The "Silent AI" era ended January 1, 2026. EPC Group is the first Microsoft consulting firm to build a dedicated AI Insurance Readiness practice — producing the audit-grade governance evidence underwriters now require before they will renew cyber, Tech E&O, D&O, or EPLI coverage that touches AI.
Key Facts
- ISO released three generative-AI exclusion endorsements (CG 40 47 broad, CG 40 48 limited, CG 35 08 products/completed-operations) effective January 1, 2026.
- Cyber carriers including Beazley and QBE are introducing AI sublimits at approximately 10% of policy limits.
- An affirmative AI-coverage market — Munich Re/Mosaic aiSure, Armilla at Lloyd's, Counterpart, Testudo — underwrites on documented governance evidence.
- Six controls cluster across every AI underwriting questionnaire: kill switch, HITL inventory, data provenance, named accountable executive, deepfake-resistant authentication, and Microsoft-stack enforcement evidence.
- Standards mapped: NIST AI RMF, ISO/IEC 42001, AIUC-1, plus EU AI Act Article 9 for multinational exposure (timeline in flux).
- EPC Group is not an insurance company, broker, or producer — we build the governance evidence; your broker and carrier handle the policy.
The Four-Front Squeeze
For three years your insurance covered AI losses by silence, not by grant. That era ended on January 1, 2026. The squeeze is now four-front, simultaneous.
Standard market writes AI out
ISO CG 40 47 (broad) and CG 40 48 (limited) exclude loss "arising out of" generative AI — available at every CGL renewal since January 1, 2026.
Cyber policies add AI sublimits
Beazley and QBE are introducing AI sublimits near 10% of policy limits. QBE draft: an LLMjacking loss capped around $250k on a $5M policy.
Affirmative market gated on governance
Real AI cover exists — Munich Re/Mosaic ($15M), Armilla at Lloyd's ($25M+), Counterpart, Testudo — but is granted and priced on documented governance evidence.
Regulation hardens the paperwork
NAIC Model Bulletin adopted in 24 states. EU AI Act Article 9 sets a documented lifecycle risk-management standard for high-risk systems (timeline in flux post Digital Omnibus deferral).
The Receipts — Four Losses, Four Coverage Lines
Underwriters do not price fear. They price costed loss scenarios. Each lands on a different coverage line — which is precisely why no single policy was built to cover them all.
Bartz v. Anthropic
Liability from data PROVENANCE, not training. Judge Alsup ruled training on lawfully bought books was "quintessentially transformative" fair use — but downloading pirated copies was not. The distinction cost $1.5 billion.
Moffatt v. Air Canada
The British Columbia tribunal: "It makes no difference whether the information comes from a static page or a chatbot." The airline argued the chatbot was a separate entity. The tribunal called that submission "remarkable" — and not as a compliment.
Mobley v. Workday
Federal court certified a nationwide collective alleging AI hiring software screened out applicants by age. The court: "Drawing an artificial distinction between software decisionmakers and human decisionmakers would potentially gut anti-discrimination laws."
Hasbro Q1 2026
CFO Gina Goetter disclosed on the Q1 call: approximately $20M one-time remediation expense plus $40-60M in delayed Q2 consumer-products revenue. Trade coverage noted it remained unclear what costs Hasbro would ultimately recover through insurance.
The Six Controls Carriers Now Require
Not software you buy — evidence you produce. Each control maps to NIST AI RMF, ISO/IEC 42001, and AIUC-1.
Documented Human Kill Switch
A named human can pause or revoke any autonomous AI action — with an escalation path and a recent test on file. The single most-requested control across every carrier I met with.
Human-in-the-Loop Checkpoint Inventory
Every autonomous AI decision touching a customer, employee, financial control, or regulated data — mapped to its trigger threshold and the named person authorized to override.
