MICKAI
Article · 13 June 2026

The AI Underwriting Gap: Why Provable Records Now Decide What Gets Covered

Insurers are repricing and excluding artificial intelligence risk across cyber, liability and professional lines. The line between insurable and uninsurable is becoming the ability to prove what your AI actually did.

Author: Micky Irons
Tags: AI liability insurance, underwriting, Open Audit Record, EU AI Act, Lloyd's of London

The clause you have not read yet

Somewhere in the renewal pack your broker sent over this quarter, there is a paragraph about artificial intelligence. It was not there last year. It may sit under definitions, or inside the cyber endorsements, or in a single exclusion form bolted to the general liability wording. Most risk managers have not read it closely. They should. In 2026 the repricing of artificial intelligence (AI) risk has become the most consequential change to commercial insurance wordings since the arrival of silent cyber exclusions, and it is moving faster than most boards have registered.

The mechanism is technical and unglamorous. In January 2026 the Insurance Services Office and Verisk introduced new generative AI endorsements for commercial general liability, including forms CG 40 47, CG 40 48 and CG 35 08. The broadest of these lets a carrier exclude any claim arising from generative AI outputs: defamation from generated content, privacy breaches from data handling, copyright infringement, and bodily injury or property damage flowing from an AI recommendation. Verisk defined generative AI expansively, as a machine-based system trained on data that can create text, images, audio, video or code. That definition is wide enough to capture most of what enterprises now call an assistant or an agent.

Carriers are repricing, carving out, or walking away

The market response falls into three camps. The first is wholesale retreat. Major insurers have asked state regulators in the United States for permission to exclude AI-related damages from corporate policies, and a large majority of those requests have been approved. Berkley introduced an absolute exclusion that bars cover for any use, deployment or development of AI, content generation included. Chubb, Travelers, Berkshire Hathaway, American International Group (AIG), Great American and WR Berkley have moved in the same direction across directors and officers, errors and omissions, and professional lines, citing an unpredictability that, in their words, resembles an uninsurable risk.

What worries the underwriters is not the single bad output. It is correlation. A widely deployed model that malfunctions can trigger thousands of near-identical claims at once, with no diversification to absorb them. An executive at the broker Aon framed the fear plainly: the market can handle ordinary losses, but not an agentic AI mishap that triggers ten thousand losses simultaneously. Munich Re, which now ranks AI as its leading cyber security challenge, has put the accumulation potential in the tens of billions of dollars. Exposures of that size do not get absorbed quietly. They get carved out.

[Image: marble sculpture of the three Fates measuring a single continuous golden thread, symbolising an unbroken append-only record.] An unbroken, ordered thread: the underwriting question of 2026 is whether the record of what an AI did can be trusted not to have been cut and re-tied.

The affirmative market wants proof, not promises

The second camp is building cover rather than fleeing it. Armilla, a Lloyd's of London coverholder, wrote one of the first standalone AI liability policies at Lloyd's in April 2025, underwritten by syndicates including Chaucer. By early 2026 it had reportedly expanded limits to twenty-five million dollars or more per organisation. The policy covers precisely what the standard market is now excluding: hallucinations, model drift, inaccurate outputs, data leakage and AI regulatory violations, alongside financial damages and legal defence costs tied to AI underperformance.

The condition attached to that cover is the part enterprises should study. Armilla policies are bound on the back of independent AI system assessment, drawing on evaluations across regulated industries. That pattern is spreading. Underwriters increasingly want empirical evidence rather than policy statements, moving from a signed attestation that you hold a model risk framework to technical validation that you actually applied it. Before they will bind cover, carriers expect to see model risk frameworks, AI playbooks and clear approval paths, and they want documented controls and monitoring to keep that cover at workable terms.

