Dark ReadingArchived Jun 11, 2026✓ Full text saved
As companies adopt AI, many insurance firms are explicitly excluding AI risks, while others are forging ahead to create the right framework. What risks can firms reasonably manage?
Full text archived locally
✦ AI Summary· Claude Sonnet
CYBER RISK
CYBERSECURITY OPERATIONS
CYBERSECURITY ANALYTICS
VULNERABILITIES & THREATS
Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.
AI Risk Worries Insurers and Businesses Alike
As companies adopt AI, many insurance firms are explicitly excluding AI risks, while others are forging ahead to create the right framework. What risks can firms reasonably manage?
Robert Lemos,Contributing Writer
June 10, 2026
5 Min Read
SOURCE: MUNGKHOOD STUDIO VIA SHUTTERSTOCK
The insurance industry is undergoing a major shift as businesses look to quickly adopt artificial intelligence (AI) while seeking insurance policies to manage potential risks — especially those posed by agentic AI systems that could cause significant damage before being caught by human-in-the-loop processes.
The current risk is small as companies test potential ways to integrate AI into their operations. But some insurers are already taking steps to exclude AI-caused damage from their more traditional insurance policies, leaving the risk to be absorbed by cyber insurance policies or tech errors-and-omissions (E&O) coverage. Others have already created explicit policies to protect against AI risks, even if the current market for insuring against AI risk is tiny.
Insurance companies — and their clients — need to focus on the problem because AI is quickly becoming ingrained as part of operations, both by businesses and cyberattackers, says Maria Long, chief underwriting officer at Resilience, a cyber resilience and insurance provider. Resilience, for example, has seen an increase in the frequency of cyber-insurance claims by its policyholders in 2025 — an increase the company attributes, in part, to attackers' use of AI to improve phishing lures and speed up their operations.
Related:Focus on Cyber Insurance: How Quantifying Risk Is Reshaping Security
As a result, the company is shifting toward a strategy that separates the risks from AI and traditional computers to better create appropriate coverage.
"Our current policies inherently cover AI exposure since they do not distinguish the manner of attack but rather the outcome, like business interruption, fraud, and data breach," she says. "But we also know that AI is evolving rapidly, and lumping AI-related issues with traditional cyber claims won't always work."
The concerns come as enterprises have accelerated their AI adoption. Sixty percent of workers now have access to sanctioned AI applications, up from 40% at the beginning of 2025, according to consultancy Deloitte's 2026 "State of AI in the Enterprise" survey of 3,200 businesses. OpenAI sees an even greater uptake of AI usage, with 75% of workers reporting that they have seen productivity gains with AI, saving nearly an hour a week. Token usage is also 320 times higher than a year ago, OpenAI stated in its "State of Enterprise AI" report published in December 2025.
Security and governance, however, have not kept pace. While most companies (74%) plan to deploy agentic AI, only 21% have developed a mature AI governance model, Deloitte stated.
Related:How CISOs Should Prep for Agentic-Ready AI BOMs
Uncertainty of AI Behaviors Requires Mitigating Risks
Businesses need to figure out their risk mitigation strategy for AI, whether that's working with an insurance company or accepting the default of essentially self-insurance, says Michael von Gablenz, the head of the Insure AI team for Munich Re and its HSB subsidiary, which offers AI liability insurance to businesses and plans to cover additional AI risks over time.
Because the value of AI lies in its ability to automate knowledge-based processes, companies will be unlikely to slow their adoption, but it is critical that they offset the risks when things go wrong, he says.
"If the AI makes mistakes or hallucinates, discriminates, or generates infringing or harmful content, then actions and decisions taken based on the AI will lead to unintended consequences, liabilities, and financial losses for the users," von Gablenz says. "In [our] view, insuring the errors of an AI model addresses one of the most fundamental risks of AI ... providing financial protection to an AI user if an AI does not act in the way it was envisioned to do."
Agentic AI brings even greater risks, the most serious being if an agent takes an action that it was not supposed to, such as deleting data, authorizing incorrect actions, or causing some other sort of business losses, says Gerry Glombicki, head of cyber risk at credit-rating and analysis firm Fitch Ratings. Other risks depend on the exact application and whether the AI is transparent in its decision-making. A human resources AI agent, for example, may expose a company to a lawsuit alleging bias if the agent is not transparent about how it filters resumes.
Related:Checkbox Assessments Aren't Fit to Measure Risk
"AI [risk] — when you specifically talk about AI insurance itself — becomes extremely bespoke very quickly," Glombicki says.
Businesses should talk with their insurance providers about what risks they need to offset because a lack of clarity is not good for either party.
"Because if it's not specifically excluded, but it's not necessarily affirmed, then it's what we call silently affirmed, if you will — that leaves some legal liability," Glombicki says.
