Software demonstrations are a key part of the sales cycle and your evaluation of competing software products.

  • Software vendors will wow you with features and functionality.
  • You need to step back and ensure you have an objective system to evaluate the software and functionality across competing product demonstrations.

Vendors will sometimes show specific demonstration software that has little resemblance to the software you will implement.

  • You need to question everything you see and ensure that what you are shown is real and represents the product you are going to buy.
  • How do you get the most out of software demonstrations, and how do you overcome the fundamental flaws of software demos?

I discuss these issues in my latest video.

#erplawyer #erpcommunity #erpfailure #saps4hana #oraclecontracts #softwarelawyer #sapservices #saphanacloudplatform #saas #erpcloud #teamtaft #sapcontracts #oraclelawsuit #oraclefailure #oracletermination #saptermination

Adopting technology for the sake of adopting technology rarely makes sense. This is true for Artificial Intelligence.

  • AI is the shiny new object right now.
  • ERP software vendors are rushing to incorporate AI functionality into their products.

To utilize AI, you must have a well-thought-out strategy for selecting, implementing, and using AI.

  • You need to ensure you have a business case for AI.
  • You must ensure you understand the risks and how to mitigate those risks.

If you don’t understand your business processes and how to utilize artificial intelligence functionality, you can’t have a strategy for using AI.

  • This makes it challenging to understand your risks and how to mitigate them.

I discuss these issues in this clip from my latest video.

Shelfware is software that you are no longer using or no longer need.

  • It can range from too many users.
  • It can be modules you no longer need or functionality that no longer meets your needs.

The first step is avoiding getting into this situation.

  • You can’t just rely on what your salesperson recommends or what your competitors are doing.
  • You need to understand your present state, your business processes, and what your future state will look like.

From a legal perspective, the goal is to ensure that the contract includes as much flexibility as possible regarding usage metrics and restrictions.

  • Ideally, you want the ability to swap unused functionality, licenses, and users for other functionality.
  • You want to include future options in the contract so that you can ramp up over time.
  • You also want to include the ability to remove users/licenses, etc., from the contract without penalty.

We have developed novel approaches that software vendors are likely to agree upon.

  • Focusing on change management and what your users need is one of the best ways to avoid shelfware.
  • Having the flexibility to swap users, modules, and functionality is great, but if your organization is reluctant (or refusing) to use the software, future options and swapping SKUs are not going to save you.

I discuss these issues in my latest video.

What are the advantages of using best-of-breed solution providers and deploying a multi-cloud implementation model?

  • Some of the advantages are choosing the best service/product for the job, optimizing different infrastructures, and maintaining flexibility.
  • But what are the risks?
  • Increased complexity and the need to manage multiple vendors increase the likelihood of an ERP implementation failure.

I discuss these issues in my latest video.

#saps4hana #saas #erplawyer

Your data is valuable and ERP vendors know this.

  • They are including language in their contracts giving them not only the right to use your data to train their AI models, but the right to extract fees if you want other software products to access the data you input into your ERP system.
  • What is worse is that they will find a way to charge you to access data that you have input into your ERP system.

How can you prevent this?

  • What strategies can you use to mitigate risk and lower costs?

I discuss these issues in this clip from my latest YouTube video.

#erplawyer #erpcommunity #erpfailure #saps4hana #oraclecontracts #softwarelawyer #sapservices #saphanacloudplatform #saas #erpcloud #teamtaft #sapcontracts #oraclelawsuit #oraclefailure #oracletermination #saptermination

With the change in administrations and the rapid evolution of technology, business leaders and their legal advisors now more than ever need information to help them navigate the constantly shifting technology landscape.

In this one-hour presentation, Taft Partners Jackie Benson, Scot Ganow, Zach Heck, and Bill Wagner discuss some key things to know in the first quarter of 2025.

  • Getting Your Arms Around Data Privacy and Protection in 2025. Just. Get. Started.
  • Strategies for Cyber Insurance: Getting (and Staying) Insured.
  • AI Regulation in 2025: National.
  • AI Regulation in 2025: Colorado.

1.00 hour of CLE credit pending for Arizona, Colorado, Indiana, Illinois, Kentucky, Minnesota, and Ohio.

In-Person Registration

Taft Denver: 675 Fifteenth Street Suite 2300, Denver, CO 80202. In-person attendees should kindly RSVP by March 6.

