- ep 13
- 9 min read
- May 6, 2026
AI Just Got Carved Out of the Commercial General Liability Policy, and Almost No One Noticed
Hosted by Katie Dowson and Grace Schmidt, with guest Marek Suscak
Three of the largest carriers in the country just won approval to walk away from a major category of commercial risk, and it has barely been covered in the news. This month Chubb, Berkshire Hathaway, and Travelers all got the green light from state regulators to start excluding AI related damages from the standard commercial general liability policy. On this episode of The Advocate Insurance Desk, hosts Katie and Grace broke down what is being quietly removed, brought in Advocate's head of infrastructure and security to give the operator's view, and landed on a simple rule: visibility first, coverage second.
Key takeaways
- AI exclusions are clearing fast. Chubb, Berkshire Hathaway, and Travelers have regulator approval to exclude AI related damages from standard commercial general liability (CGL) coverage, and more than 80% of these filings are reportedly getting approved.
- The standard-form machinery is moving too. ISO, the body whose policy language most carriers follow, released two AI exclusion endorsements that went live on January 1, so this is becoming a market default, not a one-off.
- This is the cyber insurance playbook again. A new risk emerges, loss data is hard to model, carriers carve it out, and most buyers do not notice until they have an uninsured claim.
- Almost every business is exposed. A property manager using AI for tenant communications, a firm using AI in deal analysis, a broker generating quote summaries: all of them can be touched, even if they do not think of themselves as an AI company.
- The fix is not broader CGL coverage. Carriers are not going to add AI back. The answer is visibility into your exposure, then specialty coverage (tech errors and omissions, cyber, standalone AI policies) matched to how you actually use AI.
What did the carriers actually get approved to do?
Quick level set first. Commercial general liability, or CGL, is the foundational policy almost every business in the country carries. It responds when someone sues your business for things like bodily injury, property damage, or advertising injury. It is the baseline. What these carriers are doing is taking AI related claims out of that baseline.
The practical effect is broad. As Katie put it on the show:
If your company uses an AI tool and that tool causes harm, whether that is an output that defames someone, infringes on intellectual property, or gives bad advice to an employee, your standard CGL policy may not respond anymore.
This is not aimed only at the AI labs. The carriers are not just walking away from coverage for the model builders. They are walking away from coverage for any business using AI to make decisions or generate content. If you are a property manager using an AI tool to draft tenant communications, you are exposed. If you are a firm using AI in deal analysis, you are exposed. If you are a broker using AI to build quote summaries or pitch decks, you are exposed.
Why is this moving so fast?
Speed is the part that should get attention. In less than four months, these AI exclusions went from brand new to regulator approved to in use by the biggest insurers in the country. For an industry famous for its glacial pace, where coverage shifts usually play out over years rather than months, that is striking.
Two things are driving it. First, the carrier filings themselves, clearing regulators at a high rate. Second, the standard-form layer: ISO, which writes the policy language most carriers build from, released two new AI exclusion endorsements that went live on January 1. When the standard forms move, the whole market tends to follow. The fact that so many carriers are already filing their own versions tells you how worried the market is about AI as a risk category.
To be fair to the carriers, this is not unreasonable. The risk is real, the loss data is genuinely hard to model, and reinsurance does not yet have a clean way to handle the kind of aggregated AI losses that keep underwriters up at night: one AI system failing and triggering thousands of losses at once. Chubb, for its part, has said it will still handle individual AI claims on a case by case basis. The decision is defensible from the carrier's side. It is a lot less comfortable from the insured's side.
What does this look like from inside a company that runs AI?
Katie and Grace can talk about the insurance side all day, but neither sits in the seat deciding which AI tools a business actually deploys. So they brought in Marek, Advocate's head of infrastructure and security, who makes exactly those calls: what AI tools the company runs, what data those tools can touch, and which integrations get approved. He is the kind of decision maker these exclusions are aimed at.
