D&O Underwriting Questions for AI Governance: A 2026 Renewal Reference
The specific questions D&O insurance underwriters are asking about AI governance at 2026 renewals — what carriers want to see, the documentation patterns that work, and how to negotiate around AI-specific exclusions and sublimits.
Summary
D&O insurance underwriters in 2026 are systematically asking about AI governance during renewal cycles. Carriers including AIG, Chubb, Travelers, Beazley, AXA XL, and the Lloyd's syndicates have standardized AI-specific questions covering AI inventory, governance policy, board oversight, state-law compliance (Illinois HB 3773, Colorado AI Act, NYC LL 144, EU AI Act), incident history, disclosure controls, and independent advisory review. Companies that cannot answer these questions, or that answer them poorly, face premium increases of 15-40%, AI-specific exclusions that carve out coverage for "AI washing" and similar AI-related claims, sublimits on AI-related coverage, or reduced overall limits. Companies that answer affirmatively with documentation typically secure favorable renewal terms.
Most asked
Are AI-related claims covered under standard D&O policies?
Generally yes — standard D&O policies cover wrongful acts by directors and officers, which would include alleged failures of AI oversight under Caremark/Marchand and AI-related representations in periodic reports. However, carriers are increasingly adding AI-specific exclusions or sublimits at 2026 renewals. Companies should review policy language carefully and push back on broad AI exclusions with documented evidence of AI compliance posture.
What is "AI washing" and why does it create D&O exposure?
"AI washing" describes a company's materially false or misleading statements about its AI capabilities, AI use, or AI-driven results. The SEC has brought enforcement actions for AI washing — including against Delphia, Global Predictions, Presto Automation, and Nate Inc. — and parallel securities class actions have been filed against Apple, GitLab, C3.ai, Reddit, DocGo, and Innodata, among others. AI washing creates D&O exposure because alleged misrepresentations typically come from senior officers and are alleged to have caused investor losses, fitting squarely within the wrongful-acts definition in standard D&O policies.
How are carriers pricing AI risk in 2026 vs. 2025?
Carriers' approach has evolved meaningfully from 2024-2025 (when AI questions were preliminary and pricing impacts were modest) to 2026 (when AI questions are standardized and pricing impacts are material). Companies with strong AI governance documentation are generally seeing flat-to-modest renewal pricing. Companies with weak documentation are seeing 15-40% increases, AI-specific exclusions, sublimits of $5-25 million on AI claims, or reduced overall limits. The differentiation between strong and weak AI documentation is now one of the largest variables in 2026 renewal pricing for mid-market and large companies.
Overview
The D&O insurance market is a particularly direct mechanism for operationalizing AI governance at scale. Where regulation imposes legal obligations and litigation creates exposure after the fact, D&O underwriting creates immediate, dollarized pressure on boards and management teams to document AI governance posture. A company that cannot answer underwriter questions about AI faces immediate, quantifiable financial consequences at renewal, consequences that hit the financial statements long before any AI-related litigation arrives.
This reference catalogs the AI-specific questions appearing in 2026 D&O renewal questionnaires across major carriers, explains what carriers are evaluating with each question, and provides documentation patterns that satisfy underwriter expectations. It is intended for chief financial officers, general counsel, risk managers, and D&O brokers preparing for renewal — and for boards seeking to understand what the renewal pressure is doing to governance posture across the corporate market.
Why D&O underwriting is the practical pressure point
The pattern is recognizable from the cybersecurity arc of the past decade. Cybersecurity governance became a board-level priority not because boards spontaneously elevated it, but because underwriters started asking detailed questions about cybersecurity at every renewal, and companies that could not answer the questions paid materially higher premiums. Within five years, every public company had a documented cybersecurity program, named board oversight, and a regular reporting cadence — primarily because the renewal questionnaire forced it.
AI is now in the early stages of the same arc, but compressed. The cyber arc took roughly five years to standardize. The AI arc is moving faster — a two-to-three year compression — because carriers have learned from cyber and because AI-specific regulation (Illinois HB 3773, Colorado AI Act, EU AI Act) has accelerated the legal-exposure timeline.
The result is that the AI questions that appeared in renewal questionnaires in 2025 are standardized in 2026. By 2027, they will be as granular and consequential as cybersecurity questions. Companies that build robust AI governance documentation now will save materially on premiums for the next five years and will be insulated from the AI-specific exclusions that increasingly appear in renewals where documentation is weak.
The standard 2026 questionnaire
Carrier questionnaires vary in specifics, but the typical 2026 D&O renewal questionnaire covers AI governance in approximately fifteen to twenty discrete questions, organized into six categories:
- AI governance policy and committee oversight
- AI inventory and risk classification
- State-law-specific compliance posture
- Incident and claims history
- Disclosure controls and AI representations
- Independent advisory review and certification posture
The next sections walk through each category — the specific questions, what carriers are evaluating, and what good answers look like.
