Q. When we asked business leaders what frameworks they had in place to mitigate AI-related risks, less than half had an incident response plan. That seems quite low, doesn't it?
It does, but it's not that surprising. When ransomware started hitting businesses, many companies had no incident response plan at all. As time went on, people started to put plans together for ransomware and social engineering.
However, AI incidents require an additional response. It's not just about calling a breach attorney to find out your legal obligations for notifying people whose information has been compromised or engaging a ransomware negotiator to negotiate the extortion amount down.
With an AI bias situation, you have to get into the black box of the AI platform, figure out where it went wrong, how to stop it and how to pivot to another platform to continue business. That may require the skill set of a data scientist or other technology experts.
In addition to the legal and operational issues, there are reputational issues and third-party supply chain risks. We're going to see more attention paid to best practices for AI and to how businesses can modify or add to existing ransomware incident response plans.
While businesses say they're aware of the potential risks of AI, only half have addressed AI-related security vulnerabilities, including investing in cybersecurity. And only 43% have developed a written incident response plan specifically for AI losses.
Q. How is the insurance industry responding to AI liability risks?
Some carriers in the market are affirmatively covering these risks. One insurer issued an endorsement last year to cover data poisoning for platform providers, covering the cost of retraining the AI platform.
But if you look back at what happened with cyber over a decade ago, many property policies didn't have exclusions for cyber perils. Still, when they experienced enough cyber losses, they ended up excluding cyber, and then standalone cyber policies finally emerged.
We may see a similar situation across traditional lines of coverage when it comes to AI-driven losses. If there are enough losses, we're going to see that pivot and, in the short term, more exclusions added.
Recent anecdotal evidence supports this point, with the news that at least three leading carriers are seeking regulatory approval for the exclusion of AI-driven losses in their professional indemnity and commercial general liability policies.
"Many coverage issues are associated with data poisoning. If the model has to be retrained, that's a cascading loss for thousands of businesses."
John Farley, managing director, Cyber Liability, Gallagher.
We know the claims are out there. The MIT AI Risk Initiative database has an incident tracker that shows these incidents are happening.1 The question is, what will be the frequency of incidents in 2026 and beyond, and how severe will any insured losses be? We don't have enough losses to see a market shift yet, but that could change this year.
Q. Who will ultimately be held responsible for incidents involving AI?
It's going to be a shared blame. Plaintiffs will sue both the developer and the deployer of AI, so there is likely to be contractual language between them defining who's responsible for what. Because while it may be the platform provider's fault, there will be fingers pointed at the user, saying they should have had a human in the loop to monitor the output.
While regulation is still in the early stages, you may see attorneys general say that a bank, hospital or manufacturer should have had controls in place rather than blindly trusting the AI platform.
One in five businesses had losses and/or made insurance claims due to AI-related risks, according to Gallagher's 2026 AI Adoption and Risk Survey.
Q. How can businesses be more proactive in managing their AI exposures, and what might best practice look like?
We've been advising our clients to keep an eye on their cyber policy, but also other lines of coverage that may start to exclude AI-driven losses.
Businesses can do a lot to put safeguards around AI as they adopt it:
- Use privileged access mechanisms that govern who can access the platform and input data.
- Having a human in the loop is critical — ensure you have someone to audit and monitor outputs regularly.
- Keep up to speed with the regulations on what you can and can't do, and how to react if there's an incident.
- Stay on top of publicly available frameworks like NIST and ISO to keep informed about best practices as you adopt AI.
Of course, there's the shifting landscape of insurance risk transfer mechanisms out there. We could see exclusions being added to traditional lines of coverage, endorsements that expand coverage in some way, which could mean different things to developers and deployers of AI.
Only 53% of business leaders in the insurance sector said insurance fully covered their clients' AI-related losses.
Q. How should companies approach development of an AI incident response plan?
It's similar to the ransomware playbook. You're going to have legal exposure, so your general counsel will play a part. You may need an external attorney who knows all the regulations in play and can help with any regulatory investigation.
But you also need to identify who your AI experts are — whether it's a proprietary or third-party platform — to determine where the platform started to go sideways, what caused that and what you need to do to prevent it from happening again.
If you're using the platform to provide critical services and products to your clients, and it comes to a screeching halt, what does that mean for your business? Can you pivot to another platform? Do you have insurance for that? There are so many questions to answer that won't be covered by a traditional ransomware plan.
For more insights on managing the risks as your business operationalizes AI and for our full survey findings, check out the Gallagher 2026 AI Adoption & Risk Survey: AI in Action.
Published May 2026