
Your cyber underwriter is starting to ask about AI.

Six question categories now appearing in 2026 mid-market cyber submissions, mapped to the 10-Layer AI Governance framework. Operator-grade brief, free, anchored on Marsh / Aon / Lockton / NYDFS citations. The answer you'd give if you wanted your broker to take you seriously.


Free. No email required. The framework belongs to you whether or not you ever work with JieGou.

§1 — Why this matters now

Underwriters are formalizing AI questions. Insurers are launching affirmative AI coverage. Regulators are requiring AI oversight.

The structural change happened between mid-2024 and early 2026. Four named broker firms publicly identify AI as a 2025-2026 underwriting focus. Carriers (Coalition, AXA XL, Cowbell) are launching affirmative AI coverage endorsements — which means they've formalized the questions that price the coverage. ISO CGL forms CG 40 47/48/35 08 went live January 2026 with 80%+ state regulator approval, adding AI exclusions to commercial liability; cyber lines are reportedly next.

In parallel, regulators have moved. NYDFS issued an October 2024 Industry Letter on AI cybersecurity requiring Senior Governing Body oversight. The NAIC Model Bulletin on AI Use by Insurers has been adopted by 24 states as of 2026. The Lloyd's Market Association launched an AI Adoption Toolkit. The EU AI Act creates downstream pressure on any organization with EU operations. Regulatory pressure on insurers becomes underwriting-question pressure on insureds — that translation is now load-bearing.

What we can credibly say today: documented AI governance maturity is becoming a stated underwriting factor at mid-market scale, attributed to named brokers and regulators. What we cannot say: any specific premium-reduction number tied to vendor-specific frameworks. The brief is structured to give you the defensible answer surface without the overclaim.

§2 — Six AI underwriting question categories (2026)

What carriers are asking. Synthesized from Aon, Marsh, Lockton, WTW, Coalition public materials + NYDFS framework.

1. AI Use Inventory & Acceptable-Use Policy

Sample question: Do you have a written AI acceptable-use policy? Are employees trained on it?
Asked by: Coalition, Cowbell, mid-market questionnaires
10-Layer coverage: Layer 7 (Compliance) + Layer 1 (Identity & Access — technical enforcement)
Why this matters: Shadow AI exclusion language emerging in 2025-2026 — unauthorized AI use can be treated as gross negligence if no written policy exists.

2. AI Governance Framework & Senior Oversight

Sample question: What governance framework do you use? Who in your organization owns AI governance at the senior level?
Asked by: Aon, Lockton, NYDFS-regulated carriers
10-Layer coverage: Layer 7 (Compliance) + Layer 9 (Observability) + Layer 10 (Incident Response)
Why this matters: Lockton (Dec 2025): "Underwriters are scrutinizing board and senior management oversight of AI governance."

3. Access Controls & Per-Agent Identity

Sample question: Do AI agents have separate identities from human users? Is SSO/SAML configured for your AI tooling?
Asked by: All major carriers in 2026
10-Layer coverage: Layer 1 (Identity & Access) + Layer 6 (Tool Governance)
Why this matters: Per-agent identity makes audit reconstruction possible. Without it, "the AI did it" collapses into a single audit subject and breach forensics break down.

4. Audit Trail & Evidence Emission

Sample question: Can you produce an audit trail for any AI-driven decision? Can you export evidence to your SIEM?
Asked by: Coalition, At-Bay, all carriers post-2024 incident wave
10-Layer coverage: Layer 2 (Audit Trail) + Layer 9 (Observability)
Why this matters: Post-breach, the claims process turns on "what did the AI do, when, on whose authority, with what data?" Carriers underwrite the answer, not just the existence of logging.

5. Vendor Risk & LLM Provider Register

Sample question: Do you maintain a vendor risk register for AI providers? What's your exit strategy if a primary provider becomes unavailable?
Asked by: Lloyd's, NYDFS Industry Letter Oct 2025 emphasis
10-Layer coverage: Layer 5 (Model Governance) + Layer 3 (Data Governance) + Layer 10 (Incident Response)
Why this matters: Lloyd's (2025): high concentration of insurers using the same cloud providers + similar LLMs is an operational resilience concern. The corollary: carriers ask insureds about provider diversity + exit plan.

