4 Practical Steps for Effective AI Governance

By Eric Lipton
While federal legislation remains under active consideration, Congress has not yet enacted a comprehensive federal law regulating artificial intelligence (AI). Recent executive orders have addressed AI at a high level, ranging from attempts to limit state regulation to efforts to promote national security and innovation. However, the ultimate scope and impact of federal action remain uncertain.

Given the rapidly evolving regulatory and business landscape, here are four steps agents may wish to consider as they evaluate and deploy new AI tools and functionality.
1) Establish AI policies and staff training. As an initial step, agents should consider adopting and maintaining written policies and procedures governing acceptable AI use within their business. Such policies and procedures help ensure that employees understand both the benefits and limitations of using AI technology, including when human review, revision and approval may be required or desired.
The Big “I” Office of General Counsel and Agents Council for Technology (“ACT”) issued a memo and sample Acceptable Use Policy for AI to assist agents in developing their own internal controls and governance practices.
Of course, effective governance requires more than simply sharing a written policy with staff. Agents should also consider AI-specific employee training and discussions. Key topics may include:
- Approved AI tools, vendors and use cases.
- Restrictions around using data that contains personal, confidential or sensitive information with AI systems.
- Procedures for reviewing and validating generative AI content and maintaining appropriate “human-in-the-loop” oversight of AI processes.
- Documenting and reporting AI-related issues, errors or concerns, such as bias, inaccuracy, and fabricated outputs—or “hallucinations”—before such outputs are used.
Proactively engaging staff can help agencies leverage AI across different facets of their business, while effectively reducing operational and compliance risks. The ACT Agency AI Labs program and the Trusted Choice® AI Marketing Toolkit provide helpful resources and outline some specific ways agents can reap the benefits of AI.

2) Consider AI risk management and compliance. The legal and regulatory landscape surrounding AI remains fluid and uncertain. Circumstances could evolve quickly, however, and agents will need to monitor and respond to relevant changes in the law.
Existing legal standards and regulatory requirements naturally may extend to instances and scenarios in which AI is used. Those who use AI systems in ways that could harm, mislead or otherwise adversely affect consumers should consider both the manner in which these tools are used and the implementation of mitigation controls and procedures.
A growing number of states, such as Maine and California, have enacted laws governing the use of chatbots and similar AI technology. Depending on the type and use of the chatbots, some of these jurisdictions may require clear and conspicuous disclosures informing consumers that they are interacting with an AI and not a human. Agents who utilize chatbots of this nature may wish to consider making such disclosures even if not required by law. Proactive measures may help avoid uncertainty and strengthen customer trust.
Chatbot and note-taking AI may raise other potential issues to consider, such as all-party consent for recording of conversations and anti-wiretapping laws in certain jurisdictions. Given an increase in litigation alleging violations under these or similar types of existing laws, businesses may also wish to consider implementing functionality to collect and memorialize consents to recording and tracking activity in connection with AI-related tools in certain jurisdictions.
Although the regulatory landscape remains uncertain, some key areas to evaluate and monitor may include:
- Procedures for verifying the accuracy of AI-generated content and maintaining human review and oversight of AI processes, including autonomous or agentic AI processes.
- Retention of AI-related records and supporting documentation where appropriate.
- Whether the use of AI could create exposures not fully addressed by coverage, in light of emerging market trends ranging from policy exclusions related to generative AI risks to recent affirmative AI-related coverage offerings.
3) Conduct an AI inventory. Agents should consider documenting AI uses across their operations, including standalone AI tools, embedded AI features and other AI-enabled solutions. Maintaining an inventory can help an agency better understand where and how AI is or may be used in its operations both safely and effectively.
In particular, an inventory may help identify:
- How AI accesses, processes or stores agency and customer data.
- Whether personal, confidential or sensitive data is involved.
- How AI interacts with agency clients or prospects.
- Whether AI influences recommendations, communications or decisions.
- The intended purpose, benefits and risks of each use case.
When evaluating AI use, it is important to consider both third-party and internally developed AI solutions. Note that many service providers publish AI model cards or similar documentation describing key details about an AI model’s design, intended use, limitations and training data sources. To the extent possible, agents may wish to request and retain this information as part of their governance process.
4) Broaden vendor due diligence to cover AI. Due diligence remains critical before onboarding new technology providers, whether using AI or not. Agents should carefully review their third-party service provider contracts, as well as any settings, guidelines or “standard” terms that may be incorporated by reference. It is especially important to consider what representations and disclaimers providers make about AI and data management.
Some key questions to consider include:
- Is the provider permitted to use agency or client data to train AI models?
- Can the provider introduce new or embedded AI functionality without express notice and approval?
- What other AI usage requirements and contractual obligations exist?
- What specific controls exist to address potential security incidents, service interruptions or AI-related errors?
- What warranties, indemnities, limitations of liability and insurance coverages apply with respect to data privacy and security and AI?
The Big “I” offers a variety of resources to assist agents with vendor evaluation, including key questions to consider and related checklists from ACT, as well as the OGC Guide to Service Provider Contracts that provides high-level guidance and sample contract terms.
Catalyit also provides detailed technology guides and resources relating to AI that agents may wish to explore, including a solution provider directory with information on more than 100 providers offering AI capabilities.
By taking some practical steps now to establish a thoughtful AI governance framework, agents can responsibly leverage AI’s many benefits, while staying prepared for more business and regulatory changes in the future.
If you have any further questions about this or related topics, contact Wes Bissett, Kasey Connors, Nancy Germond, Scott Kneeland or Eric Lipton.
Eric Lipton is Big “I” senior counsel.













