AI Cyber Insurance: The Coverage Gap Your Agent Will Find First

A coding agent merges a change at 2 a.m. that takes a customer's production database offline for ninety minutes. A customer-support agent fans out and sends fourteen thousand misworded refund-denial emails before the loop is killed. An autonomous reconciliation workflow charges 2,800 cards twice. The damages are real, the audit trail names your company, and your finance team files the claim against the cyber policy that was renewed six weeks ago. The carrier's response is a polite letter explaining that the policy covers "unauthorized access by malicious third parties" and "social engineering of an employee" — and the agent was authenticated, the action was authorized, and no employee was deceived. Coverage denied. The loss sits on your balance sheet.

This is not a hypothetical edge case. It is the modal claim profile for the next eighteen months, and the insurance industry knows it. Cyber, E&O, and D&O policy language was calibrated against a threat model where breach severity is a function of records exfiltrated and incident response is a function of forensic hours billed. Agentic AI does not produce that shape of incident. It produces a shape the underwriter has no actuarial baseline for, and the carrier's first instinct — when the actuarial baseline is missing — is to write the exposure out of the policy entirely.

The teams shipping agents in 2026 are operating in a coverage vacuum that almost nobody has audited, and the discovery happens at claim time, when the audit is too late.

The shape of the new claim

Traditional cyber policy triggers depend on intent and identity: an external actor obtained unauthorized access, a phishing email tricked a user, ransomware encrypted a system. Agent incidents fail every one of these tests. The agent had legitimate credentials. The agent was authorized to call the tool. The agent's action was logged, attributed, and within its declared scope. There was no intruder, no deception, no malware. There was just an autonomous system that did the wrong thing very quickly, at scale, under your name.

Several distinct loss patterns are already showing up at brokers' desks. An agent with banking-system access is manipulated by a prompt-injection payload buried in a vendor invoice and initiates a wire transfer that looks indistinguishable from a sanctioned one. A multi-agent workflow cascades into a self-amplifying loop and exhausts a six-figure inference budget over a weekend. A retrieval-augmented assistant cites a document that no longer exists and gives regulated advice that triggers a compliance investigation. A code-writing agent merges a change that meets the linter, passes the tests, and breaks a customer's SLA at the protocol layer. None of these map cleanly to the policy language drafted in 2022.

The gap is not subtle. It is the difference between "a third party did this to us" and "our system did this on our behalf, and now someone is sending us a bill." The first is what cyber insurance was built for. The second is what your roadmap is now optimized to produce.

What carriers are actually doing about it

Two opposite movements are happening at the same time, and most buyers see only one of them.

The first movement is exclusion. Major carriers have introduced what brokers are calling "absolute AI" clauses — broad endorsements that exclude any claim "based upon, arising out of, or attributable to" the use of AI, in any role, by anyone in the chain of causation. The drafting is intentionally expansive: it sweeps in claims where AI played a minor or even tangential role, and it pre-empts the silent-AI assumption that coverage exists because nothing explicitly excludes it. D&O, E&O, and Fiduciary towers are the loudest, but cyber is following. The pattern is familiar from prior emerging-risk cycles: when actuaries cannot price an exposure, they exclude it until they can.

The second movement is the affirmative endorsement. A handful of carriers are now offering AI-specific add-ons that explicitly cover agent actions, hallucination-driven liabilities, and prompt-injection scenarios. Cowbell announced its Prime One product in April with affirmative AI and quantum coverage. Coalition rolled an affirmative AI endorsement into its base cyber policy after a year as an opt-in. Axa XL added an endorsement aimed at organizations training their own generative models. Specialty AI insurers are writing standalone policies that name the exposures the absolute exclusions are pushing out.

The buyer's problem is that these two products are sold by different teams, often through different brokers, and the renewal cycle does not auto-translate "you used to be covered" into "you are now affirmatively covered." A team that does not actively shop the AI endorsement at renewal often discovers, on the next claim, that they were quietly excluded eighteen months ago. The endorsement is a procurement decision now, not a policy footnote.

The contract surface that compounds the gap

The insurance gap does not live alone. Most enterprise customer agreements were also drafted before agents had tool access, and they have their own version of the same problem.

Master service agreements typically allocate liability for "system-generated" outputs as if "system" meant deterministic code with bounded behavior. When the system is an LLM-driven agent that can take a thousand different actions in response to the same input, the contract's indemnity clauses still read literally — but the risk allocation they encode no longer matches the risk being created. The customer believes they bought a service. The vendor believes they shipped software. The agent did something neither party drew on the whiteboard, and the contract has no clause that anticipates it.

Vendor T&Cs for the upstream model are even more lopsided. Most foundation-model providers disclaim responsibility for accuracy, fitness, and downstream consequences. The customer of the customer of the model is wearing the residual risk by default. When the chain breaks, the carrier looks at the contract stack and sees a clear allocation of liability — to your company.