Data Provenance & Classification Audit
Where the data feeding your AI came from and how it is labeled — the most expensive blank on the AI E&O application after Bartz v. Anthropic. "We think it is fine" does not get a policy quoted.
Named Accountable AI Executive
A name, a title, a signature — not a committee. Delivered through EPC Group's Virtual Chief AI Officer (vCAIO) for organizations that cannot justify a full-time Chief AI Officer.
Deepfake-Resistant Authentication
Out-of-band verification for the workflows your AI agents now touch. Email and video calls are no longer accepted as proof of identity — the deepfake threat model is baseline, not exotic.
Microsoft-Stack Enforcement Evidence
Entra workload identity for every AI agent. Microsoft Purview grounding enforcement at Copilot answer time. Defender and M365 audit logs configured to capture what every agent read, returned, and touched.
Meet the AI Insurability Officer
Every few weeks another "new roles for AI" chart goes viral on LinkedIn — Chief AI Officer, AI Risk and Governance Specialist, Agent Engineer, Head of AI. They are useful maps. But look closely and you will notice the same thing in every one: the entire governance function — the part that now decides whether you are insurable — gets compressed into a single word at the end of the lifecycle. Govern. One icon. One box out of thirty.
That box is where your insurance renewal now lives. And there is a seat inside it that no org-chart infographic has drawn yet: the person accountable not just for governing AI, but for proving — to an underwriter, on paper, signed — that it is governed well enough to cover.
Call it the AI Insurability Officer. The role barely has a name, and almost no enterprise can justify a full-time hire. We deliver the function through our Virtual Chief AI Officer (vCAIO) — so a named, accountable human owns your insurability without a full-time hire. The org chart caught up to AI. The carriers caught up to the org chart. The evidence didn't — and that gap is the practice.
Multiple Models. One Truth.
The exposure is multi-model. The evidence has to be too. Our governance architecture extends the readiness package across every major model your enterprise runs — not just Copilot.
Why EPC Group — The Firm in the Seam
Your insurance broker understands the policy, but cannot build the technical governance evidence inside your Microsoft tenant. Your law firm understands the liability, but cannot configure Microsoft Purview label propagation or Entra workload identity. Your CISO is stretched thin holding the perimeter. And generic Microsoft partners have never sat across a table from an AI underwriter.
EPC Group stands in that seam. As best we can tell, we are the first Microsoft consulting firm to build a dedicated AI Insurance Readiness practice — built on the Governed AI on Microsoft framework and delivered as a new spoke under our AI Center of Excellence.
Federal-grade governance discipline (eDiscovery for the Federal Reserve Bank of New York under Congressional oversight during TARP; federal advisory team on the U.S. CIO's 25-point IT reform plan) is no longer overkill for the private sector. The insurance market just made it the floor.
What We Are — and Are Not
EPC Group is not an insurance company, broker, or producer and does not sell, place, or provide insurance. We build the AI governance evidence; your broker and carrier handle the policy. We do not guarantee any coverage outcome — no consultant ethically can. What we deliver is the evidence the underwriter requires, assembled to the standard they recognize, signed and dated, so your broker walks into the renewal with documentation instead of speculation.
The Full Evidence Package — Source-Verified
The complete breakdown: every carrier action, every court ruling, every control mapped to NIST / ISO 42001 / AIUC-1 — with the source ledger so your General Counsel can verify every receipt.
Frequently Asked Questions
What changed in AI insurance in 2026?
On January 1, 2026, the Insurance Services Office (ISO) released three generative-AI exclusion endorsements (CG 40 47 broad, CG 40 48 limited, CG 35 08 products/completed-operations) that any U.S. carrier can attach at Commercial General Liability renewal. The "arising out of generative AI" trigger language is broad enough to reach embedded AI in everyday SaaS — not just custom models. Cyber carriers including Beazley and QBE are also introducing AI sublimits around 10% of policy limits, while an affirmative AI-coverage market (Munich Re/Mosaic aiSure, Armilla at Lloyd's, Counterpart, Testudo) underwrites on documented governance evidence.
