Gallagher flags AI liability as next 'silent risk'

Firms are racing into AI. Cover hasn't caught up


By Jonalyn Cueto

Around 87% of New Zealand organisations are already using AI in some capacity, according to research from technology services firm Datacom - yet the frameworks governing that adoption, including regulation, governance and insurance, have not kept pace. A new report from Gallagher Insurance warns that New Zealand businesses are facing a fast-emerging silent risk from AI liability that echoes the uncertain early days of cyber insurance, when exposures sat within traditional policies in ways that only became visible once losses occurred.

New Zealand's approach to AI regulation remains deliberately light-touch, with policymakers favouring broad principles over AI-specific legislation. Existing frameworks, particularly the Privacy Act, continue to apply - the Office of the Privacy Commissioner has confirmed that privacy obligations extend across the full AI lifecycle, from data inputs through to outputs and decisions. The Reserve Bank of New Zealand has separately flagged concerns that AI could amplify financial, operational and cyber risks, particularly where third-party providers are involved.

The gap between adoption and governance is where the liability exposure sits. The Gallagher report identifies where the most immediate risk lies: not in outright AI system failure but in over-reliance on AI outputs without sufficient challenge or validation. Governance frameworks and oversight mechanisms lagging behind adoption - rather than the technology itself - are the primary exposure for most New Zealand businesses at this stage.

Why standard policies may not respond as expected

AI risk does not sit neatly within a single insurance category. A flawed AI output or recommendation can raise issues across professional advice, customer outcomes, operational performance and governance at the same time - meaning potential claims could trigger professional indemnity, cyber and directors' and officers' liability simultaneously, or fall between all three.

Most businesses do not build AI systems in isolation, instead relying on networks of external providers, platforms and data sources. This creates shared and at times unclear accountability across supply chains. Globally, disputes have most often arisen when contractual protections and insurance responses were not aligned in advance - a pattern that mirrors the early cyber insurance experience, where policies became more explicit over time only as claims emerged.

GlobalData senior insurance analyst Ben Carey-Evans said the hesitation among insurers about AI reflects a genuine unresolved question. "Regulation has not yet caught up and uncertainty remains over who is liable when AI makes mistakes," he said. A separate global poll of more than 100 insurance professionals published in May found roughly a quarter of respondents believe AI itself is not yet ready for widespread use in the industry.

The direction of travel in global insurance markets

The international insurance market's response to AI liability is already moving in a direction New Zealand businesses and their brokers need to monitor. From January 2026, the US Insurance Services Office issued new generative AI exclusion endorsements for commercial general liability cover, which carriers adopted within weeks. Berkley Insurance filed an absolute AI exclusion across directors and officers, errors and omissions, and fiduciary lines.

These are US developments - but if the exclusion pattern follows the trajectory of cyber, equivalent wordings will eventually appear in New Zealand policy language.

Gallagher said the priority for businesses is not to slow AI adoption but to ensure risk, governance and insurance strategies evolve alongside it - including mapping where AI is used within operations, understanding how decisions are made and tracing how exposures could flow into existing insurance programmes. The question of whether current policy wordings respond to an AI-related loss is one that needs to be tested before a claim arises rather than after.
