Executive Summary
- Major insurers — AIG, Chubb, W.R. Berkley, Great American — are actively seeking regulatory approval to exclude AI-related liabilities from standard commercial policies. ISO filed absolute AI exclusions for general commercial liability effective January 2026.
- Enterprise procurement teams demanding standard certificates of insurance from AI vendors are increasingly holding paper that excludes the exact risks the vendor creates: hallucinations, model drift, automated decision failures, and IP infringement.
- A new standalone AI liability market is forming — Armilla AI (first Lloyd’s coverholder for AI) offers up to $25 million per organization covering hallucinations, model drift, and regulatory violations — but most mid-market buyers do not yet know it exists.
- California’s Executive Order N-5-26 (March 30, 2026) establishes the first state-level AI vendor certification framework, with 120-day implementation. Enterprise buyers outside California should watch this as a template.
- 67% of vendors lost contract opportunities in 2024 due to insufficient insurance coverage. As AI exclusions widen, this number will grow — and the vendors losing deals may be your AI providers.
The Insurance Gap Nobody Is Talking About
Enterprise procurement has a standard playbook: before a vendor touches production data, collect a certificate of insurance showing general liability, professional E&O, and cyber coverage at the limits your risk team specifies. The problem: that playbook was designed before the vendor’s product could hallucinate, drift, or autonomously make decisions that trigger regulatory exposure.
Three forces are converging to create a coverage gap specifically around AI vendors:
1. Carriers are pulling back. AIG is seeking regulatory permission to exclude AI liabilities from standard corporate policies. W.R. Berkley’s proposed exclusion would “bar claims involving any actual or alleged use of AI, including products sold by a company that merely incorporate the tools” — language broad enough to encompass any software vendor shipping an AI feature (Walnut Insurance, Jan 2026). Chubb covers some AI risks but explicitly excludes “widespread” incidents where a single model failure affects many clients simultaneously — precisely the systemic risk scenario that keeps CISOs awake.
2. ISO has formalized the exclusion. As of January 2026, ISO filed absolute AI exclusions for general commercial liability and completed products/operations policies. This means the standard CGL policy your procurement team accepts as baseline coverage now contains a carve-out for the fastest-growing category of vendor risk.
3. The denial categories map exactly to AI vendor risk. Emerging exclusion categories include AI-generated errors and misrepresentations, hallucinated outputs, flawed chatbot advice, automated decision-making failures, and model-produced content causing infringement, defamation, or discrimination. Every one of these is a plausible failure mode for the AI tools enterprises are deploying today.
What Coverage Actually Exists in 2026
Aon identifies three distinct insurance market approaches for AI risk (Aon, “AI Risk 2026”):
| Approach | What It Covers | Limitations |
|---|---|---|
| AI-related endorsements | Case-by-case deployment on existing policies | Narrow, requires negotiation per-risk |
| Affirmative coverage via existing policies | Cyber, E&O, EPLI, media liability | Depends on policy language — ISO exclusions may override |
| Standalone AI products | Purpose-built AI liability coverage | New market, limited capacity, unfamiliar to procurement |
The standalone market is where the action is. Key products:
- Armilla AI / Chaucer (Lloyd’s): First dedicated AI liability coverholder at Lloyd’s. Covers hallucinations, model drift, inaccurate outputs, data leakage, AI regulatory violations, defamation, trade secret exposure, and confidentiality breaches. Limits: up to $25 million per organization. Their “Vanguard AI” product bundles $25M+ AI aggregate limits with $10M cyber limits.
- Munich Re AiSure: AI performance guarantee product — underwritten coverage against model underperformance.
- AXA XL, Vouch, Testudo: Entering the market with varying AI-specific endorsements.
- QBE North America: AI-focused cyber coverages for regulatory fines and LLMjacking (unauthorized use of AI API credentials).
