A state-by-state comparison of ISO commercial general liability endorsement filings this quarter shows the generative AI exclusion clearing regulators faster than any CGL endorsement since the 2020 communicable disease language. Verisk's ISO gen AI exclusion endorsements took effect January 1, 2026, letting traditional carriers carve generative AI out of commercial general liability entirely. At the same time, a growing set of specialty markets and MGA programs, including Munich Re, Coalition, Armilla, and Vouch, now affirmatively cover hallucinations, prompt injection, model drift, and IP infringement from gen AI use. Three months in, the P&C AI liability market is bifurcating, and actuaries are being asked to price two very different products on thin loss data.
The coverage conversation so far has mostly focused on one side or the other: the exclusion narrative runs through trade press, and the affirmative coverage narrative runs through insurtech pitch decks. The actuarial problem is that both products sit on the same underlying loss distribution. When a law firm's gen AI tool fabricates a case citation that draws a sanction, either the firm's CGL responds (now unlikely under the ISO endorsement), a dedicated AI liability policy responds (if one was purchased), or the firm eats the loss. Pricing either product requires a loss-trigger taxonomy that maps gen AI failure modes to policy language, and neither the ISO filings nor the affirmative products have converged on a shared taxonomy. This article walks through the ISO endorsement structure, the affirmative coverage landscape, the pricing inputs available when there is no credible loss history, the European regulatory overlay, and the stress-test scenarios actuaries should be running before the 2027 renewal cycle.
The ISO Gen AI Exclusion: What the Endorsement Actually Says
Verisk's Insurance Services Office (ISO) filed a suite of generative AI exclusion endorsements with state insurance departments during the second half of 2025, targeting a January 1, 2026 effective date. The endorsements are optional: carriers that subscribe to the ISO CGL program can attach them to individual policies or apply them as a standard schedule amendment. The filings appear in SERFF under search terms including "generative artificial intelligence exclusion" and related ISO form codes. Tracking the approval cadence across the first sixteen states that cleared the forms shows most approvals landing in a thirty-to-sixty-day window with minimal interrogatories, which is unusually fast for a coverage-narrowing endorsement and suggests regulators saw the filings as clarifying rather than restrictive.
The core trigger language in the primary endorsement excludes bodily injury, property damage, personal and advertising injury, and medical payments arising out of the "use of" generative artificial intelligence. The "use of" formulation is broader than it first appears. It reaches not only the insured's own deployment of gen AI tools, but any claim where the insured's conduct involved gen AI output in the causal chain. A marketing agency that uses a gen AI tool to draft ad copy containing a defamatory statement, a contractor that relies on a gen AI estimator that mis-specifies load-bearing requirements, and a retailer whose chatbot offers a warranty the company did not authorize would all face the same coverage question: was gen AI in the causal chain?
The endorsement architecture matters because it differs from how cyber-style exclusions typically work. A cyber exclusion usually carves out data breach, ransomware, and network intrusion losses, with explicit carve-backs for bodily injury and property damage to preserve traditional CGL coverage. The ISO gen AI exclusion is structured as a broad "arising out of" bar with narrow carve-backs, rather than a narrow bar with broad carve-backs. That structural choice transfers the coverage burden from the exclusion drafter to the insured: the insured must show the loss did not arise out of gen AI use, not the other way around.
"Use of" Versus Data Exfiltration and Cyber Carve-Backs
A meaningful subset of gen AI losses also triggers existing cyber policies. A prompt injection attack that exfiltrates customer data looks like a data breach under most cyber forms. A model trained on copyrighted material that produces infringing output looks like an IP claim under media liability. The ISO endorsement does not attempt to resolve these overlaps; it simply removes CGL coverage for anything arising out of gen AI use, leaving the insured to look to cyber or media forms for the pieces those products cover and to specialty AI products for the rest.
This creates a coverage seam that brokers have been drawing attention to since the filings cleared. A gen AI-initiated data exfiltration event under the new endorsement structure may trigger a cyber policy for the breach response and regulatory costs, but the resulting defamation or bodily injury exposure from the exfiltrated information could fall outside both the cyber carve-back and the CGL exclusion. Filling that seam is the market opportunity the affirmative coverage products are targeting.
Affirmative Coverage Products: Four Different Models
While the exclusion side of the market is centralizing around the ISO form, the affirmative side is fragmenting. Four product architectures have emerged in the first quarter of 2026, each with different coverage triggers, underwriting inputs, and pricing logic.
Munich Re's insureAI (Performance Guarantee Model)
Munich Re's insureAI is a performance guarantee product rather than a liability policy. The AI developer or deploying enterprise agrees to a performance specification with its customer, and Munich Re backstops the financial consequences if the model fails to meet that specification. Coverage triggers are tied to model output accuracy, downtime, or deviation from contracted service levels. Because the trigger is contractual performance rather than tort liability, the pricing problem looks closer to surety or warranty than to standard casualty. Munich Re has been active in this space since well before the gen AI boom, with publicly reported deals backing AI vendor warranties since 2018. The 2026 growth is less about new product design and more about expanded capacity for gen AI-specific performance triggers such as hallucination rates and drift thresholds.
Coalition's Affirmative AI (Cyber-Adjacent Model)
Coalition, the cyber MGA backed by Swiss Re and several Lloyd's syndicates, extended its cyber policy wording in late 2025 to include affirmative AI triggers. The product covers prompt injection attacks, model theft, training data poisoning, and resulting third-party liability when a gen AI system deployed by the insured causes harm to a customer or counterparty. The underwriting questionnaire includes gen AI governance attestations: which models are in production, whether human review is mandatory for customer-facing outputs, whether adversarial testing has been performed, and whether the insured maintains a model inventory consistent with ISO 42001 or the NIST AI RMF. Pricing layers an AI load on top of the cyber base rate, with the load scaled by attestation quality.
Armilla Warranty (Third-Party Warranty Model)
Armilla, backed by a Chaucer-led Lloyd's consortium, offers a standalone AI warranty that pays out when a contracted AI model underperforms against pre-agreed benchmarks. Coverage triggers include accuracy below a specified threshold, bias amplification beyond a fairness floor, and hallucination rates above a negotiated limit. Armilla runs an independent model audit before binding, which produces the loss-frequency inputs used in pricing. The audit is the product's distinguishing feature: without it, there is no objective baseline for the performance guarantee to measure against. Armilla's model combines warranty pricing with model-assurance consulting fees, which is how it monetizes the audit effort.
Vouch and Specialty Insurtech (Bundled Tech E&O Model)
Vouch, which writes technology errors and omissions for startups, has embedded gen AI coverage into its tech E&O form rather than writing it as a standalone product. The form's media, breach, and professional liability components all include affirmative language for gen AI-assisted work. Because Vouch's customer base skews toward AI-native startups, the portfolio-level exposure assumptions are very different from those at a traditional CGL book. Vouch underwriters expect gen AI use across the entire insured population, rather than treating it as a peripheral risk. Pricing reflects that assumption by building gen AI into the base rate rather than charging a separate load.
Pricing Inputs When There Is No Credible Loss History
The core actuarial problem across both the exclusion side and the affirmative side is the same: there is no credible loss history. Gen AI in its current form is roughly three years old, enterprise deployment is younger than that, and the claim cycle has not run through enough reporting years to produce usable paid or incurred triangles. Actuaries pricing either product are working with a combination of surrogate data, expert judgment, and model-specific underwriting inputs.
Model-Audit Evidence
The most tangible pricing input available is the model audit. Armilla, Coalition, and several reinsurance-backed MGAs now require a pre-bind model assessment that measures accuracy on a benchmark dataset, fairness across protected classes, hallucination rate on a standardized prompt suite, and drift from a reference state. The audit outputs a score or a tier classification, and that classification enters the rating algorithm as a credibility-weighted exposure factor. An independently audited model with a high accuracy score and a documented governance program can receive a rate that is a meaningful discount off an unaudited peer.
The limitation of audit-based pricing is that the audit measures model behavior at a point in time. Gen AI models in production are updated continuously, either by vendor upgrades, by fine-tuning, or by prompt template changes. An audit conducted at policy inception may be stale at the midpoint of the policy period. Several carriers have responded by requiring quarterly re-attestation or by conditioning renewals on continued audit maintenance.
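The credibility-and-staleness logic just described can be sketched in a few lines. This is an illustrative construct, not any carrier's filed algorithm: the portfolio prior frequency, the full-credibility prompt-suite size, and the staleness half-life are all assumed values chosen for the example.

```python
# Illustrative sketch, assuming hypothetical parameter values: blend an
# insured-specific audit-implied failure rate with a portfolio prior via
# square-root credibility, and decay the audit's weight as it ages.
import math

PORTFOLIO_PRIOR_FREQ = 0.04      # assumed prior claim frequency per policy
FULL_CRED_PROMPTS = 10_000       # assumed full-credibility prompt-suite size
STALENESS_HALF_LIFE_DAYS = 180   # assumed: audit weight halves every ~6 months

def audit_credibility(prompt_suite_size: int, audit_age_days: int) -> float:
    """Square-root credibility, discounted for audit staleness."""
    z = min(1.0, math.sqrt(prompt_suite_size / FULL_CRED_PROMPTS))
    decay = 0.5 ** (audit_age_days / STALENESS_HALF_LIFE_DAYS)
    return z * decay

def blended_frequency(audit_failure_rate: float,
                      prompt_suite_size: int,
                      audit_age_days: int) -> float:
    """Credibility-weighted blend of audit evidence and the portfolio prior."""
    z = audit_credibility(prompt_suite_size, audit_age_days)
    return z * audit_failure_rate + (1.0 - z) * PORTFOLIO_PRIOR_FREQ
```

Under these assumed parameters, a fresh full-size audit showing a 1% failure rate gets full weight, while the same audit at 180 days old is blended half-and-half with the 4% portfolio prior, yielding 2.5%. The decay term is one way to price the point-in-time limitation without forcing a mid-term re-audit.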
Third-Party Evaluations and Benchmarks
Public benchmarks such as Vectara's Hallucination Leaderboard, Stanford HELM, and academic fairness benchmarks offer loss-frequency proxies that can be used in pricing even when the insured's specific model has not been independently audited. A carrier can tier gen AI loads based on the benchmark performance of the underlying foundation model, recognizing that a customer running on a high-scoring model has lower base risk than a customer running on a low-scoring model. Benchmarks alone are insufficient for full credibility, but they provide a starting point when the insured does not have an audit to present.
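A benchmark-tier lookup of the kind described might look like the following sketch. The tier breakpoints and load bands are hypothetical placeholders for illustration; they do not reproduce any published manual or leaderboard cutoff.

```python
# Hypothetical tiering sketch: assign a starting AI load band from the
# public hallucination-benchmark score of the underlying foundation model
# when no insured-specific audit exists. Breakpoints and bands are assumed.
BENCHMARK_TIERS = [
    # (max hallucination rate on the benchmark suite, (low, high) load band)
    (0.02, (1.05, 1.15)),          # top-scoring foundation models
    (0.05, (1.15, 1.30)),
    (0.10, (1.30, 1.60)),
    (float("inf"), (1.60, 2.50)),  # unbenchmarked or low-scoring models
]

def starting_load_band(benchmark_hallucination_rate: float) -> tuple[float, float]:
    """Return the indicative (low, high) AI load band for a model tier."""
    for cutoff, band in BENCHMARK_TIERS:
        if benchmark_hallucination_rate <= cutoff:
            return band
    raise ValueError("unreachable: the final cutoff always matches")
```

The band, rather than a point factor, is the output on purpose: benchmark evidence alone supports only partial credibility, and underwriting judgment selects within the band.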
Exposure Bases: Inference Volume and Model Size
Traditional casualty exposure bases (payroll, sales, units) translate imperfectly to gen AI risk. A company with $10M in revenue that runs all customer interactions through a gen AI chatbot has materially different exposure from a company with $10M in revenue that uses gen AI only for internal productivity. The affirmative coverage products are experimenting with alternative exposure bases:
- Inference volume: Number of model calls or tokens processed during the policy period. This aligns exposure with activity and scales naturally with growth, but requires metering infrastructure the insured may not have.
- Model size and capability tier: Larger, more capable models generally produce more confident and therefore more consequential outputs. Some rating plans include a tier factor tied to parameter count or benchmark capability score.
- Deployment surface: Customer-facing, employee-facing, or internal-only. The ratio between these surfaces drives the expected loss frequency from external claims.
- Regulated industry factor: Healthcare, financial services, and legal deployments carry incremental exposure from regulated advice claims, and most rating algorithms recognize this explicitly.
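A minimal rating sketch combining these exposure bases could look like the following. Every factor value is a hypothetical placeholder chosen for illustration; a real plan would need filed support for each factor and its interaction effects.

```python
# Minimal sketch, assuming placeholder factor values: build a multiplicative
# AI load from the four alternative exposure bases discussed above.
import math

SURFACE_FACTOR = {"internal": 1.00, "employee": 1.05, "customer": 1.35}
INDUSTRY_FACTOR = {"general": 1.00, "healthcare": 1.50,
                   "financial": 1.45, "legal": 1.60}

def ai_load(annual_inferences: int,
            model_tier: int,     # assumed scale: 1 = small ... 4 = frontier
            surface: str,
            industry: str) -> float:
    """Multiplicative AI load from volume, capability, surface, industry."""
    # Inference volume: log-scaled so exposure grows sublinearly with calls.
    volume = 1.0 + 0.02 * math.log10(max(annual_inferences, 1))
    tier = 1.0 + 0.05 * (model_tier - 1)   # capability-tier factor
    return volume * tier * SURFACE_FACTOR[surface] * INDUSTRY_FACTOR[industry]
```

Log-scaling the inference-volume term keeps the load from growing linearly with call counts, which matches the intuition that the marginal risk of the ten-millionth call is lower than the first; a metered, per-call exposure base would be the alternative design where the insured has the telemetry to support it.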
Exposure-Level Pricing Illustration
| Exposure Profile | Indicative AI Load Factor | Primary Risk Driver |
|---|---|---|
| Internal productivity only, employee-facing | 1.05x to 1.10x | Output leakage, copyright from training data |
| Customer service chatbot, non-regulated industry | 1.20x to 1.40x | Defamation, unauthorized promises, prompt injection |
| Regulated advice (legal, medical, financial) | 1.60x to 2.50x | Regulated advice liability, hallucinated citations |
| Autonomous agent with tool-calling in production | 2.00x to 4.00x+ | Tool misuse, cascading errors, unauthorized transactions |
These ranges reflect indicative loads observed in early 2026 quoting activity, not a published rating manual. The spread within each tier is wide because underwriting judgment, audit evidence, and governance maturity move the load up or down significantly. Autonomous agent exposures, in particular, sit in a range the market has barely tested; early quoting activity treats them with the caution historically reserved for novel technology classes before a loss run emerges.
The EU AI Act Overlay: How European Cedents Are Reshaping Treaty Wordings
The exclusion-versus-affirmative divide is a U.S.-centric framing. In Europe, the EU AI Act has already reshaped the insurance conversation. The Act classifies AI systems by risk tier, imposes compliance obligations on "high-risk" systems, and creates statutory product-liability-style exposure through the parallel AI Liability Directive proposal and the revised Product Liability Directive. As Milliman has documented in its coverage of the Act's insurance implications, European cedents are asking treaty reinsurers to address gen AI exposure explicitly, rather than leaving it to fall into or out of coverage by silence.
The practical result is that European commercial lines treaties signed during the January 1, 2026 renewals frequently included either an affirmative AI coverage grant or an explicit AI exclusion at the treaty level, with premium loadings or ceding-commission adjustments negotiated accordingly. This is a faster convergence than the U.S. market, where the ISO endorsement is a facultative choice and treaty-level treatment remains inconsistent carrier by carrier. Actuaries at U.S. carriers with European books, or at European reinsurers with U.S. cedents, are navigating two regulatory logics simultaneously: a U.S. market where gen AI coverage is an endorsement decision, and a European market where it is a statutory compliance decision with treaty consequences.
The EU AI Act's high-risk classification drives much of the underwriting rigor. A system used for credit scoring, employment decisions, or essential services falls into the high-risk tier and must meet documentation, testing, and human oversight requirements. Insurers writing affirmative coverage for high-risk systems in the EU are effectively underwriting the insured's compliance posture, because a compliance failure frequently precedes a liability claim. The underwriting questionnaire becomes a mirror of the compliance obligation.
Loss Scenarios Actuaries Should Stress-Test
With no credible triangles, scenario-based stress testing is the most useful actuarial tool for either product side. Tracking gen AI loss reports across trade press, regulatory filings, and industry coalitions surfaces five scenario classes that have produced, or come close to producing, material claims in the last eighteen months.
1. Defamation from Fabricated Output
A gen AI system produces false, reputation-damaging content about an identifiable person. The Walters v. OpenAI suit in Georgia and the Starbuck v. Meta matter are early examples of the class. Actuaries should stress-test circulation (did the output reach third parties), identifiability (was a specific person named), and reasonable care (did the insured rely on the output without verification). Severity scales with circulation and the plaintiff's reputational standing.
2. Regulated Advice Liability
A gen AI tool provides output that functions as professional advice in a regulated domain: a law firm's filing tool produces a brief with fabricated citations, a wealth management chatbot gives an investment recommendation that departs from suitability requirements, or a healthcare assistant proposes a treatment that conflicts with clinical guidelines. The Mata v. Avianca sanctions case from 2023 established the pattern. Severity scales with the financial or medical harm to the end user and with the regulator's willingness to pursue the practitioner.
3. Copyright and IP Infringement
A gen AI system produces output that reproduces or derives closely from copyrighted training material. Ongoing litigation including New York Times v. OpenAI and Getty Images v. Stability AI is still shaping the doctrinal contours, but affirmative coverage products increasingly treat IP infringement as a named trigger. Severity in this class is bimodal: either the infringement is isolated and settles quickly, or it becomes a class or sector-level issue with multi-hundred-million-dollar exposure.
4. Tool Misuse in Agentic Deployments
An agentic gen AI system with tool-calling capability takes an action it was not authorized to take: purchases that exceed approved limits, external communications sent without human review, or access to systems that should have been gated. Agentic deployments are still early in enterprise production, but the potential severity is significant because each tool call creates a new action surface. Actuaries should stress-test the authorization architecture, the transaction limits, and the human-in-the-loop mechanism for consequential actions.
5. Prompt Injection and Adversarial Inputs
A third party supplies an input designed to manipulate the model into producing harmful output. The threat model includes data exfiltration, unauthorized disclosure of system instructions, and bypass of safety guardrails. Because the triggering event is the attacker's action rather than the insured's, coverage overlaps with cyber. Actuaries should stress-test the defensive architecture (input sanitization, output filtering, adversarial testing) and the attribution evidence the insured would be able to produce in a claim.
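The five scenario classes can be wired into a simple frequency-severity Monte Carlo for stress testing. Every parameter below (expected annual counts, severity medians, dispersion) is an assumed placeholder, not an observed loss statistic; the point is the structure, not the numbers.

```python
# Stress-test sketch, assuming placeholder parameters: Poisson frequency and
# lognormal severity per scenario class, aggregated by Monte Carlo.
import math
import random

# (annual expected claim count, median severity in $, lognormal sigma)
SCENARIOS = {
    "defamation":          (0.10, 250_000, 1.2),
    "regulated_advice":    (0.05, 750_000, 1.5),
    "ip_infringement":     (0.03, 400_000, 2.0),  # wide sigma as a bimodality proxy
    "agentic_tool_misuse": (0.02, 500_000, 1.8),
    "prompt_injection":    (0.08, 150_000, 1.0),
}

def _poisson(lam: float, rng: random.Random) -> int:
    """Knuth's algorithm; adequate for the small means used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_loss(rng: random.Random) -> float:
    """One simulated year of aggregate loss across all scenario classes."""
    total = 0.0
    for lam, median, sigma in SCENARIOS.values():
        for _ in range(_poisson(lam, rng)):
            total += rng.lognormvariate(math.log(median), sigma)
    return total

def tail_percentile(n_sims: int = 20_000, q: float = 0.99, seed: int = 42) -> float:
    """Empirical q-th percentile of the simulated annual aggregate loss."""
    rng = random.Random(seed)
    losses = sorted(simulate_annual_loss(rng) for _ in range(n_sims))
    return losses[int(q * n_sims)]
```

The output of interest is the tail, not the mean: a 99th-percentile annual aggregate gives a first-order read on the capital headroom question, and swapping in alternative severity assumptions per class shows which scenario dominates the tail under each parameterization.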
What the NAIC AI Model Bulletin and Vendor Registry Mean for U.S. Carriers
Carriers writing either side of this market in the United States are doing so against the backdrop of the NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers, adopted in December 2023 and now implemented in roughly two dozen states plus the District of Columbia. The Bulletin requires insurers deploying AI in underwriting, rating, claims, or other consumer-facing functions to maintain a documented AI program, perform ongoing monitoring, and manage third-party vendor relationships. A carrier writing affirmative AI coverage is itself a carrier using AI in underwriting: the audit scores, benchmark outputs, and risk-tier classifiers are AI systems by the Bulletin's own definition.
The third-party AI vendor registry framework advancing through the NAIC's Third-Party Data and Models (H) Working Group adds another layer. If the registry is adopted in its current form, a carrier pricing affirmative AI coverage using a third-party audit provider or a third-party model classifier would face registry-level scrutiny of that vendor. The NAIC AI Evaluation Tool pilot, running in twelve states through September 2026, produces the exam methodology that will surface these dependencies during routine financial and market conduct exams.
Carriers should also be tracking the NAIC's transition from bulletin to model law, which would convert the principles-based guidance into binding statutory language. A carrier that designs its AI liability coverage around bulletin-era assumptions about governance and vendor oversight may need to rework pricing and underwriting once the model law's specific requirements settle. The ASOP No. 56 governance gap for AI systems is particularly acute in this context because the actuarial practice standards have not kept pace with either the pricing problem or the regulatory infrastructure that increasingly shapes the product.
Implications for the 2027 Renewal Cycle
Three months of ISO endorsement use produces the first data on adoption rates, geographic distribution, and broker placement patterns. The picture so far suggests a bifurcation that will continue into the 2027 renewal cycle rather than resolve quickly.
On the exclusion side, adoption has been strongest among standard CGL carriers serving large and middle-market accounts where the underwriter has the leverage to insist on the endorsement at renewal. Small business and micro-account renewals have been slower to adopt, partly because the broker-carrier dynamic at that segment does not support significant form changes without material premium movement. Expect adoption to expand downmarket through 2026, driven by reinsurance treaty pressure rather than primary-carrier initiative.
On the affirmative side, the four product architectures described above will continue to compete on different underwriting philosophies. Munich Re's performance guarantee approach, Coalition's cyber-adjacent approach, Armilla's audit-based approach, and Vouch's bundled tech E&O approach are all viable, and the winning architecture probably depends on the customer segment. Enterprise buyers with mature AI governance programs are natural Armilla customers. AI-native startups are natural Vouch customers. Coalition's model fits any insured that already buys cyber and wants additive AI triggers. Munich Re's performance-guarantee wrapper fits deals where the insured is an AI vendor selling performance commitments to its own customers.
The pricing conversation will be driven by whichever product class produces the first significant claim. Until then, every rating plan is a judgment-based construct, and the right actuarial response is to document the judgment, disclose the uncertainty, and maintain the capital headroom needed for reserve volatility that could easily be one or two standard deviations beyond what the rating plan anticipates. That is what pricing two products on thin loss data looks like in 2026, and the actuaries doing this work well are the ones who can describe the uncertainty in a regulatory filing and a reserve certification without collapsing it to a false precision.
Sources
- Verisk, ISO Forms program (accessed April 2026)
- Verisk Newsroom archive on ISO CGL filings
- NAIC SERFF System Electronic Rate and Form Filing search
- Milliman, "Artificial intelligence regulation: Implications for insurance"
- EU Artificial Intelligence Act official text and guidance
- European Commission, AI Liability Directive proposal
- Munich Re, insureAI product page
- Coalition, cyber insurance product page
- Armilla AI, warranty and assurance program
- Vouch, technology errors and omissions coverage
- Carrier Management, executive viewpoints on AI and brokers (2026 coverage)
- Guidewire, blog coverage of AI in claims operations
- NAIC, Model Bulletin on the Use of Artificial Intelligence Systems by Insurers (December 2023)
- NAIC, Big Data and Artificial Intelligence (H) Working Group
- NAIC, Third-Party Data and Models (H) Working Group
- Vectara Hallucination Leaderboard
- Stanford CRFM, HELM benchmark
- NIST, AI Risk Management Framework
- ISO/IEC 42001 AI management systems standard
- Actuarial Standards Board, ASOP No. 56: Modeling
Further Reading
- NAIC AI Evaluation Pilot Launches Amid Industry Pushback – The twelve-state exam tool pilot and its four-exhibit structure for surfacing AI use and vendor dependencies in carrier operations.
- NAIC's Third-Party AI Vendor Registry Proposal – Why the Third-Party Data and Models (H) Working Group is pushing registration and what it means for carriers that use third-party audit or classifier vendors.
- Cyber Insurance 2026 – Cyber pricing, ransomware trends, and how cyber policy wordings are being stretched to address gen AI-adjacent risks such as prompt injection.
- The AI Governance Gap in Actuarial Practice – How ASOP No. 56 applies to AI systems and where practice standards fall short of current deployment realities.
- AI Regulation and NAIC 2026 – Broader regulatory context for the Model Bulletin, state adoption, and the trajectory toward a possible AI model law.
- NAIC Model Law Deliberation: How 33 RFI Responses Are Shaping Insurance AI Regulation – The vendor liability fault line and the path from bulletin to statute.