In 2026, the Australian business landscape finds itself at a critical juncture. While Artificial Intelligence (AI) is transitioning from a boardroom curiosity to the "operating systems" of enterprise, fundamental questions include how to manage AI risk generally and in the context of insurance coverage and gaps. For Australian businesses, the potential for a "protection gap" is no longer theoretical. As AI risks become more sophisticated, the traditional insurance pillars of Professional Indemnity (PI), Cyber Liability, Directors and Officers (D&O), and Business Interruption (BI) are being tested in ways their original drafters never envisioned.
The primary challenge in insuring AI is that it doesn't fit neatly into a single "risk bucket." It is a cross-class peril. To better understand the extent of protection from existing and new AI-related insurance offerings, it is recommended that AI-specific risks be mapped against any of these offerings.
Mapping AI-specific risks
AI Governance and Risk Management is primarily addressed by two complementary ISO standards: ISO/IEC 42001 (the governance "shell") and ISO/IEC 23894 (the tactical "how-to"). Both standards are designed to integrate with ISO 31000 (the standard for general risk management) but adapt it for the unique, probabilistic nature of AI. Insurance features as a primary mechanism for Risk Transfer. It is recommended that AI risk mapping be done in accordance with these standards.
Examples of AI insurance-related risks include:
- Directors and Officers (D&O): Australian regulators, including ASIC and the OAIC, have made it clear: AI governance is a board-level responsibility. Underwriters are now demanding rigorous AI governance frameworks (aligned with the Australian AI Ethics Principles) as a condition of coverage. Without these, boards may find themselves personally exposed to "failure to supervise" claims.
- Professional Indemnity (PI): traditionally, PI covers professionals for breaches of duty, negligence, or errors in their service. However, when a service is delivered or augmented by an AI, the definition of "negligence" shifts. Many standard PI policies in Australia still rely on the concept of a "human" professional's breach of duty. Insurers are beginning to introduce "AI endorsements," but there remains a grey area regarding whether an error caused by an autonomous system, without a direct human "touch", triggers the policy.
- Cyber Liability Insurance: this is often the first place businesses look for AI protection, but the risks have evolved past simple data theft. While cyber policies are generally the most adaptive, they can exclude "reputational harm" from AI-generated misinformation or "system failure" that isn't caused by a malicious actor.
- Business Interruption (BI): BI insurance traditionally triggers after physical damage (like a fire). Digital BI has expanded this, but AI introduces "Model Drift" and "Systemic Failure." There are risks around reliance on "Agentic AI" (AI that acts autonomously). If a critical AI agent fails, it can halt a company’s entire supply chain or customer service department. Most BI policies still require a "triggering event." If an AI system becomes sluggish or produces unusable outputs (model drift) without a "crash" or "hack," the resulting financial loss may be uninsurable under standard terms.
- Standalone AI Liability Insurance: In response to these gaps, we are seeing the emergence of standalone AI Liability insurance. These policies are designed to cover the "Silent AI" risks that fall between the cracks of PI and Cyber. They can address:
  - Algorithmic Malpractice: protection against errors in AI logic.
  - Discrimination & Bias: covering the legal costs of defending claims of "algorithmic bias" in hiring or lending.
  - Intellectual Property (IP) Infringement: protection against claims that an AI was trained on copyrighted material without a license.
The Australian government’s 2026 transparency mandates (1) have forced insurers' hands. With new requirements for "explainability" in automated decision-making, insurers can no longer treat AI as a "black box" they don't understand. Underwriters are becoming more forensic, asking for "AI Risk Assessments" and "Transparency Statements" before quoting. In 2024, Visagio established a specialised business unit called VRisk with the purpose of harnessing its 20-plus years of AI experience gained from delivering more than 300 AI and Advanced Analytics projects internationally. Based on this experience, the following VRisk strategies are recommended for consideration:
- Shadow AI Mitigation: Addressing the estimate that 78% of users currently bring their own AI tools to work (2) by establishing an Enterprise AI Strategy to replace fragmented, insecure tools.
- Operational Readiness: Helping bridge the gap between technical potential and organisational readiness, moving businesses from a "wait & see" posture to active risk management.
- Practical Training: Through GenAI Use Case Mapping & Training, Visagio focuses on building employee confidence and identifying practical, day-to-day work applications to reduce the 63% rate of peer-observed inappropriate AI use (3).
- Good Governance: Visagio’s AI Policy and Governance service is designed specifically to enable adoption while managing the risks of inappropriate use, providing the documentation often required by underwriters in 2026.

Article references
(1) Policy for the responsible use of AI in government
(2) 2024 Work Trend Index Annual Report from Microsoft and LinkedIn
(3) 2025 Melbourne Business School Report
About the author
Peter Blackmore is one of the leaders of VRisk, the specialised business risk unit of Visagio Australia. VRisk provides a full suite of strategic and operational risk services across many industries, including supporting businesses and insurance brokers in mapping and managing AI risk and insurance gaps. Peter has held senior executive roles for many years in large risk advisory and insurance groups and is a former WA chair of the Risk Management Institute of Australasia.
