Insurance, liability and your real AI exposure

TL;DR

Many SME insurance policies were written before AI use was normal in small business and cover for AI incidents is patchy. Professional indemnity, cyber, public liability, errors and omissions and directors and officers each have gaps that vary by insurer. Lloyd's market participants and insurers like Hiscox and Beazley are adding AI questions to underwriting. For a typical owner the right move is not specialist AI insurance, it is a short broker conversation at renewal with five specific questions held on file.

Key takeaways

- Five mainstream policies touch AI exposure: professional indemnity, cyber, public liability, errors and omissions, and directors and officers. Each has different gaps and different insurer positions.
- Insurers are moving from silence to active questions. Hiscox, Beazley and AIG now ask SMEs about AI tools, data inputs and human oversight at underwriting, and the answers shape coverage and price.
- Two failure modes recur. Coverage that looks broad until a claim arrives and the insurer points at an unstated AI exclusion, and non-disclosure of AI use that gives the insurer grounds to deny the claim entirely.
- For most SMEs the proportionate response is not buying specialist AI insurance. It is reviewing existing cover, closing gaps through wording amendments or endorsements, and documenting basic AI governance.
- Five questions, asked in writing of the broker at renewal and answered in writing, will close most of the practical exposure before the policy is signed.

An owner I spoke with last month has her professional indemnity renewal in eight weeks. The firm has been using AI tools for research and first drafts for over a year, the same way many of her peers have. She has never once mentioned this to her broker, and she has never asked whether her current cover responds to a claim where AI was involved in the work. Her assumption, like many owners’, is that nothing has changed. The policy is the policy.

The policy is not quite the policy. Mainstream SME insurance was largely written before AI use became normal in small business, and the coverage for AI-related incidents is patchy, often unclear, and frequently surprises owners who assumed their professional indemnity or cyber policy had it covered. The conversation with the broker is overdue. It is also short, once you know what to ask. This post is the working version of that conversation. None of it is insurance advice on your specific policy.

Which insurance policies actually touch AI exposure?

Five categories carry the weight for an SME. Professional indemnity covers claims that your advice caused a client a financial loss. Cyber covers data breach and business interruption. Public liability covers third-party injury or damage from your operations, including customer-facing chatbots in some readings. Errors and omissions sits next to PI for commercial firms. Directors and officers covers personal board liability.

The relative weight depends on the business. A management consultancy or a financial adviser leans heavily on professional indemnity. An e-commerce business with an AI-driven recommendation engine cares more about public liability and product liability. A software-services firm relies on errors and omissions. Almost every owner-operated business carries some cyber exposure now, because almost every business has staff who may at some point paste a piece of client data into a public AI tool to save twenty minutes.

What do current policies typically do and do not cover?

Many mainstream UK policies in 2025 remain silent on AI-assisted work, which insurers do not treat as the same thing as covered. Silence creates ambiguity, and ambiguity gets resolved at claim time. Some insurers have begun adding explicit AI exclusions for autonomous decision-making without human oversight, others are asking detailed underwriting questions, and a small number have written AI-inclusive wording.

The pattern varies sharply between lines. Cyber insurers like Beazley have moved fastest, publishing 2024 guidance that ties continued cover to documented AI governance and naming generative AI explicitly as a material risk. Professional indemnity has moved more slowly, with many insurers still relying on silence in the wording. Public liability is the murkiest, with chatbot misrepresentation cases sitting in an unresolved space between product liability and professional service. D&O cover for AI-deployment decisions remains an open question across the UK market, and a director who deploys an AI system without proper governance can find that the policy responds far less generously than expected if a shareholder or regulator challenges the decision.

What are insurers actually asking SMEs now?

A growing number are asking detailed AI questions at underwriting and renewal. Hiscox, AIG and Beazley have moved to structured questionnaires that ask which AI tools the business uses, what data flows through them, whether employees have been trained, and whether there is documented human oversight of material outputs. The questions are not theatre. The answers shape cover, exclusions and price.

This is the practical shift. Black-box underwriting, where the insurer prices the risk on industry, revenue and claims history, is giving way to white-box underwriting, where the insurer assesses the specific business practices around AI use. For owners this means that renewal is no longer a passive exercise of accepting last year’s terms. It is an active conversation in which what you say about AI use directly affects what you are covered for. Some insurers now reference the NIST AI Risk Management Framework or ISO/IEC 42001 as benchmarks for acceptable governance, and an SME that has aligned to those frameworks can sometimes negotiate coverage extensions or pricing improvements. The Lloyd’s Market Association has begun work on standardised model clauses that will, over time, make the questions more consistent across the market.

What are the five questions to ask your broker?

Ask all five in writing at renewal and hold the answers on file. One, does my professional indemnity or E&O policy explicitly cover AI-assisted advice, and on what conditions? Two, does my cyber policy cover data exposure from staff use of public cloud AI tools? Three, does my public liability policy respond to claims arising from chatbot misrepresentation or automated decision errors? Four, does my current policy contain any AI-specific exclusions, and if so what use cases are excluded? Five, does the insurer require disclosure of my AI use as a material fact, and am I currently compliant with that obligation?

The format matters as much as the questions. Written questions and written answers create a record of the insurer’s understanding of cover. That record, sitting in the file alongside a documented governance note about how the business uses AI, is what closes the gap between what an owner thinks the policy says and what an insurer will pay against. Insurance is a contract of utmost good faith. If an insurer can later show that a material fact about AI use was not disclosed, even an otherwise responsive policy can be set aside.