Webinar Registration 

The Google Threat Intelligence Group revealed a chilling reality: nation-states are weaponizing AI tools like Gemini for sophisticated cyberattacks. This new frontier of AI-powered fraud demands immediate attention from business leaders and general counsel, who stand at the confluence of technology, data security, and governance.

Recent Incidents and the Evolving Sophistication of These Attacks

Generative AI, like the tools used by these cybercriminals, can create highly convincing text, images, voice recordings, and even video interactions that are nearly impossible to distinguish from genuine content. In the report Adversarial Misuse of Generative AI, the Google Threat Intelligence Group explains how more than 20 countries have used Google’s generative AI tool named Gemini for nefarious purposes, including cyber espionage, destructive computer network attacks, and attempts to influence online audiences in a deceptive, coordinated manner.

The report explains how cyber criminals, especially in Iran, China, and Russia, are using Gemini to create impeccably real AI-generated content to facilitate advance phishing techniques and fraudulent wire transfer requests. The report states that criminals are using Gemini for research; content generation, including developing personas and messaging; translation and localization; and to find ways to increase their reach.

The criminals are also using Gemini to teach them how to deliver a payload to access a company’s network system, to move laterally within the network, to evade detection and privilege escalation, and to remove data.

AI-enabled social engineering has improved the ability of cybercriminals to create highly personalized and more sophisticated content than historical social engineering attempts. Cybercriminals are increasingly using AI to create realistic and interactive audio, video, and text that allows them to target specific individuals by email, telephone, text, videoconferencing, and online postings. Some recent examples are listed below.

Video

In February 2024, a Hong Kong finance worker was tricked into transferring $25 million to criminals after they set up a video call in which the other five people participating, including the company’s chief financial officer, was a video deepfake.

Voice Recordings

In August 2019, a senior executive at a UK-based energy firm was tricked into wiring approximately $243,000 based on an AI-generated voice deepfake that accurately mimicked the distinct German accent of the chief executive of the firm’s parent company, who requested an urgent wire transfer of funds.

Facial Recognition

In June 2024, criminals used deepfake technology to bypass facial recognition security measures allowing them to steal $11 million from a company’s cryptocurrency account.

Fake Resumes

In May 2024, the U.S. Department of Justice said more than 300 U.S. companies unknowingly hired foreign nationals with ties to North Korea for remote IT work, sending $6.8 million of revenues overseas in a sprawling fraud scheme that helped the country fund its nuclear weapons program.

Immediate Action Steps for Companies

To protect companies from falling victim to AI-generated wire transfer or other payment scams, take the following action steps:

