AI & Emerging Tech

Insurers Are Pulling Back on AI Coverage as Agentic Risk Grows

Insurers Are Pulling Back on AI Coverage as Agentic Risk Grows

Cyber insurers are struggling to price a risk they cannot yet measure. As businesses accelerate AI integration across their operations, insurers are responding with exclusions, coverage carve-outs and harder questions at renewal not because AI claims are common yet, but because the loss data needed to set premiums does not exist in any meaningful volume.

The concern is not primarily that AI systems get hacked. It is that they act. Gerry Glombicki, head of cyber risk at Fitch Ratings, put it directly, “Agentic AI brings even greater risks, the most serious being if an agent takes an action that it was not supposed to, such as deleting data, authorizing incorrect actions or causing some other sort of business losses.” That framing matters. The threat model for agentic AI is not a breach in the traditional sense, it is an autonomous system that does something wrong at scale faster than a human can intervene.

No Loss History Means No Reliable Pricing

Insurance pricing depends on actuarial tables. Actuarial tables depend on claims history. AI liability has almost none. According to the Geneva Association’s October 2025 report on generative AI risks for the insurance sector, the combination of limited loss data and asymmetric information between insurers and policyholders makes AI risk genuinely difficult to underwrite at this stage, not just commercially uncomfortable, but technically unresolvable with current data.

That asymmetry cuts in one direction, the company deploying an AI system knows far more about how it behaves, what data it touches and how its outputs feed into business decisions than any insurer asking questions at renewal. Underwriters cannot audit a model’s behavior the way they can audit a firewall configuration.

Dark Reading reported in May 2025 that insurers are responding in two ways, excluding AI-related losses from existing cyber policies or attempting to quantify AI exposure separately and price it as a distinct coverage layer. Neither approach is settled. The exclusion route creates gaps that policyholders may not notice until a claim is denied. The separate pricing route requires data that does not yet support confident modelling.

Autonomous Actions Are the Coverage Gap Worth Watching

Traditional cyber insurance was built around a recognizable event, a system was compromised, data was exfiltrated or encrypted and a recoverable loss occurred. Agentic AI breaks that model in ways that matter practically.

An AI agent that autonomously executes a financial transaction, modifies a database, cancels supplier contracts or sends communications on behalf of a business does not require an attacker. The loss can be caused entirely by the system behaving outside expected parameters due to a flawed prompt, corrupted training data or a downstream integration failure. That is not a cyber incident in the conventional sense. It is closer to a professional indemnity or product liability claim, depending on jurisdiction and how the policy is worded.

Bias is the second exposure that insurers are beginning to take seriously. An AI system used in hiring, credit assessment or customer pricing that produces discriminatory outputs creates regulatory liability, potential litigation and reputational damage, none of which sit cleanly inside a standard cyber policy. The EU AI Act which entered into force in August 2024, creates specific obligations for high-risk AI systems in exactly these categories. Under that framework, companies that deploy non-compliant high-risk AI systems face fines of up to €30 million or 6% of global annual turnover.

What Businesses Should Actually Do Before Renewal

The honest answer is that most businesses have not mapped their AI deployments in enough detail to answer the questions a competent insurer will ask. That gap matters now. Renewal conversations are happening and companies that cannot describe what their AI systems are authorized to do and what controls prevent them from doing more, will face higher premiums, broader exclusions or both.

Three practical steps before the next renewal conversation. First, inventory every AI system that can take an action including send an email, execute a transaction, modify a record or communicate externally. Know what data each system touches and what authorizations it holds. Second, document the controls on autonomous action, specifically whether human approval is required before any irreversible operation. Insurers are beginning to ask this explicitly. Third, check how your existing cyber policy handles AI-generated losses. Look for exclusions added at the last renewal. Many policyholders have not read them carefully enough.

The Iowa Bar Blog noted in 2025 that AI exclusions are creeping into insurance policies broadly but that cyber policies have so far been less affected than other lines. That will not hold. As agentic deployments expand and the first large AI-related business losses make it into case law, cyber insurers will tighten their language fast.

The Geneva Association’s position, stated plainly in their 2025 report, is that the insurance industry needs to build loss data now, through careful underwriting of early AI risks rather than blanket exclusion, or it will not have the tools to price the next generation of deployments at all. That is a reasonable long-term argument. It does not help a business renewing in the next 90 days.

References

  1. AI Risk Worries Insurers and Businesses Alike
  2. Gen AI Risks for Businesses – Exploring the Role for Insurance
  3. Cyber Insurance – How Quantifying Risk Is Reshaping Security
  4. AI Exclusions Are Creeping into Insurance
  5. Can Companies Insure Against AI’s Growing Risks?
  6. AI Advancements Are Reshaping Cyber Insurance Coverage

This post is also available in: Svenska

Erik Berg

Erik Berg is CTO and Principal Security Architect at eBuilder Security, with more than a decade in blue team security operations across the private and public sectors, and a focus on emerging threats including the security risks that come with AI.