Regulation is making the evidence mandatory anyway

The push for evidence is not coming only from actuaries. It is being written into law. The European Union Artificial Intelligence Act (EU AI Act), whose high-risk obligations begin to bite from August 2026, classifies AI used in insurance underwriting and claims as high-risk and requires auditable documentation, bias testing, human oversight and decision explainability. In the United States, more than half of the states have adopted the National Association of Insurance Commissioners (NAIC) Model Bulletin or equivalent guidance, which expects insurers to explain decisions and maintain an audit trail of each one. In the United Kingdom, the Financial Conduct Authority (FCA) Consumer Duty pushes in the same direction.

Two demands converge here. The regulator wants to know what the system did and why. The carrier wants the same record, both to underwrite the risk before an incident and to defend or settle a claim after one. The shared requirement is a trustworthy account of every automated decision: what data was used, which components contributed, and why a given outcome was produced. The difficulty is that the account has to survive scrutiny by a party who does not trust you, and it has to stay credible after the fact, when an incident is being litigated and the temptation to revise the record runs highest.

[Image: marble bust of the many-eyed watcher Argus, gold-rimmed eyes, symbolising independent verification.] Independent verification: a record an adjuster, auditor or court can confirm without trusting the operator who produced it.

Without a verifiable record, the enterprise is self-insuring its agents

This is where most organisations are quietly exposed. Gartner expects a substantial share of enterprise applications to include task-specific AI agents by the end of 2026. Agent behaviour, and the risk it carries, can shift without a clear deployment event or a business approval step, which makes it hard to know when a control should have been reviewed or who was accountable when it was not. Very large companies with strong balance sheets often retain a slice of this risk through captives, leaning on existing cover and their own capacity. Most enterprises do not have that option, yet many are doing the same thing by accident.

If you cannot produce a tamper-evident record of what your AI did, an AI exclusion in your policy is not a hypothetical. It is your default position. The carrier declines, the regulator presumes the worst, and the loss settles on your balance sheet. You are self-insuring your agents whether or not you meant to. The logs most teams rely on do not close this gap. Application logs are written after the fact, sit inside systems the operator controls, and can be edited, deleted or simply doubted. An adversary, or opposing counsel, need only argue that the record could have been changed.

The Open Audit Record as the underwriting artefact

This is the problem the Open Audit Record (OAR) was built to solve. Mickai is a Sovereign Intelligence Operating System (SIOS), built and running in production, with fifty brains (twenty-five domain and twenty-five operational) on the Poseidon silicon substrate. Within it, every action an agent takes is signed before it executes, into an append-only, hash-chained ledger. The signature is post-quantum, using ML-DSA-65, a parameter set of the Module-Lattice-Based Digital Signature Algorithm specified in Federal Information Processing Standards (FIPS) 204, and the record is verifiable offline by a browser-resident verifier that needs no network connection and asks the reader to trust nothing about the vendor. The audit root anchors to Bitcoin through Pantheon, Mickai's sovereign Layer 1 blockchain (token PAN, fixed supply five billion), so the timeline cannot be quietly rewritten after an incident.

Read against the 2026 insurance market, that design lines up with what carriers and regulators are now asking for. Signing before execution means the record of intent exists ahead of the outcome, not reconstructed afterwards. The hash chain and the Bitcoin anchor give an underwriter independent assurance that the evidence has not been edited, which is what turns a controls attestation into the technical validation that affirmative insurers such as the Armilla and Chaucer programme already require. The offline verifier lets a claims adjuster, an auditor or a court confirm the record without taking the operator's word for it. In a market where coverage increasingly depends on proving what an AI system did, the OAR is both the artefact that helps bind the cover and the evidence that defends the claim.

Mickai LTD (Companies House 17166618, United Kingdom), founded and led by Micky Irons, holds 101 filed UK patent applications covering roughly 2,234 claims, the verifiable record and the sovereign substrate among them; the named inventor is Micky Irons and the portfolio is owned by Mickai LTD. Those applications are filed and building toward examination. The wider point stands regardless of any single vendor. The underwriting gap of 2026 is, at bottom, an evidence gap. Enterprises that can prove what their agents did will stay insurable on reasonable terms. Those that cannot will keep signing renewal packs whose AI clause quietly hands the risk back to them.


Originally published at https://mickai.co.uk/articles/ai-insurance-underwriting-gap. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.