  1. Designated Payment Account: Specify that payments to a vendor will only be made to a single, designated bank account, and any changes to this account must be made in writing and verified through a secure, pre-established process. The vendor must designate the bank account in the vendor’s contract or through a binding vendor payment agreement. Remind vendors of the designated payment account and verification process by disclaimers and statements in purchase orders.
  2. Verification Process: Establish a multi-step verification process for any changes to a vendor’s payment information. The process should include:
    • Written notice from the vendor requesting the change on official letterhead;
    • Verbal confirmation from two designated vendor representatives, whereby the company calls each vendor representative separately using pre-established phone numbers to confirm their authorization of the change;
    • Management review, confirmation, and approval of the payment information change; and
    • A waiting period of at least 48 hours before any changes are implemented.
  3. Regular Account Verification: Establish a schedule for regular verification of vendor’s payment information, such as annual confirmations of the authorized representatives and their phone numbers. Document the verifications. For companies with hundreds or even thousands of vendors, prioritize which are contacted by using the deductible as a cutoff. For instance, for a $50,000 deductible, make it a priority to verify the information of vendors who regularly receive payments in amounts of more than $50,000.
  4. Training Staff: Train employees to presume that any request to change a vendor’s payment information is fraudulent. Conduct regular cybersecurity training to alert employees, management, and IT staff to the threats posed by AI-generated wire transfer or other payment scams. Document the training.
  5. Risk Assessments: Conduct regular AI-focused risk assessments to measure how well employees are following established data security protocols. Consider conducting simulated attacks on the employees and management who have the authority to update a vendor’s payment information. Do those employees notice and act on banner warnings for emails that originate outside of the company or from email addresses from which they normally do not receive emails? Are they performing and documenting the call back requirements?
  6. Update Policies and Procedures: Keep up to date on the new ways in which cybercriminals are attacking their victims. Take those new attack methods into consideration when reviewing and updating payment verification procedures, which should be regularly and no less than annually.
  7. Confidentiality and Security: Require each vendor to represent and warrant that it will maintain strict confidentiality of vendor payment instructions, the identities and contact information of the vendor’s authorized representatives and follow best practices to maintain security measures to protect their email and other communication systems.
  8. Establishing Binding Authority: Clearly state in contracts or vendor payment agreements that only specific, named individuals designated by the vendor have the authority to request changes to the vendor’s payment information and that their actions are binding on the vendor.
  1. Liability Clause: Include a clause that states the vendor releases the company of any liability and agrees to hold it harmless from any losses, damages, and legal actions resulting from fraudulent wire transfer requests originating from the vendor’s compromised systems. Specify that the vendor bears responsibility for any losses resulting from compromised email accounts or false instructions originating from their end. This is especially important because there is case law holding the company remains obligated to pay its vendor if the vendor was unaware of the fraud and the company was in the best position to avoid the loss.
  2. Indemnification Clause: Include a clause that states the vendor agrees to defend and indemnify the company, from any losses, damages, and legal actions resulting from fraudulent payment requests originating from the vendor’s compromised systems and authorizations obtained following the verification process from the vendor’s designated authorized representatives who are contacted using the vendor’s designated phone numbers.
  3. Audit Rights: Include a clause allowing the company to audit the vendor’s security practices related to payment instructions, changes to payment instructions, and email communications. Include the right to review the vendor’s cyber insurance coverage to ensure that the insurance coverage is adequate and will actually protect the company in the event of a loss requiring indemnification. Again, prioritize which vendors to audit based on covering the deductible or the company’s tolerance for how much money it is willing to lose if the insurance coverage turns out to be inadequate.
  4. Dispute Resolution: Specify a clear process for resolving any disputes related to payment instructions, including governing law and jurisdiction.
  5. Termination Rights: Reserve the right to immediately terminate the agreement if there’s evidence of fraudulent activity or repeated suspicious requests from the vendor.

Incorporating these terms and conditions can significantly reduce the risk of falling victim to email scams and protect the company from potential losses due to fraudulent payment scams.

Conclusion

As AI technology rapidly evolves, so do the threats to companies’ financial security. Implementing robust safeguards against AI-generated fraud is no longer optional — it’s critical to businesses. In Taft’s upcoming articles, insurance coverage and legal remedies available to companies victimized by AI-generated fraud will be explored.

Software audits are never random. If you are being targeted, the ERP vendor believes there is a revenue opportunity with your use of the software.

  • ERP vendors take advantage of ambiguous terms in the contract governing the scope of use of the software.
  • They also have no incentive to be accurate in their audit of the software.

If you are facing an audit, you need to have a plan to push back.

  • The audit report they generate to justify the imposition of additional fees is almost always exaggerated, unreasonable and one sided.
  • You can never take it at face value.
  • If you suspect you are going to be audited (or are being audited), it makes sense to conduct a self-audit based on your own reasonable interpretation of the contract.

Having that baseline can be invaluable in pushing back on the software vendor’s allegations and demands for additional fees.

I discuss strategies for dealing with aggressive software audits in my latest YouTube video.

#erplawyer #erpcommunity #erpfailure #saps4hana #oraclecontracts #softwarelawyer #sapservices #saphanacloudplatform #saas #erpcloud #teamtaft #sapcontracts #oraclelawsuit #oraclefailure #oracletermination #saptermination

What Is It

A trademark holder may file a complaint alleging trademark infringement against hundreds of defendants identifying them as the “Individuals, Corporations, Limited Liability Companies, Partnerships and Unincorporated Associations” on Schedule A, which may be filed separately from the complaint or under seal. Infringers often use an alias and as a result, the actual names and locations of many of the defendants are unknown to the plaintiff. In such case, the plaintiff may list the assumed names on Schedule A.