His first reaction was that none of this was surprising. He framed it as the cyber insurance story repeating:
We have been watching the cyber playbook for years, and this is that same movie running a second time.
On the aggregated-risk fear, he agreed it maps to real-world events. He pointed to the wave of software supply chain attacks that hit the tech world late last year, including one that spread through a widely used package library: a compromised component could update silently inside a developer's tools and quietly exfiltrate credentials, with no deliberate action by the victim. One weakness, many losses, hard to contain. That is the shape of exposure underwriters are now pricing for.
He also made a sharper governance point that operators can act on immediately. Before granting any AI tool access to a system, his team asks what data that system holds and how broad the tool's access would be. He described declining an internal request to give an AI assistant access to a calendar and email account, because that account also touched sensitive operational documents, and read versus write access changes the risk profile entirely. His standing line, only half a joke, is that good security is supposed to be a little bit annoying. If it is annoying, it is doing its job.
What should operators actually do on Monday morning?
Marek's practical list was refreshingly unglamorous, and it starts before insurance. Inventory where AI is actually being used across the business, then audit what each of those tools can access and whether that access is read only or write enabled. Most companies cannot cleanly answer the simple question of where AI lives in their operations, and you cannot evaluate a risk you cannot see.
Grace tied it back to coverage:
You cannot evaluate any of your AI risk until you can answer one question: where is AI actually being used in your company? The smallest tool can create the largest exposure.
That is the whole reason the exclusions are dangerous. AI usage is harder to inventory than a discrete event like a workplace injury or a security breach, because it is scattered across tools the business never built. And the exclusions are broad: defamation from an AI output, IP infringement from AI generated content, even physical damage you could trace to an AI error can all be carved out of a CGL policy. The result is a buyer who does not know what they are exposed to, working with a broker who often cannot say either, because the answer depends entirely on how that specific client uses AI.
How do you fill the gap if you cannot just buy the coverage back?
You do not get it back inside the CGL policy. That coverage is not coming back, and waiting for it is the wrong plan. What tends to happen instead is what happened with assault and battery, and again with cyber: once a risk gets carved out of the baseline, the market spins up new, purpose-built product lines to cover it. Expect the same pattern for AI.
In the meantime, the gap gets filled with a combination of specialty products rather than one catch-all policy. The candidates discussed on the show were technology errors and omissions (a form of professional liability insurance), cyber, and the standalone AI policies now starting to appear. A quick caution on instinct: an umbrella policy is not the answer here. An umbrella sits over the underlying coverages, so if the loss is excluded underneath, the umbrella does not magically reach down and cover it. The right combination depends on the AI inventory you just did.
This is also where the broker's role expands rather than shrinks. A broker who is only shopping the CGL policy at renewal is not doing the job this market now requires. The valuable work is year round: running a coverage gap analysis, identifying which exclusions actually apply to a given client, and assembling the specialty policies that close the gaps. Not every broker is set up for that, and the buyers who are best served right now are the ones whose broker is tracking how carrier policy language is shifting underneath them.
The bigger pattern: the terms are the coverage
The thread running through this episode is the one the show keeps returning to. The headline number on your declarations page is not your coverage. The terms are your coverage, and in this case the terms just changed for an entire new category of risk, largely in silence. There has been little press on these carve-outs, which means a business can carry a CGL policy, assume it is covered for an AI related claim, and only discover the exclusion when the claim is denied.
The declarations page can say one thing while the actual coverage says another, and most buyers will not know the difference until they have a claim.
That gap, between when a carve-out happens and when a buyer notices, is exactly where the exposure sits. The carriers have moved fast, the approvals are clearing, and the risk is now sitting on the buyer's side of the table, mostly unannounced. The buyers who come through this well will be the ones who get visibility first and build coverage second.
FAQ
Didn't find your answer?
If you couldn't find the answers you need, feel free to reach out to the host.
