Your Insurer Rewrote Your Cyber Policy While You Were Deploying AI

Organizations must now be able to answer this: How many AI tools are operating in your environment, what data can they access and who approved them?

Kiran Bhujle: Global Head of Cybersecurity at SVAM International Inc, teaches at Columbia University ERM program.

Picture this: A mid-market company gets hit with ransomware. The CISO files a claim for a seven-figure loss, well within the policy limit. Three weeks later, the carrier comes back with a denial. During forensic review, investigators found that employees had been feeding customer data into a GenAI tool through personal accounts, with no access controls, no inventory and no documentation that the company even knew it was happening.

The company had MFA and EDR on every endpoint. It had a written incident response plan and passed every traditional underwriting check. None of that mattered. The carrier denied the claim because the company couldn't demonstrate governance over its own AI use. That's the new fault line in cyber insurance, and most organizations are standing on the wrong side of it.

The insurance industry just rewrote the rules, quietly.

In January 2026, Verisk, the company whose standardized policy forms are adopted by carriers nationwide, released two new commercial general liability (CGL) endorsements: CG 40 47 and CG 40 48. These forms give carriers ready-made language to exclude AI-generated claims from standard CGL coverage. One excludes both bodily injury and advertising injury claims; the other narrows the exclusion to advertising injury only. Either way, the exit door is now built into the contract.

W.R. Berkley introduced what the industry is calling an "absolute" AI exclusion across its D&O, E&O and fiduciary liability products: language broad enough to bar coverage for any claim "arising out of" AI use, deployment or development. AIG and Great American have reportedly sought regulatory clearance for similar exclusions. On the other side of the market, carriers such as Coalition are issuing affirmative AI endorsements that clarify coverage for AI-related incidents. Even affirmative coverage, however, assumes you can demonstrate governance when the adjuster calls.

The message from both sides of the market is the same: If you can't prove you govern your AI, your policy has a gap in it. Whether an exclusion put that gap there or your own silence on the application did, the outcome at claim time is identical.

The numbers should keep you up at night.

A Delinea survey of more than 750 security leaders found that 42% of respondents said their cyber insurance policies already include exclusions tied to AI misuse or liability. CSO Online reported that carriers are now asking applicants directly how they use AI in their organization, what controls are in place, who is allowed to use it and whether it is an efficiency tool or a core part of the end solution offered to clients.

Most companies can't answer those questions because they don't know which AI systems are running in their own environments. The Netskope "Cloud and Threat Report 2026" found that 47% of surveyed GenAI users in enterprise environments still access tools through personal, unmanaged accounts. The IBM "Cost of a Data Breach Report 2025" found that organizations with high levels of shadow AI faced $670,000 in additional breach costs, because AI expanded the blast radius and delayed detection. The 2026 "Allianz Risk Barometer" confirmed the market's anxiety: AI risk jumped from No. 10 to No. 2 globally, the biggest change in the year's survey.

Regulators are tightening the same vise.

Colorado's revised AI Act (SB 189), signed into law May 14, 2026, and effective January 1, 2027, replaced the state's original prescriptive framework with a disclosure-focused model. Deployers of automated decision-making technology must still maintain records, provide consumer notices when automated decisions produce adverse outcomes and face enforcement by the state attorney general. New York's RAISE Act, signed in late 2025 and amended March 27, 2026, grants NYDFS rulemaking authority over AI safety; that is the same regulator that shaped cybersecurity standards for the financial sector.

Underwriters read regulatory calendars. They're adjusting faster than most companies are preparing.

What should you do before your next renewal?

1. Build the AI inventory. For every AI tool, every SaaS product with embedded AI and every internal model, document what data it can access and who approved it. This is now the MFA of AI governance: the baseline without which nothing else counts.

2. Align to NIST AI RMF. No single law mandates it, but underwriters increasingly treat it as the benchmark for AI governance maturity, and Colorado's AG rulemaking process may yet incorporate recognized frameworks into its enforcement guidance. Don't invent your own framework.

3. Update your vendor questionnaires. Add AI-specific questions about data handling, model training and subprocessor use. Your vendor's AI is your governance problem. When the carrier or regulator asks who approved the tool and what due diligence was performed, "our vendor handled it" isn't an answer.

4. Run an AI tabletop exercise. Carriers are now asking when you last tested your incident response plan and whether AI-specific scenarios were included. An untested plan is an uninsurable plan.

5. Enforce your AI use policy with evidence. The policy PDF isn't proof. Training records, access logs and exception documentation are what underwriters want to see.

The question your board should be asking.

Most organizations I work with, across industries, can't answer the first question an underwriter will now ask: How many AI tools are operating in your environment, what data can they access, and who approved them? If you can't produce that answer at the time of the claim, the carrier has documented grounds for denial. If you can't produce it at the time of renewal, you may not get renewed at all.