When AI Risk Becomes Uninsurable
For two years, the default move was simple: deploy AI everywhere. That phase is ending. As losses go systemic and legal exposure spikes, carriers are quietly pulling back. Exclusions are spreading, appetite is shrinking, and uncapped AI risk is getting priced out or cut out.
This piece explains how underwriting is reframing AI exposure and what that means for pricing, wording, and your risk controls. The goal: keep more loss off your balance sheet when the paper stops catching it.
Why the underwriting model is straining
Underwriting thrives on familiarity. New risks are priced by resemblance to old ones. Generative AI breaks that pattern. It lacks the claims history, stable loss cycles, and bounded failure modes that turn uncertainty into rate.
Worse, AI failures don't stay local. A bad model update can echo across thousands of insureds at once. That's digital contagion, not a single-site event. Aggregation is the real exposure-and it is hard to price with confidence.
Three pressure points changing the loss curve
1) Hallucinations: confident errors, real consequences
The problem isn't that AI makes mistakes. It's how it makes them-detailed, confident, and automated. Fabricated citations, invented data, and persuasive misinformation scale losses fast. Once a workflow trusts a flawed output, negligence stacks rather than accumulates.
2) Algorithmic bias: discrimination at machine speed
Bias used to trigger isolated claims. Opaque models now embed it into thousands of decisions before anyone notices. In 2025, a class action was allowed to proceed alleging an insurer used an algorithm to auto-deny large volumes of claims with near-instant "reviews." The risk isn't a single error-it's a system-level miss that becomes a regulatory flashpoint.
3) Deepfake fraud: when seeing stops believing
Voice and video can be forged with precision. An impostor "CFO" on a live call can greenlight a wire, pass KYB checks, and beat instincts. If human detection can't be trusted, traditional social engineering cover breaks down. Verification must move out of band, or loss frequency jumps.
Coverage implications you'll see first
Legacy wording hides AI exposure in places it was never meant to live. Expect AI-specific exclusions, endorsements, and sublimits across cyber, E&O, and professional lines. Silent tech risk is getting scrubbed from appetites.
Translation: if your terms don't address AI today, they will soon-usually by exclusion. When hallucinations, bias, or deepfakes hit, liability boomerangs back to the insured unless controls and clear wording are in place.
What underwriters want to see before they quote
- AI inventory: systems, vendors, use cases, data sources, and business criticality ranked by impact.
- Model risk management: documented testing, validation, red teaming, and monitored performance thresholds.
- Human orchestration: named owners, approval paths, and a visible "kill switch" with escalation SLAs.
- Bias controls: pre-deployment fairness tests, drift monitoring, and remediation playbooks.
- Hallucination controls: retrieval-augmented designs, source citation checks, and refusal policies.
- Out-of-band verification for money movement and access: callback procedures, device checks, and two-person rules.
- Vendor governance: contracts with audit rights, incident duties, logs, and indemnities tied to AI behavior.
- Incident response for AI: logging, containment steps, legal/regulatory notification, and rollback plans.
Regulatory teams looking to align controls with supervisory expectations can follow the AI Learning Path for Regulatory Affairs Specialists.
Wording and structure moves that protect your balance sheet
- Define "AI system," "automated decision," and "algorithmic error" to remove gray zones.
- Add AI endorsements that clarify triggers, causation, and concurrency across cyber/E&O.
- Use event-based sublimits for social engineering when synthetic media is involved.
- Address aggregation: shared model outages, vendor updates, and third-party API failures.
- Set logging and audit duties as conditions precedent to coverage where feasible.
- Carve-backs for vicarious vendor faults if minimum controls are proven.
- Tighten retro dates and discovery wording for latent model defects.
Controls that actually move the rate
- Payments: eliminate "voice/video ok." Require out-of-band callbacks, device attestation, and two-human approval above set thresholds (see AI for Finance).
- Access: step-up auth for sensitive actions; ban single-channel approvals; monitor for deepfake indicators.
- Model safety: implement retrieval-augmented generation, content validation, and output filters that can block execution.
- Bias monitoring: pre-launch tests against protected classes; continuous drift checks with automatic rollback.
- Production guardrails: rate-limit high-impact actions, sandbox new models, and gate promotions behind change control.
- Observability: structured logs of prompts, context, outputs, and user actions to support forensics and defense.
The aggregation reality
Most insureds depend on the same few model providers and middleware. One bad update can cross policies, industries, and geographies in minutes. Reinsurance will price that concentration. Your best lever is control over deployment speed, rollout rings, and fast rollback.
Tech leaders and infrastructure owners can reference the AI Learning Path for CIOs for governance and operational guidance.
A 90-day plan for insureds
- Days 1-30: Build an AI inventory, rank use cases by impact, and freeze auto-approvals for payments and access.
- Days 31-60: Stand up human orchestration, kill switches, and out-of-band verification. Red team top three use cases.
- Days 61-90: Update policies, training, and vendor contracts. Capture evidence packs for underwriters (diagrams, test results, logs).
Useful references
Bottom line
AI isn't "just software" anymore. It behaves like a powerful decision-maker-smart, persuasive, and expensive if left unsupervised. Insurance still matters, but it follows discipline. Show control, earn transfer. Skip control, keep the risk.
If your team needs practical upskilling on AI risk and controls, review the role-based learning paths linked above for targeted guidance.
Your membership also unlocks:
