The AI Insurance Gap and What It Means for Technology Contracts

A recent study by Gallagher Re, published in association with MIT and Testudo Global Inc., reveals a troubling reality for enterprises deploying artificial intelligence: traditional insurance policies are failing to cover AI-native liabilities, and the vendors supplying AI tools are structured to avoid bearing these risks. The Gallagher report, Smart Systems, Blind Spots: Rethinking Insurance for the AI Era, finds that the pace of AI adoption has outstripped the insurance industry's capacity to develop responsive products, leaving organizations exposed to a growing class of uninsured liabilities.

At the same time, the commercial insurance market is not merely lagging behind AI risk—it is actively beginning to retreat from it. Industry developments in 2025 and 2026 show insurers increasingly limiting or excluding coverage for AI-related losses, reinforcing the same structural gap identified in the Gallagher report.

For technology lawyers and commercial teams negotiating AI vendor agreements, this creates a critical question: When a vendor's contractual indemnification obligations lack adequate insurance backing, what is that indemnity actually worth?

The Gallagher study confirms what many technology lawyers already know: AI vendor contracts heavily favor vendors. Courts and regulators are increasingly treating AI-driven failures as the responsibility of the deploying business, not the technology vendor (though liability generally requires a showing of fault). The result is a market dynamic where the party with the least control over the underlying technology, the enterprise customer, is expected to absorb the downstream liability.

Standard AI vendor agreements include indemnification for third-party IP claims, but these protections are structurally limited. Most agreements cap total liability, including indemnification, at 12 months of fees. For an enterprise paying $100,000 annually, that means a $100,000 ceiling regardless of actual damages that could reach into the hundreds of millions.

Technology Errors & Omissions policies, the coverage most relevant to AI vendors, often exclude the very risks AI systems create: hallucination-related losses, IP infringement, and data disclosure through outputs. Coverage outcomes are jurisdiction- and policy-dependent, but when a vendor agrees to indemnify, it may have no insurance to fund that obligation.

Critically, enterprise customers cannot look to their own insurance policies to fill this gap. Tech E&O coverage is designed for vendors and suppliers of technology—companies providing technology services to their customers. An enterprise deploying an AI vendor's tool to serve its own customers or improve its own operations is not providing technology services; it is using someone else's technology. Its Tech E&O policy, if it has one, likely does not respond to claims arising from that deployment.

In 2025, the Insurance Services Office (ISO)—the primary developer of standardized policy forms for the U.S. property and casualty market—introduced optional generative AI exclusions for 2026 commercial general liability policies. These endorsements exclude coverage for “bodily injury,” “property damage,” or “personal and advertising injury” “arising out of generative artificial intelligence.” The definition of generative AI is notably broad, encompassing nearly any machine-based system capable of producing text, images, audio, video, or code.

This development is significant: insurers are not merely clarifying existing coverage; they are signaling that AI-related risks were never contemplated and may now be affirmatively carved out. Several major carriers have already adopted these exclusions or similar language, and parallel exclusions are emerging in other lines, including directors’ and officers’ liability policies. For example, some D&O forms now include optional exclusions for claims “arising out of” any use, development, or disclosure relating to AI, a formulation broad enough to capture governance failures, regulatory inquiries, and disclosure-based claims.

The breadth of these exclusions, particularly the “arising out of” standard, creates acute exposure in sectors such as healthcare, where AI is deeply embedded in clinical workflows, diagnostic tools, and medical devices. AI systems are now used for clinical documentation, imaging analysis, medication safety, and treatment recommendations—functions that directly implicate patient outcomes and liability risk.

Traditional enterprise insurance fares no better. Commercial general liability policies typically exclude technology-related professional services and increasingly contain AI-specific exclusions. Professional liability coverage for the enterprise's own industry—legal, medical, financial—may exclude claims arising from reliance on third-party AI tools. Cyber policies focus on data breaches and network security, not AI performance failures, hallucinations, or IP infringement. The result is that enterprise deployers face a coverage gap that makes vendor indemnities not merely preferable, but often their sole source of recovery.

Real-world incidents reinforce that this risk is not theoretical. Early AI-related failures demonstrate a recurring pattern: system-level errors rather than isolated malfunctions. Emerging claims data aligns with this pattern. Early reports indicate that one in five commercial insurers reported an AI-related loss in 2025, and only about half of those losses were fully covered. More than 200 active legal cases involving AI already implicate multiple coverage lines, including cyber, employment, product liability, and professional liability. These trends suggest that AI risk is both cross-functional and difficult to contain within traditional coverage silos.

