The renewal question has quietly changed
In the years I spent running large technology functions, the annual insurance renewal was one of the few fixtures I could rely on. It came around, the broker sent a questionnaire, somebody on the team filled it in, the premium moved a little, and we signed. For a long stretch, cyber cover worked the same way. It was cheap and broad, and almost nobody read the wording closely.
That changed. Cyber insurance had a hard few years in the early 2020s. Premiums climbed steeply. Insurers narrowed what they would cover and added exclusions. They also stopped accepting a filled-in questionnaire as evidence of anything. The renewal became a diligence exercise. Underwriters wanted proof of multi-factor authentication, endpoint detection, tested backups, and an incident response plan they could actually read. Cover became conditional on controls you could evidence, not controls you could describe.
AI insurance is at the start of that same arc, and it is moving faster. For most B2B operators, the question about their AI deployment has quietly changed. A year ago it was whether to insure it. For a growing number of companies it is now whether they can still get it insured, and on what terms. That is a different question, and the honest answer for many operators is that they do not yet know, because nobody has asked them to prove what their AI actually does.
What is actually happening to AI cover
Two things are happening to AI insurance at the same time, and they pull in opposite directions.
The first is that insurers are removing AI from the policies you already hold. For most of the past few years, AI-related losses sat in what underwriters call silent cover: exposure that was neither named nor excluded, and therefore arguably included. A general liability policy did not mention AI, so a claim arising from an AI error might or might not be paid, depending on how the wording was read after the fact. Insurers dislike that ambiguity, and they are closing it. The Insurance Services Office, whose standardised policy forms are used widely across the United States commercial insurance market, has published optional endorsements that let carriers exclude generative-AI claims from commercial general liability policies. The law firm Lathrop GPM, which has analysed the forms, describes one as a broad exclusion and a second as a narrower version. Individual carriers are going further. The law firm Jones Day reported in April 2026 that Berkley had introduced what it calls an absolute AI exclusion for management and professional liability policies, including directors-and-officers and errors-and-omissions cover, with a definition of AI broad enough to capture almost any modern machine-learning system.
The second thing is that a small, separate market of cover bought specifically for AI is forming to fill the gap. Munich Re has for some years offered a product called aiSure that insures the performance of an AI system, paying out when a model performs below agreed performance thresholds rather than when it suffers an outage or a breach. In September 2025 Munich Re partnered with Mosaic Insurance to distribute that cover to AI vendors more widely. Armilla, which operates as a Lloyd's of London coverholder specialising in AI risk, writes AI warranties and AI liability cover on a similar performance-trigger basis. The affirmative market is early. The products are bespoke and limited, and a review published by Tufts in May 2026 noted that many AI-specific policies still repackage existing coverage rather than offering something genuinely new.
Put the two together and the picture for a B2B operator is clear enough. AI exposure is being moved out of the broad, barely-read policies you already hold, and into a narrow, scrutinised, still-immature market where cover is sold separately and priced against how well you can account for your own systems. The years when AI exposure was quietly included in the policies you already held are ending.
What most people are getting wrong
The common assumption I hear from commercial leaders is that this is a renewal problem. It belongs to the risk manager or the broker, it gets handled a few weeks before the policy expires, and the worst case is a higher premium. That assumption is comfortable, and it is wrong in a way that matters.
It is wrong because insurability is now earned through evidence. An underwriter decides whether your AI is insurable from what you can show them. The change underneath the exclusions is a change in how underwriters think. They have largely given up trying to answer the question of whether a given company's AI is safe. They cannot answer it, because they cannot see inside the model, and often neither can the company. So they have stopped asking it. Instead they price what they can see: whether the company knows what AI it is running, whether it can contain what that AI does, whether a human is accountable for the consequential decisions, and whether it can reconstruct what happened when something goes wrong. The shift shows up clearly in the underwriting questionnaires themselves. Underwriters now assume an AI system will fail at some point. What they price is how quickly the company would notice, and how well it could contain the damage.
The way I read this is that the underwriting questionnaire has become a legibility test. Once you see it that way, a second thing becomes obvious. The questions an underwriter asks to decide whether to cover your AI are almost exactly the questions an auditor asks in an ISO/IEC 42001 or SOC for AI engagement. They are also almost exactly the questions an enterprise customer's assurance team asks in a security review before they will buy from you. Three different reviewers, arriving for three different reasons, asking one set of questions. Most companies treat insurance, audit, and customer assurance as three separate workstreams owned by three separate people. They are one piece of work, and the work is making your AI deployment legible.
The Insurability Test: four questions
If insurability is evidenced rather than bought, the useful question is what exactly you have to be able to evidence. The framework below is the one I have arrived at from tracking both sides of this market: the exclusions on one side, and the underwriting questionnaires on the other. I call it the Insurability Test. It is four questions. An underwriter needs all four answered before AI exposure can be priced rather than excluded, and they are worth asking in order, because each one depends on the one before it.
Question 1: Inventory
Can you produce, today, a current list of every AI system running in your business, what each one does, and which decisions it touches?
This sounds basic. For most companies it is the question that fails. AI has entered the average B2B company the way shadow IT once did: through individual teams, embedded in tools already bought, switched on as a feature of software the company was already paying for. The result is that very few operators can produce an accurate inventory on request. You cannot insure, audit, or sell around an exposure you cannot enumerate. Inventory is the precondition for everything else in this test, which is why it comes first. An underwriter who asks for your AI inventory and receives an estimate has learned the most important thing about your risk before the conversation has properly started.
Question 2: Containment
For each AI system on that list, what is the worst thing it can do before a human stops it?
This is the blast-radius question. It is answered by what surrounds the system, the scope limits, the approval gates, and the kill switches, rather than by the quality of the model inside it. A support chatbot that can answer questions has a small blast radius. The same chatbot, if it can commit the company to a price, a refund, or a policy interpretation, has a large one. The case that settled this point in law is small in money and large in consequence. In February 2024 the British Columbia Civil Resolution Tribunal decided Moffatt v. Air Canada. Air Canada's website chatbot had told a customer that a bereavement discount could be claimed retroactively. The airline's actual policy did not allow that. Air Canada argued, in effect, that the chatbot was a separate entity responsible for its own statements. The tribunal rejected that outright. The chatbot's words were Air Canada's words, the airline was liable for negligent misrepresentation, and the website's general disclaimers did not change the outcome. The award was about 650 Canadian dollars. The precedent is that an AI system operating as an official channel speaks for the company, and "the chatbot did it" is not a defence. An underwriter pricing your AI exposure wants to know, system by system, how far that voice can reach.
Question 3: Oversight
For the decisions that carry real consequence, is human review mandatory, can a human override the AI, and who is accountable when it goes wrong?
Containment is about the limits on the system. Oversight is about the person. The two are different, and underwriters ask about both. The hallucination problem is the clearest illustration of why. Through 2025 and into 2026 a steady catalogue of cases accumulated in which lawyers were sanctioned for filing court briefs containing AI-generated case citations that did not exist. The model did what generative models do. It produced fluent, plausible text, some of which was false. The loss happened because no person sat between that output and the act of filing it in court. Underwriters have noticed that the loss is rarely caused by the model alone. It is caused by the model plus a missing human checkpoint. So they ask where the checkpoint is, whether it is mandatory or optional, and whose name is against it.
Question 4: Evidence
After something goes wrong, can you reconstruct what happened, and tie a specific AI decision to the inputs it received, the model version that produced it, and any human who reviewed it?
This is the question that connects insurance to everything else. An underwriter asks it because a claim cannot be assessed without a reliable account of what occurred. An auditor asks it because an ISO/IEC 42001 or SOC for AI engagement is, in the end, a request for evidence. And it is the question that decides the scale of a loss when the loss is large. Anthropic agreed a settlement reported at 1.5 billion US dollars in the Bartz copyright class action over the books used to train its models. That figure is what carriers have in mind when they think about silent AI exposure. The median AI claim is small. The tail is not, and underwriters price the tail. A company that can produce a clean, per-system record of what its AI did, on what data, and under whose authority is a company an underwriter can price. A company whose audit log treats an AI agent's chain of decisions as a single anonymous system event is not.
Readers who followed the argument I made a few weeks ago about Know Your Agent will recognise the last two questions. The containment and evidence questions are the same controls, viewed from the underwriter's side of the table rather than the operator's. Agent identity, scoped permissions, and a real audit trail do double duty. They verify the agents reaching your business, and they are also what keeps you insurable.
What this means for B2B leaders
The Insurability Test lands in three places, and most operators are only watching one of them.
The first is your own insurance renewal. If your company carries general liability, cyber, professional indemnity, or directors-and-officers cover, expect the next renewal to ask about AI, and expect to find AI exclusions in the proposed wording. United Policyholders, a United States insurance-consumer body, has been advising policyholders to read renewal terms for AI exclusions and negotiate them before signing rather than after a loss. That advice is sound, but negotiation only works when you have something to negotiate with, and what you negotiate with is evidence. A broker can argue for better terms for a client who can answer the four questions. A broker has very little to work with for a client who cannot.
The second place it lands is your customers' security reviews, and this is the one most commercial leaders are not yet watching. If you sell software or services to enterprises, your buyers' assurance teams are starting to ask the same four questions, for their own risk reasons. The AI you embed in your product is AI exposure your customer now carries. A buyer who cannot get a clear answer about your AI inventory, containment, oversight, and evidence has learned something about whether to proceed. The same four answers that keep you insured increasingly decide whether an enterprise customer will sign.
The third place is your audit and assurance posture. ISO/IEC 42001 certification and SOC for AI engagements ask, in their own vocabulary, the same four questions. There is not yet evidence that underwriters give an explicit premium discount for an ISO/IEC 42001 certificate. The realistic position in 2026 is that good AI governance earns indirect credit: a smoother underwriting conversation, fewer exclusions in the wording, better terms. That is roughly how ISO 27001 and SOC 2 worked in cyber insurance before the market matured enough to price them directly, and AI insurance looks likely to follow the same path.
The categories that will feel this first are the ones that have always sat at the leading edge of this kind of pressure: B2B SaaS, payments, identity-adjacent products, and regulated B2B such as financial services and healthcare. If you operate in one of those, your timeline is shorter than it looks. If you operate outside them, the same questions will still reach you, on a slower cycle.
What to do next
Two moves are worth making this quarter:
The first is to build the AI inventory. It needs to be an actual list rather than a strategy paper: every AI system in production, what it does, which decisions it touches, what data it sees. This is the most useful single move you can make, because three of the four questions in the Insurability Test are unanswerable without it, and because the inventory is the deliverable that the underwriter, the auditor, and your customer's assurance team all need first. Most operators do not have one. The ones who build it now will find every later conversation easier.
The second is to take one high-impact AI system, the one that touches your most consequential decisions, and run the full Insurability Test on it as a pilot. Answer all four questions for that single system honestly. The gaps you find, a missing approval gate, an optional human checkpoint that should be mandatory, an audit log that cannot tell an AI action from a human one, are the gaps you will find across the rest of the estate. Fixing them once, on one system, gives you both a template and a credible answer for the next renewal.
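The pilot described above can be run as a small script over one inventory record and its audit log, reporting open gaps under each of the four questions. This is an added illustration, not something from any insurer's questionnaire or audit standard; every key name, the sample system and the log records are constructed assumptions.

```python
# Every key below is hypothetical; the article names the questions, not a schema.
SYSTEM_CHECKS = [  # (question, inventory key, gap reported when the key is empty or False)
    ("inventory", "purpose", "what the system does is not recorded"),
    ("inventory", "decisions", "decisions it touches are not recorded"),
    ("inventory", "data_seen", "data it sees is not recorded"),
    ("containment", "approval_gate", "no approval gate"),
    ("containment", "kill_switch", "no kill switch"),
    ("oversight", "review_mandatory", "human checkpoint is optional"),
    ("oversight", "accountable_owner", "no accountable owner"),
]

def event_gaps(ev):
    """Question 4 for one audit record: inputs, model version, reviewer, actor."""
    actor = ev.get("actor_type")
    if actor not in ("ai", "human"):
        return ["actor not identified as AI or human"]
    if actor == "human":
        return [] if ev.get("actor_id") else ["human actor has no identity"]
    gaps = [f"AI decision missing {k}"
            for k in ("actor_id", "input_ref", "model_version") if not ev.get(k)]
    if ev.get("consequential") and not ev.get("reviewed_by"):
        gaps.append("consequential AI decision has no recorded reviewer")
    return gaps

def insurability_gaps(system, events):
    """Return open gaps per question, in the order the test asks them."""
    report = {"inventory": [], "containment": [], "oversight": [], "evidence": []}
    for question, key, gap in SYSTEM_CHECKS:
        if not system.get(key):
            report[question].append(gap)
    for i, ev in enumerate(events):
        report["evidence"] += [f"event {i}: {g}" for g in event_gaps(ev)]
    return report

# Constructed sample: a support chatbot that can issue refunds, and three log records.
BOT = {"name": "support-bot", "purpose": "answers customers, issues refunds",
       "decisions": ["refund approval"], "data_seen": ["order history"],
       "kill_switch": True, "accountable_owner": "Head of Support"}
LOG = [
    {"actor_type": "ai", "actor_id": "support-bot", "input_ref": "msg-001",
     "model_version": "v3", "consequential": True, "reviewed_by": "agent-17"},
    {"actor_type": "system", "action": "refund"},  # anonymous system event
    {"actor_type": "ai", "actor_id": "support-bot", "input_ref": "msg-002",
     "model_version": "v3", "consequential": True},  # nobody reviewed it
]
```

Calling `insurability_gaps(BOT, LOG)` on the sample reports a missing approval gate, an optional checkpoint, and two log records that cannot be reconstructed.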
There is an asymmetry worth holding in mind while you sequence this. The exclusions are arriving now, on a six to twelve month horizon, as policies renew. The affirmative market, the cover you would buy specifically for AI, is maturing more slowly, on something closer to an eighteen to twenty-four month horizon. An operator who waits for the AI insurance market to settle before doing the legibility work will renew, at least once, into the gap between the two: AI exposure excluded from the old policies and not yet cleanly covered by the new ones. Closing that gap is operational work. It means making your own AI legible, and that cannot be bought a few weeks before a renewal.
