The insurance industry is undergoing a major shift as businesses look to quickly adopt artificial intelligence (AI) while seeking insurance policies to manage potential risks — especially those posed by agentic AI  systems that could cause significant damage before being caught by human-in-the-loop processes.

The current risk is small as companies test potential ways to integrate AI into their operations. But some insurers are already taking steps to exclude AI-caused damage from their more traditional insurance policies, leaving the risk to be absorbed by cyber insurance policies or tech errors-and-omissions (E&O) coverage. Others have already created explicit policies to protect against AI risks, even if the current market for insuring against AI risk is tiny.

Insurance companies — and their clients — need to focus on the problem because AI is quickly becoming ingrained as part of operations, both by businesses and cyberattackers, says Maria Long, chief underwriting officer at Resilience, a cyber resilience and insurance provider. Resilience, for example, has seen an increase in the frequency of cyber-insurance claims by its policyholders in 2025 — an increase the company attributes, in part, to attackers’ use of AI to improve phishing lures and speed up their operations.

Related:Most CISOs Report Pressure to Bury Bad Security News

As a result, the company is shifting toward a strategy that separates the risks from AI and traditional computers to better create appropriate coverage.

“Our current policies inherently cover AI exposure since they do not distinguish the manner of attack but rather the outcome, like business interruption, fraud, and data breach,” she says. “But we also know that AI is evolving rapidly, and lumping AI-related issues with traditional cyber claims won’t always work.”

The concerns come as enterprises have accelerated their AI adoption. Sixty percent of workers now have access to sanctioned AI applications, up from 40% at the beginning of 2025, according to consultancy Deloitte’s 2026 “State of AI in the Enterprise” survey of 3,200 businesses. OpenAI sees an even greater uptake of AI usage, with 75% of workers reporting that they have seen productivity gains with AI, saving nearly an hour a week. Token usage is also 320 times higher than a year ago, OpenAI stated in its “State of Enterprise AI” report published in December 2025.

Security and governance, however, have not kept pace. While most companies (74%) plan to deploy agentic AI, only 21% have developed a mature AI governance model, Deloitte stated.

Related:Focus on Cyber Insurance: How Quantifying Risk Is Reshaping Security

Uncertainty of AI Behaviors Requires Mitigating Risks

Businesses need to figure out their risk mitigation strategy for AI, whether that’s working with an insurance company or accepting the default of essentially self-insurance, says Michael von Gablenz, the head of the Insure AI team for Munich Re and its HSB subsidiary, which offers AI liability insurance to businesses and plans to cover additional AI risks over time.

Because the value of AI lies in its ability to automate knowledge-based processes, companies will be unlikely to slow their adoption, but it is critical that they offset the risks when things go wrong, he says.

“If the AI makes mistakes or hallucinates, discriminates, or generates infringing or harmful content, then actions and decisions taken based on the AI will lead to unintended consequences, liabilities, and financial losses for the users,” von Gablenz says. “In [our] view, insuring the errors of an AI model addresses one of the most fundamental risks of AI … providing financial protection to an AI user if an AI does not act in the way it was envisioned to do.”

Bar chart showing phishing surge possibly due to AI

Agentic AI brings even greater risks, the most serious being if an agent takes an action that it was not supposed to, such as deleting data, authorizing incorrect actions, or causing some other sort of business losses, says Gerry Glombicki, head of cyber risk at credit-rating and analysis firm Fitch Ratings. Other risks depend on the exact application and whether the AI is transparent in its decision-making. A human resources AI agent, for example, may expose a company to a lawsuit alleging bias if the agent is not transparent about how it filters resumes.

Related:How CISOs Should Prep for Agentic-Ready AI BOMs

“AI [risk] — when you specifically talk about AI insurance itself — becomes extremely bespoke very quickly,” Glombicki says. 

Businesses should talk with their insurance providers about what risks they need to offset because a lack of clarity is not good for either party. 

“Because if it’s not specifically excluded, but it’s not necessarily affirmed, then it’s what we call silently affirmed, if you will — that leaves some legal liability,” Glombicki says.

Munich Re, for example, does not cover AI models that predict stock market prices because those risks lie outside the company’s risk appetite, von Gablenz says.

AI Governance Is Critical

Whether a particular incident or event is covered by an insurance policy depends heavily on the details. For underwriters, if an attack — such as a prompt injection or another vulnerability in an AI system — causes a business interruption or data breach, the cyber policy should cover the event, says Resilience’s Long. Financial losses resulting from incorrect responses by a foundational AI company would typically be covered by a Tech E&O policy.

“Whether AI was the vector — how the threat is delivered — or the peril — the source of risk itself — is a question that will become more prevalent as policy language continues to evolve,” she says.

Businesses should conduct an assessment of the exposure inherent in AI capabilities, evaluated as a “forest view” across AI-enabled cyberattacks, shadow AI used by employees, and errors and hallucinations from company-approved AI tools, Long says.

“AI governance and risk assessment is at the core of all guidance,” she says. “Rather than require specific controls, we work with clients to understand their risk and recommend the mitigations most likely to lower their risk.”

Businesses should establish a strong governance system early on. The audit trail produced by such systems will help companies investigate an AI incident — especially if it involves agentic AI — to determine who is responsible when something does happen, says Fitch Ratings’ Glombicki.

“Was it the employee who did it? Was it Claude who did it? Was it something else? Who is ultimately accountable for its actions?” he says. “There’s a slippery legal field where, again, the insurers are trying to minimize the risk for that.”

Companies should discuss their insurance policies before widely deploying AI, Glombicki adds. Without clarity, businesses risk not having insurance coverage in the event of an incident, thereby accepting the default: self-coverage.

“Adding unknown risks at scale is usually the recipe for disaster,” he says.





Source link

#

Comments are closed