Insurance and AI: The Policy Gap Most Companies Have
Cyber, E&O, and D&O policies typically don't cover AI-specific incidents. The endorsements to negotiate this renewal cycle.
TL;DR
Three policy gaps most companies have:
- Cyber policy doesn’t cover model failure or hallucination-driven incidents (only “cyber events” — breach, ransomware, business interruption from cyber).
- E&O / professional liability doesn’t cover AI-driven advice if the policy contemplates human professionals.
- D&O is increasingly silent on AI governance failures even though those failures land at director level.
The endorsements to negotiate this renewal: explicit “AI incident” coverage with a specific definition, hallucination-driven harm coverage, governance-failure coverage in D&O, model supply-chain coverage in cyber.
Cyber policies don’t cover model failure. E&O doesn’t cover hallucinations. D&O is silent on AI governance. The endorsements to negotiate this renewal cycle.
The AI insurance question doesn’t show up at the executive level until something goes wrong. By then it’s too late — the policy is what it is, and the gaps are what they are. This piece is the gap analysis to run before your next renewal cycle.
The three policy gaps
Cyber policy
What it typically covers: data breaches, ransomware, business interruption from cyber events, regulatory fines for privacy violations.
What it typically doesn’t cover: AI-specific incidents that aren’t cyber events. A hallucination-driven customer harm isn’t a cyber event. A model-supply-chain compromise might be (depends on definition). An autonomous-agent action that costs the company money is usually not.
Endorsements to negotiate:
- Explicit “AI incident” definition that includes hallucination-driven harm, autonomous-agent actions causing financial loss, and model-supply-chain compromise.
- Coverage for first-party costs (incident response, customer notification, remediation) and third-party costs (customer claims, regulatory).
- Removal of specific exclusions where you can negotiate it (some cyber policies exclude “AI failures” entirely).
E&O / professional liability
What it typically covers: errors or omissions by your professionals delivering services.
What it typically doesn’t cover: errors by AI tools delivering similar services. The policy was written assuming human professionals; AI advice is in a gray zone.
Endorsements to negotiate:
- Explicit coverage for AI-assisted services (where AI augments human delivery).
- Coverage for AI-generated outputs that customers rely on.
- Definition that doesn’t carve out “automated processes.”
D&O
What it typically covers: directors’ and officers’ personal liability for governance failures.
What it typically doesn’t address explicitly: AI governance failures. As regulators and shareholders increasingly view AI oversight as a board-level duty, the failure to oversee AI properly becomes a covered claim — but the policy may not contemplate it.
Endorsements to negotiate:
- Explicit reference to AI governance in the policy’s covered governance areas.
- Coverage for shareholder claims arising from AI-related disclosure failures (the SEC is heading this direction).
- Coverage for regulatory actions related to AI deployment.
The size of the gap
For most enterprises, the policy gap on AI is in the seven-figure-plus range — meaning a meaningful AI incident could cost more than the policies cover. Specific examples:
- A hallucination-driven customer harm from a regulated-advice agent: $5M+ in claims and remediation; cyber policy excludes “non-cyber” AI; E&O excludes “automated process.” Coverage may be near-zero.
- An autonomous-agent action causing $2M of financial loss: cyber policy’s “business interruption” doesn’t apply; first-party loss exclusions kick in. Coverage may be partial at best.
- A model-supply-chain compromise leading to a data leak: the cyber policy covers the data leak but doesn’t cover the broader AI program disruption.
Each of these is recoverable with the right endorsements; uncovered without them.
How to talk to your broker
Three specific asks for your renewal conversation.
1. Run a gap analysis specifically for AI scenarios. Walk through 5–7 plausible AI incidents and ask the broker to identify what’s covered, what isn’t, what’s ambiguous.
2. Request specific endorsement language for the gaps. Brokers can often negotiate AI-specific endorsements at the major carriers (AIG, Beazley, Coalition, Travelers, etc.) at modest premium increases.
3. Get the AI definition in writing. What counts as an “AI incident” for your policy? The definition matters more than most other terms.
The broker conversation typically takes 2–3 sessions. Worth the time.
What to do this quarter
- Pull your current cyber, E&O, and D&O policies. Read the AI-related language (or absence thereof).
- Schedule the gap-analysis conversation with your broker. Don’t wait for renewal.
- Document specific AI incident scenarios for the gap analysis. Hallucination, autonomous-agent action, model supply-chain.
- Plan to negotiate endorsements at next renewal. Some carriers offer AI-specific endorsements at modest premiums; others require negotiation.
FAQ
Is AI-specific insurance available as a standalone product? Emerging in 2026. Several carriers offer dedicated AI policies; most are still in early stages. For most enterprises, endorsements to existing policies are more practical than standalone AI insurance.
Will insurance premiums rise sharply with AI use? Modestly so far. Most carriers haven’t priced AI risk well yet — expect more sophistication and possibly higher premiums by 2027–2028 as claims data accumulates.
What’s the most common gap discovered in an AI insurance review? Cyber policies that exclude “AI failures” without a specific definition. The exclusion is broader than most companies realize until they need to claim.
Should we self-insure for some AI risks? For low-frequency-low-severity, possibly. For low-frequency-high-severity, no — that’s exactly what insurance is for. Reserve a self-insurance pool for the predictable small losses (small hallucination claims, minor agent errors).
Will our cyber policy renewals require AI-specific disclosure? Increasingly yes. Carriers are asking AI-specific questions in renewal questionnaires. Honest, complete answers protect you; vague answers can become claim-denial fodder later.
Working with JAIN on AI insurance gap analysis? We help executive teams identify the gaps and write the endorsement language for renewal. Book a 30-minute call.