
AI moved into the business faster than the insurance market could keep up with it. Companies started using generative and agentic AI across hiring, marketing, customer service, and product delivery while their D&O, E&O, EPL, cyber, and general liability policies sat unchanged from the pre-AI world. The result was a stretch of silent coverage, where policies might respond to an AI loss and might not, and where carriers had every reason to find a reason to deny.

How to Contract hosted a webinar with Bradley Dlatt, Counsel at Lathrop GPM, and Bill Price, a three-time tech General Counsel now running his own subscription GC practice. Bradley represented policyholders in coverage disputes and brought the carrier-side perspective on how denials actually played out. Bill brought the in-house view from years of owning insurance as part of the GC role. Laura Frederick hosted and pushed the conversation into the contract drafting questions that mattered most.

The discussion worked through where AI risks were falling between existing policies, which contract terms moved that risk to the right place, the new AIUC-1 standard for agentic AI vendor diligence, and the governance habits that made the difference between a paid claim and a denied one.

Here are our top ten takeaways from the speakers' comments during the webinar:

  1. The insurance market is in a silent coverage era for AI risks. Cyber, D&O, E&O, EPL, and general liability policies all might respond to an AI claim, and they all might not. The exclusions are moving in real time. Bradley flagged Berkley's absolute AI exclusion on D&O and professional liability, and the ISO generative AI exclusions on general liability that landed earlier this year. Treat any existing policy as ambiguous until someone has gone line by line through the endorsements with AI in mind.

  2. Start with a risk map, not a policy review. Document how AI is used across the business externally and internally, including chatbots, hiring, sensitive personal information, and AI vendors. Only then run the gap analysis against your cyber, E&O, EPL, and D&O programs. Reversing that order means you measure your policies against the wrong risks and miss what your business is actually doing.

  3. Build a three-headed coverage team. The in-house lawyer, an industry-specialized broker, and outside coverage counsel who represents policyholders rather than carriers are the three voices you need in the room. Bill described the brokerage litigator on staff as gold for the notice question alone, because that person could tell you how to put the carrier on notice without provoking an overreaction. If your broker cannot confidently tell you whether you have coverage for a given AI scenario, you have a gap.

  4. Match contract risk transfer to magnitude, duration, and scope. Magnitude means the one-to-two-times-the-contract-value cap in a typical SaaS agreement does not match AI risk. Duration means insurance policies are annual snapshots, and claims-made coverage needs a tail that extends past the relationship. Scope means indemnity and insurance provisions must be drafted to harmonize rather than collapse into each other.

  5. Additional insured status is usually weaker than it looks. Bill said most AI vendors hand additional insured status to every customer, which means you get in line behind every other claim and the limits get exhausted before you reach them. Named insured status is meaningfully better and rarely given. Push for it where the relationship and the risk justify it, and read the endorsement language carefully because standard additional insured forms often cap your coverage at the indemnity cap in the contract.

  6. Indemnity and defense are different obligations with different triggers. A defense obligation triggers on what is alleged. An indemnity obligation triggers on the actual facts at the end of a claim. Most contracts merge the two and carry the same limitations through to both, which creates gaps the insurer exploits later. Drafting defense as a separate sentence or section keeps the concepts clear and protects access to coverage when it matters.

  7. AIUC-1 is your new diligence floor for agentic AI vendors. Bill described it as SOC 2 for agentic AI, with quarterly governance and independent audits across six risk areas including security, safety, reliability, societal impact, and accountability. Schellman is currently the only accredited auditor. Even when your vendor is not certified, the framework gives your diligence team the right questions to ask.

  8. Insurance notification belongs in the first hour of incident response, not the last. Bradley said the most common claim fight in a cyber matter is reasonableness of vendor costs and lack of insurer consent. Both are avoidable. Get vendors pre-approved by your cyber insurer at known rates before any incident, run the forensic vendor contract through outside counsel for privilege, and put insurance notice at the top of the response checklist.

  9. Underwriting disclosure is your strongest defense at claim time. Bradley argued that affirmatively telling your insurer how you use AI, getting it blessed at underwriting, and documenting that history narrows the carrier's room to deny later. His financial crisis analogy held up. Policyholders who had submitted defaulted loans to their insurers for review before the crisis recovered. Those who had not, did not. Disclose now to preserve coverage later.

  10. Governance is a coverage strategy, not just a compliance exercise. A documented record of human-in-the-loop review, training data controls, and use case approvals is what your coverage counsel uses to push back on the carrier's expected-or-intended-loss defense. The carrier's default in the AI context is to deny. The defense to that denial is built in advance through cross-functional governance that runs quarterly, includes legal, security, IT, product, and HR, and reports up to the board.