Munich Re, for example, does not cover AI models that predict stock market prices because those risks lie outside the company's risk appetite, von Gablenz says.
AI Governance Is Critical
Whether a particular incident or event is covered by an insurance policy depends heavily on the details. For underwriters, if an attack — such as a prompt injection or another vulnerability in an AI system — causes a business interruption or data breach, the cyber policy should cover the event, says Resilience's Long. Financial losses resulting from incorrect responses by a foundational AI company would typically be covered by a Tech E&O policy.
"Whether AI was the vector — how the threat is delivered — or the peril — the source of risk itself — is a question that will become more prevalent as policy language continues to evolve," she says.
Businesses should conduct an assessment of the exposure inherent in AI capabilities, evaluated as a "forest view" across AI-enabled cyberattacks, shadow AI used by employees, and errors and hallucinations from company-approved AI tools, Long says.
"AI governance and risk assessment is at the core of all guidance," she says. "Rather than require specific controls, we work with clients to understand their risk and recommend the mitigations most likely to lower their risk."
Businesses should establish a strong governance system early on. The audit trail produced by such systems will help companies investigate an AI incident — especially if it involves agentic AI — to determine who is responsible when something does happen, says Fitch Ratings' Glombicki.
"Was it the employee who did it? Was it Claude who did it? Was it something else? Who is ultimately accountable for its actions?" he says. "There's a slippery legal field where, again, the insurers are trying to minimize the risk for that."
Companies should discuss their insurance policies before widely deploying AI, Glombicki adds. Without clarity, businesses risk not having insurance coverage in the event of an incident, thereby accepting the default: self-coverage.
"Adding unknown risks at scale is usually the recipe for disaster," he says.
About the Author
Robert Lemos
Contributing Writer
Rob is an award-winning, veteran technology journalist of more than 30 years, reporting on global cybersecurity issues, the latest offensive and defensive technologies, malware incidents, cyber conflict, and AI's impact on software and cybersecurity.
A former research engineer, Rob has written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. He has received five awards for journalism, including Best Deadline Journalism (Online) in 2003 for his coverage of the Blaster worm. Rob also analyzes data on various trends using Python and R for both his reporting and his clients. Recent reports include analyses of the shortage in cybersecurity workers, annual vulnerability trends, and annual threat reports.
Rob holds degrees from Cornell University in Electrical Engineering and Computer Science (double major).
Want more Dark Reading stories in your Google search results?
ADD US NOW
More Insights
Industry Reports
How Organizations Are Managing Incident Response
How Enterprises Are Developing Secure Applications
Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy
Essential News & Insights from Black Hat USA 2025
How Enterprises Are Harnessing Emerging Technologies in Cybersecurity
Access More Research
Webinars
Advanced Persistent Threats: A Practical Guide to Detection and Response
The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed
Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack
Defending in the Shadow Era: When the CVE Feed Goes Dark
Building SecOps That Make the Most of Every Dollar
More Webinars
You May Also Like
CYBER RISK
How Can CISOs Respond to Ransomware Getting More Violent?
by James Doggett
JAN 28, 2026
CYBER RISK
US Cyber Pros Plead Guilty Over BlackCat Ransomware Activity
by Alexander Culafi
JAN 05, 2026
CYBER RISK
Switching to Offense: US Makes Cyber Strategy Changes
by Robert Lemos, Contributing Writer
NOV 21, 2025
CYBER RISK
Microsoft Exchange 'Under Imminent Threat,' Act Now
by Arielle Waldman
NOV 12, 2025
Edge Picks
APPLICATION SECURITY
AI Agents in Browsers Light on Cybersecurity, Bypass Controls
CYBER RISK
Browser Extensions Pose Heightened, but Manageable, Security Risks
CYBERSECURITY OPERATIONS
Video Convos: Agentic AI, Apple, EV Chargers; Cybersecurity Peril Abounds
ENDPOINT SECURITY
Extension Poisoning Campaign Highlights Gaps in Browser Security
Latest Articles in The Edge
ENDPOINT SECURITY
The Invisible Battlefield: How Cyberwar Is Reshaping Everyday Life
JUN 9, 2026
CYBER RISK
AI Slop Will Kill Cybersecurity Storytelling If We Let It
JUN 8, 2026
CYBERSECURITY OPERATIONS
Zoom CISO: AI as a Security Enabler, Not Role-Replacer
JUN 2, 2026
CYBER RISK
Focus on Cyber Insurance: How Quantifying Risk Is Reshaping Security
MAY 28, 2026
Read More The Edge
Want more Dark Reading stories in your Google search results?
Loading...
BLACK HAT ASIA | MARINA BAY SANDS, SINGAPORE
Experience cutting-edge cybersecurity insights in this four-day event. Use code DARKREADING for a Free Business Pass or $200 off a Briefings Pass.
GET YOUR PASS