The AI industry spends big on lobbying. OpenAI’s CEO personally argued against safety regulations and transparency requirements. The industry’s message was consistent. Regulation will kill innovation. A patchwork of state laws will fragment compliance. Let us self-regulate.
They may have been fighting the wrong fight.
In January 2026, ISO (the Insurance Services Office; for readers outside the US, not to be confused with the International Organization for Standardization), the organization whose standardized forms underpin 82% of US property and casualty insurance policies, introduced two new endorsements. CG 40 47 excludes AI-related liability from bodily injury and personal injury coverage. CG 40 48 excludes AI-related personal and advertising injury. These are not proposals. They are live policy language that carriers can adopt immediately.
And they are adopting it. In the US, WR Berkley, Cincinnati Financial, Frederick Mutual, and Philadelphia Insurance have all filed their own AI exclusion wordings. Philadelphia Indemnity now excludes coverage for any claim involving generative AI-created content. Hamilton Select excludes any claim involving generative AI use, period. The same is happening elsewhere in the world.
This is what regulation looks like when it does not come from a legislature.
The mechanism is simple. Without liability insurance, a business cannot get a bank loan. Banks require it. Without a certificate of insurance showing adequate coverage, a business cannot become a vendor for any large enterprise. Procurement departments require it. Without coverage, a business in a regulated sector (banking, healthcare, manufacturing) cannot operate at all.
No amount of lobbying changes what an insurer writes into a contract. There is no congressional hearing, no public comment period, no executive order. An underwriter in Hartford or London looks at the risk, decides the price, and sets the terms. If the risk is too uncertain to price, they exclude it. Done.
We have seen this before. Cyber insurance is the template. In the early 2010s, companies treated cybersecurity as optional. Then insurers started requiring specific controls as conditions of coverage. Multi-factor authentication. Endpoint detection. Encrypted backups. Incident response plans. Companies that did not comply simply could not get insured. Within five years, the industry self-regulated, not because of any law, but because of a market mechanism that made noncompliance economically impossible.
The environmental liability precedent is even more dramatic. When insurers pulled coverage for asbestos-related claims in the 1980s, it effectively killed the industry. Companies that could not get insured could not operate. The market accomplished in a few years what regulators had struggled with for decades.
The EU adds a second front. The revised Product Liability Directive now extends strict liability to AI systems. Developers and importers are liable for harms without having to prove negligence. That liability has to be insured or absorbed. For most companies, absorbing it is not an option. They need coverage. And coverage now comes with conditions, or does not come at all.
Three things this means.
- First, in the US, stop watching Washington and start watching Hartford. In the rest of the world, figure out where the ISO equivalent sits. The regulatory action that will actually change your AI operations is coming from insurance underwriters, not legislators.
- Second, check your existing policies now. If your carrier has adopted the AI exclusions, your general liability coverage may already have a gap you have not noticed.
- Third, build governance before you are forced to. The cyber insurance playbook is clear. Companies that had controls in place before insurers required them got better terms. Companies that scrambled after the fact paid more, got less coverage, and lost contracts while they caught up.
The AI industry spent millions lobbying against regulation that legislators had not even written yet. Meanwhile, the regulation that actually matters was and is being written by actuaries.
Sources:
- ISO AI exclusion endorsements (CG 40 47, CG 40 48): Independent Agent/Verisk (2026)
- Carrier AI exclusion filings: Zelle Law (2026)
- Cyber insurance precedent: Stimson Center (2024), UCI Law
- EU Product Liability Directive: MIT/Harvard Digital Society Review
- AI lobbying spend: Nature (2024), MIT Technology Review (2025)
- Insurance as regulation mechanism: Modulos AI, NBC News
- Regulatory markets framework: Schwartz Reisman Institute, University of Toronto