Agent Insured European Coverage Platform

How E&O, cyber and PI policies treat AI agent errors: a coverage framework

An AI agent error rarely fits cleanly into one policy. The same incident can read as a professional mistake, a security failure, and a product defect at the same time, and each of those framings points at a different insurance line with different wording, different exclusions, and a different appetite. This framework takes one realistic AI agent failure and traces it through professional indemnity, errors and omissions, cyber, and general liability cover. It explains where each responds, where they overlap, and where the 2026 generation of AI exclusions removes the protection a buyer assumes is there.

Key takeaways

  • The three policy lines answer three different questions. Professional indemnity and errors and omissions cover faulty advice and economic loss from professional services. Cyber covers data breach, network interruption, and extortion. General liability covers bodily injury and property damage. An AI agent error can satisfy more than one of these at once, which is what makes coverage allocation contentious.
  • The Verisk ISO generative AI exclusions, CG 40 47, CG 40 48 and CG 35 08, carry a 01 26 (January 2026) edition date and sit on commercial general liability forms. CG 40 47 excludes Coverage A and Coverage B; CG 40 48 limits the exclusion to Coverage B. They do not directly amend PI, E&O, or cyber wordings, so a buyer must check each line separately.
  • When two policies both respond, other-insurance clauses, anti-stacking provisions, and differing retentions decide which pays first. Splitting AI cover across insurers who each disclaim toward the other is the practical failure mode, not the absence of any policy.
  • The EU Product Liability Directive (Directive (EU) 2024/2853) treats software and AI as products, applies to products placed on the market after 9 December 2026, and makes a failure to supply security updates a potential defect. This raises strict-liability exposure on the product and general-liability side, exactly where the new ISO AI exclusions are concentrated.
  • EIOPA's Opinion on AI governance (EIOPA-BoS-25-360, 6 August 2025) is risk-based and grounded in existing law. The downstream effect for buyers is that underwriters increasingly want governance evidence. Documentation aligned to ISO/IEC 42001, the NIST AI Risk Management Framework, or AIUC-1 is the most useful thing a buyer brings to reduce broad carve-outs.

The three questions each policy line actually answers

Insurance lines are not organised around technologies. They are organised around the type of harm they indemnify, and that is the only reliable starting point for working out which policy responds to an AI agent error. Before looking at any AI-specific wording, it helps to fix what each line is for.

Professional indemnity (PI) and errors and omissions (E&O) respond to financial loss suffered by a third party because of a negligent act, error, or omission in the insured's professional services or advice. In the European market the term professional indemnity dominates; in the London and US markets errors and omissions is the more common label. For the purposes of an AI agent error the two are functionally the same line: they are the home for pure economic loss flowing from a wrong answer, a bad recommendation, or a missed step in a professional process.

Cyber responds to harm arising from a failure of information security: data breach, unauthorised access, network business interruption, cyber extortion, and the response costs that follow. Cyber is event-driven and security-driven. If there is no security failure and no data event, a cyber policy is usually the wrong place to look, however much the underlying technology involved a computer.

Commercial general liability (CGL) and product liability respond to bodily injury and property damage caused to third parties, plus, under a separate coverage part, certain personal and advertising injury. This is the line where physical-world harm from an AI agent lands, and it is also the line carrying the new ISO generative AI exclusions described below.

A clean way to hold the distinction: PI and E&O ask "did the advice or service go wrong?", cyber asks "did security fail?", and general liability asks "did something get hurt or damaged?". A single AI agent incident can answer yes to more than one of those questions, and that is where coverage stops being simple.

One error, traced through all three lines

Take a concrete scenario. A mid-sized European advisory firm runs an autonomous client-facing AI agent that answers questions and takes some actions without human approval. An attacker crafts a prompt-injection input that causes the agent to (1) disclose another client's confidential file, (2) give the questioning client materially wrong regulatory advice, and (3) auto-execute a settings change that takes the firm's portal offline for a day. The client acts on the wrong advice and suffers a quantifiable financial loss; the disclosed client threatens a privacy claim; the outage interrupts the business.

