State, Global & Industry AI Frameworks

Beyond the Core: A Growing Regulatory Map

Alongside the EU AI Act, NIST AI RMF, and ISO 42001, organizations face a growing set of state laws, international standards, and industry-specific requirements. Trustible covers them all.

Colorado SB 21-169 · Colorado AI Act (SB 24-205)

Colorado AI Governance

Colorado has been among the most active state legislatures in the US on AI governance. SB 21-169 establishes insurance-specific AI requirements with annual certification obligations. The broader Colorado AI Act (SB 24-205) extends consumer protection requirements for high-risk AI across multiple sectors.

Colorado SB 21-169: Insurance AI

Governs use of external consumer data, algorithms, and predictive models to prevent unfair discrimination in regulated insurance practices. Effective 2022 with annual compliance certification to the Colorado Commissioner of Insurance.

REQUIREMENT: WHAT IT MEANS
Written AI Governance Program: A documented program covering all AI systems in regulated insurance practices, not just a policy but an operational process with defined roles and documentation standards.
Board-Level Accountability: Boards and C-suite executives engaged with AI risk, informed about significant AI systems, and accountable for program adequacy.
Bias Testing and Validation: Active testing for unfairly discriminatory outcomes across protected classes, with documented methodology and results available for regulatory examination.
Third-Party Vendor Oversight: Contractual and operational oversight of AI from vendors; insurers cannot delegate accountability for AI they use to the vendor.
Annual Compliance Certification: Regulated entities must certify compliance to the Commissioner of Insurance each year.

Colorado AI Act (SB 24-205)

Colorado’s broader AI Act extends high-risk AI consumer protections across sectors including insurance, employment, education, healthcare, and financial services. Organizations subject to both laws will find significant overlap in governance activities — all managed in a single Trustible program.

How Trustible Supports Colorado Compliance

TRUSTIBLE CAPABILITY: HOW IT SUPPORTS COMPLIANCE
AI Inventory: Centralizes all AI systems, models, and external data sources with ownership and assessment history.
Risk Management: Structured risk assessments evaluate each AI system for bias and discriminatory impact, with inherent and residual risk scoring and mitigation tracking.
Insights Taxonomies: Expert-curated risk categories address fairness, bias, and discriminatory outcomes with relevant incident data and mitigation options.
Model and Vendor Evaluations: AI-assisted analysis of vendor documentation surfaces transparency gaps for third-party AI and external data providers.
Reporting & Dashboards: Compliance reporting generates audit-ready evidence for regulatory review and supports annual certification requirements.

Your First 90 Days

Day 30: Inventory AI and External Data Sources

Identify and document all AI systems, external consumer data sources, algorithms, and predictive models in use within regulated business functions.

Day 60: Assess Bias and Discriminatory Risk

Launch structured bias and fairness assessments for each identified AI system. Document testing methodology and results.

Day 90: Operationalize and Certify

Connect AI governance workflows to internal policies and vendor oversight processes. Generate documentation for annual certification and regulatory audit readiness.

Colorado AI FAQs

Does SB 21-169 require specific testing methods?

The law specifies outcomes — no unfair discrimination — rather than prescribing specific testing methodologies. Regulated entities have flexibility in how they test, provided they can document methodology and results.
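Because the law fixes the outcome (no unfair discrimination) but not the method, the practical question for the Day 60 bias assessments above is what a documented test looks like. The following is an added example, not Trustible code and not a method SB 21-169 mandates: an adverse impact ratio check (the "four-fifths rule" used in employment selection analysis) run over a constructed decision log. The group labels, the 0.8 threshold, the minimum group size, and the sample outcomes are all assumptions made for illustration; a real test would draw the same (group, outcome) pairs from the model's decision records and would usually be paired with further analysis before any conclusion is drawn.

```python
"""Adverse impact ratio (four-fifths rule) check over AI decision outcomes.

Added example: not Trustible code and not a method mandated by SB 21-169.
Group labels, threshold, minimum group size and data are assumptions.
"""
from collections import defaultdict
import json


def _decisions(group, favourable, total):
    """Build `total` (group, favourable?) pairs, the first `favourable` of them True."""
    return [(group, i < favourable) for i in range(total)]


# Constructed sample: (protected-class group, favourable outcome?) pairs, shaped
# like an export from an underwriting or pricing model's decision log.
SAMPLE_DECISIONS = (
    _decisions("A", 40, 50)    # 80% favourable
    + _decisions("B", 30, 50)  # 60% favourable
    + _decisions("C", 36, 45)  # 80% favourable
    + _decisions("D", 1, 3)    # too few records to draw a conclusion
)


def selection_rates(decisions, min_group_size=20):
    """Favourable-outcome rate per group. Groups below min_group_size are
    reported as untestable rather than scored: tiny samples give unstable rates."""
    counts = defaultdict(lambda: [0, 0])  # group -> [favourable, total]
    for group, favourable in decisions:
        counts[group][1] += 1
        if favourable:
            counts[group][0] += 1
    rates, skipped = {}, []
    for group, (fav, total) in counts.items():
        if total < min_group_size:
            skipped.append(group)
        else:
            rates[group] = fav / total
    return rates, sorted(skipped)


def adverse_impact_ratios(decisions, min_group_size=20):
    """Each group's selection rate divided by the highest group's rate.
    Returns ({group: ratio}, skipped_groups). Ratios are None when no group has
    any favourable outcome: the ratio is undefined, which is not the same as fair."""
    rates, skipped = selection_rates(decisions, min_group_size)
    if not rates:
        return {}, skipped
    reference = max(rates.values())
    if reference == 0:
        return {g: None for g in rates}, skipped
    return {g: r / reference for g, r in rates.items()}, skipped


def flag_groups(decisions, threshold=0.8, min_group_size=20):
    """Groups whose ratio falls below the threshold (0.8 is the four-fifths rule)."""
    ratios, _ = adverse_impact_ratios(decisions, min_group_size)
    return sorted(g for g, r in ratios.items() if r is not None and r < threshold)


def bias_test_report(decisions, threshold=0.8, min_group_size=20):
    """Methodology and results in one record, so the test can be retained as
    evidence for examination and re-run unchanged at the next review cycle."""
    rates, skipped = selection_rates(decisions, min_group_size)
    ratios, _ = adverse_impact_ratios(decisions, min_group_size)
    return {
        "method": "adverse impact ratio vs highest-rate group (four-fifths rule)",
        "threshold": threshold,
        "min_group_size": min_group_size,
        "records": len(decisions),
        "selection_rates": {g: round(r, 4) for g, r in rates.items()},
        "ratios": {g: (None if r is None else round(r, 4)) for g, r in ratios.items()},
        "flagged": flag_groups(decisions, threshold, min_group_size),
        "untestable_groups": skipped,
    }


if __name__ == "__main__":
    print(json.dumps(bias_test_report(SAMPLE_DECISIONS), indent=2))
```

On the constructed sample, group B's rate (0.60) is 0.75 of the best-performing group's (0.80) and is flagged; group D is listed as untestable rather than passed, which is the distinction an examiner will ask about. The report records the threshold and minimum group size alongside the results, since the flexibility the law grants only helps if the choices made can be shown later.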

How do SB 21-169 and SB 24-205 relate?

SB 21-169 established insurance-specific AI governance requirements. SB 24-205 establishes broader requirements for high-risk AI across multiple sectors. Organizations subject to both will find significant overlap in governance activities, all of which Trustible manages in a unified platform.

Global AI Governance Frameworks

Multinational enterprises face the compounding complexity of managing frameworks from multiple jurisdictions alongside EU and US requirements. Trustible’s cross-framework architecture handles this by mapping governance activities to every applicable framework simultaneously — no separate compliance track for each jurisdiction.

Voluntary Framework · Published by IMDA and PDPC · Updated 2020

Singapore Model AI Governance Framework

Singapore’s framework provides detailed, implementable guidance for deploying AI in a responsible, human-centric manner. Widely adopted by enterprises operating in Singapore and increasingly referenced in APAC procurement and regulated sector contexts.
DECISION AREA: DESCRIPTION
Decision Area 1, Internal Governance Structure: Designated roles, internal policies, risk management processes, and board-level accountability for AI decisions.
Decision Area 2, Human Involvement Calibration: Calibrating human oversight based on severity of impact, AI system accuracy, and reversibility of harm.

Four Guiding Principles

Accountability

Organizations take responsibility for AI outputs, even when using third-party models.

Human-Centricity

AI should augment human decision-making, not replace it in high-stakes contexts.

Transparency

Stakeholders should understand how AI systems make decisions and what data they use.

Fairness

AI systems should not discriminate based on protected characteristics.

Government Standard · Digital Transformation Agency · Active

Australia AI Technical Standard

The DTA’s technical standard translates Australia’s eight AI Ethics Principles into operational requirements for Commonwealth agencies. Private sector organizations selling AI to government find that meeting the Standard’s requirements is an increasingly practical expectation for procurement.

Australia's Eight AI Ethics Principles

Human, Societal and Environmental Wellbeing

Human-Centered Values

Fairness

Privacy Protection and Security

Reliability and Safety

Transparency and Explainability

Contestability

Accountability

How Trustible Supports Global Framework Alignment

TRUSTIBLE CAPABILITY: HOW IT SUPPORTS COMPLIANCE
Unified Governance Infrastructure: The AI Inventory, intake workflows, risk assessments, and policy management that satisfy NIST AI RMF and EU AI Act requirements also satisfy the core governance requirements of Singapore's and Australia's frameworks.
Human Oversight Calibration: Trustible's risk scoring engine calibrates governance intensity to AI risk level, automatically routing higher-risk use cases to deeper review and human approval gates.
Third-Party AI Governance: Model and Vendor Evaluations apply the accountability principles both frameworks require to AI embedded in vendor-supplied tools.
Multi-Framework Mapping: Governance activities map to ISO 42001, NIST AI RMF, and applicable EU and US requirements simultaneously.

Industry-Specific AI Governance

General-purpose frameworks give organizations a foundation. Industry-specific frameworks give them the detail that matters — the risk categories, regulatory context, and compliance expectations unique to each regulated sector. Trustible layers sector-specific intelligence on top of general AI governance infrastructure.

US Insurance

Insurance AI Compliance: NAIC, NYDFS, and Colorado

Three regulatory frameworks. One governance program. US insurance regulators have converged on the same core governance expectations. Trustible consolidates compliance across the NAIC Model Bulletin, NYDFS guidance, and Colorado SB 21-169 simultaneously.

FRAMEWORK: WHAT IT REQUIRES
NAIC Model Bulletin: The national baseline for US insurer AI governance, adopted by a growing number of state insurance regulators. Requires written governance programs, board accountability, fairness testing, and vendor oversight.
NYDFS AI Guidance: New York's examination-ready governance expectations, including consumer transparency and senior management accountability for AI systems and external consumer data used in underwriting and pricing.
Colorado SB 21-169: Annual compliance certification, bias testing requirements, and written governance programs for Colorado-regulated insurers.

Healthcare · Trustible is a CHAI Partner

Healthcare AI — CHAI Governance Framework

The Coalition for Health AI's governance guidelines address responsible AI in clinical and operational healthcare settings, where model failures carry patient safety implications. Trustible is a CHAI partner, and its platform reflects the requirements of the CHAI Responsible AI Guide.

CHAI's Six Core Governance Principles

Trustworthiness

AI systems should perform consistently and reliably across patient populations and clinical environments.

Equity

AI systems should not perpetuate or worsen health disparities. Governance must actively assess and mitigate algorithmic bias.

Transparency

Healthcare organizations must be able to explain AI system inputs, logic, and outputs to clinicians, patients, and regulators.

Accountability

Clear organizational accountability for AI governance outcomes with defined roles for clinical AI ownership and oversight.

Privacy and Security

AI systems must meet HIPAA requirements and handle protected health information in compliance with applicable law.

Safety

Patient safety implications of AI system failures must be explicitly assessed and mitigated.

Regulatory Context

FDA AI/ML SaMD

AI systems that meet the definition of a medical device require FDA clearance or approval, with post-market monitoring requirements.

ONC Health IT Certification

AI embedded in certified health IT products may be subject to ONC transparency and non-discrimination requirements.

HIPAA

AI systems processing protected health information must comply with HIPAA’s Privacy and Security Rules.

State AI Legislation

An expanding set of state laws impose specific requirements on health-related AI applications.

How Trustible Supports Industry-Specific Governance

TRUSTIBLE CAPABILITY: HOW IT SUPPORTS COMPLIANCE
Insurance AI Inventory: Pre-populated templates for underwriting, pricing, claims, fraud, and customer service AI, capturing insurance-specific governance context.
Healthcare AI Inventory: Clinical AI use case templates capturing CHAI-relevant context, including clinical purpose, validation status, affected populations, and FDA regulatory status.
Sector-Specific Risk Taxonomies: Insights Taxonomies include insurance-specific risks (unfair discrimination, explainability gaps, adverse action obligations) and healthcare-specific risks (patient safety, health equity, clinical validation).
Vendor Governance: Structured evaluations for third-party AI vendors (EHR-embedded AI, insurance scoring models, algorithmic underwriting tools) with AI-assisted documentation analysis.
Multi-Framework Mapping: Industry framework governance activities map alongside NIST AI RMF, ISO 42001, the EU AI Act, and applicable state requirements simultaneously.

See How Trustible Operationalizes Colorado AI Compliance in a Unified Governance Program.