automation, and more than 4.5 hours weekly from automating compliance-system monitoring and audit-evidence collection alone.

That intent is showing up in spending. The governance, risk and compliance software market was valued at roughly $21.04 billion in 2025 and is projected to reach $39.01 billion by 2031, a compound annual growth rate near 10.8%. The broader regulatory-technology category is climbing faster still: Allied Market Research estimates the RegTech market grew from $11.7 billion in 2023 toward a projected $83.8 billion by 2033, a 21.6% compound rate. Insurance carriers are explicitly named as an end-user segment driving that demand.

The most consequential present-day wrinkle is artificial intelligence, both as a compliance tool and as a regulated subject. Regulators have made clear that automation does not dilute accountability. The NAIC's Model Bulletin on the Use of Artificial Intelligence Systems by Insurers, adopted in December 2023, reminds carriers that decisions made or supported by AI must comply with all applicable insurance laws, and that documentation of an AI system program should be retained because regulators may request it during market-conduct actions. By early 2026, twenty-five jurisdictions had adopted the bulletin, and four states, California, Colorado, New York and Texas, had enacted their own AI frameworks, bringing the total with some form of insurance-AI regulation to roughly 28.

The Next Few Years: Continuous Assurance and the Trust Problem

The trajectory points toward continuous assurance, a state in which compliance posture is computed in near-real time rather than snapshotted before an exam. Practitioners increasingly describe systems that interpret regulatory language to identify control obligations, map requirements across multiple standards automatically, and analyze evidence from operational systems as it is generated. The examination itself is being reengineered to match: the NAIC is piloting an AI Systems Evaluation Tool with twelve participating states from January through September 2026, designed to help regulators probe how insurers govern AI during financial and market-conduct examinations, with adoption anticipated at the 2026 Fall National Meeting.

This is also where the risk lives. The same automation that promises continuous readiness introduces what compliance professionals describe candidly as model bias, lack of explainability, model drift and over-reliance on automated outputs. The cautionary principle, echoed across the field, is that AI in compliance "supports, but does not replace, human decision-making." Regulators are converging on the expectation that firms must evidence control, explainability and auditability whether or not AI is involved, and that human judgment, not automation bias, drove each material decision, backed by explainability logs and benchmarking against human review.

The deeper governance lesson is that an automated tracker is only as defensible as the data feeding it. As one risk-and-compliance analysis put it, AI-driven systems "must govern themselves," with documented model oversight, decision-logic records and continuous validation against drift. For insurers, the stakes are unusually concrete: the NAIC bulletin already warns that AI documentation will be requested during examinations, meaning an opaque compliance engine could itself become the subject of the exam it was bought to pass.

The Through-Line

The arc from binder to continuous assurance is, at bottom, a response to a mismatch. The obligation surface in insurance, fifty-one jurisdictions, dozens of model laws, thirteen lines of market-conduct reporting, escalating costs and examinations running at 1.6 times the baseline, long ago exceeded what manual methods could track honestly. Automated compliance tracking closes that gap by treating obligations and controls as living, mapped, machine-readable objects rather than entries in a filing cabinet. The technology will not absolve insurers of judgment; if anything, regulators are raising the bar on proof. But for an industry whose regulators now arrive expecting evidence captured in real time, the question is no longer whether to automate the tracking. It is whether the automation can withstand the same scrutiny it was built to survive.

Sources

1. R Street Institute, 2024 Insurance Regulation Report Card
2. National Association of Insurance Commissioners, Model Laws, Regulations and Guidelines
3. NAIC, Market Conduct Annual Statement (2024 data year participation and counts)
4. NAIC, Artificial Intelligence (Model Bulletin and AI Systems Evaluation Tool pilot)
5. NAIC Journal of Insurance Regulation, Artificial Intelligence and Insurance Regulation
6. Mordor Intelligence, GRC Software Market Size, Share & Growth (2026)
7. Allied Market Research, RegTech Market to Reach $83.8 Billion by 2033 (2025)
8. Vanta, Security and Compliance Statistics (compiling PwC, Coalfire, Gartner data)
9. Process Street, Insurance Spends $16 Billion a Year Proving Work Got Done (IRES 2026)
10. Insurance Bureau of Canada, The Rising Cost of Regulation (2025)
11. Insurance Council of Australia, The Cost of Regulatory Burden (2025)
12. International Compliance Association, AI in Compliance: Governance and Risks (2026)
13. Crowell & Moring, NAIC Intensifies AI Regulatory Focus (2026)
14. EQS Group, Compliance in 2026: AI Governance, Risk & Compliance Trends
15. Continuum GRC, How AI Is Redefining Governance, Risk, and Compliance (2026)