When should you buy specialist AI insurance, and when can you leave it alone?

For a typical SME in the 5 to 50 person bracket the answer is leave it alone. Specialist products from Munich Re aiSure, Armilla, Vouch and Lloyd’s participants are real and growing, but they are sized for businesses with substantial documented AI exposure. The usually sufficient move is to ask the broker to identify gaps and propose targeted wording amendments rather than a separate policy.

Specialist cover starts to earn its keep at the point where AI is central to the service the business sells, not when AI is helping with research and drafting in the background. The clearest trigger is a customer-facing AI system that influences third-party decisions or outcomes: a chatbot giving allergen information to restaurant customers, an automated scoring tool inside a recruitment service, or an AI-driven recommendation engine on an e-commerce platform. For owners running operations of that shape, the conversation about specialist cover is worth having properly. It sits beside the work covered in the proportionate AI risk register for a 5 to 50 person business, and beside the disclosure question covered in disclosing AI use to customers.

If your professional indemnity renewal is closer than you would like and you have never had this conversation with your broker, book a conversation.

Sources

- European Commission and EU Parliament (2024). Artificial Intelligence Act, Article 50, Transparency Obligations. Underlying regulation that insurers reference when scoping disclosure and AI-use requirements for clients with EU exposure. https://artificialintelligenceact.eu/article/50/
- Lloyd's Market Association (2024). Generative AI in the Insurance Industry. Lloyd's market analysis of AI as an emerging insurable risk, including coverage gaps in mainstream wording. https://www.lmalloyds.com/LMA/News/Releases/LMA_releases_innovative_report_on_Generative_AI_in_the_insurance_industry.aspx
- Beazley Group (2024). Spotlight on Cyber and Technology Risks 2024. Insurer guidance tying continued cyber cover to documented AI governance and naming generative AI as a material risk category. https://www.beazley.com/en-001/news-and-events/spotlight-on-cyber-and-technology-risks-2024/
- Hiscox (2024). The Hiscox Cyber Readiness Report and AI risk briefings. Underwriting position on AI in commercial cover, including questions Hiscox now asks SMEs at renewal. https://www.hiscoxgroup.com/cyber-readiness-report
- AIG (2024). Generative AI, A Risk Manager's Perspective. AIG briefing on how AI exposure maps across cyber, professional indemnity, E&O and commercial liability lines. https://www.aig.com/business/insights/generative-ai-a-risk-managers-perspective
- Allianz Commercial (2024). Allianz Risk Barometer 2024. Annual cross-industry analysis, identifies AI and cyber as top emerging risks for SMEs and larger enterprises. https://commercial.allianz.com/news-and-insights/reports/allianz-risk-barometer.html
- Information Commissioner's Office (2024). Generative AI and data protection guidance. UK regulator's position on processing personal data through cloud AI tools, directly relevant to cyber cover and disclosure obligations. https://ico.org.uk/about-the-ico/what-we-do/our-work-on-artificial-intelligence/generative-ai-and-data-protection/
- Munich Re (2024). aiSure, Insuring Artificial Intelligence. Specialist AI liability and performance cover, illustrative of where the AI-specific product market is heading. https://www.munichre.com/en/solutions/for-industry-clients/insure-ai.html
- Armilla AI (2024). AI liability and warranty insurance for AI vendors and users. InsurTech specialist offering tailored AI cover, useful benchmark for SMEs with material AI exposure. https://www.armilla.ai/
- British Insurance Brokers Association (2024). BIBA Manifesto and broker guidance on emerging risks. Trade body view on the broker's role in surfacing AI exposure to SME clients at renewal. https://www.biba.org.uk/press-releases/biba-2024-manifesto-launched/

Frequently asked questions

Does my professional indemnity policy already cover AI-assisted advice?

It depends on the wording, the insurer, and whether you have disclosed AI use. Most mainstream UK professional indemnity policies as of 2025 remain silent on AI-assisted service delivery, which is not the same as covered. Some insurers are now adding AI-specific exclusions, others are asking detailed underwriting questions, and a small number have written AI-inclusive wording subject to documented governance. Treat existing cover as uncertain until your broker confirms in writing what the policy actually responds to.

If a staff member pastes client data into ChatGPT and there is a breach, will cyber insurance pay?

Often no, or only partially. A growing number of UK cyber policies explicitly exclude losses arising from uncontrolled use of public cloud AI tools, on the grounds that uploading client data to a third-party system without contractual safeguards is closer to gross negligence than an insured cyber event. Beazley published guidance in 2024 that ties continued cover to documented AI governance. The pragmatic move is to have a written staff policy on what can and cannot be put into public AI tools, and to ask your broker in writing whether your current cyber wording covers this scenario.

Should an SME buy a specialist AI insurance product?

For a typical SME in the 5 to 50 person bracket, the answer is no, or not as the first step. Specialist products like Munich Re aiSure, Armilla and Vouch are real and growing, but they are sized for businesses with substantial documented AI exposure. The cheaper and usually sufficient move for a typical owner-operated firm is to ask the existing broker to review current policies, identify the gaps, and propose targeted wording amendments or endorsements. Specialist cover becomes worth pricing only when AI is central to the service the business sells.

This post is general information and education only, not legal, regulatory, financial, or other professional advice. Regulations evolve, fee benchmarks shift, and every situation is different, so please take qualified professional advice before acting on anything you read here. See the Terms of Use for the full position.