Why File Schedule A Cases

After filing the complaint and Schedule A, the plaintiff may file an ex parte motion for a temporary restraining order (TRO) against the “secretly named” defendants before they can transfer their assets or destroy evidence. As a result, the defendants do not receive notice of the proceedings nor an opportunity to appear. Instead, if the court grants the TRO, the plaintiff presents the TRO to the internet marketplaces demanding that they stop selling infringing or counterfeit products and sends the TRO to the merchants to freeze the defendants’ accounts. This is typically when the defendants first learn of the lawsuit against them.

Additionally, because plaintiffs can bring hundreds of defendants selling their counterfeit or infringing products into one case, plaintiffs can save on attorneys’ fees and costs, rather than litigating numerous cases across the country.

Northern District of Illinois

Schedule A cases are common in the Northern District of Illinois (Northern District). For example, from January 3, 2013, through February 14, 2025, roughly 4,207 Schedule A cases were filed in the Northern District based on a trademark docket search conducted in Westlaw where defendants’ names included “Partnerships and Unincorporated Associations.” One judge in the Northern District went so far as to say “[i]t has become the Northern District of Illinois vs. the Internet.” BRABUS GmbH v. Individuals Identified on Schedule A Hereto, 20-CV-03720, 2022 WL 7501046, at *1 (N.D. Ill. Oct. 13, 2022). This is also due, in part, to the Northern District becoming a popular forum for granting ex parte TROs. However, not all judges in the Northern District are familiar with Schedule A cases.

Best Practices in Filing Schedule A Cases

Due Diligence in Preparing Schedule A

It is imperative that the plaintiff and its counsel conduct due diligence when gathering the list of defendants on Schedule A. Otherwise, the plaintiff may be ordered to pay the attorneys’ fees and costs of the improperly joined defendants like in Opulent Treasures, Inc. v. the Individuals et. al., Case No. 23-cv-14142 (N.D. Ill. April 8, 2024) (ECF No. 94). In Opulent, the plaintiff prevailed on an ex parte TRO against more than 200 defendants, including two affiliates of defendant, Ya Ya Creations, Inc. (Ya Ya), an active defendant in a lawsuit the plaintiff filed in California federal court based on the same set of facts as the Northern District case. Id. at ECF No. 94 at 1-2. It was not until after Ya Ya incurred substantial attorneys’ fees and costs that the plaintiff realized its mistake in including the two affiliates in this case. Id. As a result, the court ordered the plaintiff to pay $98,276.20 to Ya Ya. Id. The court reasoned that a bad faith finding was not required to avoid sanctions. Id. at 3. Rather, fee reimbursements are warranted under Rule 11 of the Federal Rules of Civil Procedure (Rules) when, like here, a “reasonable inquiry” could have prevented the increased litigation costs. Id. at 3-4.

Review the Court’s Standing Order

For example, in the Northern District, many district judges have standing orders addressing various requirements for Schedule A cases. At least one judge has her own standing order for Schedule A cases, which includes citations to pertinent case law covering personal jurisdiction, joinder, service of process via electronic means as well as what must be included in TROs. Additionally, many Northern District judges include templates for submitting proposed orders for TROs, preliminary injunctions, and default judgments and require any deviation from the templates to be redlined and explained to the court. Moreover, some include a schedule of information that must be filed for cases seeking ex parte injunctive relief where Schedule A was filed under seal. Further, some Northern District judges require a $1,000 bond for each defendant named in Schedule A, which can add up quickly if the plaintiff is suing hundreds of defendants.

The Importance of Joinder

In Schedule A cases where the defendants are too numerous or unconnected, plaintiffs may be required to file a memorandum addressing whether joinder is proper under Rule 20(a)(2). At least one judge in the Northern District invites plaintiffs in her standing order to amend Schedule A instead of filing such memorandum. Pursuant to Rule 20(a)(2), defendants may be joined in a single action if: “(A) any right to relief is asserted against them jointly, severally, or in the alternative with respect to or arising out of the same transaction, occurrence, or series of transactions or occurrences; and (B) any question of law or fact common to all defendants will arise in the action.” Fed. R. Civ. P. 20(a)(2).