Key Data Points
| Metric | Value | Source | Date |
|---|---|---|---|
| Carriers seeking AI exclusions | AIG, Chubb, W.R. Berkley, Great American | Walnut Insurance; Marketing AI Institute | Jan 2026 |
| ISO AI exclusion filing | Absolute exclusion for CGL + products/operations | ISO / Walnut Insurance | Effective Jan 2026 |
| Vendors losing deals over insurance gaps | 67% lost opportunities in 2024 | Delinea / industry survey | 2024 |
| Harmful AI incidents recorded | 233 in 2024 (56% YoY increase) | Aon “AI Risk 2026” | 2025 |
| Insurance decision makers viewing AI as material | 90%+ | Aon “AI Risk 2026” | 2025 |
| Standalone AI liability limit (Armilla/Chaucer) | $25M per organization | Armilla AI | 2025 |
| Cyber insurance market size | $16B (2025), projected $40B by 2030 | Walnut Insurance | 2025 |
| EU AI Act maximum fine | €35M or 7% of global turnover | EU AI Act | Effective 2026 |
| California AI vendor certification deadline | 120 days from March 30, 2026 | EO N-5-26 | Mar 2026 |
| Insurers requiring MFA | ~80% | Delinea | 2026 |
The D&O Dimension
Aon flags four AI-specific D&O exposure areas that board members and officers should understand:
- Governance/oversight failures — failing to establish AI governance before deploying
- Disclosure/reporting risks — material AI transformation that should have been disclosed to investors
- Regulatory compliance — evolving global regimes (EU AI Act, California N-5-26, state-level actions)
- Shareholder litigation — governance gaps creating derivative suit exposure
This means the insurance certification question is not just a procurement checkbox — it is a board-level fiduciary question. If the company deploys AI without adequate coverage and an incident occurs, the D&O exposure follows the directors personally.
California Sets the Template
Governor Newsom’s Executive Order N-5-26 (March 30, 2026) directs the Department of General Services and Department of Technology to develop new certification requirements for AI vendors contracting with California state agencies. Within 120 days, vendors must attest to:
- Prevention of illegal content distribution
- Harmful bias governance procedures
- Civil rights risk assessments
- Unlawful surveillance prevention
The order applies regardless of where the vendor is headquartered. While currently limited to state procurement, this framework will likely influence enterprise procurement standards nationally — the same way California’s CCPA became a de facto national privacy standard before most states passed their own laws.
What This Means for Your Organization
The immediate action is a three-part insurance audit:
First, pull the certificates of insurance for every AI vendor currently in production or pilot. Read the underlying policy language — not just the certificate face. Check whether the CGL, E&O, and cyber policies contain the ISO AI exclusion or carrier-specific AI carve-outs filed since January 2026. If they do, the certificate your procurement team accepted no longer covers the risk it appears to cover.
Second, decide whether to require AI vendors to carry standalone AI liability coverage. The market exists — Armilla/Chaucer at Lloyd’s offers $25 million limits covering hallucinations, model drift, and regulatory violations. The question is whether your vendor can get it and whether the premium gets passed through to your contract.
Third, update the vendor insurance requirements in your procurement template. The standard “commercial general liability / professional E&O / cyber” triad was designed for SaaS vendors whose failure mode is downtime. AI vendors’ failure modes include hallucination, bias, autonomous action, and IP infringement — none of which may be covered under the policies your template currently requires.
If this raised questions specific to your vendor insurance requirements, I’d welcome the conversation — brandon@brandonsneider.com
Sources
- Aon, “AI Risk 2026: What Business Leaders Need to Know” (2026). https://www.aon.com/en/insights/articles/ai-risk-2026-practical-agenda — Credibility: HIGH (Big 3 broker, primary research)
- Walnut Insurance, “The AI Coverage Paradox: Why Cyber Insurance Is at a Crossroads” (Jan 2026). https://www.gowalnut.com/insight/the-ai-coverage-paradox-why-cyber-insurance-is-at-a-crossroads — Credibility: MEDIUM (industry analysis, cites ISO filings and carrier actions)
- Marketing AI Institute, “The Safety Net Is Shrinking: Insurers Move to Exclude AI Risks” (2026). https://www.marketingaiinstitute.com/blog/insurers-move-to-exclude-ai-risks — Credibility: MEDIUM (secondary reporting on carrier filings)
- Fenwick & West, “Tracking the Evolution of AI Insurance Regulation” (2025). https://www.fenwick.com/insights/publications/tracking-the-evolution-of-ai-insurance-regulation — Credibility: HIGH (AmLaw 100 firm, regulatory analysis)
- Armilla AI / Chaucer Group, “AI Liability Insurance Product Launch” (2025). https://www.armilla.ai/resources/chaucer-and-armilla-launch-new-ai-liability-insurance-product — Credibility: MEDIUM (vendor announcement, but Lloyd’s-backed product)
- Vinson & Elkins / JD Supra, “California’s New Executive Order Establishes New AI Vendor Certification and Procurement Requirements” (Apr 2026). https://www.jdsupra.com/legalnews/california-s-new-executive-order-5050623/ — Credibility: HIGH (AmLaw 100 analysis of executive order)
- Delinea, “Cyber Insurance Coverage Requirements for 2026” (2026). https://delinea.com/blog/cyber-insurance-coverage-requirements-for-2026 — Credibility: MEDIUM (vendor blog, but cites insurer survey data)
Brandon Sneider | brandon@brandonsneider.com | April 2026