6. Incident Response & Exclusion-Language Risk

Sample question: Do you have an incident response plan covering AI-specific failures? Have you tabletop-tested an AI-related scenario in the last 12 months?
Asked by: All carriers; especially urgent for orgs in regulated industries
10-Layer coverage: Layer 10 (Incident Response) + Layer 4 (Human Oversight) + Layer 8 (Cost Controls)
Why this matters: ISO CGL forms CG 40 47/48/35 08 went live Jan 2026 with 80%+ state approval — AI exclusions in commercial liability. Cleanest defense is documented AI-specific IR.

Full answer templates for each category in the brief §4.

§3 — What named brokers and regulators are publicly saying

Seven citations underpin this brief. Operator-honest sourcing, not vendor marketing.

"Underwriting reviews are now sharply focused on control maturity, vendor dependencies, AI use, and privacy practices."

Aon, cyber & E&O market commentary, 2026.

"Underwriters are focusing more on AI exposures and have had to adapt how they underwrite to AI exposure, trying to better understand how insureds utilize AI by asking a broader range of questions."

Marsh, Q4 2024 US Cyber Market Update.

"Underwriters are scrutinizing board and senior management oversight of AI governance. Insurers are not only asking questions about documented policies regarding AI usage but also innovating around AI and clarifying policy language."

Lockton, December 2025 Cyber Market Update.

"The Senior Governing Body... exercise[s] oversight of cybersecurity risk management, and regularly receive[s] and review[s] management reports about cybersecurity matters (including reports related to AI)."

NYDFS, Industry Letter Oct 16, 2024.

"Underwriting questions evolved from 'Do you use AI?' to 'What models are you currently utilizing? How did the business decisions get made to utilize these models? What checks and balances are in place?'"

Insurance Business, AI risk era for cyber, 2026.

"AI may heighten cyber security risks and pose challenges in terms of professional and product liability... [there is] potential increased risk to operational resilience because of the high concentration of insurers using the same cloud providers and similar Large Language Models."

"Coalition's Affirmative AI Endorsement introduces important clarity around how incidents are covered when AI is involved."

Coalition, Affirmative AI Endorsement announcement, March 2024.

§3.5 — The AI exclusion landscape (2026 filing-verification update)

Two distinct AI exclusion styles. Carriers conflate them in marketing; you can't afford to in your renewal preparation.

Style A — ISO narrow exclusion

CGL line, generative AI only

ISO forms CG 40 47, CG 40 48, CG 35 08 — effective January 1, 2026 multistate. Used by hundreds of US carriers via ISO licensing.

Definition: "machine-based learning system or model that is trained on data with the ability to create content or responses, including text, images, audio, video, or code."

  • CG 40 47: Coverage A (BI/PD) + Coverage B (P&AI) — broadest CGL
  • CG 40 48: Coverage B only (P&AI)
  • CG 35 08: Products / Completed Ops only

Triggers only when the loss arises from generative output. Predictive AI, recommendation systems and fraud detection are arguably outside its scope.

Style B — Berkley "Absolute" exclusion

D&O / E&O / Fiduciary, ALL inference-based AI

WR Berkley form PC 51380 00 (06-24) — filed in Connecticut and rolling state-by-state. Materially broader than ISO.

Definition: "any machine-based system that... infers... predictions, content, recommendations, or decisions..."

  • Use, deployment, development of AI
  • Chatbot statements + virtual agents
  • Inadequate AI policies / training
  • AI-related regulatory disclosures
  • AI-incorporated products + services

Captures non-generative inference: algorithmic credit-scoring, recommendation systems, decision-support — even without any GenAI involved.

Verbatim from verified state filings:

"A. This insurance does not apply to: 'Bodily injury' or 'property damage' arising out of 'generative artificial intelligence'. B. This insurance does not apply to: 'Personal and advertising injury' arising out of 'generative artificial intelligence'."

ISO CG 40 47 01 26 (broadest CGL form; both Coverage A + Coverage B). Verbatim via PropertyCasualty360 / FC&S Bulletins.

