AI assistant — not human

Enterprise governance + technical controls + evidence pack that AI-specific cyber liability insurers require before writing coverage. NIST AI RMF + ISO 42001 mapped. EPC Group practice launched July 2026.
Last updated July 9, 2026 by Errin O'Connor, Founder & Chief AI Architect, EPC Group
AI insurance readiness is the enterprise governance + technical + evidence discipline required for AI-specific cyber liability coverage. Seven control domains: governance framework, inventory + classification, data governance, model + provider governance, human-in-the-loop controls, monitoring + incident response, evidence documentation. Six 2026 drivers: traditional cyber policies excluding AI, EU AI Act enforcement, board oversight requirements, insurer market growth ($8-$15B by 2027), Copilot deployment scale outpacing governance, first-wave AI liability lawsuits. EPC Group AI Insurance Readiness practice launched July 2026 as productized fixed-fee service.
AI insurance readiness is the set of enterprise governance controls, technical safeguards, incident response capabilities, and evidence documentation that AI-specific cyber liability insurers require before writing or extending coverage. As AI systems create new risk surfaces (data leakage via Copilot, model hallucination liability, IP infringement risk in generated content, algorithmic bias claims, autonomous agent decision liability), traditional cyber policies exclude AI-related incidents from coverage. AI insurance readiness is the discipline of building + documenting the controls that make an enterprise insurable for AI risk. Similar to how SOC 2 or ISO 27001 evolved as insurability benchmarks for traditional cyber, AI insurance readiness is emerging as the standard for AI-era cyber coverage. EPC Group's AI Insurance Readiness practice launched July 2026 as a productized service to help enterprises achieve insurability status before AI incidents occur.
Seven control domains AI insurers currently require or evaluate: (1) Governance framework — documented AI governance policy, approved by executive committee, mapped to NIST AI RMF or ISO/IEC 42001. (2) Inventory + classification — complete inventory of all AI systems in use (approved + shadow) with risk classification (low / medium / high / prohibited use cases per EU AI Act tiers). (3) Data governance — Microsoft Purview or equivalent for AI-accessible content, sensitivity labels enforced, DLP for AI system prompt + response, retention on AI conversations. (4) Model + provider governance — approved AI provider list, contractual protections, data residency confirmations, model risk assessments. (5) Human-in-the-loop controls — approval workflows for high-risk AI decisions, override capabilities, appeal processes. (6) Monitoring + incident response — AI-specific incident detection, tabletop exercises for AI incidents, escalation paths, forensics capability. (7) Evidence documentation — auditable evidence pack demonstrating operating effectiveness of each control across 6-12 month period.
Six drivers making AI insurance readiness urgent in 2026: (1) Traditional cyber policies excluding AI incidents — insurers writing exclusions faster than clients realize; renewals in 2026 include new AI-exclusion language most brokers don't yet flag. (2) Regulatory backdrop — EU AI Act enforcement (Aug 2026), U.S. state AI laws (Colorado, California), NAIC AI regulation framework driving insurer scrutiny. (3) Board oversight requirements — Delaware Caremark liability doctrine + SEC cyber disclosure rules increasingly apply to AI incidents. (4) Insurer market — AI-specific policy market ($8-$15B by 2027 projected) requires controls before writing. (5) Copilot deployment scale — most enterprises rolled out M365 Copilot in 2024-2025 without governance controls; insurers now catching up. (6) Litigation trajectory — first wave of AI liability lawsuits (misclassified insurance claims via AI, biased hiring AI, hallucinated legal citations, IP infringement) creating claims history insurers must underwrite against.
Six-phase fixed-fee methodology (typical $65K-$185K, 8-14 weeks): (1) Phase 1 Discovery + Baseline — inventory all AI systems in use, classify by EU AI Act tier, gap analysis vs insurer requirements + NIST AI RMF, produce baseline readiness scorecard (25 controls scored). (2) Phase 2 Governance Framework — draft or update AI governance policy, executive committee approval, RACI matrix, incident response playbook. (3) Phase 3 Technical Controls — Microsoft Purview + Defender + Conditional Access configuration for AI systems, Copilot governance controls, agent oversight configuration, monitoring + alerting rules. (4) Phase 4 Human-in-the-Loop — approval workflow implementation for high-risk decisions, override capabilities, escalation training. (5) Phase 5 Evidence Pack — 6-12 month evidence collection methodology, audit-ready documentation, insurer-facing narrative. (6) Phase 6 Insurer Engagement Support — coordinate with insurance broker + underwriter, produce technical response to underwriter questionnaire, participate in insurer technical review calls. Deliverables include insurer-facing evidence pack + audit-ready control documentation.
Six size tiers based on organization complexity: (1) Mid-market enterprise (500-2,500 employees, single geography, 1-3 AI systems) — $65K-$95K, 8-10 weeks. (2) Large enterprise (2,500-10,000 employees, single geography, 3-8 AI systems including Copilot + custom agents) — $95K-$155K, 10-14 weeks. (3) Multi-geography enterprise (multi-region, multi-tenant, 5-15 AI systems) — $155K-$245K, 12-18 weeks. (4) Regulated-industry enterprise (healthcare / financial services / defense adds compliance overlay + evidence for regulatory reporting) — additional $35K-$85K on top of tier. (5) Ongoing insurer-facing evidence retainer — $8K-$25K/month covering ongoing evidence collection + insurer periodic review support. (6) Post-incident triage (if AI incident occurs before or during readiness engagement) — $35K-$95K rapid response engagement. Fixed-fee model.
EPC Group's AI Insurance Readiness practice is led by Errin O'Connor (Founder & Chief AI Architect), a Microsoft Press bestselling author of four Microsoft technology titles and pre-release program participant for both SharePoint (Project Tahoe, 2001) and the Power BI lineage (Project Crescent). Errin was an invited contributor to the first U.S. CIO Vivek Kundra's 25-Point Plan to Reform Federal Information Technology Management (Obama administration) and has 29 years of Microsoft ecosystem consulting delivery. The AI Insurance Readiness practice draws on EPC Group's Microsoft Purview + Defender + Conditional Access depth (all six Solutions Partner designations including Security), 20+ M365 security accelerator engagements, and cross-industry AI governance experience across healthcare (HIPAA), financial services (SOC 2), defense (CMMC), and government (FedRAMP) verticals.
AI insurance readiness is a subset of AI governance focused specifically on insurability + risk transfer. AI governance is the broader discipline covering strategy, ethics, technical controls, oversight, training, and evolution. Six differences in emphasis: (1) Insurance readiness prioritizes controls that materially reduce insurer risk (data leakage, hallucination, IP infringement, bias claims); AI governance covers those plus non-insurance concerns (ethics, employee training, strategic AI direction). (2) Insurance readiness requires evidence pack (auditable operating effectiveness over 6-12 months); AI governance requires framework but not always evidence pack. (3) Insurance readiness is transactional (produces insurable status); AI governance is continuous (ongoing operating discipline). (4) Insurance readiness scope is defined by insurer questionnaires; AI governance scope is defined by NIST AI RMF or ISO 42001. (5) Insurance readiness deliverables include insurer-facing narrative; AI governance deliverables include board-facing risk reporting. (6) Insurance readiness engagement duration 8-18 weeks; AI governance engagement duration is ongoing.
30-min qualification. Phase 1 Discovery + Baseline scorecard within 2 weeks. Call (888) 381-9725.
Monday-Friday, 8 AM - 7 PM CT
We respond to all inquiries within one business day