This has practical implications for contract negotiations. First, the vendor's indemnity may be your only protection—unlike other vendor relationships where contractual indemnities serve as a backstop to your own insurance. Second, requiring certificates of insurance is insufficient; you must confirm that the vendor's coverage actually applies to AI-related claims and does not contain exclusions for hallucinations, IP infringement, or bias. Finally, recognize that most AI liability effectively sits on the enterprise's balance sheet unless contractual indemnities are both well-drafted and backed by a financially sound vendor with applicable insurance.

Enterprises should also be cautious about relying on additional insured status as a risk transfer mechanism. Being named as an additional insured on a vendor's policy only provides protection to the extent the underlying policy actually covers the loss. If the vendor's Tech E&O, CGL, or cyber policies exclude AI-specific risks—hallucinations, IP infringement, algorithmic bias, or AI-generated content claims—then additional insured status on those policies provides no meaningful protection against those very risks. This can create false comfort: the contractual requirement appears robust on paper, but when an AI-specific claim arises, the policy may not respond. Rather than treating additional insured status as sufficient protection, enterprises should focus on verifying the scope of the vendor's actual coverage and ensuring that indemnification obligations are adequately funded.

AI vendors also routinely disclaim performance warranties, leaving deployers without recourse when AI systems underperform or hallucinate. Deployers lack visibility into model training and reasonably resist accepting full responsibility for AI-generated harm, yet standard contracts place them in exactly that position.

From the vendor's perspective, aggressive limitation of liability provisions are essential risk management given the absence of adequate insurance. If a vendor cannot insure against AI-native liabilities, it will limit contractual exposure through sub-caps on indemnity obligations, consequential damages waivers that exclude the harms AI systems most commonly cause (reputational damage, lost profits, regulatory penalties), and performance warranty disclaimers.

For deployers, understanding that these provisions reflect the vendor's own uninsured risk position changes the negotiation calculus. The vendor is not merely seeking favorable commercial terms; the vendor is attempting to pass uninsurable risk downstream.

These dynamics are further complicated by regulatory uncertainty. In sectors, uneven oversight, particularly with respect to model updates, post-market monitoring, and real-world performance, has left both insurers and enterprises without a clear baseline for assessing risk or standard of care. Where risk cannot be reliably quantified, insurers tend to respond conservatively, favoring broad exclusions over tailored underwriting.

This does not mean the situation is static. Two important caveats apply. First, some legal questions remain unsettled, including how data protection rules apply to generative AI and whether training on copyrighted material constitutes infringement. Second, the insurance market is responding: standalone AI coverage is emerging, and some insurers have introduced AI-specific endorsements. But these products are new, uptake is limited, and many vendors have not yet obtained them.

For some organizations, particularly those with captive insurance structures, this environment presents both risk and opportunity. Captives may need to determine how AI-related claims will be treated, including decisions around capital allocation, underwriting criteria, and alignment with governance frameworks and reinsurance layers. Captives that proactively collect AI incident data and integrate governance expectations into coverage design will be better positioned to address gaps left by the commercial market.

Enterprise customers have more leverage than vendors typically acknowledge. The following practice tips can help you use it:

  • Before signing, require vendors to produce insurance certificates and confirm coverage for AI-native risks (hallucinations, output liability, IP infringement, algorithmic discrimination). If coverage is absent, you bear the risk that indemnification is unfunded.
  • Demand IP indemnification outside general liability caps. According to the Gallagher study, IP and copyright claims represent over 23% of GenAI litigation, making this a high-exposure area where you have legitimate grounds to insist on robust protection.
  • Make AI-specific insurance a contract condition. If the vendor cannot obtain adequate coverage, that signals something about the risk you are being asked to accept.
  • Carve out third-party claims arising from AI outputs from any consequential damages waiver. Without this protection, you may have no recovery for reputational harm, regulatory penalties, or lost business.
  • Reject blanket performance warranty disclaimers. You are entitled to know what the AI will do and to hold the vendor accountable when it fails. Insist on specific accuracy thresholds, service levels, or remediation obligations.

The importance of these steps is underscored by the litigation landscape. According to the Gallagher study, U.S. generative AI lawsuits exceeded 700 by early 2025, with filings up nearly tenfold since 2021. Year-over-year growth is accelerating, and legal exposure is expanding faster than regulatory or insurance frameworks can adapt.

The dominant claim categories (patent infringement, copyright, and personal injury) align with the coverage gaps identified above, reinforcing the need for contractual protections that do not depend on insurance.

AI vendor contracts allocate risk in ways that favor vendors. For technology lawyers, this creates both risk and opportunity.

On the risk side, standard vendor agreements may provide indemnification that is functionally illusory, capped at modest amounts and unsupported by insurance coverage. On the opportunity side, sophisticated commercial teams can differentiate by understanding these dynamics and negotiating protections accordingly.

The question is no longer whether AI will create liability, but whether contractual risk allocation will reflect the true distribution of recoverable damages when that liability materializes.
