A decade ago, “silent cyber” forced the market to confront unintended, unpriced coverage lurking among traditional policy lines. The same dynamic is now playing out with artificial intelligence, and it is accelerating faster than policy language, underwriting questionnaires or claims protocols can adapt. The result is a growing category of “silent AI” exposure: AI-related risks that are neither explicitly covered nor excluded under insurance policy wordings across multiple classes, including professional indemnity, public liability, cyber and D&O.
For policyholders, this means potential coverage gaps at the moment of claim. For insurers, it means unmodelled risk concentrated around a small number of AI model providers (e.g. foundation model developers such as OpenAI, Anthropic and Google) affecting a broad client base.
Insurers are also managing AI risk within their own organisations and upstream/downstream service providers. In April and May 2026, the Australian Prudential Regulation Authority (APRA) and the Australian Securities and Investments Commission (ASIC) each issued open letters to industry signalling that AI governance failures and the increased risk of cyber threats are firmly in their sights. This is a stark wake-up call for boards, adding a further dimension to the risk profile that the insurance industry must consider.
Silent AI exposures: Beware the gap
Gallagher’s 2026 research found that one in five insurance professionals surveyed reported that their insureds had already experienced losses linked to AI risk.[1] Yet most policy wordings were never designed with AI liability in mind. In the absence of direct exclusions or affirmative language, policies remain silent, leaving insurers and policyholders exposed to uncertainty and potential claims disputes. The ambiguity spans multiple classes: cyber liability, professional indemnity, errors and omissions, employment practices liability, product liability and D&O.
Gallagher Re has identified that the AI ecosystem’s reliance on a small number of model providers makes systemic silent AI exposures more likely, creating correlated accumulation risk that mirrors the concentration concerns seen with cloud computing.
Affirmative language for cyber risks was mandated by Lloyd’s of London under Market Bulletin Y5258 in July 2019, requiring all policies to be clear on whether cover is provided for losses caused by a cyber event. Policies needed to either contain an exclusion or expressly grant cyber coverage. The first phase applied to first party property damage risks, and the next two phases related to liability and treaty reinsurance.
A common misconception: Cyber risk is not AI risk
A common misconception is that a standalone cyber insurance policy provides adequate cover for AI-related liability. In practice, the two are distinct. Cyber insurance is primarily designed to respond to data breaches, network interruptions and privacy-related claims arising from unauthorised access or system failures. AI liability, by contrast, encompasses a far broader category of potential harm: algorithmic bias, model malfunction, flawed automated decision-making, intellectual property infringement, reputational damage caused by AI-generated content, and professional errors embedded in AI-assisted advice or services.
Insurers have recently begun to include sub-limits and exclusions for AI-related losses under cyber, professional indemnity and D&O policies. As the exclusion landscape evolves and AI-specific wordings emerge, policyholders and their brokers should be aware that existing cyber coverage may not equate to AI liability protection.
Regulatory responses
APRA’s Letter: What the industry should know
APRA’s letter dated 30 April 2026 reminds insurers to not only deal with AI exposures in their insurance portfolios but also within their own organisations, in light of a rapidly evolving AI and cyber risk environment. APRA’s letter was issued to all regulated entities, including banks, insurers and superannuation trustees, following a targeted engagement conducted in late 2025. The findings are relevant across the insurance industry: governance frameworks are not operational in practice, information security practices are struggling to keep pace, ownership/accountability is unclear across the AI lifecycle, and post-deployment monitoring including model behaviour monitoring is weak. For industry participants deploying AI in underwriting, claims or pricing, these findings highlight the importance of maintaining robust monitoring frameworks having regard also to supplier risks.
APRA now expects boards to develop and maintain sufficient understanding of AI, to be able to set strategic direction and to provide effective challenge and oversight, as well as overseeing an AI strategy consistent with the entity’s risk appetite. APRA is also aware of the potential for increased cyber threats from high capability frontier AI models which have significantly altered the risk landscape. Where entities fail to adequately identify, manage or control AI risks proportionate to their size, scale and complexity, APRA has stated it will take stronger supervisory action and, where appropriate, pursue enforcement.
ASIC’s Letter: Frontier AI and cyber resilience
On 8 May 2026, ASIC Commissioner Simone Constant issued an open letter to all Australian Financial Services Licensees calling for urgent strengthening of cyber resilience as frontier AI intensifies the global cyber risk environment.
ASIC’s concern is that frontier AI drastically lowers the cost and complexity of executing sophisticated cyber attacks, including rapid exploitation of vulnerabilities. For those writing cyber and D&O cover, this development is notable because it may simultaneously increase the frequency and severity of insured events and can potentially expose companies and their boards to greater liability. Furthermore, it may also threaten insurers’ own operational resilience.
ASIC referenced the Federal Court of Australia’s judgment in ASIC v FIIG Securities Limited, emphasising that cyber risk management should be demonstrably effective and proportionate, supported by clear governance and adequate resourcing. In that case, ASIC was successful in seeking pecuniary penalties after a financial services licensee failed to protect clients from cyber security threats over a period of more than four years.
What next?
The convergence of silent AI exposures, emerging exclusionary language and explicit regulatory expectations in light of a rapidly evolving risk environment presents a multi-faceted challenge for the insurance sector. Insurers and policyholders alike, including their brokers, may wish to consider how existing insurance programs address AI risks, whether current wordings are clear on AI-driven losses, and what exclusions are being proposed or added at renewal. Furthermore, the effect of regulator expectations and enforcement following recent letters to industry remains to be seen. However, one thing is certain – silent AI is no longer a sleeper issue.
Footnotes
1 Not So Silent: Tackling the Complexities of AI Liability | Gallagher

