
The Complete Guide to AI Governance for D&O Insurance in 2026

AI Clear Editorial

AI governance is now an underwriting question, a coverage condition, and an active regulatory obligation — all at once. This guide consolidates everything an organization needs to understand the convergence of the insurance market, Colorado SB 26-189, the EU AI Act, and independent AI transparency ratings before the next D&O or E&O renewal.

The Exclusion Wave Is Not Hypothetical

In January 2026, the Insurance Services Office issued three new generative AI exclusions for commercial general liability policies: endorsements CG 40 47, CG 40 48, and CG 35 08. Within weeks, carriers including Berkley Insurance and Chubb began cutting AI-related coverage across D&O, E&O, fiduciary, and corporate policy lines.

AIG, W.R. Berkley, and Great American are now seeking regulatory clearance for AI exclusions targeting D&O, E&O, and fiduciary liability policies. Berkley's language is the broadest: it purports to exclude coverage for any claim "based upon, arising out of, or attributable to" the actual or alleged use, deployment, or development of artificial intelligence. That is broad enough to strip coverage from securities claims, regulatory enforcement actions, and governance failures, if AI played any role in the underlying decision.

Lockton Re has publicly argued that AI needs its own risk class, separate from cyber. Aon's 2026 risk outlook identifies AI deployment as a top-tier D&O exposure alongside tariff volatility and geopolitical instability. When reinsurers start calling for standalone classification, the pricing implications cascade fast.

What Underwriters Are Actually Asking For

The exclusion language is blunt, but the underwriting conversation behind it is more nuanced. Carriers are not refusing to cover AI altogether. They are refusing to cover AI they cannot evaluate.

The underwriting conversation has shifted from "do you have an AI policy?" to "show us the evidence." Insurers and brokers are demanding:

  • Documentation of AI system inventories. Which systems make or materially influence consequential decisions? What data do they ingest? What are their known limitations?
  • Disclosure practices. Are consumers and affected parties notified before AI-driven decisions are made? Is there a post-adverse-outcome explanation process?
  • Human oversight protocols. Who reviews AI outputs before they become binding decisions? Do reviewers have authority to override the system?
  • Board-level governance integration. Has the board incorporated AI oversight into its risk and compliance framework, or is AI governance still siloed in IT?

For enterprises deploying AI across finance, HR, lending, or customer-facing operations, this is not a theoretical risk. It is a coverage gap that opens the moment a carrier attaches one of these endorsements to your renewal.

Why SB 26-189 Changes the Underwriting Calculus

Colorado's SB 26-189, signed in May 2026 and effective January 1, 2027, narrows the regulatory frame from the broad "algorithmic discrimination" standard of the repealed SB 24-205 to a disclosure-based model centered on automated decision-making technology (ADMT) used in consequential decisions. Seven domains are covered: education, employment, housing, financial services, insurance, healthcare, and government services.

The obligations are specific. Under Section 6-1-1704, deployers must provide clear and conspicuous notice before using ADMT for consequential decisions. Within 30 days of an adverse outcome, they must deliver a plain-language explanation of the technology's role. Consumers gain rights to access their personal data, correct inaccuracies, and request meaningful human review.

Enforcement sits exclusively with the Colorado Attorney General under the Consumer Protection Act, with a 60-day cure period before penalties attach. No private right of action exists.

For insurers, this structure creates a clean risk-pricing framework. Companies that can demonstrate compliant disclosure practices present a quantifiably lower regulatory risk than those that cannot.

The questions that underwriters are asking map almost perfectly onto what SB 26-189 requires: AI system inventories, disclosure practices, human oversight protocols, and board-level governance — all mandated under Sections 6-1-1702 through 6-1-1705.

The Safe Harbor Trap

SB 26-189 includes safe harbors for insurers operating under state insurance code (Section 10-3-1104.9), creditors complying with ECOA, Regulation B, and FCRA, HIPAA-covered entities in clinical contexts, and FERPA-governed institutions.

