AI Regulation Tracker / Insurance
ISO generative-AI exclusions take effect January 1, 2026, giving carriers a tool to exclude AI losses
Verisk's ISO has published standard endorsements that strip generative-AI losses out of commercial general liability coverage, while cyber carriers add AI sublimits. Any firm using AI should audit its policies and document governance before renewal.
The Insurance Services Office, the standard-forms arm of Verisk that publishes the policy language most US insurers build on, has released generative-AI exclusion endorsements that carry a January 2026 edition date. The forms let a carrier remove losses connected to generative AI from a commercial general liability policy. For any business that has folded AI into its operations without telling its insurer, the change closes a gap that used to work in the policyholder's favor.
From "silent AI" to explicit exclusion
Until now, most AI risk sat inside policies without being named. Insurers call this "silent AI," coverage that neither confirmed nor denied AI exposure and left the question to be argued at claim time. The new ISO endorsements end that ambiguity by naming generative AI directly. The forms define it as a machine-based learning system or model trained on data with the ability to create content or responses, including text, images, audio, video, or code. Once an insurer attaches the endorsement, the ambiguity that sometimes favored policyholders is gone.
What the three forms do
The endorsements are not identical, and the distinctions matter at renewal. CG 40 47 is the broad form. It excludes bodily injury, property damage, and personal and advertising injury arising out of, or attributable to, generative AI, reaching both Coverage A and Coverage B of the standard policy. CG 40 48 is narrower and removes only Coverage B, the personal and advertising injury grant that covers claims such as defamation and copyright infringement in advertising. CG 35 08 applies the exclusion to the products and completed operations coverage part. Commentators note that the "arising out of" language is broad and can apply even when generative AI is only one contributing factor to a loss, and even when the insured relied on AI indirectly through a vendor or consultant.
What it does not do
These are standard forms, not a mandate. ISO writes the language, but each carrier decides whether to attach an endorsement, to which policies, and on what terms. The forms do not automatically strip AI coverage from every policy on January 1, and they do not bar an insurer from offering affirmative AI coverage instead. What they do is give underwriters a ready tool to exclude, limit, or price AI exposure deliberately. The result is likely to be fragmentation, with coverage varying by carrier, industry, and how much the applicant can show about its own AI use.
The cyber market is moving in parallel
The shift is not limited to general liability. On the cyber side, carriers are reported to be capping AI exposure rather than excluding it outright. The Financial Times has reported that insurers including Beazley and QBE are introducing AI sublimits set near 10 percent of the overall policy limit. A sublimit of that size means a firm carrying, for example, a 10 million dollar cyber tower could see AI-related losses capped at roughly 1 million dollars, a ceiling that may sit far below the actual exposure from an AI-driven incident. The two paths, exclusion on the liability side and sublimits on the cyber side, point the same direction. Insurers are pricing AI as a named risk and shifting more of it back to the policyholder. A buyer who reads only the headline limit, and not the endorsement schedule and sublimit table, can walk away believing the firm is covered for an exposure the policy has quietly carved out or capped.
What risk managers should do now
The practical response is documentation, not alarm. A firm that can describe where it uses generative AI, what controls sit around it, and how it manages vendor AI is in a far stronger position at renewal than one that treats the subject as invisible. That means inventorying the AI tools in use across the business, including the ones embedded in software the firm licenses rather than builds, and recording who approved them and how their outputs are reviewed. It also means asking each carrier directly whether a generative-AI exclusion or sublimit will attach at renewal, and if so, whether affirmative coverage can be negotiated back in. The alternative is worse than a higher premium. Undocumented AI use can convert into a formal exclusion, a low sublimit, a steeper rate, or what brokers describe as a quiet no, coverage that appears intact on paper but fails when a claim tied to AI is filed. Reading the endorsement schedule before signing, and bringing written AI governance to the underwriting conversation, is now part of buying insurance.
Frequently Asked Questions
What changed with ISO and generative AI insurance?
ISO, part of Verisk, published standard endorsements with a January 2026 edition date that let insurers exclude generative-AI losses from commercial general liability policies. CG 40 47 is the broad exclusion across Coverage A and B, CG 40 48 limits it to Coverage B, and CG 35 08 applies to products and completed operations. Carriers choose whether to attach them.
Who is affected by this?
Any US business that carries commercial general liability or cyber coverage and uses generative AI, directly or through vendors. That reaches risk managers, insurance buyers, general counsel, CFOs, and brokers across most industries, since the endorsements sit in the standard forms that most US insurers use.
Does this mean my AI losses are automatically excluded now?
No. ISO writes the forms, but each carrier decides whether to attach an exclusion, to which policies, and on what terms. Some insurers may exclude, some may apply sublimits, and some may offer affirmative AI coverage. You have to read your own endorsement schedule to know what applies to your policy.
What are the cyber AI sublimits being reported?
The Financial Times has reported that carriers including Beazley and QBE are introducing AI sublimits near 10 percent of the policy limit. Rather than excluding AI outright, this caps how much of a cyber tower is available for AI-related losses, which can leave a large gap between the sublimit and the real exposure.
What single step should a risk manager take first?
Pull every current liability and cyber policy and check the endorsement schedule for a generative-AI exclusion or sublimit before the renewal date, then document where the firm and its vendors use AI so that governance can be presented to the underwriter.
Sponsored Training
Browse the full AI Regulation News tracker
Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.