One incident, three distinct harms, and each harm points at a different line.

Harm from the incident | Policy line that naturally responds | Why | 2026 exclusion risk to check
---|---|---|---
Wrong regulatory advice causing client financial loss | Professional indemnity / E&O | Pure economic loss from a negligent professional act | AI-generated-output carve-out; autonomous-operation exclusion
Disclosure of a third party's confidential file | Cyber (and possibly PI privacy extension) | Data breach and privacy liability | AI sublimit inside the cyber limit; whether prompt injection is treated as an insured peril
Portal outage and lost income | Cyber (business interruption section) | Network interruption from a security event | Whether an autonomous self-inflicted change counts as a covered security failure
Any physical or property damage (not present here) | Commercial general liability / product | Bodily injury or property damage | ISO CG 40 47 / CG 40 48 generative AI exclusion

The point of the table is not that the firm is uninsured. It is that recovery depends on three separate wordings holding at once, with no gap between them and no double counting. The failure mode is rarely total absence of cover. It is the seam between policies, where the cyber insurer argues the loss was professional advice and the PI insurer argues it was a security event, and the claim sits unallocated.

Where the lines overlap, and who pays first

When two policies could each respond to the same loss, the contracts contain machinery to decide priority. Three provisions do most of the work.

Other-insurance clauses state how a policy behaves when other cover exists for the same loss. A policy can be primary (pays first), excess (pays only after other cover is exhausted), or contribute rateably. If a PI policy and a cyber policy both contain excess language pointing at the other, the result is a circular standoff that has to be resolved by negotiation or, occasionally, litigation.

Anti-stacking provisions prevent a single loss from being recovered in full under multiple policies or multiple years. They protect the insurer against double recovery, and for the buyer they mean that holding three policies does not multiply the available limit for one event.

Retentions and deductibles differ by line. A buyer can find that the line which responds carries a far higher retention than the line they expected to respond, so the economics of which policy applies are not neutral.

The practical consequence is that fragmentation is the enemy. An AI cover programme assembled from a PI policy with one insurer, a cyber policy with a second, and a standalone AI policy with a third is more exposed to allocation disputes than a coordinated programme placed by one broker who has read all three wordings against the same agent. This is the operational case for treating AI cover as a programme, not a stack of unrelated renewals. The PI and cyber decision guide on this site works through the line-selection logic in more detail, and the first-party and third-party article separates the loss types each line is built for.

What the 2026 AI exclusions actually change

The most concrete shift in the 2026 renewal market is the arrival of standardised generative AI exclusions on general liability forms. Verisk, the parent of the Insurance Services Office, introduced a set of endorsements with a 01 26 edition date. Three are central.[1]

Endorsement | Form type | What it excludes | Scope
---|---|---|---
CG 40 47 | Commercial general liability | Bodily injury, property damage, and personal and advertising injury arising out of generative AI | Broad: applies to Coverage A and Coverage B
CG 40 48 | Commercial general liability | Personal and advertising injury arising out of generative AI | Limited: Coverage B only
CG 35 08 | Commercial general liability (companion form) | Generative AI exposures within the relevant coverage part | Used alongside the above as the market standardises

Two facts matter most for a buyer building a coverage framework. First, the trigger language is broad: the exclusion can apply where generative AI is only one contributing factor to a loss, and where the AI is used indirectly through a vendor or consultant rather than by the insured directly. Second, these are general liability forms. They do not by their own terms amend a professional indemnity, errors and omissions, or cyber policy. Those lines carry their own, separate AI wordings, which vary by insurer and syndicate and are far less standardised than the ISO CGL forms.[1]

