Industry Leader in Insurance and AI Technologies at PricewaterhouseCoopers (PwC)
Answered 5 months ago
#1 From what I have seen, the major problems are all about model behavior: outputs that are totally wrong, biased recommendations, using copyrighted material incorrectly, bad summaries, and AI decisions that just cost money. These aren't the standard cyber threats, like someone stealing data; this is the model itself messing up. Which is why insurers are splitting into two camps, one group willing to insure and another pushing for huge exclusions that basically cover nothing. The industry is still figuring out how to tell the difference between 'the AI acted weird' and 'the AI was hacked or compromised,' and that distinction is quickly becoming the central factor in how they price, write, or deny coverage.
#2 In my opinion, AI engineering is going to be a lot like how we handle regulated software. We'll need things like solid audit trails that can't be changed, better ways to track the model's origins, and proof of all the training data. Plus, these optional 'liability modes' that just put on stricter guardrails and keep the outputs within a much safer, narrower range. Eventually, insurers will demand explainability reports before they even offer coverage, kind of like safety testing in other fields. Essentially, model builders are going to have to prove responsibility, not just performance, because capital tends to flow toward what's traceable.
#3 I don't think there is one simple answer to this, but a shared responsibility model is definitely going to emerge. Model providers will handle baseline safety, companies will be responsible for how they use it, and users accountable for misuse. The whole black box problem with large language models complicates things, but it won't make insurance impossible. Insurers look for clarity along the lines of: Who fine-tuned this model? Who approved the prompts we used? Who relied on that final decision?
Expect frameworks similar to product liability, where responsibility follows the chain of influence, rather than one person or party carrying the entire weight.
AI's mistakes and hallucinated content are causing many issues around responsibility. Because of this, we'll see tougher checks at every stage of AI output. When I built an AI rule system for legal process, I learned that carefully checking facts manually and confirming sources was essential to defending AI use to clients, courts, and regulators. I think insurance companies will want to see these kinds of audit trails and standards before they provide coverage, especially where AI mistakes could lead to waiver of privilege or open up an attorney to malpractice claims. To prepare, law firms and others will need to implement structured AI governance to get clarity on internal risk tolerance and AI tool management.
Future models may need a secure internal space that logs every significant decision, parameter shift, or data influence in a tamper-proof ledger. Engineers could be forced to maintain an internal diary that regulators or insurers can review during disputes. This would reshape training pipelines, as every optimization step would need to withstand legal scrutiny. Teams would start treating debugging sessions like depositions, which means less improvisation and more structured documentation from day one. Prepare for engineers to joke that their models have better record-keeping habits than their accounting software.
I've built SaaS platforms, and I see what insurers worry about with AI. They're scared of hallucinations or unsupported claims leading to big mistakes. I saw this firsthand when AI guidance broke a customer's workflow. Suddenly you can't tell if it's the platform's fault or the user's error. Until providers build systems that show their work, liability just floats between the model creator and the customer.
Our health-tech platform sometimes gets a little ahead of itself predicting conditions, and insurers react differently. One carrier flagged it as a "hallucination" claim, which is specific. Another just tossed it under generic cyber risk. That creates a mess. You have to push for clearer policy language. From what we've seen, regular model checks and good records make underwriting a lot smoother.
Briefly: Insurers and the Legal Community are reacting to the emergence of new risks associated with Generative AI (a.k.a. GenAI) and the impacts of those reactions are evident now in how they shape Engineering, Contracts and Allocation of Risk. What Factors Are Driving Underwriting Activity? The main factors driving underwriting activity revolve around Claims associated with Hallucinations (i.e., false or plausible Claims), Defamation/IP Infringement, Biased/Discriminatory Outputs and Automated Decisions resulting in the loss of Financial and/or Reputational Value. Each of these types of Claims is dissimilar to "Classic" Cyber Claims; rather, "Cyber" typically involves the Loss of Data or Unauthorized Access to Data; while, with the Claims associated with AI, the focus is on What Comes Out of the Model, but is, in essence, Incorrect, Harmful and/or Unexplainable. Insurers have begun to price both types of Claims; however, most Insurers are also beginning to exclude AI-Coverage from their Policies because of the distinctiveness of the Loss Modes and Measurement Issues associated with these types of Claims. How will this affect the Engineering Lifecycle? As new and changed Engineering Requirements (e.g., Immutable Audit Trails, Documented Rigorous Input/Output Provisions, Deterministic "Liability Modes" (guardrails and monitoring for outputs that are deemed to be "high-risk" and/or the use of Standardized Validation Suites and Model Cards)) are being established by Insurers increasingly as a Coverage Requirement, the Engineering requirement to test, monitor and document Incident "Playbooks" will increasingly require evidence of Demonstrable Testing, Monitoring and Incident "Playbooks" (i.e., Auditable Evidence) that reasonable measures were taken to Mitigate Risk. How will we see Liability Standardized in 2-3 Years? Not entirely. 