Does this affect us if we only use embedded AI like Copilot or Salesforce Einstein?
Yes. ISO's definition of generative AI — a machine-based system trained on data that can create content or responses including text, images, audio, video, or code — reaches embedded AI in everyday SaaS. You do not have to run a custom model to be exposed. The AI quietly riding inside Microsoft 365, Salesforce, your help-desk platform, and your marketing stack now sits inside the same exclusion trigger.
What is "Silent AI"?
Silent AI is the market practice — now ending — of covering AI-related losses through cyber and Tech E&O policies that never expressly referenced AI. Law firms including Fenwick and Browne Jacobson have published analyses warning that this framework is "rapidly reaching its end." Carriers are no longer willing to carry an unpriced, unbounded AI exposure on their books, so they are explicitly excluding it from standard policies and gating affirmative cover behind governance evidence.
What evidence do underwriters now require?
Six controls cluster across every AI underwriting questionnaire we have seen: (1) a documented human kill switch with a recent test; (2) a human-in-the-loop checkpoint inventory mapping every AI decision to its named override owner; (3) a data provenance and classification audit; (4) a named accountable AI executive — a signature, not a committee; (5) deepfake-resistant out-of-band authentication for AI-touched workflows; and (6) enforcement evidence on the stack you already own — Entra workload identity, Microsoft Purview grounding enforcement, and Defender/M365 audit configured for AI activity. These map directly to NIST AI RMF, ISO/IEC 42001, and AIUC-1.
What is AIUC-1?
AIUC-1 is an AI security, safety, and reliability standard from the AI Underwriting Company that maps to NIST AI RMF, ISO/IEC 42001, the EU AI Act, MITRE ATLAS, and OWASP. It is the standard used by AI insurers in the affirmative market (including Lloyd's syndicates) as their underwriting framework. EPC Group assembles your governance evidence package against the AIUC-1 structure so your broker can present it directly to underwriters in the format they recognize.
When is our deadline?
Your next cyber, Tech E&O, D&O, or EPLI renewal. The exclusions exist now. The affirmative market gatekeeps now. EU AI Act Article 9 high-risk obligations were originally scheduled to bind on August 2, 2026, but face a proposed Digital Omnibus deferral into 2027; the documentation standard itself is set regardless of which month it binds. If your renewal is six to nine months out, the documentation you need is not a two-week scramble; it is a program you start now or explain later from a worse negotiating position.
Can EPC Group guarantee our coverage will be renewed?
No — and any firm that promises a coverage outcome should be treated with caution. EPC Group is not an insurance company, broker, or producer and does not sell, place, or provide insurance. We produce the audit-grade governance evidence that underwriters require, assembled to recognized standards (NIST AI RMF, ISO/IEC 42001, AIUC-1, and mapped to EU AI Act Article 9 for multinational exposure), so that when your broker walks into the renewal you are answering "yes, here is the documentation" instead of "I don't know." Your broker and carrier handle the policy.
How does this run on our existing Microsoft environment?
It uses the governance stack you already own — Microsoft Entra workload identity, Microsoft Purview, Microsoft 365 and Defender audit — and produces the audit-grade documentation proving those controls are configured correctly. The controls are likely already in your tenant. The signed and dated record proving they meet the underwriter's standard is what almost no enterprise has yet produced. And although the evidence is anchored on the Microsoft stack, our "Multiple Models. One Truth." architecture extends the governance to every major model an enterprise runs — Claude, GPT/OpenAI, Gemini, Grok, Perplexity — so the readiness package covers all of them, not just Copilot.
Start Before the Renewal — Not After the Claim
Your renewal date is your real deadline. Your General Counsel already knows what month that is.
contact@epcgroup.net · 888-381-9725 · Multiple Models. One Truth.
Last updated 2026-06-30
