Author: Sam Cheshire
AI adoption is accelerating across UK businesses, driven by the promise of efficiency gains and operational improvements. Yet governance, regulatory oversight and incident readiness are not keeping pace, leaving businesses exposed to emerging and often unrecognised liability risks. As adoption scales rapidly, businesses increasingly operate in a gap between AI deployment and effective risk management.
At the same time, cybersecurity risks such as deepfakes, voice cloning, third-party dependencies and unintended exposure of sensitive data through public AI tools are gaining significant traction.
To provide practical insights into these issues, Sam Cheshire, head of Cyber, UK Retail at Gallagher, outlines how AI is reshaping risk exposure, governance expectations and insurance strategies.
Q: What is the real state of AI adoption and the risks associated with it today?
We've seen a substantial increase in AI adoption during the first five months of 2026, spreading across industries as businesses primarily use it to increase efficiency. Solicitors are adopting legal AI tools to verify details, while insurers are using AI for vulnerability scanning and faster underwriting. Moreover, AI capabilities are now demonstrating tangible success.
However, a key challenge that remains despite rapid AI adoption is ensuring human oversight to validate AI outputs and align them with expectations. This gap between adoption and governance creates vulnerabilities.
At the same time, emerging cyber tools are raising concerns about restricted access to advanced AI technologies and their potential replication by threat actors. Today, the need for vigilance in managing evolving AI risks is becoming increasingly critical.
Q: How is AI changing the cyber risk landscape?
AI is a double-edged sword in cybersecurity, empowering both defenders and threat actors. While neither side has gained a definitive advantage, advancements in AI have enhanced the sophistication of fraud techniques.
One significant impact of AI is its enhancement of language capabilities. For instance, voice cloning, deepfakes and AI writing tools are making it harder for the gatekeepers to detect malicious communications.
Another often overlooked risk arises from using publicly available AI tools for sensitive corporate information. Employees may unknowingly expose sensitive data by using advanced Large Language Models (LLMs) on personal devices, potentially revealing information about clients, business operations and cybersecurity measures.
This highlights the importance of implementing AI policies and their robust enforcement mechanisms to mitigate risks.
Q: What types of AI-related losses should businesses expect, and which of these losses are more likely to be considered insurable events?
AI-related losses span financial fraud, including data leakage, operational disruptions, reputational damage and legal liabilities arising from misuse or errors. These risks are interconnected and extend across cyber, operational and third-party dependencies.
However, most AI-related losses are insurable today, with insurers including AI coverage particularly for deepfake technology. The situation becomes more complex when it comes to AI production. For companies that create and sell emerging technologies, whether a standard technology professional indemnity (PI) policy offers sufficient coverage often remains an open question. This makes it crucial for businesses to actively negotiate policy terms. New insurance providers are also offering standalone liability coverage for AI producers.
Q: What risks are emerging from AI supply chains and third-party dependencies?
Heavy reliance on single AI providers creates systemic risk exposure. Currently, reducing the risk of widespread losses has become a major challenge. When businesses adopt new AI tools rapidly, it can create a single point of failure if they become overly reliant on one tool.
Moreover, vendor contracts often cap liability for AI tools at insufficient levels, leaving businesses vulnerable. As a result, if a cyber incident occurs due to that AI tool, the set liability limit under contract may not cover the costs of data loss, business recovery or downtime. Therefore, it's essential for businesses to assess whether the liability limit is sufficient or transfer that risk via insurance.
This also raises key questions: "Are business leaders aware of these limits, and have they discussed them with AI providers?" My top recommendation is to understand the contract's liability limit and explore whether it can be negotiated to ensure meaningful protection when a claim arises.
Q: How are UK organisations approaching AI incident response plans, and what challenges do they face?
In the cyber industry, incident response plans often lag behind other operational processes. Our 2026 Attitudes to AI Adoption and Risk Survey shows that less than half of businesses have developed an AI-specific incident response plan, reflecting a delay in readiness compared to adoption.
We observe that a large proportion of our clients delay developing an incident response plan until after an incident has occurred. While there has been some progress through 2026, the majority of businesses are still developing incident response plans reactively, rather than proactively.
We regularly emphasise the importance of incident response plans as they allow organisations to respond to incidents based on established training, rather than scrambling to figure things out during a crisis. With a well-developed and practised incident response plan, organisations are able to recover faster and therefore are less likely to suffer significant damage from an incident.
The challenge lies in ensuring that these plans are not only developed but also readily accessible and actionable. Proactive planning and regular rehearsals are key to minimising losses and ensuring resilience.
Q: What does effective AI governance look like?
AI risk governance requires cross-functional ownership, not just IT or risk management. Leading organisations are introducing dedicated roles, such as Chief AI Officers, to oversee AI risks and opportunities. Governance frameworks should align with AI use cases and include policies, approved tools and enforcement mechanisms to reduce misuse.
Over the next few years, businesses will increasingly realise the need for a dedicated leader to understand and manage AI, as its applications extend far beyond just the IT department. The integration of AI into various aspects of business operations is so extensive that it cannot simply be assigned to the existing IT director or CISO, whose workload is already significant.
Implementing effective AI governance represents a positive development, as it indicates a shift towards recognising the importance of AI management.
Q: What is your advice to businesses that are early in their AI journey?
To develop an effective AI policy, start by identifying which AI tools you plan to use and ensuring all staff are aware of the approved tools. A key factor is making the approved AI tools easily accessible, as limited availability can lead employees to use unauthorised services to speed up their work. Hence, making the selected AI tools both accessible and efficient should be a top priority.
Next, consider the associated risks. Most business leaders recognise the importance of understanding potential risks before implementing any innovative technology. Identify the specific risks that could affect your business and ensure that you address them appropriately.
Finally, establish an incident response plan centred on AI. Start by creating a cyber-centric plan, then develop a tailored version for AI-related incidents. This approach is essential for safeguarding your business effectively.
Shaping the future of AI risk management
As AI adoption reshapes cyber, operational and liability exposures simultaneously, it's critical for organisations to treat AI as both a risk and a governance challenge.