As the court in Bose Corp. v. Partnerships & Unincorporated Associations Identified on Schedule “A” stated, Rule 20(a)(2) may not be satisfied simply because defendants have identical websites copying plaintiff’s style and each other. See 334 F.R.D. 511, 514 (N.D. Ill. 2020) (“Bose points out similarities among the aliases’ webpage designs and marketing information, arguing that these similarities permit a plausible inference that the aliases are actually all connected in some way. But even if the webpages were all identical, that would not overcome the likelihood that Defendants are just copycats, both of the Bose style—which is precisely the claim here—and of each other.”). Yet, the court in Bose Corp. found joinder was proper due, in part, to practical reasons and “occurrences” of mass harm by defendants, who acted as a swarm of counterfeiters, assisted by their anonymity and the international reach of the internet to violate plaintiff’s trademarks. Id. at 516.

However, other courts in the Northern District have cautioned against some of the reasoning in Bose Corp. See e.g.Zaful (Hong Kong) Ltd. v. Individuals, Corps., Ltd. Liab. Cos., P’ships, & Unincorporated Ass’ns Identified on Schedule A, 24 CV 11111, 2025 WL 71797, at *4 (N.D. Ill. Jan. 10, 2025) (“This Court declines Plaintiff’s invitation to adopt Bose Corp.’s reasoning. There are innumerable bad acts conducted using the internet that have a substantial impact in the aggregate – courts must require more than that to establish joinder.”) (citation omitted); see also Bailie v. P’ships & Unincorporated Ass’ns Identified on Schedule A, 734 F. Supp. 3d 798, 804 (N.D. Ill. 2024) (“Without a limiting principle, adopting the approach taken in Bose would undermine a consistent line of cases in this district holding that ‘Rule 20(a)’s requirement for a common transaction or occurrence is not satisfied where multiple defendants are merely alleged to have infringed the same patent or trademark.’”) (quoting Estee Lauder Cosmetics Ltd. v. P’ships & Unincorporated Ass’ns Identified on Schedule A, 334 F.R.D. 182, 187 (N.D. Ill. 2020)).

Accordingly, joinder is a fact-specific analysis that not only differs across jurisdictions but may differ among judges in each district. Plaintiffs, thus, should pay close attention to how judges in their district apply Rule 20(a)(2) in Schedule A cases.

How Can TROs Affect Infringers’ Online Marketplace and How to Notify the Online Marketplace with the TRO?

TROs in Schedule A cases can require the online marketplaces to provide expedited discovery relating to the identity and location of the defendants, the nature of defendants’ operations, and financial information related to the same. The court can also require such marketplaces to cease any advertisement for the defendants’ counterfeit products. Additionally, the TRO can require the marketplaces to enjoin the accounts, funds, or other assets of the defendants from being transferred or disposed.

The prevailing plaintiff should serve the TRO on the online marketplace by following the procedures of the marketplace. Some of this information may be available on the marketplace’s website or may require the plaintiff’s attorney to call the marketplace and confirm their procedure for court orders. To expedite the process, counsel for the plaintiff should contact the online marketplaces before the TRO is entered so if the court grants such relief, the plaintiff can immediately serve the same on the online marketplaces.

What Actions Can Defendants Take if They Are the Subject of an Improperly Granted Ex Parte TRO?

Assuming a defendant has not incurred substantial fees and costs from the improperly granted TRO, contact plaintiff’s counsel and demand dismissal with prejudice. Otherwise, the defendant can move for an emergency motion for a TRO and, if warranted, seek attorneys’ fees and costs like in Opulent.

Contact one of Taft’s Intellectual Property Litigation attorneys if you find yourself involved in Schedule A trademark litigation.

Artificial Intelligence (AI) is reshaping the insurance industry, prompting regulators to issue guidance for responsible use of AI. As AI transforms the insurance industry, insurers must balance innovation with regulatory compliance and consumer protection. Delaware and New Jersey have recently joined 21 other states and issued guidance on AI in insurance based on the AI Model Bulletin adopted by the National Association of Insurance Commissioners (NAIC) in 2023. Here’s what insurers need to know.