The consequence is that a single business can hold a CGL policy carrying CG 40 47, a PI policy with a narrower autonomous-operation carve-out, and a cyber policy with an AI sublimit rather than an exclusion, all at the same time. There is no single AI coverage position. There are three, and they have to be read against each other, not assumed to move together. By April 2026 major carriers including W.R. Berkley, Chubb, Travelers, Berkshire Hathaway, and Cincinnati Financial had filed to adopt the ISO endorsements or proprietary AI exclusion language, so the spread across the market is rapid rather than marginal.[1]

How European product liability raises the stakes on the general-liability side

The AI exclusions on general liability forms are not arriving in a vacuum. The revised EU product liability regime is expanding strict-liability exposure for software and AI at the same time. Directive (EU) 2024/2853 entered into force on 9 December 2024, must be transposed into national law by member states by 9 December 2026, and applies to products placed on the market or put into service after that date.[2]

The directive expressly widens the definition of product to include software, and software is understood to cover AI systems, whether standalone, embedded, stored on a device, accessed over a network, or supplied as software-as-a-service. A product is defective when it does not provide the safety the public is entitled to expect, and the directive is explicit that a manufacturer who can keep software free of defects and cybersecure through updates has an obligation to do so. Failing to supply those updates can itself render a product defective.[2]

For coverage allocation this matters because product liability and general liability are the lines exposed to strict-liability product claims, and they are exactly the lines absorbing the new ISO AI exclusions. The directive widens the exposure while the standard general liability wording is narrowing the cover. A buyer who relies on a CGL policy to backstop an AI product, without reading the AI endorsement, is most exposed precisely where the legal regime is tightening. The Product Liability Directive readiness article covers this interaction in depth.

The European supervisory backdrop, and why it reaches the buyer

European supervisors are not setting AI insurance terms directly, but their expectations shape underwriting behaviour. EIOPA published its Opinion on Artificial Intelligence governance and risk management (reference EIOPA-BoS-25-360) on 6 August 2025. The opinion is addressed to national competent authorities, follows a risk-based and proportionate approach, and grounds its expectations in existing sectoral law, principally Solvency II and the Insurance Distribution Directive, rather than creating a separate AI rulebook.[3]

The opinion is aimed at how insurers themselves use AI, but the indirect effect on buyers is real. Insurers formalising their own AI governance also formalise how they assess the AI risk they take on through policies. In practice that means underwriters increasingly ask, at submission, what AI systems a buyer runs, how they are supervised, and what controls and incident procedures exist. The quality of those answers moves terms.

Turning governance frameworks into underwriting evidence

The most useful thing a buyer brings to an AI insurance submission is not a longer description of the technology. It is documented evidence that the agent is governed against a recognised framework. Three are referenced most often, and they layer rather than compete.

Framework | What it is | Status | Role in a submission
---|---|---|---
ISO/IEC 42001:2023 | AI management system (AIMS) standard | Certifiable international standard | Shows a governed, auditable management system around AI
NIST AI Risk Management Framework 1.0 | Voluntary AI lifecycle risk framework | Widely used, often run inside an ISO 42001 system | Shows lifecycle risk identification and mitigation
AIUC-1 | AI-agent-specific security, safety and reliability standard | Launched mid-2025; quarterly update cadence | Shows agent-level controls an AI underwriter can map to

ISO/IEC 42001:2023 is the certifiable management-system standard for AI; the NIST AI Risk Management Framework 1.0 is a voluntary lifecycle framework that many programmes run inside an ISO 42001 system, so the two are complementary rather than alternatives.[4] AIUC-1 is narrower and newer: it is an AI-agent-specific certification from the Artificial Intelligence Underwriting Company, built with technical input from institutions including Stanford, MIT and MITRE and feedback from enterprise risk leaders, audited first by Schellman, with ElevenLabs as the first certified company. It is positioned as a familiar, actionable standard for AI agents, updates quarterly rather than annually, and explicitly sits on top of, rather than replacing, frameworks such as SOC 2 and ISO 27001.[5]

The reason these matter to a coverage framework is direct. The broadest AI carve-outs in the 2026 market exist because underwriters cannot yet price AI risk confidently. Evidence against a recognised governance framework is what lets an underwriter narrow a carve-out, raise a sublimit, or move from exclusion toward affirmative cover. Operators who have completed an Agent Certified assessment have already produced much of the documentation an AI underwriter asks for, which shortens the path from a defensive renewal to genuine cover.

