AI liability upends insurance coverage, from deepfakes to chatbot claims

AI liability risks are testing insurance in real time

AI is now part of day-to-day business - and part of day-to-day claims. Chatbots misquote. Deepfakes move money. Hallucinated facts damage reputations. Insurers are rethinking coverage while loss patterns and policy language lag behind.

Carriers are starting to weigh a company's AI posture in underwriting. The catch: the tech's general-purpose nature blurs line boundaries, and the loss history is thin. Proactive insureds can earn better terms by showing control over how AI is built, used and monitored.

Where does an AI claim "live" - CGL, cyber, E&O, or media?

That's the core friction. If an AI system contributes to bodily injury, does it fall under CGL or cyber? If a bot gives faulty guidance, is that E&O? If an AI summary defames a business, is that media liability or personal and advertising injury? The industry is still sorting it out, and gaps appear when incidents don't fit neatly in one bucket.

• Chatbot misquote: Air Canada had to honor a discount its bot promised.
• Deepfake fraud: A scammer used synthesized video of executives to trick an employee at Arup into a multimillion-dollar transfer.
• AI hallucination: Google's AI Overviews allegedly named a company in a lawsuit that didn't involve it, costing a contract.

Cyber as a product is relatively young, and AI at scale is newer. That means fewer test cases, more debate over intent, triggers and exclusions, and slower movement toward standard forms.

Underwriting signals carriers are watching

Formal AI requirements aren't standard yet, but underwriters are asking smarter questions. Directionally, they're looking for proof of control, not promises.

• Documented AI governance: policies, ownership, and change control for models and prompts.
• Data handling: restrictions on feeding sensitive or regulated data into public models; access controls for AI tools.
• Human-in-the-loop checks for client-facing outputs and high-impact decisions.
• Authentication and call-back protocols to counter voice/video deepfakes and social engineering.
• Logging, disclosure, and auditing of AI outputs, prompts, and training data sources.
• Employee training on AI misuse, data leakage, and deepfake awareness.

Privacy suits are climbing - chatbots are in the crosshairs

Coalition's analysis flagged website chatbots in a share of web privacy claims. The pattern: complaints allege interception of communications without consent, often citing state "wiretapping" laws - especially Florida's statute.

Florida's Security of Communications Act has become a favored basis for "digital wiretapping" class actions. If your site runs chat, pixels or analytics, your disclosure and consent flows matter.

• Florida Security of Communications Act (Chapter 934)

Deepfakes are moving from headlines to endorsements

Coalition introduced deepfake-related coverage under its cyber policies in multiple markets, including response services like forensics, takedown support and crisis communications. Expect more carriers to trial endorsements that blend incident response with reputational harm considerations.

Traditional network safeguards don't fully address deepfakes. Attackers need seconds of public audio or video to impersonate leaders. Most companies can't avoid that exposure - marketing requires visibility - so emphasis shifts to verification protocols and rapid takedown capability.

How claims may be framed across lines

• Incorrect chatbot output: may be argued under E&O/professional liability (service error), with potential carve-outs or exclusions to navigate in contracts and advertising injury.
• AI-induced bodily injury: contested between CGL (bodily injury/property damage) and cyber (tech cause), depending on wording, definitions, and exclusions.
• Defamatory or misleading AI content: media liability or personal and advertising injury, with growing use of AI-specific definitions and carve-backs.
• Privacy interception via chat/trackers: web privacy or "wiretapping" class actions under state laws, often routed through cyber or media, depending on form language.
• Deepfake payment fraud: crime/social engineering endorsements, cyber extortion/incident response, and, increasingly, deepfake-specific coverages.

What carriers can do now

• Define "AI-related incident" or "automated decisioning" in forms to clarify triggers across cyber, E&O, and media.
• Draft targeted endorsements for deepfake response and reputational harm, with clear sublimits and service panels.
• Align exclusions and carve-backs to avoid silent AI exposure and remove gray zones between CGL and cyber.
• Update supplemental apps: inventory of AI use cases, data sensitivity, vendor reliance, and control maturity.
• Collect loss data distinctly tagged as AI-involved to inform pricing and wording in the next 12-24 months.

What brokers should press for

• Pre-bind AI questionnaires to surface exposures and negotiate carve-backs before renewal.
• Coordinate across lines: cyber, E&O, media, crime, and CGL - identify overlaps and gaps explicitly.
• Secure endorsements for deepfakes, social engineering, and web privacy where clients face material exposure.
• Build a claims playbook for AI events: who to call, what to preserve, and how to frame notice across policies.

What insureds can implement this quarter

• Publish an AI use policy and assign ownership; log models, prompts, data sources, and approvals.
• Block public LLM use with sensitive data; prefer private instances or gateways with audit trails.
• Enforce human review for customer-facing content and high-risk decisions.
• Roll out call-back and multi-person verification for payments and vendor changes.
• Disclose chat recording and data use; refresh consent banners and privacy notices.
• Train staff on deepfake cues, prompt hygiene, and reporting processes. For structured upskilling, consider curated AI governance and usage programs via Complete AI Training.

Market direction

Expect more defined AI questionnaires, tighter privacy wording and specialized endorsements over the next one to two years. Companies that can show governance, auditability and staff training will see better access to capacity and cleaner terms.

Quick checklist for your next renewal

• Do you have a current map of AI use cases, data flows and vendors?
• Are disclosures and consents clear for chat, analytics and recordings?
• Is there human review for AI outputs that touch customers or revenue?
• Do you have deepfake-resistant verification for payments and authorizations?
• Are AI incidents defined, noticed and logged across all relevant policies?
• Have you tested a takedown and crisis comms plan for a reputational AI event?

The firms that treat AI like any other operational risk - documented, monitored, and reviewed - will have fewer surprises at claim time and more leverage at underwriting.