These safe harbors are narrower than they appear. They protect specific regulated activities, not the organization as a whole. A health system with HIPAA safe harbor protection for clinical AI still faces full SB 26-189 exposure when it uses AI in employment decisions or financial assistance determinations. A lender compliant with Regulation B still needs to address AI disclosure obligations that fall outside the federal framework.

Federal compliance is the floor, not the ceiling. Safe harbors define the minimum of legal compliance; they say nothing about how an underwriter evaluates your AI governance posture when setting your D&O premium. A healthcare system operating under HIPAA's safe harbor still faces underwriting scrutiny if it cannot document how its AI triage system handles adverse outcomes.

The EU AI Act Adds a Second Layer

For organizations with European exposure, August 2, 2026, brings enforceable transparency obligations under Article 50 of the EU AI Act. These include disclosure of AI interactions, labeling of synthetic content, and identification of deepfakes. High-risk AI systems in employment, financial services, and insurance face conformity assessments, technical documentation requirements, and mandatory registration in the EU database.

Penalties scale to 7% of global turnover for prohibited practices. Even for organizations primarily operating in the United States, the extraterritorial reach of the EU AI Act means that any AI system whose output affects individuals in the EU triggers compliance obligations.

Insurance underwriters with multinational books are already cross-referencing these two regulatory regimes. A company that cannot demonstrate compliance readiness for either one presents compounded risk.

The AI Governance Gap: A Measurable Condition

The term "AI governance gap" describes a measurable condition: the distance between an organization's AI deployment footprint and its documented oversight infrastructure. In many organizations, AI adoption across operations, legal, finance, and HR is expanding faster than the governance frameworks needed to oversee it.

The global AI-liability insurance segment has reached $6.8 billion, with rate increases of up to 15% hitting exposed organizations. For insurers, the challenge is identical to the one procurement teams face: how to evaluate third-party AI risk at scale without relying solely on self-reported questionnaires.

The Rating as Risk Signal

Independent, standardized assessments of AI governance maturity are becoming the reference point for underwriting, much the way cybersecurity ratings from firms like BitSight became standard inputs for cyber liability pricing. The AI Clear public registry rates hundreds of companies on a 57-criteria rubric anchored to NIST AI RMF 1.0 and ISO/IEC 42001:2023, providing exactly the kind of comparable, third-party signal that underwriters need to differentiate risk across a portfolio.

The analogy is precise. Before BitSight, cyber underwriters relied on self-reported questionnaires. After BitSight, they had an external, continuous signal. AI governance is at the same inflection point.

An independent, standardized rating provides the kind of signal insurers need to differentiate between organizations that have robust AI governance practices and those that do not. The same data that helps an underwriter decide how to price the policy helps a procurement team decide whether to onboard a vendor.

What to Do Before Your Next Renewal

The 60-day cure period in SB 26-189 exists for a reason: it assumes companies will discover gaps and need time to remediate. But insurance renewals do not come with cure periods. The underwriting assessment happens on the carrier's timeline.

Three steps worth taking now:

  • Audit your AI deployment footprint against your existing documentation. Identify systems making or informing consequential decisions that lack model cards, bias assessments, or human oversight protocols.
  • Benchmark your disclosure posture against the SB 26-189 requirements in Sections 6-1-1702 through 6-1-1705. The AG's rulemaking must be finalized by January 1, 2027, but the statutory requirements are already defined.
  • Obtain an independent AI transparency rating. A third-party rating tells you today what a regulator — or a carrier — would find tomorrow.

If your organization deploys AI in any of the seven domains covered by SB 26-189 and you have a D&O or E&O renewal approaching, the governance conversation needs to happen before the renewal, not during it.

Visit the AI Clear registry to see how your organization scores, or request a rating to start your compliance documentation before your underwriter does it for you.


*AI Clear is an independent AI governance firm. Explore the public registry at aiclear.org or request a rating for your organization.*