I believe that different Layers of Liability Standards will emerge, including Contractually Allocated liability between Model Providers and Model Users, as well as Standards and Certification Programs for Markets that Insurers will rely upon. Courts and Arbitrators will create precedent for future Developments, but the "Black Box" with respect to AI Models will inhibit Pure Standardization for the Immediate Future. However, Practical Development will take place in the form of Enforceable SLAs, Provenance Requirements, and Industry Standards.
1) I think that there is a particularly high incidence of liability cover versus hard exclusions in this area right now because a very high proportion of claims and related risk relate to financial or operational losses: erroneous decisions (business, financial, medical) that have been generated by model output, biased credit scores, incorrect contract generation etc. Insurers are beginning to understand that the kind of risk they are underwriting with respect to AI is not at all like cyber, and that there are loss scenarios that are endemic to AI risks that are likely based on the internal logic of the model rather than some form of intrusion or attack, so policies that are tailored to these sorts of AI products are going to be needed in any event.
2) Once liability is properly defined, I also think we are likely to see model engineering incorporate features like immutable audit trails and hard guardrails into the design - at least for any applications that will be deployed where there are regulated activities or other forms of accountability around outputs. There will be pressure on providers to be able to explain outputs and internal functions of the model.
3) Liability consensus is unlikely to be reached in the near future. It will continue to be a moving target (but hopefully at least a known target) in which responsibility will be spread between providers, deployers, and users for a period of time, subject to the specific contractual arrangement and operational context. The "black box" nature of most LLMs and generative models also means that a one-size-fits-all for liability assignment is not really possible in any event.
1) From a product and operations perspective, the biggest AI risks driving insurers to bespoke policies are non-functional or service failures: hallucinations, misinformation, and other biased outputs that cause downstream errors. The underlying harms are categorically different from baseline cyber events, and policies need to be worded explicitly to cover the AI making autonomous decisions.
2) Liability pressure will accelerate a more formalised and documented engineering lifecycle. Audit logging, error-tracking dashboards, and pre-deployment risk assessments will become a necessity to qualify for coverage. Embedding explainability, and more directly "liability modes" within models, will also become a precondition to qualify for coverage.
3) In the short-medium term, standardising liability coverage will be hard, as who is liable for the behavior of the outputs is highly case-specific. In the 2-3 year time frame, we might see use-case or sector-specific precedent being set, but given the complexity and opacity of LLMs, a one-policy-fits-all insurance product is likely to be unfeasible, forcing providers and enterprises to reach coverage agreements on a case-by-case basis.
From what I've seen, the recent wave of AI-related insurance activity is being driven by real-world incidents where generative AI has caused tangible reputational or financial harm — hallucinated legal citations, biased outputs, and defamation are at the center of these claims. The challenge insurers face is that these failures differ fundamentally from traditional cyber risks. A system breach or data leak is binary and traceable, while an AI hallucination is probabilistic and context-dependent. I've seen businesses rely on AI-generated content without adequate review, only to face PR crises or legal threats when false information was published — that's the kind of "gray-area" loss insurers are now trying to quantify. As these risks grow, I believe the engineering lifecycle of AI will adapt to insurance demands. Just as cybersecurity standards evolved from best practices into compliance requirements, we'll likely see AI systems built with mandated audit trails and transparency logs. A "liability mode" — where outputs are monitored, traceable, and verifiable — could become essential for enterprise use. When clients ask me how to mitigate AI risk in marketing automation, I always recommend building review checkpoints and human validation layers. Insurers will expect the same level of accountability baked into model design before offering coverage. Looking two to three years ahead, I don't think we'll reach a full consensus on liability yet. The black-box complexity of large language models makes clear attribution difficult — was it the developer's training data, the enterprise's fine-tuning, or the user's misuse? In practice, I expect insurers to adopt tiered frameworks that share responsibility across all three. It's similar to how digital marketers are accountable for ad performance even when using third-party tools — shared liability forces everyone in the ecosystem to be more transparent and cautious.