A working framework for a buyer

Pulling the pieces together, a buyer assembling AI agent cover can work through five steps rather than relying on any single policy.

Step 1: Map the harm types your agent can cause. Wrong advice or service (PI / E&O), data or security failure (cyber), and physical or property harm (general liability / product). Most autonomous agents touch at least two.

Step 2: Pull the endorsement schedule for each policy and read the AI wording on each line separately. Do not assume the three lines move together. The CGL line is the most likely to carry a standardised ISO generative AI exclusion; PI and cyber carry bespoke wordings.

Step 3: Identify the seams. For each harm type, confirm exactly one policy responds without an exclusion, and check the other-insurance and anti-stacking language where two could respond.

Step 4: Where a line excludes or sublimits AI, decide whether a standalone affirmative AI policy closes the gap. The growth of carve-outs is precisely why affirmative AI products exist; the market tracker on this site follows who is writing them in Europe.

Step 5: Build the underwriting evidence once and reuse it. Governance documentation aligned to ISO/IEC 42001, NIST AI RMF, or AIUC-1 supports every line in the programme at once and is the single highest-leverage input a buyer controls.

The framework does not promise that every AI agent error is covered. It promises something more useful: a method for knowing, before a claim arrives, which policy is meant to respond, whether its wording still lets it, and where the gaps sit. In a market where the exclusions are spreading faster than the affirmative products, that knowledge is the coverage.

Frequently asked questions

Which policy responds when an AI agent gives a customer wrong advice that causes financial loss?

Pure financial loss from faulty advice is the territory of professional indemnity and errors and omissions cover, not cyber and not general liability. Cyber is built around data breach and network events, so a wrong-answer event with no security failure rarely triggers it, and general liability responds to bodily injury and property damage rather than economic loss. The 2026 risk is that the PI or E&O wording now carries an AI carve-out or autonomous-operation exclusion, so the line that should respond is the one most likely to have been amended at renewal. Read the endorsement schedule before assuming the advice claim is covered.

Do the ISO CG 40 47 and CG 40 48 generative AI exclusions apply to all my policies?

No. CG 40 47, CG 40 48 and CG 35 08 are Verisk ISO commercial general liability endorsements with a 01 26 (January 2026) edition date. CG 40 47 excludes generative AI losses under both Coverage A and Coverage B; CG 40 48 limits the exclusion to Coverage B. They are general liability forms and do not by themselves amend professional indemnity, errors and omissions, or cyber policies, which carry their own separate AI wordings. That is why one business can hold three policies with three different AI positions at the same time.

Can one AI agent error trigger more than one policy at the same time?

Yes, and this is the central complication. An autonomous agent manipulated through prompt injection can leak data and give bad advice in the same incident, touching cyber (the data leak and outage), professional indemnity (the faulty advice), and potentially general liability (if physical harm followed). When multiple policies respond, other-insurance clauses, anti-stacking provisions, and differing retentions decide which pays first. A coordinated programme placed by one broker reduces the risk of each insurer disclaiming toward the other while the claim sits unpaid.

Does the EU Product Liability Directive change which policy covers an AI agent failure?

Directive (EU) 2024/2853 entered into force on 9 December 2024, must be transposed by 9 December 2026, and applies to products placed on the market after that date. It treats software, including AI, as a product and can make a failure to supply security updates a defect. This expands strict-liability exposure on the product and general-liability side rather than the professional-indemnity side. It does not rewrite E&O or cyber wordings, but it raises the stakes on the lines where the new ISO AI exclusions are concentrated.

What does EIOPA expect European insurers to do about AI, and does that affect my coverage?

