AI is the next cyber: why insurers may carve out standalone cover
AI is spreading across insureds faster than policy language can keep up. That gap creates "silent AI" exposure - risk that may be sitting across multiple lines without being priced, modelled, or explicitly asked about.
The result is the same tension we saw with cyber. Clients expect cover; contracts hide ambiguity. Claims will test definitions, causation and exclusions.
Why this is surfacing now
Accumulation is the headache. If thousands of insureds lean on the same models, libraries or vendors, a single defect or legal theory can scale into correlated loss.
That's why the market is starting to cap ambiguity, sharpen underwriting questions, and - where needed - move exposure into products built for AI risk.
From ambiguity to exclusions
Early AI exclusions are appearing in some markets. Once an exclusion gets templated, it can spread quickly through guidelines, broker playbooks and renewal packs - often before insureds catch up.
Industry reporting also points to new general liability exclusionary forms aimed at generative AI with 2026 edition dates. If these standardise, expect a fast cascade across lines.
The coverage gap many will miss
AI incidents rarely sit in one tower. A single event can look like misrepresentation (GL/advertising injury), a professional error (PI/E&O), a privacy issue (cyber), or a governance failure (D&O).
If exclusions land across more than one of those at once, you get a multi-policy no man's land - exactly when a dispute or class action heats up.
Echoes of cyber - and the path to standalone
Cyber started as a silent pickup in traditional forms, then was carved out and rebuilt as a dedicated product with its own pricing, controls and limits. AI is tracking the same pattern.
"We're already looking at a standalone AI insurance product," said Eric Lowenstein, CEO of Tego. Expect DIC/DIL-style solutions to drop down where traditional policies retreat.
First waves of "affirmative AI" cover
Some Lloyd's markets are backing targeted AI solutions tied to performance degradation and model failure, not just a one-off mistake. Other offerings are exploring cover for "mechanical underperformance" - think hallucinations, model drift and tool malfunctions - alongside third-party liability.
This is the market doing what worked for cyber: define the peril, set clear triggers, and demand controls. That's the bridge from "we won't cover this" to "we will - under conditions we understand."
What to do now
For brokers
- Map client AI use. Build an AI inventory: use cases, autonomy level, user counts, criticality, vendors, and shared dependencies.
- Pre-empt underwriting. Add an AI supplemental to submissions with controls, providers, monitoring and rollback detail.
- Compare exclusions across GL, PI/E&O, cyber and D&O. Look for concurrent gaps and consider DIC/DIL or endorsements to coordinate triggers.
- Tighten contracts with AI vendors. Push for indemnities, SLA remedies tied to performance degradation, change notifications, audit rights and log retention.
- Pre-wire claim narratives. Where would a hallucination, biased output, defamation, IP misuse, or a provider outage actually land? Align towers before the loss.
- Educate buyers on grey areas. Misadvice from a chatbot may be treated differently than an operational outage - set expectations early.
For underwriters
- Exposure mapping: What decisions does AI touch? Customer-facing vs internal, human-in-the-loop, and the business processes at risk.
- Dependency risk: Which models, APIs, clouds and open-source components are common across your book? Watch vendor concentration.
- Controls and governance: Model testing, red-teaming, drift monitoring, evals, rollback/kill-switches, change management and incident response.
- Data posture: PII/PHI usage, copyright exposure, consent, RAG source governance, and prompt/content filtering.
- Auditability: Versioning, prompts, guardrails, logs and the ability to reconstruct an event for forensic and claims purposes.
- Legal posture: Disclaimers, product representations, bias/discrimination safeguards, jurisdictional exposure and IP risk management.
- Loss models: Frequency/severity for misstatement, discrimination, IP claims, privacy events and business interruption from provider outages.
For risk managers and insureds
- Build an AI register: owner, purpose, model/provider, data flows, integrations, and criticality. Keep it current.
- Adopt an AI control framework (e.g., the NIST AI RMF) and prove it with documentation.
- Strengthen vendor management: performance SLAs tied to model quality, change controls, notification windows, indemnities and meaningful caps/carve-outs.
- Keep evidence: prompts, outputs, model versions and decision logs. Claims depend on reconstructing what happened.
- Run tabletop scenarios: defamation from a chatbot, biased screening, pricing drift, bad RAG sources, provider outage. Check which policy would respond.
- Stress-test wordings at renewal. Ask directly about AI exclusions, performance-degradation triggers and any systemic risk terms.
What a standalone AI policy could include
- Third-party liability: algorithmic errors, misleading outputs/hallucinations, bias and discrimination, defamation, IP infringement, product misstatement.
- First-party: rectification costs, forensic costs, business interruption from AI/tool outage or degraded performance, extra expense, data restoration.
- Regulatory and investigations: defense costs, fines/penalties where insurable, consumer protection actions.
- Clear triggers: performance degradation thresholds, drift events, rollback activations - not just discrete "errors."
- Conditions: minimum governance, model monitoring, human oversight, vendor SLAs, logging and change controls.
- Aggregation controls: sublimits for vendor/systemic events and accumulators for widely used models or providers.
12-24 month outlook
Expect more exclusions, supplemental questionnaires and pilots of standalone cover. Brokers who map AI exposure across towers and pre-wire claims will win renewals.
Insurers will write AI under clearer triggers and documented controls. The market will move from silent exposure to affirmative risk - with pricing, limits and governance to match.