Lockton Re Says AI Needs Its Own Insurance Risk Category

AI Should Be Its Own Insurance Risk Class

AI is changing risk across the economy in ways that don't fit neatly into cyber, tech E&O, D&O, or product lines. Treating it as a distinct risk class makes sense because it introduces new loss drivers and amplifies existing ones with speed, scale, and correlation.

Here's a practical framework insurers and brokers can use now.

Why AI Is Different

• Systemic correlation: A small set of model providers and widely shared libraries create single points of failure.
• Speed and scale: Software errors, jailbreaks, or model updates can propagate across millions of users instantly.
• Blended causation: Losses can involve algorithms, data, human oversight, and vendors-making attribution and coverage triggers harder.
• Regulatory heat: New rules add compliance exposure and fines, even for "soft" harms like explainability or bias.

Where Traditional Lines Fall Short

• Cyber: Covers breaches and outages, but often misses model error, data drift, or harmful outputs.
• Tech E&O / Professional Liability: Captures service failure but may exclude training data IP, bias, or third-party model faults.
• Product Liability: AI embedded in devices or software can cause bodily injury or property damage, with unclear fault lines.
• D&O: Disclosures, model risk governance, and "AI strategy" misstatements drive securities claims.
• Media/IP: Generated content can trigger defamation and copyright claims at scale.

A Practical Classification: "AI as Hazard" Overlay

Use an overlay across lines to rate, underwrite, and aggregate AI risk consistently.

• Model type: Foundation vs. narrow; open vs. closed weights.
• Autonomy level: Assistive, human-on-the-loop, closed-loop control.
• Use case criticality: Advice, decisioning, or physical control.
• Data sensitivity: Personal, health, financial, safety-critical.
• Connectivity: External interfaces, third-party tools, plugin access.
• Vendor concentration: Dependence on a small set of providers.
• Change velocity: Update frequency, rollback capability, kill switch.

Underwriting Questions That Matter

• What decisions or actions does the AI drive? Who can override it and how fast?
• Which models are in use (vendor, version, fine-tuning)? How are prompts, outputs, and feedback logged?
• Red-teaming, evals, and guardrails: scope, cadence, coverage of jailbreaks and harmful outputs.
• Data governance: provenance, licensing, consent, retention, and deletion.
• Monitoring: drift detection, hallucination metrics, rollback plans, incident response, and forensics.
• Third-party risk: SLAs, indemnities, audit rights, and shared responsibility matrices.

Controls and Standards To Look For

• NIST AI Risk Management Framework adoption with mapped controls.
• ISO/IEC 23894 or ISO/IEC 42001-style AI risk and management systems.
• EU AI Act readiness: risk classification, documentation, and conformity checks.

Accumulation and Capital

• Scenario sets: Vendor outage, harmful model update, widespread jailbreak, training data liability wave, regulation-triggered product recall.
• Exposure mapping: Inventory clients using the same model vendors, SDKs, or safety layers.
• Reinsurance alignment: Affirmative AI language and event definitions to avoid silent accumulation.

Wording Moves To Consider

• Affirmative AI coverage grants or explicit exclusions to reduce ambiguity.
• Clear definitions for "AI system," "autonomous decision," and "model error."
• Training data IP, defamation, and output liability-stated treatment and sublimits.
• Model update and recall triggers; outage waiting periods; forensic cost coverage.
• Vicarious liability for third-party models and vendors; indemnity and contribution.

Product Ideas Worth Testing

• Model outage parametric: Payout tied to verifiable downtime or degraded quality thresholds.
• AI portfolio wrap: Aggregates cyber, E&O, media/IP with a unified AI event definition and shared limit.
• Regulatory response cover: Documentation, conformity assessment, and mandated remediation costs.

What Insurers and Brokers Can Do This Quarter

• Stand up an "AI as hazard" registry across the book; tag accounts by model vendor, autonomy, and criticality.
• Update underwriting playbooks and appetite; add AI control questionnaires and minimum standards.
• Run portfolio stress tests against the top five AI scenarios; brief reinsurance partners.
• Pilot affirmative AI endorsements with tight definitions and accumulations reporting.
• Build internal training for underwriters, claims, and wordings teams on model risk and AI incidents.

For Corporate Risk Managers

• Document AI use cases, model inventory, and owners; keep change logs and rollback paths.
• Adopt an internal AI policy with approval gates, human oversight, and kill-switch protocols.
• Align contracts: SLAs, uptime, data rights, and auditability with model vendors and integrators.
• Pre-negotiate claims forensics access and data retention to speed incident resolution.

Treat AI as a distinct hazard class, price the correlation, and reduce ambiguity in wording. That's how you protect the balance sheet while supporting clients who are building with AI at scale.

If you're building internal capability on AI risk and governance, see our curated programs by role: AI Learning Path for CIOs, AI Learning Path for Regulatory Affairs Specialists, and AI Learning Path for Business Unit Managers.