EIOPA published its Opinion on Artificial Intelligence governance and risk management (EIOPA-BoS-25-360) on 6 August 2025. It is addressed to national supervisors, takes a risk-based and proportionate approach, and grounds expectations in existing law such as Solvency II and the Insurance Distribution Directive rather than creating new rules. For a buyer, the indirect effect is that insurers are formalising how they assess AI risk, which increasingly means underwriters ask for governance evidence at submission. Documented controls aligned to recognised frameworks tend to produce cleaner terms.

How do ISO/IEC 42001, NIST AI RMF, and AIUC-1 fit into an insurance submission?

These are governance and assurance frameworks, not insurance products, but they feed underwriting directly. ISO/IEC 42001:2023 is a certifiable AI management system standard; the NIST AI Risk Management Framework 1.0 is a voluntary lifecycle framework many programmes run inside an ISO 42001 system. AIUC-1, launched in mid-2025 by the Artificial Intelligence Underwriting Company with input from Stanford, MIT and MITRE, is an AI-agent-specific certification audited first by Schellman, with ElevenLabs as the first certified company. Presenting evidence against these frameworks shows an underwriter the agent has documented controls, which is the most useful thing a buyer can bring to reduce AI carve-outs.

If my cyber policy has an AI sublimit, what does that mean for an AI agent claim?

An AI sublimit preserves coverage but caps recovery for AI-related events below the policy's overall limit. A cyber policy might carry a EUR 5 million aggregate limit while AI-related losses are subject to a EUR 500,000 sublimit inside it. The claim is still covered, but recovery stops at the sublimit even if the loss is larger. This is less visible than a total exclusion because nothing is removed from the schedule, so buyers often discover the cap only at claim time. Ask specifically whether any AI sublimit applies and how it relates to the general limit before binding.

References

  1. Verisk / Insurance Services Office (ISO). Generative artificial intelligence exclusion endorsements CG 40 47, CG 40 48, and CG 35 08 for commercial general liability, 01 26 edition. CG 40 47 excludes Coverage A and Coverage B; CG 40 48 limits the exclusion to Coverage B (personal and advertising injury). Broad trigger wording may apply where AI is one contributing factor or used indirectly through a vendor. By April 2026, carriers including W.R. Berkley, Chubb, Travelers, Berkshire Hathaway, and Cincinnati Financial had filed to adopt ISO endorsements or proprietary AI exclusion language. See industry analysis at Gallagher (ajg.com), Business Insurance, and Verisk filing summaries.
  2. Directive (EU) 2024/2853 on liability for defective products (Product Liability Directive), EUR-Lex (eli/dir/2024/2853). Entered into force 9 December 2024; member-state transposition deadline 9 December 2026; applies to products placed on the market or put into service after 9 December 2026. Definition of product expanded to include software and AI systems; failure to supply security updates may render a product defective.
  3. EIOPA. Opinion on Artificial Intelligence governance and risk management, reference EIOPA-BoS-25-360, published 6 August 2025. Addressed to national competent authorities; risk-based and proportionate; grounded in existing sectoral law including Solvency II and the Insurance Distribution Directive.
  4. ISO/IEC 42001:2023, Artificial intelligence management system (AIMS), certifiable international standard. NIST AI Risk Management Framework 1.0 (NIST AI RMF), voluntary lifecycle risk framework; commonly operated inside an ISO 42001 management system. See the NIST AI RMF to ISO/IEC 42001 crosswalk published via NIST (airc.nist.gov).
  5. AIUC-1, the Artificial Intelligence Underwriting Company (AIUC) standard for AI agents, launched mid-2025. Built with technical contributors including Stanford, MIT, MITRE, and Orrick, with feedback from enterprise risk leaders. First accredited auditor: Schellman. First certified company: ElevenLabs. Quarterly update cadence; positioned to sit on top of SOC 2 and ISO 27001 rather than replace them. See aiuc.com and the AIUC-1 specification. For operator documentation aligned to these frameworks, see agentcertified.eu.