"This insurance does not apply to: 'Personal and advertising injury' arising out of 'generative artificial intelligence'."

ISO CG 40 48 01 26 (Coverage B only) © Insurance Services Office, Inc., 2025. Verbatim via sample PDF.

"The Insurer shall not be liable to make payment under this Coverage Part for Loss on account of any Claim made against any Insured based upon, arising out of, or attributable to: (1) any actual or alleged use, deployment, or development of Artificial Intelligence by any person or entity..."

WR Berkley PC 51380 00 (06-24), "Artificial Intelligence Exclusion (Absolute)." Verbatim via Hunton-hosted PDF.

"Organizations today do not need to panic that their coverage is in a position to deny an AI-related claim if it's for something that is already traditionally intended to be covered by the policy."

Coverage-line bifurcation — what's at risk where:

Insurance line | AI exclusion status | Confidence
CGL Coverage A (BI/PD) | ISO CG 40 47 / 35 08 — narrow, GenAI only | High
CGL Coverage B (Personal & Advertising Injury) | ISO CG 40 48 — narrow, GenAI only | High
CGL Products / Completed Operations | ISO CG 35 08 — narrow, GenAI only | High
D&O / E&O / Fiduciary | Berkley PC 51380 "Absolute" — broad, all inference-based AI | High
Management Liability (private company) | Berkley + Hamilton Select pattern; comparable exclusions emerging | Medium
Cyber | Moving OPPOSITE direction — affirmative AI coverage extensions (Coalition / Cowbell / AXA XL / QBE); draft sublimits (Beazley + QBE) NOT YET BOUND on in-force policies. No US cyber AI exclusion form publicly identified. | High (negative finding)

The under-discussed angle

Definition arbitrage risk

ISO defines AI narrowly (creates content/responses). Berkley defines AI broadly (any system that infers predictions/recommendations/decisions). The same underlying AI system could be covered under your CGL renewal and excluded under your D&O renewal. An algorithmic credit-scoring model with no GenAI component would probably be outside ISO scope but inside Berkley scope. CIOs + General Counsel should compare exclusion definitions across all relevant lines — not just within a single line.

What this means for your renewal preparation:

  1. Identify your insurance lines specifically. CGL, D&O, E&O, Fiduciary, Cyber, Crime — each may have different exclusion exposure.
  2. Ask your broker for the AI exclusion endorsement(s) on file. Carriers often quietly attach these at renewal without flagging them. Request form numbers + verbatim text.
  3. Compare definitions across lines. If your D&O carrier uses Berkley-style "Absolute" language, your exposure differs materially from an all-ISO-language stack.
  4. Inventory your AI footprint by line. GenAI → ISO exposure. Predictive ML (scoring, recommendation, classification) → Berkley-style exposure.
  5. For management liability: if you use ML for any decision-influencing function (credit, hiring, claims adjudication), get the Berkley-style definition into the conversation early. Buying down or negotiating the exclusion is cheaper than discovering it during a claim.
  6. Document AI governance maturity. Even when exclusions are filed, demonstrable governance can sometimes get the exclusion modified or buy-down terms offered.

Full §3.5 with all verbatim quotes, additional carriers (AIG / Great American / Philadelphia Indemnity / Hamilton Select), and detailed sourcing in the brief (PDF) or markdown source. Companion essay: Two kinds of AI exclusion — and the one your CGL renewal won't tell you about.

§4 — What we do NOT claim

Operator-honest exclusion list.

  • We do NOT claim our framework reduces your premium by X%. No insurer publicly offers vendor-specific governance discounts as of May 2026. Premium impact depends on carrier, broker, full risk profile, and claims history.
  • We do NOT claim our framework guarantees coverage adequacy. AI exclusions are appearing in commercial liability and reportedly in cyber lines; documented governance helps avoid the worst tier but does not guarantee a specific coverage level.
  • We do NOT claim carrier-side endorsement. Some carriers may treat our framework as adequate documentation; others may insist on their own self-assessment tool. The framework's value is independent of carrier endorsement.
  • We do NOT recommend dropping any controls you already have. Adopting the 10-Layer framework is additive to existing SOC 2 / ISO 27001 / HIPAA / PCI-DSS programs.
  • We do NOT promise the questionnaire shape will be stable. This brief reflects the 2026 question landscape; v2 will follow when meaningful changes emerge.

