AI policy & governance for Lincoln companies — written to your real risk posture
An AI use policy your board can stand behind, an approved tool list your IT team will enforce, and a quarterly review cadence that keeps both alive. Backed by NAIC, OCC, and HHS guidance where it applies — relevant for Ameritas-class insurers, Nelnet-class fin-services, Bryan-class healthcare, and the firms serving them.
Text Rosey · Schedule a call →
How we run this in Lincoln
Same method anywhere; the local context shapes the work.
- Map what AI is actually in use today — sanctioned, shadow, embedded in vendor products. You can't govern what you can't see.
- Identify the regulators whose guidance applies. NAIC + Nebraska IGD-H1 for insurers. OCC/FDIC interagency third-party guidance + OCC 2026-13 model risk for banks (note that 2026-13 excludes generative and agentic AI from its scope, so those tools are governed by the third-party guidance and your own policy until the anticipated interagency guidance lands). HIPAA Security Rule + Section 1557 for healthcare. NITC 8-609 if you're contracting with the State of Nebraska.
- Draft the AI use policy with your Legal team. Approved tools, prohibited data, review standards, escalation paths, attestation.
- Stand up the AIS Program governance for insurers (per NAIC §4) — accountability, monitoring, third-party oversight.
- Build the approved tool list jointly with IT and Security. Verify each tool's data residency, retention, BAA terms, and training opt-outs against its contract and admin console, not its marketing page.
- Set a quarterly review cadence. Tools change, regulators publish, threats evolve.
What you get
- AI use policy (10–15 pages, your tone, your risk posture, your Legal team's sign-off)
- Approved AI tool list with IT/Security review per tool
- AIS Program documentation (insurers) aligned to NAIC Model Bulletin §4
- Third-party AI vendor due-diligence template (per OCC 2023-17 / FDIC FIL-29-2023)
- Attestation workflow — staff sign-off, tracked
- Quarterly review playbook — what to re-check, who reviews, when
90-day shape
Two weeks understanding your current AI surface, regulatory exposure, and existing policies. Find the gaps before we draft.
6–8 weeks of policy drafting + AIS Program build + tool-list review, in working sessions with your Legal, IT, Security, and HR leads.
Two weeks rolling out the policy — staff attestation, manager training, IT enforcement. Quarterly cadence handed off.
FAQ — from Lincoln leaders
- Do we really need an AI policy if we're just using ChatGPT for emails?
- Yes. SHRM 2026 found only 49% of organizations have AI use policies, and Express-Harris found only 36% provide approved tool lists. Without those, every employee is making their own data-handling decisions. That is exactly how PII ends up pasted into a free-tier consumer chatbot whose retention and training terms you never reviewed.
- We write business in Nebraska as an insurer. What does IGD-H1 require?
- Nebraska adopted the NAIC AI Model Bulletin via IGD-H1 in June 2024. You need a written AIS Program covering governance, risk management, third-party oversight, testing/validation, and consumer protection — applied to AI in underwriting, pricing, marketing, claims, and fraud detection.
- We contract with the State of Nebraska. Does NITC 8-609 apply?
- If you operate AI systems on behalf of state agencies, yes. NITC Standard 8-609 governs AI systems owned, used, or managed by the state — agencies must consult OCIO Security Risk Mitigation and Compliance and complete privacy impact assessments and security reviews. Vendors get pulled into that workflow.
- How often should we update the policy?
- Quarterly minimum. SHRM 2026 found only 25% of orgs with AI policies feel they are 'future-proof.' Tools change, regulators publish, model behavior shifts. Your policy is a living document.
- Who signs the policy?
- Board adoption, executive sponsorship (typically CEO or COO), staff attestation. For insurers, the AIS Program owner is named in the documentation. For healthcare, the Privacy/Security Officer must be in the chain of approval.
Sources
- Only 49% of organizations have AI use policies — The State of AI in HR 2026, SHRM (Society for Human Resource Management), 2026
- Of organizations with AI policies, only 25% feel those policies are 'future-proof' — The State of AI in HR 2026, SHRM (Society for Human Resource Management), 2026
- 47% of nonprofits have no formal AI governance policy — The 2026 Nonprofit AI Adoption Report, Virtuous and Fundraising.AI, 2026
- Insurers must develop, implement, and maintain a written AI Systems (AIS) Program for the responsible use of AI systems making or supporting decisions related to regulated insurance practices — Model Bulletin on the Use of Artificial Intelligence Systems by Insurers, National Association of Insurance Commissioners (NAIC), 2023
- OCC Bulletin 2026-13 explicitly excludes generative AI and agentic AI from its scope; an interagency RFI on those technologies is anticipated — Model Risk Management: Revised Guidance, Office of the Comptroller of the Currency (OCC), with FDIC and Federal Reserve, 2026
- Only 36% of companies provide a list of approved or preferred AI tools — 8 in 10 Employees Say They Need AI Training — After Their Companies Already Rolled Out the Tools, Express Employment Professionals (Harris Poll fielding), 2026
Text Rosey to begin.
Rosey is our executive-assistant bot. Text the number below — she'll ask two questions, offer three calendar slots, and put a 30-minute call on Jim's calendar.