In January 2026, the Insurance Services Office issued three new generative AI exclusions for commercial general liability policies. Within weeks, carriers including Berkley Insurance and Chubb began cutting AI-related coverage across D&O, E&O, fiduciary, and corporate policy lines.
For any enterprise deploying AI in consequential decisions, the message from the insurance market is now unambiguous: AI governance is no longer a compliance exercise. It is a coverage condition.
The Exclusion Wave Is Not Hypothetical
The three ISO endorsements (CG 40 47, CG 40 48, and CG 35 08) give insurers standardized language to exclude or limit liability arising from generative AI outputs. These are not experimental. They are being adopted across the commercial insurance market in real time.
What makes this different from prior technology risk cycles is the speed and breadth. Lockton Re has publicly argued that AI needs its own risk class, separate from cyber. Aon's 2026 risk outlook identifies AI deployment as a top-tier D&O exposure alongside tariff volatility and geopolitical instability. When reinsurers start calling for standalone classification, the pricing implications cascade fast.
Meanwhile, insurers offering affirmative AI coverage through endorsements to cyber, E&O, media liability, and EPLI programs are conditioning that coverage on demonstrable governance. Underwriters are not asking whether you use AI. They are asking how you govern it, document it, and disclose it.
What Underwriters Are Looking For
The underwriting conversation has shifted from "do you have an AI policy?" to "show us the evidence." Specifically, insurers and brokers are demanding:
- Documentation of AI system inventories. Which systems make or materially influence consequential decisions? What data do they ingest? What are their known limitations?
- Disclosure practices. Are consumers and affected parties notified before AI-driven decisions are made? Is there a post-adverse-outcome explanation process?
- Human oversight protocols. Who reviews AI outputs before they become binding decisions? Do reviewers have authority to override the system?
- Board-level governance integration. Has the board incorporated AI oversight into its risk and compliance framework, or is AI governance still siloed in IT?
These questions map almost perfectly onto the regulatory requirements already taking shape. Colorado's SB 26-189, which takes effect January 1, 2027, requires deployers to provide pre-use disclosure, post-adverse-outcome explanations within 30 days, and meaningful human review with override authority (Sections 6-1-1704 and 6-1-1705). The EU AI Act's transparency obligations for high-risk systems become enforceable on August 2, 2026.
Insurers are not waiting for enforcement dates. They are pricing the risk now.
The Safe Harbor Trap
SB 26-189 includes safe harbors for insurers complying with existing state insurance regulations, as well as creditors operating under ECOA, Reg B, and FCRA. HIPAA-covered entities receive partial protection. Some organizations will read these provisions and conclude they are exempt from the disclosure regime.
That conclusion is premature. Safe harbors define the floor of legal compliance. They do not address how an underwriter evaluates your AI governance posture when setting your D&O premium. A healthcare system operating under HIPAA's safe harbor still faces underwriting scrutiny if it cannot document how its AI triage system handles adverse outcomes. A lender relying on the ECOA safe harbor still needs to demonstrate governance maturity to its E&O carrier.
Federal compliance is the floor, not the ceiling. Underwriters are setting the ceiling.
Where Independent Ratings Fit
This is the environment that makes third-party AI transparency ratings operationally relevant. When an underwriter asks a prospective insured to demonstrate AI governance maturity, the answer cannot be a self-assessment. The same dynamic played out in cybersecurity: BitSight and SecurityScorecard became standard inputs to cyber insurance underwriting precisely because insurers needed independent, comparable signals.
The AI Clear public registry rates over 500 companies on AI disclosure quality using a 57-criteria rubric anchored to NIST AI RMF, ISO/IEC 42001:2023, ISO/IEC 23894:2023, and Colorado SB 26-189. The five-pillar methodology covers exactly the governance dimensions underwriters are now interrogating: AI disclosure and inventory, data and model governance, risk management and human oversight, automated decision transparency, and AI security and assurance.
For insurance professionals evaluating AI-related exposures, the registry is open and free at aiclear.org. For enterprises preparing for renewal conversations, understanding where you stand on a standardized governance scale is no longer optional. It is the difference between coverage and carve-out.
What to Do Before Your Next Renewal
The 60-day cure period in SB 26-189 exists for a reason: it assumes companies will discover gaps and need time to remediate. But insurance renewals do not come with cure periods. The underwriting assessment happens on the carrier's timeline.
Three steps worth taking now: inventory every AI system touching consequential decisions, document your disclosure and human-review processes end to end, and benchmark your governance posture against an independent standard before your underwriter does it for you.
The AI insurance exclusion wave is not a forecast. It is a current market condition. The companies that treat governance documentation as a coverage prerequisite, not an afterthought, will be the ones that maintain affordable, comprehensive coverage as the market reprices AI risk.
Check your company's AI transparency rating at aiclear.org. To request a full certification assessment or learn about continuous monitoring, contact the AI Clear team.