These boundaries protect both sides. If a vendor claims a specific premium discount tied to their governance product, ask them which carrier publishes that discount tier in writing.

§5 — Three engagement paths

All free. The framework belongs to you regardless of whether you ever work with us.

Path A

Run it yourself

Download the brief. Use the answer templates for your next renewal. Cross-reference the 10-Layer framework for the deeper baseline. We don't need to hear about it.

Path B

45-min walk-through

30-min discovery + 15-min brief walk-through. We'll review your specific renewal context (carrier, broker, current submission stage) and identify gaps + quick wins. No sales pitch.

Path C

Broker advisory

If you'd like us to talk directly with your broker about your AI submission, email partnerships@jiegou.ai with broker name + renewal timing. We'll join the packet-prep call as technical advisor — no fee, no commitment.


§5.5 — When the free paths aren't enough

Renewal-Prep Engagement — broker-ready documentation in 3-4 weeks.

Discrete, fixed-fee, calendar-anchored. For CIOs / CISOs / Risk leaders with a cyber renewal 60-180 days out who need operator-grade documentation before their broker assembles the packet. Not a 90-day Phase 1 — a focused 3-4 week engagement producing the Carrier-Readiness Packet you hand to your broker.

Tier 2a — Single-line review
$15K fixed fee

3-4 weeks · 50/50 payment

  • One specific renewal in window (cyber OR D&O, not both)
  • Single carrier per line
  • Single AI footprint to document
  • Suitable for $50M-$200M revenue customers

Best for first-time engagement; narrower AI deployment.

Tier 2b — Multi-line review
$25K fixed fee

3-4 weeks · 50/50 payment

  • 2+ insurance lines in scope (typical: CGL + D&O + Cyber + E&O)
  • Multiple carriers across lines
  • Cross-line exposure analysis (ISO narrow vs Berkley broad definition arbitrage)
  • Suitable for $200M-$1B revenue customers

Best for mature AI deployment; multiple lines renewing in proximity.

What's included

  • Existing submission packet review against the 6 AI question categories
  • 10-Layer Governance Assessment facilitated with your team (2-3 sessions)
  • Exclusion exposure matrix across your insurance lines
  • Customer-specific AI section answers (using the templates in §4 of the brief)
  • AI vendor risk register snapshot (from your existing procurement records)
  • Carrier-Readiness Packet deliverable (12-18 pages, PDF + markdown, customer-branded if requested)
  • Optional 45-min joint session with your broker (Path C)
  • 30-day post-delivery check-in (no fee)

What's NOT included

  • Implementing remediation (separate Phase 1 Operations Partner engagement)
  • Direct carrier negotiations (broker territory; we equip them)
  • Insurance brokering or policy placement (we're not licensed producers)
  • Legal review of policy language (counsel territory)
  • Audit-trail engineering or hash-chain implementation
  • Long-term operating relationship (Phase 1+ territory)
  • Premium reduction guarantees — no insurer publicly offers vendor-specific governance discounts. Premium impact depends on your full risk profile, carrier, broker, and claims history. We provide documentation, not pricing outcomes.

Pricing-impact discipline: Tier 2 Renewal-Prep Engagement produces documentation supporting your cyber insurance underwriting submission. JieGou does not guarantee, predict, or claim responsibility for premium impact, coverage modifications, exclusion negotiations, or carrier acceptance of any specific framework. Premium and coverage outcomes depend on your full risk profile, claims history, broker relationship, and carrier discretion. No insurer publicly offers vendor-specific governance discounts as of May 2026.


Mention your renewal timing on the discovery form. If you're 60-180 days out, we'll quote Tier 2 within 48 hours. If not, we'll recommend the right path for your situation — could be the free walk-through, broker advisory, or a different conversation entirely.


Free, no email required. 10-Layer framework belongs to you regardless of whether you ever work with JieGou. The brief is the document we'd want to have on the desk if we were in your renewal position.