The fix is not a one-time legal sprint. It is a renewal-cycle discipline: every customer MSA touched by an agent surface gets a contractual review whose first question is "what does this contract say about an action initiated by an autonomous system operating under our credentials?" Anything that answers "the contract does not contemplate this" is a finding, not a footnote.

What the underwriter is now asking

Cyber underwriters have rewritten their AI questionnaires twice in the last twelve months. The questions used to be "do you use AI, and how?" They are now closer to a security audit:

• Which models are in production, by version, and which call sites are pinned to which version?
• What is your prompt registry, and how do you version, review, and roll back prompts?
• What approval gates exist for tool actions, and how is the approval matrix mapped to the risk class of the underlying tool?
• How do you log, retain, and replay agent traces? What is the integrity guarantee on those logs?
• What is your eval coverage on the surfaces that ship to customers, and what is the regression budget when a model upgrades?
• How quickly can you freeze an agent in production when a regression is detected?

These are the same questions a competent CISO would ask before greenlighting an agent rollout. They are now also the questions that determine your premium and the breadth of your endorsement. The answer "we have logs" is not enough; underwriters want to know that the logs are operation-level, attribution-complete, and tamper-evident, with retention durations that satisfy the regulatory envelope the agent operates inside. The duty-of-care standard the policy will demand at claim time is being built into the application form right now.

This has a perverse and useful consequence. The work the security team is already doing to satisfy enterprise CISOs in pre-sales also moves the insurance premium. The artifacts are the same: the model registry, the prompt registry, the approval-gate matrix, the eval coverage report, the audit-log architecture diagram. Treating these as one document set rather than two is the leverage point.

The record-keeping standard the carrier will demand

When the first six-figure incident lands, the question the carrier's adjuster will ask is not "did this happen?" It is "can you prove what happened, in a form a court would accept?" That question has a specific technical answer.

The audit trail must be created at the moment of the agent action, not reconstructed from telemetry afterward. It must record the operation, the data touched, the human authorization that ultimately backs the action, the policy decision the agent made, the model and prompt versions in effect, and the timestamp — for every consequential call. It must be tamper-evident, which in practice means cryptographic chaining or write-once storage. And it must be retained on a schedule matched to the regulatory envelope: six months for EU AI Act high-risk systems, six years for HIPAA-touching agents, seven years for SOX-relevant ones, twelve months for PCI-DSS.

A team that cannot produce this record in the first hour of an incident has a much harder time arguing that the loss was a covered event under any policy, affirmative or silent. A team that can produce it has the artifact that turns "we think the agent did X" into "the agent did X at this timestamp, with this model version, under this user's session, after this approval gate fired" — and that is the difference between a paid claim and a denied one.

What to do this quarter

Three concrete moves, in priority order.

First, run a coverage audit. For every cyber, E&O, D&O, crime, and fiduciary policy in force, write down the answer to one question: "does this policy cover, exclude, or remain silent on a loss caused by an autonomous agent operating under our credentials?" Send the question to the broker in writing and require a written answer. Silence in the policy is not silence in the answer; the broker will tell you whether the carrier reads it as covered or excluded under current case law.

Second, push the AI endorsement onto the renewal agenda before the next renewal date. Treat it the same way you treat a cyber-tower limit increase: shop it, compare wordings, and budget for the premium. The carriers that are writing affirmative AI cover today are the ones that have done the actuarial work and want the business; the carriers that are excluding are signaling they have not. Your buying decision is also a vote.

Third, build the audit-log architecture as if your insurer has already issued a duty-of-care notice. Even if no one has named it yet, the standard is forming, and retrofitting tamper-evident logging onto a fleet of in-production agents is a year-long project. Doing it now, before the first claim, costs less than doing it after.

The architectural realization

AI risk is not yet a priced product on the insurance market. The exclusions are widening faster than the affirmative cover is, the actuarial baselines are missing, and the contract stack downstream of every agent surface still reads as if the agent is a CRUD endpoint. The company that operates as if the risk is fully transferred will discover at claim time that it was self-insuring without intending to — and the discovery will be a board-level event, not a procurement note.

The companies that move first are not the ones buying the most coverage. They are the ones treating the insurance question as a forcing function for the engineering work they already need to do: versioned models, versioned prompts, risk-classed tools, tamper-evident logs, replayable traces, and a written answer to the question "who pays when the agent is wrong?" That work makes the agent safer to ship, easier to govern, and — incidentally — insurable. The order of operations matters. The carrier writes coverage against the artifact, not the intent.

The insurance market will catch up. It always does. The interim, where the policies and the agents are not yet on speaking terms, is where the losses get booked.