When AI gets it wrong, the company holds the bag – and the insurance market is still catching up

AI doesn't shift the blame. Gallagher's Paige Cheasley explains why the company that deploys it is still on the hook, and why coverage is still a gray zone.

By Branislav Urosevic

When an AI-driven process produces a bad decision, a data breach or reputational damage, the company that deployed it could be liable regardless of whether the error was human or algorithmic, according to Paige Cheasley, national technology practice leader at Gallagher.

"Ultimately, it would be the company that would have to own this," Cheasley said. "They have the relationship with the customer. They have to own it and assume liability for it."

Any claim against the technology supplier is a separate, downstream matter, she said. The customer-facing organization bears the immediate responsibility.

"Whether they have any recourse against their AI provider whose product failed is a behind-the-scenes kind of story for them," she said.

Cheasley said the liability question is less novel than it appears. A company that uses AI to conduct research and then issues an incorrect opinion based on the output is in the same position as one that relied on a flawed spreadsheet or a junior employee who made a mistake.

"How much different is it from making a mistake in an Excel spreadsheet that gives you the wrong number at the end?" she said.

She said that logic applies to professional liability as well. If a company uses AI to reach a conclusion that turns out to be wrong, the error still falls on the company — and the policy that covers professional mistakes should still respond.

"Your professional liability coverage, whether you were using AI or not to help you get to the result that was incorrect, shouldn't necessarily be excluding that sort of a claim," she said.

That said, the boundaries across other lines are far from settled. Cheasley said she has not yet seen specific AI exclusions in commercial policies, but the question of which policy responds when something goes wrong remains open. Depending on the allegations, a single AI-related claim could land on more than one line at once.

"There are concerns under the cyber, directors and officers, professional liability potentially, but it will really depend on the allegations and the specific situation," she said.

Some policies are clearly not designed to address AI and would likely not be triggered, she said. But many others sit in uncertain territory.

"There's a lot of gray zone on other policies," she said.

She said D&O exposure is particularly broad because of where the decision to deploy AI sits within a company.

"You can say that almost any claim could trigger a D&O policy," Cheasley said. "Because ultimately it always comes back to management decisions in one way or another."

The claims, however, are no longer hypothetical. Gallagher's 2026 AI Adoption and Risk Survey found that one in five insurance industry respondents said a client had experienced a loss or claim due to AI-related risks in the past year. The firm's separate Cyber Insurance Market Outlook identified more than 200 active legal cases involving AI and machine learning, spanning data bias, privacy liability, discrimination and regulatory risk.

Cheasley said carriers are watching those cases closely but are, by her account, in no hurry to act.

"Exclusionary language around AI risks may be coming in classes like Errors and Omissions and general liability, but we haven't seen anything specific yet," she said in the Gallagher report. "Carriers are likely to be hesitant to be the first one out of the gate to exclude and would rather wait to see what claims come in."

She added that some movement is underway on the policy language side, but the pace of change in the technology itself makes it difficult to pin down.

Insurers are considering including clearer language around AI risks across a range of policies to be able to better understand the total cost of risk, she said. "However, the wordings could prove challenging given that AI is constantly evolving."

The question of whether standalone AI liability policies will emerge alongside existing lines is already being tested. Cheasley said some products are available in certain markets, but a dedicated AI policy would not replace the need for traditional coverage.

"Even if there was a specific AI policy, it wouldn't necessarily negate triggering other policies," she said.

The range of applications makes a blanket answer impossible, she said. A tool that drafts a polished email carries a fundamentally different risk profile than one used to diagnose a problem or inform a professional opinion.

"Whether it's to help you write nice-sounding emails or is it helping you diagnose something, is it helping you to design something, is it helping to research for you – and are you double-checking it?" she said.

"It's hard to know who or what was making the decision," she said. "I think that's where it's going to come into play, and we'll have to see what the claims look like."