The surge in AI-specific insurance policies—and the parallel rise of absolute AI exclusions—is being driven largely by claims tied to hallucinated outputs, reputational harm, data-handling errors, and automated decision-making bias. What I'm seeing is that carriers aren't just reacting to traditional cyber risks like data breaches; they're reacting to a new category of "performance failures" that stem directly from model behavior. One tech company I advised faced a contract dispute after an LLM-powered agent produced convincingly detailed—but entirely fabricated—regulatory citations. That single event triggered legal fees, client churn, and a breakdown in trust—harms that don't map neatly to classical cyber coverage. Cases like Mata v. Avianca are already shifting how engineers think about the model lifecycle. I expect liability exposure to push teams toward immutable logs of prompts, weights, and training data sources; reproducibility requirements for high-stakes use cases; and a formal "liability mode" where models operate with narrower temperature ranges, stricter retrieval-only constraints, and more transparent refusal logic. A few months ago, I worked with a startup that redesigned its entire inference pipeline simply because its insurer required demonstrable provenance for any factual output. That kind of pressure—coming from insurers rather than regulators—may end up shaping engineering norms more aggressively than policy. Looking two to three years ahead, I don't think we'll reach a complete consensus on liability, but I do see the contours forming. Model providers will ultimately shoulder responsibility for systemic defects, while enterprises will absorb responsibility for deployment context and inadequate human oversight. Users may only bear risk when they intentionally override safeguards. The "black box" problem complicates neat allocations of fault, but insurers don't need perfect explainability—they need traceability. 
If the industry can standardize around verifiable logs and clear handoff points between model outputs and human decision-makers, AI liability insurance will become more practical, though still fragmented across sectors and risk classes.
In my work as an insurance dispute lawyer, I've observed insurers grappling with how to underwrite AI risks that go beyond conventional cyber threats. Claims stemming from hallucinations, biased decision-making, and erroneous outputs are pushing some insurers to offer targeted AI policies, while others opt for broad exclusions. The legal distinction between standard cyber losses and unique AI failures is becoming increasingly critical. As courts begin to handle AI-related claims, the engineering process will need to evolve. Lawyers advising clients are already discussing mechanisms like liability modes, robust audit trails, and enhanced explainability as prerequisites for risk transfer. These legal requirements will likely shape future AI deployments, with liability considerations integrated from design through monitoring. Disputes over AI service performance will continue to challenge traditional insurance frameworks. Determining whether liability rests with the developer, deployer, or end user is difficult, given the opaque nature of many models. From a legal standpoint, companies need to document controls and decision-making pathways to mitigate exposure and support coverage claims. The intersection of law and AI insurance will require ongoing adaptation. Lawyers must guide clients through emerging policies and exclusions, while insurers develop underwriting criteria that accurately reflect the nuances of AI risk. This collaboration is critical to avoiding gaps in coverage and mitigating costly disputes.
1) The main issue for the industry right now is the type of potential harm AI systems may cause. In simple language, we are facing 'nontraditional' types of harm that no longer fit within existing categories (e.g., cyber risk, professional liability, etc.). The major driver for underwriting is the already known hallucinations. For instance, when AI systems provide you with a reference to a court case, or even a legal act (!), which has never existed in the first place. Some examples even include situations when AI provides you with a reference to a real case, but twists the circumstances in such a way that they 'fit' your answer or the question you ask in the chat. Those problems are usually excluded from the scope of liability, as they fall within the definition of a content generation issue, not system intrusion. One more issue is that AI systems are inherently biased because they are created by humans. That's why certain discriminatory elements could be incorporated into AI algorithms by design. Traditional cyber insurance does not contemplate liability based on discriminatory outputs, leading some carriers to exclude AI-decisioning altogether.
2) The legal side of this question is already changing how algorithms operate. After recent famous cases in which ChatGPT allegedly forced a young guy to commit suicide, they changed the way the chat must respond to conversations related to suicide and related topics. As legal risks around generative AI become more visible, we should expect the way models are engineered to change quite significantly. Developers will likely be required to keep permanent and tamper-proof records showing how a model produced certain outputs, since courts and insurers will want those details when something goes wrong. We may also see the emergence of special "liability modes," where models operate with narrower guardrails, more conservative output behavior, and stricter refusal rules.
