Cyber insurance for AI startups: what it covers and what it doesn't
In-depth analyses of real-world cyber incidents and emerging threat trends, authored exclusively by our analysts.
Most startups buy cyber insurance, tick the box, and assume they are covered if something goes wrong with their AI product. For a growing number of AI companies, that assumption is becoming dangerously wrong. The insurance industry is in the middle of a significant shift in how it treats AI risk, and if you have not looked closely at your policy recently, there is a real chance it excludes exactly the kind of claim your AI product is most likely to generate.
This article explains what cyber insurance typically covers for an AI startup, what it increasingly does not, why that gap is opening up right now, and what to actually do about it. It is not legal or insurance advice, and coverage genuinely varies by policy and insurer, so the practical next step at the end matters as much as the explanation.
What cyber insurance generally covers
Cyber insurance was built to respond to data breaches and cyber attacks, and for the core scenario it is still designed for, it remains valuable. A typical policy provides support for things like the costs of investigating a breach, notifying affected customers, legal and regulatory costs, and business interruption following an attack. If your AI product suffers a conventional data breach, a compromised database, a ransomware attack, a hacked account, cyber insurance is generally the right place to look, and most insurers continue to affirm coverage for these AI driven or AI adjacent attacks.
Alongside cyber, AI startups typically also carry a handful of other policies worth knowing about, because AI specific claims can fall between them. Technology Errors and Omissions, often shortened to Tech E&O, covers claims that your product failed to perform as promised or caused a client financial harm. Directors and Officers insurance protects your leadership personally, and is often a hard requirement once you bring on investors or senior hires. General liability covers broader third party harm claims.
What it increasingly does not cover, and why
Here is the part that has changed recently and that most founders have not caught up with. Insurers are moving quickly to explicitly exclude AI related claims from standard policies, rather than leaving the question ambiguous. In the United States, the body that drafts standard policy language for much of the market introduced new endorsements in 2026 specifically designed to let insurers exclude claims tied to generative AI outputs from general liability policies. Multiple major carriers adopted similar exclusion language across general liability, and increasingly in directors and officers and professional liability policies too.
The practical effect, even outside the US market, is a broader industry signal worth taking seriously. Insurers globally are recognising that AI introduces a category of risk they historically priced without meaning to, sometimes called silent AI exposure, in the same way cyber risk once sat unpriced inside general policies before a dedicated cyber insurance market emerged. The direction of travel is the same everywhere. Ambiguous, silent coverage is being replaced by explicit exclusions first, followed later by separate, affirmatively priced AI coverage. UK and European insurers are watching this shift closely and beginning similar reviews, even if the exact policy language differs from the US forms.
The kinds of AI specific claims most likely to fall into this gap include the following.
- Prompt injection incidents, where a manipulated AI discloses data or takes an unintended action. It is unclear under many traditional policies whether this counts as a breach at all, since no conventional hacking occurred.
- Harmful or inaccurate AI outputs, such as a hallucinated answer a customer relied on, which can sit awkwardly between cyber, Tech E&O, and general liability, with each policy potentially pointing to the others.
- Discriminatory or biased AI decisions, for example in hiring, lending, or pricing tools, which increasingly carry regulatory exposure under laws like the EU AI Act as well as liability exposure.
- Claims arising from a third party model provider's behaviour, where the failure originates in a model you did not build but relied on.
The uncomfortable truth is that many founders are carrying policies that were adequate for a pre AI product and have not been reviewed since AI became central to what they sell. Coverage that exists in principle but is untested against an AI specific claim, or explicitly excluded, provides little real protection when a claim actually arrives.
What to actually do about it
You do not need to panic, but you do need to check, and it takes less effort than most founders assume.
- Review your existing policies for AI exclusions. Ask your broker directly whether your general liability, Tech E&O, cyber, and D&O policies contain any AI related exclusion or narrowing language, since it is increasingly common and not always obvious on a first read.
- Ask specifically about prompt injection and AI output claims. Do not accept a general assurance that you are covered. Ask how the policy would respond to the specific scenarios above, because that is where the real gaps tend to hide.
- Consider affirmative AI coverage where it exists. A small but growing number of insurers now offer AI specific endorsements or standalone AI liability products built for exactly this gap, and for an AI dependent business the cost is often modest relative to the exposure it closes.
- Understand that good security is what makes you insurable. Insurers are increasingly underwriting AI risk based on the controls a company actually has in place. Being able to show you test your AI product for prompt injection, that you log agent behaviour, and that you have a genuine security programme is becoming the difference between being quoted a fair price and being declined or excluded outright.
Why this connects to more than your insurance bill
This is not only a finance and insurance question. Enterprise buyers are starting to ask about your insurance position as part of their due diligence, alongside your security certifications, precisely because they understand the exposure an AI vendor carries. Investors are asking similar questions, since a gap in coverage is a gap in the company's own risk management that reflects on the team's maturity more broadly.
The connection to your underlying security work is direct. An insurer's willingness to affirmatively cover your AI risk, and the price they charge for it, both depend on your ability to demonstrate real controls, testing, and evidence, not just a policy on paper. The startups that have actually tested their AI product against the specific ways it can fail are the ones best placed to secure meaningful coverage, at a reasonable price, when the rest of the market is tightening.
The honest takeaway
Cyber insurance still matters for an AI startup, but it is no longer safe to assume your existing policy covers the risks your AI product actually creates. The market is moving quickly toward explicit AI exclusions, echoing exactly how the cyber insurance market itself developed a decade ago, and the gap is opening faster than most founders have noticed.
Talk to your broker specifically about AI exclusions and AI specific coverage, not just cyber cover in general. And treat the underlying security of your AI product as part of the same conversation, because the strength of your controls increasingly determines whether you can get covered at all, and what it costs when you do.
Want your AI security posture to hold up to a buyer, or an insurer?
Book a free review and we'll show you where your AI product is genuinely exposed.
AI Security Insights
Cyber insurance for AI startups: what it covers and what it doesn't
Most startups buy cyber insurance, tick the box, and assume they are covered if something goes wrong with their AI prod…
Read articleSecurity questions investors ask AI startups before they invest
Most conversations about AI security focus on enterprise buyers, and for good reason, since that is where security most…
Read articleAI red teaming: what it is and how it differs from a normal pentest
If you have started researching security testing for your AI product, you have likely run into two terms that sound sim…
Read articleModel theft and IP protection: can someone steal your fine-tuned model
You have spent months and a meaningful amount of compute fine-tuning a model on your proprietary data, your domain expe…
Read articleMore insights, delivered monthly
Get the latest insights on AI security and compliance.