Delaware’s AI Bulletin No. 148

On February 5, 2025, the Delaware Department of Insurance issued Bulletin No. 148, providing regulatory guidance for insurers using Artificial Intelligence (AI). Insurers are expected to comply with all insurance laws and regulations when making decisions or taking actions impacting consumers that are using AI, particularly when those impact consumers, are expected to comply with all insurance laws and regulations when making decisions or taking actions. Key points include:

  • Compliance with Existing Laws and Regulations: The Department’s regulatory expectations require compliance with existing laws and regulations for AI-driven decisions or actions, particularly those that impact consumers, and include the following:
  • Unfair Trade Practice Act (UTPA) 18 Del. C. Ch. 23 and Unfair Claims Settlement Practices Act (UCSPA) 18 Del. C § 2304: AI must not lead to unfair methods of competition, deceptive practices, or unfair claims handling.
  • Corporate Governance Annual Disclosure Act (CGAD) 18 Del. C. Ch. 85: Insurers must disclose governance practices and AI oversight mechanisms.
  • Delaware Rate Making Laws 18 Del. C. Chs. 25 and 26: AI-driven pricing models must avoid producing excessive, inadequate, or unfairly discriminatory rates.
  • AI Systems (AIS) Program: Insurers must establish a formal AIS Program that serves as a governance framework for AI that includes risk management controls and internal audits to oversee AI and ensure transparency as well prevent unfair discrimination. 
  • Third-Party AI Accountability: Insurers using AI from third-parties must ensure AI vendors comply with regulatory requirements.  
  • Regulatory Examination: The Department may request documentation on how AI is used in consumer decision-making during investigations or market conduct examinations.

Delaware joins 21 jurisdictions, preceding New Jersey as the 23rd, in adopting AI guidance similar to the NAIC Bulletin on the Use of Artificial Intelligence (AI) Systems by Insurers.

New Jersey’s AI Bulletin 25-03

Similarly to Delaware, on February 11, 2025, New Jersey’s Department of Banking and Insurance issued Bulletin 25-03 concerning the use of AI systems in insurance, with a focus on the following:

  • Compliance with Existing Laws: Insurers must ensure that AI Systems do not lead to unfair discrimination and that they adhere to state laws, including the following:
    • Unfair Trade Practices Act (UTPA)
    • Unfair Claims Settlement Practices Act (UCSPA)
    • Corporate Governance Annual Disclosure Act N.J.S.A. 17:23-38
    • Property and Casualty Rating Laws: N.J.S.A.17:29A-1 (motor vehicle); N.J.S.A. 17:29AA-1 (commercial lines); N.J.A.C. 11:1-2.1 (property and casualty filings); N.J.A.C. 11:3-16.1 (private passenger auto automobile insurance); N.J.A.C. 11:4-9.1 (personal lines); and N.J.A.C. 11:13-8.1  (commercial lines)
    • Market Conduct Surveillance: N.J.S.A. 17:23-20
  • AI Governance and Risk Management: Insurers must establish AI governance frameworks to document, monitor, and oversee AI use. Governance must include policies for bias detection, risk assessment, and explainability of AI.   
  • Consumer Protection: Consumers must be notified when AI is used in underwriting, rating, or claims decisions. Insurers must provide clear, understandable explanations of AI-driven outcomes upon request.
  • Third-Party AI Oversight: Insurers are responsible for AI used from third-parties and must ensure compliance with New Jersey regulatory requirements. AI risk assessments should extend to external data sources and algorithms used in decision-making.
  • Regulatory Review: The Department may request detailed documentation on AI governance, risk assessments, and model validation during audits.

New Jersey is the 23rd state to adopt AI guidance similar to the NAIC Bulletin on the Use of Artificial Intelligence (AI) Systems by Insurers.

NAIC’s Model Bulletin on AI Systems

The NAIC adopted a Model Bulletin on the Use of Artificial Intelligence (AI) Systems by Insurers in December 2023, serving as a regulatory framework on AI to be adopted by state insurance regulators. The bulletin outlines expectations for insurers using AI, focusing on the following:

  • Legal Compliance: Insurers must ensure that AI-driven decisions align with all applicable federal and state laws, including the Unfair Trade Practices Act (UTPA) and the Unfair Claims Settlement Practices Act (UCSPA).
  • AI Governance Framework: Insurers should establish comprehensive governance structures overseeing the development, acquisition, and deployment of AI. Insurers should implement risk management protocols and internal controls to prevent unfair discrimination and ensure transparency.
  • Risk Mitigation: Insurers should adopt measures to identify and mitigate risk associated with AI. Insurers should implement verification and testing methods to identify and fix potential biases, data vulnerabilities, and issues related to transparency in AI models.
  • Documentation and Oversight: Insurers must maintain detailed records of AI system usage and be prepared to provide the information during investigations or regulatory examinations.

As of February 2025, 23 states have adopted bulletins based on the NAIC AI Model Bulletin.