AI Exclusions in Insurance: What Risk Managers Need to Do Now

AI Exclusions: What Businesses Must Know Now

Insurers are adding AI-related exclusions across policies. The core issue is not new exposures but amplified versions of existing ones. That means risk managers must update controls and documentation so insurers can underwrite AI use with confidence.

Cyber Coverage Holds Steady, For Now

Resilience Against AI-Driven Attacks

Most cyber policies continue to respond to AI-enabled threats such as deepfakes, social engineering, and automated malware. Carriers commonly add endorsements that clarify coverage boundaries. Silent cyber remains a concern when policies do not explicitly address AI-origin incidents, so review policy language and endorsements carefully.

Broader Risks: Management Liability Under Pressure

Defining Broad Exclusions in D&O and E&O

D&O, E&O, employment practices, fiduciary and crime policies are seeing broader AI exclusions. Some insurers define AI very broadly to exclude claims linked to models, automated decisioning, or use of third-party AI tools. Examples include broad language introduced by Berkley and others that can carve out entire categories of liability tied to AI use.

Scarcity of Dedicated AI Coverage

Standalone AI policies remain rare and narrow. Niche providers such as Armilla AI offer targeted products, but many exclude major perils like bodily injury or property damage. Expect limited appetite for broad, mainstream AI coverage for the near term.

Proactive Measures: Focus on Processes, Not Just Policies

Essential Internal Controls for AI Adoption

Adopt written acceptable use policies, role-based access, model validation and testing, audit logs, incident playbooks, human-in-the-loop review, vendor risk clauses and staff training. Keep records of testing, bias checks, versioning and change control.

Underwriting’s New Focus: Validating AI Reliance

Underwriters will want documented evidence: validation reports, governance committees, security controls, incident history and third-party audits. Treat AI risk assessment like fraud prevention: prove the controls exist, operate and are monitored.

Quick answers: Cyber policies often cover AI-driven attacks, but confirm the endorsements. D&O and E&O are most affected. A separate AI policy is seldom a complete solution today. Close gaps by strengthening controls, documenting processes and preparing validation evidence for renewals.