Who Pays When AI Goes Wrong? Liability, Insurance, and the Law in Flux

AI liability is moving fast. Insurance needs to keep up.

AI is now inside core business decisions. That brings real questions for insurance: Who is responsible when it fails? What is covered? And how do we price it with limited claims history?

Building on research with Professor Anat Lior and ongoing market discussions, here's where liability and insurability for AI stand today-and what insurers, brokers, and risk managers can do about it.

Note: The referenced conversation dates to Summer 2025. Some policies or laws may have advanced since then.

01. The evolving AI risk landscape

AI risk doesn't fit neatly into traditional lines yet. Many carriers still lean on tech E&O or cyber, while newer players and innovation teams are testing AI-specific wordings and endorsements.

The result: uneven coverage, exclusions that bite in unexpected places, and uncertainty for novel use cases (beyond well-trodden areas like autonomous vehicles).

• Map every AI system in use (model, version, vendor, purpose, data sources, decision rights).
• Check for "silent AI" exposures hidden in cyber, E&O, product liability, and D&O.
• Ask for affirmative AI coverage and clear definitions (e.g., "AI," "automated decision-making," "generative").
• Test scenarios against policies: model error, biased output, IP claims, data leakage, safety failures.

02. Regulatory uncertainty and global divergence

The EU AI Act will reset compliance expectations for high-risk systems, but real-world enforcement and insurance impacts will take time. In the US, fragmented rules keep exposures fluid across states and sectors.

Insurers are watching how obligations around data governance, transparency, human oversight, and incident reporting translate into warranties, exclusions, and pricing.

• Track the EU AI Act and how carriers incorporate it into underwriting questions and conditions.
• Build a simple jurisdiction matrix for your AI footprint (EU/UK/US state laws/sectoral rules) and align policy terms.
• Negotiate notification and cooperation clauses that match likely AI incident workflows.

03. Rethinking traditional risk models

Classical actuarial methods struggle where claims data is thin and model behavior shifts with updates or prompts. Generative and agentic systems add volatility, long-tail error modes, and vendor dependency.

One response: guarantee-style coverage that addresses performance failure rather than accident-only liability. Another: more granular underwriting tied to controls, monitoring, and rollback capability.

• Evidence of control: model versioning, change logs, guardrails, red-teaming, kill-switches, and human-in-the-loop thresholds.
• Data hygiene: provenance records, IP screening, privacy safeguards, and bias testing.
• Vendor discipline: indemnities, audit rights, incident SLAs, and clear pass-through of obligations.

04. Litigation trends and claims management

Courts are now testing AI in copyright, product liability, defamation, and biometric privacy. Each ruling influences policy wording, attachment points, and exclusions.

Claims teams need fast access to logs, prompts, training data sources, and decision traces to assess causation and quantum.

• Set a litigation watchlist for AI-related cases and sync takeaways with underwriting and counsel.
• Pre-build incident playbooks: preserve logs, freeze model versions, notify vendors, engage panel counsel.
• Clarify IP coverage for training and output, plus media and defamation exposures for generative systems.

05. The role of insurance in AI governance and safety

Insurance can accelerate safer AI by rewarding strong controls and clear accountability. But silence in policies creates false confidence.

The ask from risk managers is simple: say what's covered, what's excluded, and what triggers apply. Then align those terms with practical governance.

• Push for explicit AI endorsements and remove ambiguous "technology" or "cyber" carve-backs that undercut intent.
• Tie premium credits to controls: pre-deployment testing, monitoring, prompt security, human oversight, and post-incident reviews.
• Join cross-sector forums to close gaps between regulators, engineers, and insurers.

For ongoing market insights, see AI for Insurance.

06. Looking ahead: Quantum and policy evolution

Quantum capabilities could stress cryptography, accelerate model training, and expose new failure modes at scale. Expect fresh exclusions, sublimits, and endorsements as scenarios mature.

The market may move to standalone AI policies-or fold exposures back into broader lines as data improves. Be ready for either path.

• Run forward-looking scenarios: cryptographic breaks, model theft, runaway agent actions, supply-chain failures.
• Align business continuity plans with AI-specific outages and vendor incidents.
• Stage renewals early to resolve AI definitions, triggers, and conditions before crunch time.

Practical checklist for insurers and risk managers

• Inventory AI systems and map them to specific policies and clauses.
• Get affirmative AI language; eliminate silent exposures.
• Negotiate vendor contracts to match insurance terms and claims needs.
• Demonstrate controls that matter to underwriters; document them.
• Track key legal cases and adjust coverage and limits accordingly.
• Align with recognized frameworks like the NIST AI RMF to support underwriting and claims defensibility.

Bottom line

AI liability is here, not hypothetical. The winners will be the teams who clarify coverage, demand precision in policy language, and link governance to insurability-before the next claim arrives.

Source context

This article reflects insights drawn from a market discussion with Professor Anat Lior as part of broader research into AI liability. Some laws, guidance, or products mentioned may have changed since Summer 2025.