For much of the past decade, artificial intelligence has been framed by cyber insurers as a “force multiplier,” a tool that enhances malicious actors’ capabilities.
This assumption is becoming outdated as a new generation of autonomous systems – so-called agentic AI – can perform multi-step tasks across enterprise environments with limited human oversight.
While earlier AI deployments largely supported discrete human-led tasks, such as analyzing data and drafting content, today’s AI systems are interacting directly with applications and datasets. For the cyber insurance market, this could usher in changes in how threats unfold.
“We are in a defining moment where AI is moving from a copilot era to an autonomous agent era,” said William Altman (pictured), director of cyber threat intelligence services at CyberCube, in a recent webinar. “Artificial intelligence potentially changes the nature of technology use and cyber risk in enterprise environments.”
AI adoption is accelerating rapidly across industries. According to Darktrace, 78% of organizations already use generative AI in at least one business function, while more than 80% are expected to deploy AI models or applications in production environments by the end of 2026. At the same time, autonomous agents are beginning to execute “multi-step operational workflows from end to end,” effectively embedding themselves within core business processes.
CyberCube’s H1 2026 threat briefing characterizes AI agents as a new “privileged execution layer,” capable of interacting directly with critical systems. “AI agents introduce new enterprise cyber risk pathways by enabling direct interaction with systems and data,” the report said.
One area of concern is that, unlike traditional software, these agentic AI can execute harmful actions while appearing to follow instructions or propagate errors across interconnected systems. Even without external attackers, autonomous failures can trigger outages or data loss.
The transition to AI autonomy is equally evident on the offensive side. CyberCube’s analysis showed that AI is increasing the “speed, scale and coordination of attacks,” allowing criminals to exploit common vulnerabilities (such as identity misconfigurations and unpatched systems) more quickly.
“AI is compressing the cyberattack lifecycle… enabling impact to occur before detection and containment are effective,” Altman said.
The exposures that come with agentic AI systems mean traditional cybersecurity controls hinged on prevention may be insufficient. Recovery capability, or the ability to restore systems and data quickly, is emerging as a critical determinant of loss severity, according to specialists.
As agentic AI adoption grows, underwriting approaches are also beginning to evolve. CyberCube highlighted three areas that insurers are watching:
At the same time, the autonomous nature of these systems raises novel questions for coverage. Incidents triggered by AI behavior, such as prompt manipulation or unintended data exposure, may blur the line between cyber events and operational failures.
What are the implications for risk management? Altman stressed robust identity security and regular patching. “The fundamentals still matter,” he said. “AI does not introduce entirely new weaknesses; it amplifies existing ones.”
Despite these concerns, agentic AI is not yet fully embedded across most enterprise environments. Adoption remains uneven, and in many cases, the technology is still used in a limited or experimental capacity.
Cyber specialists have said widespread catastrophic losses linked directly to AI remain unlikely in the near term. But as AI becomes more deeply embedded in business operations, insurers are grappling with concentration risks.
“As AI becomes more deeply embedded in critical business operations… the potential for portfolio aggregation risk may rise,” Altman said.
