
AI Insurance Exclusions Are Spreading. Does Your Governance Close the Gap?

AI Clear Team · 6 min read

The insurance industry has made its position clear: AI risk without AI governance is uninsurable.

In January 2026, the ISO issued three new generative AI exclusions for commercial general liability policies: endorsements CG 40 47, CG 40 48, and CG 35 08. Several carriers adopted them within weeks. But the real action is in management liability lines. AIG, W.R. Berkley, and Great American are now seeking regulatory clearance for AI exclusions targeting D&O, E&O, and fiduciary liability policies.

Berkley's language is the broadest: it purports to exclude coverage for any claim "based upon, arising out of, or attributable to" the actual or alleged use, deployment, or development of artificial intelligence. That is broad enough to strip coverage from securities claims, regulatory enforcement actions, and governance failures, if AI played any role in the underlying decision.

For enterprises deploying AI across finance, HR, lending, or customer-facing operations, this is not a theoretical risk. It is a coverage gap that opens the moment a carrier attaches one of these endorsements to your renewal.

What Carriers Are Really Asking

The exclusion language is blunt, but the underwriting conversation behind it is more nuanced. Carriers are not refusing to cover AI altogether. They are refusing to cover AI they cannot evaluate.

The emerging underwriting standard requires demonstrable governance: model registries, bias testing documentation, audit trails, continuous monitoring, and clear human oversight protocols. These are no longer aspirational elements of a mature AI program. They are prerequisites for obtaining and maintaining coverage.

This tracks with what regulators are demanding. Colorado's SB 26-189, signed into law in May 2026 and effective January 1, 2027, shifts AI regulation to a disclosure-based model. Section 6-1-1702 requires AI developers to provide deployers with documentation on intended uses, training data categories, known limitations, and human review instructions. Section 6-1-1704 requires deployers to notify consumers before using automated decision-making tools for consequential decisions, and to disclose adverse outcomes within 30 days.

The overlap between what insurers want to see and what SB 26-189 requires is not coincidental. Both are converging on the same principle: organizations that cannot document how their AI systems work, what data they consume, and how humans oversee them are carrying risk that no one else is willing to absorb.

The Safe Harbor Question

SB 26-189 includes safe harbors for insurers operating under existing state insurance regulations (Section 10-3-1104.9), as well as for creditors subject to ECOA and Reg B, HIPAA-covered entities, and FERPA institutions. These safe harbors acknowledge that federal compliance frameworks already impose relevant obligations.

But safe harbors create differentiation, not immunity. An insurer relying on its own safe harbor still faces the question of how to evaluate AI risk in the companies it underwrites. A lender compliant with Reg B still needs to demonstrate that its AI models are not producing disparate impact outside the scope of federal testing.

For the entity being underwritten or evaluated, the practical question is the same: can you prove your AI governance posture to a third party that has financial exposure to your decisions?

Quantifying the Governance Gap

The term "AI governance gap" describes a measurable condition: the distance between an organization's AI deployment footprint and its documented oversight infrastructure. In many organizations, AI adoption across operations, legal, finance, and HR is expanding faster than the governance frameworks needed to oversee it.

Independent AI transparency ratings offer one way to make that gap visible and actionable. The AI Clear public registry, which scores over 500 companies across a 57-criteria rubric anchored to NIST AI RMF, ISO/IEC 42001:2023, ISO/IEC 23894:2023, and Colorado SB 26-189, provides a standardized baseline that underwriters, procurement teams, and compliance officers can use to benchmark AI governance posture before making coverage, contracting, or investment decisions.

The value is not in the score itself. It is in the documentation trail that a structured rating produces: the same documentation that carriers are now requiring and that SB 26-189 will mandate.

What This Means for Q3 Renewals

If your organization deploys AI in any of the seven domains covered by SB 26-189 (education, employment, housing, financial services, insurance, healthcare, or government services) and you have a D&O or E&O renewal approaching, the governance conversation needs to happen before the renewal, not during it.

Three steps to take now:

  • Audit your AI deployment footprint against your existing documentation. Identify systems making or informing consequential decisions that lack model cards, bias assessments, or human oversight protocols.
  • Benchmark your disclosure posture against the SB 26-189 requirements in Sections 6-1-1702 through 6-1-1705. The AG's rulemaking must be finalized by January 1, 2027, but the statutory requirements are already defined.
  • Obtain an independent AI transparency rating. The 60-day cure period in SB 26-189 (Section 6-1-1706) is designed for organizations that discover and remediate deficiencies proactively. A third-party rating tells you today what a regulator, or a carrier, would find tomorrow.

Visit the AI Clear registry to see how your organization or your portfolio companies score. Request a rating or read the full rubric to start your internal assessment.

---

*AI Clear is an independent AI transparency rating company. The public registry at aiclear.org is open to anyone without restriction.*