On top of that, insurers will increasingly demand clearer documentation explaining how models work, where their data comes from, and what limitations they carry. In short, legal pressure will push AI development toward systems that are more traceable, more explainable, and much more defensively designed.
Operations Director (Sales & Team Development) at Reclaim247
Answered 5 months ago
1) The claims pushing insurers into action all come down to one thing: people trusting AI outputs that look confident but are wrong. At Reclaim247, I have seen AI give answers that sound authoritative but fall apart the moment a human checks them. In legal and financial settings, that kind of mistake becomes expensive fast. Hallucinated citations, biased recommendations, or incorrect eligibility decisions can cause real damage. Insurers are now separating classic cyber risk from AI risk because the pattern is different. Traditional cyber incidents come from outside attackers. AI failures come from the system itself. The danger is not a breach. It is an answer that no one questioned because it looked polished. That is a new type of harm, and insurers are trying to get ahead of it. 2) The cases emerging today make it clear that companies can no longer treat AI as a black box. Once accountability enters the picture, audit trails are essential. I expect engineering teams to shift toward models that show how an output was generated, what data shaped it, and whether a human reviewed it. In regulated sectors, I already see organisations adding version control, clear sign off steps, and documented overrides for AI assisted decisions. I think we will soon see a "liability mode" where the model stays within strict boundaries, logs sources, and avoids guessing. This will not be added for convenience. It will be added because insurers will require it before offering coverage. Just as financial controls shaped how banking software evolved, liability standards will shape the next phase of AI development. 3) We will get closer to clarity, but not a perfect rulebook. Over the next few years, I expect liability to fall mainly on the organisation deploying the AI. Courts usually look at whether the business had proper controls and oversight. That mirrors how responsibility works in other high risk industries. 
The black box element makes it harder, but it will not stop insurers and regulators from holding the deploying organisation accountable. What remains uncertain is how much fault sits with the enterprise versus the model provider. Without better transparency into model behaviour, insurers cannot confidently standardise risk. Until explainability improves, liability frameworks will stay uneven. In many ways, insurer pressure may be what finally forces AI developers to provide more visibility, not regulation alone.
Expert Commentary: AI Liability Insurance
Jarad Stolz, Principal at Diversified Insurance Brokers
1) What AI-driven harms are pushing insurers toward either AI-specific coverage or absolute AI exclusions?
The split is happening because generative AI introduces risks that don't resemble traditional cyber losses. We're seeing claims tied to hallucinations that cause financial or operational harm, defamation, biased or discriminatory outputs, and unauthorized use of copyrighted or sensitive training data. Unlike cyber incidents, these losses occur without a breach—the model itself generates the harmful output. That's why some insurers are building performance-based AI policies, while others exclude AI entirely until clearer loss patterns emerge.
2) How will rising liability reshape how AI is engineered?
As claims grow, insurers will require stronger evidence that organizations can monitor and control model behavior. Expect the engineering lifecycle to shift toward:
* Immutable audit trails for prompts, outputs, and updates.
* "Liability modes" where models run with stricter guardrails and lower creativity.
* Explainability standards as a prerequisite for underwriting.
* Continuous monitoring of hallucination, drift, and bias metrics.
Insurers will want traceable, documented processes—similar to what we require in regulated financial products.
3) Will we reach consensus on who is liable within 2-3 years?
We'll move toward a shared-liability model, but not complete uniformity. Courts will likely divide responsibility between:
* Model providers for inherent model defects,
* Enterprise deployers for fine-tuning and implementation choices,
* Users for misuse or ignoring warnings.
Because LLMs remain partly opaque, insurers will underwrite based on governance maturity, not full model transparency. Standardization will improve, but the "black box" nature means liability will remain distributed for the foreseeable future.
Hi,
2. I anticipate engineering teams will start striving for verifiable output pipelines in which each answer can be traced back to the source data. In one deployment, after a client questioned a number that couldn't be figured out, we tacked on something we called safe output mode and it soon became a requirement for our other deployments. Insurers are also sure to favor models with hard guardrails, little creativity in high risk use cases and immutable audit logs. Explainability will shift to a condition for policy approval.
Best regards,
Ben Mizes
CoFounder of Clever Offers
URL: https://cleveroffers.com/
LinkedIn: https://www.linkedin.com/in/benmizes/