AI governance and inventory questions
Typical questions include:
- Does the company have a documented AI governance policy approved by the board or a board committee?
- Which board committee has primary oversight of AI governance?
- How frequently does the committee receive AI-related reports?
- Does the company maintain an inventory of AI systems used internally and in customer-facing products?
- How is the AI inventory maintained and updated?
- Has the company classified its AI systems by risk tier?
- Does the company have a written AI vendor due diligence framework?
What carriers are evaluating: whether AI is being treated as a board-level governance topic with appropriate infrastructure, or whether it is being treated as a management-only operational matter. Boards that have placed AI under a committee with quarterly reporting and have an inventory of AI systems they update regularly are signaling mature governance. Boards without these elements are signaling that AI governance is informal — which carriers correctly read as elevated risk.
Strong answers demonstrate: a written policy, named committee oversight, regular reporting cadence (quarterly or more frequent), a maintained AI inventory, written risk classification methodology, and a vendor due diligence process with documented outputs.
State-law-specific compliance questions
Carriers in 2026 are increasingly asking specific questions about compliance with state and international AI laws:
- How is the company addressing Illinois HB 3773 (effective January 1, 2026)?
- How is the company addressing the Colorado AI Act?
- How is the company addressing NYC Local Law 144 (where applicable)?
- How is the company addressing California's Automated Decision-Making Technology regulations?
- How is the company addressing the EU AI Act (where the company operates in or sells into the EU)?
- What documentation supports the company's compliance posture under each applicable law?
What carriers are evaluating: whether the company has a jurisdiction-by-jurisdiction view of its AI compliance obligations or is treating AI compliance as a single undifferentiated topic. The granularity matters because a compliance failure in each jurisdiction carries a different exposure profile: strict liability under HB 3773, audit penalties under NYC LL 144, impact assessment requirements under the Colorado AI Act, and the most rigorous bar under the EU AI Act for companies in scope.
Strong answers demonstrate: a written compliance posture summary for each applicable jurisdiction, documentation of specific compliance steps taken, and identification of any open compliance gaps with remediation timelines.
Incident and claims history
Typical questions:
- Has the company experienced any AI-related incidents in the past 24 months?
- Has the company received any AI-related customer complaints?
- Has the company received any AI-related regulatory inquiries?
- Is the company aware of any pending or threatened AI-related litigation?
- Has the company maintained an incident log for AI-related matters?
What carriers are evaluating: both the substance of any incidents and the maturity of the company's incident response infrastructure. A company that has experienced an incident and has a documented response is in a stronger position than a company that claims no incidents but has no infrastructure for detecting them.
Strong answers: candid disclosure of incidents (carriers will discover them anyway through public sources, and underwriters penalize concealment), a documented incident log even if no significant incidents have occurred, and evidence of incident response procedures.
Disclosure controls and AI washing
Given the AI washing enforcement landscape, carriers are increasingly asking about AI representations:
- What controls govern AI-related statements in periodic reports?
- Does the disclosure committee specifically review AI-related statements?
- How does the company verify AI capability claims before public disclosure?
- Are AI-driven revenue or performance claims supported by documented data?
- Has the company received any SEC inquiries related to AI disclosures?
What carriers are evaluating: whether AI representations are treated with the same rigor as financial disclosures. The SEC's enforcement against Delphia, Global Predictions, Presto Automation, and Nate Inc., combined with private securities class actions against Apple, GitLab, C3.ai, Reddit, DocGo, Innodata, and others, has made AI representations a meaningful source of D&O exposure.
Strong answers: documented disclosure controls specifically addressing AI representations, evidence of substantiation procedures for AI claims, and integration with broader disclosure committee processes.
Independent advisory review
Increasingly common questions:
- Has the company obtained independent advisory review of its AI compliance posture?
- Is the company pursuing ISO/IEC 42001 certification?
- Has the company conducted an external assessment of AI governance maturity?
- What independent expertise informs the board's AI oversight?
What carriers are evaluating: whether the company's AI governance has been validated by sources outside management. Self-attestation by management is the lowest-credibility form of governance representation; independent review carries materially more weight because it reflects expert third-party scrutiny.
Strong answers: documented independent advisory review with a written deliverable (the deliverable can be summarized for underwriter purposes without full disclosure), evidence of pursuit of formal credentials such as ISO/IEC 42001, and identification of advisors with relevant credentials.
How carriers evaluate the answers
Carrier evaluation generally follows a tiered framework:
Tier 1 — Mature governance
Companies that answer affirmatively with documentation across all six categories. Renewal pricing typically flat to slightly favorable. AI-related coverage maintained at standard policy terms. Carriers compete actively for these accounts.
Tier 2 — Developing governance
Companies with some affirmative answers, gaps in documentation, and a credible plan to close gaps. Renewal pricing typically modestly higher (5-15%). AI-related coverage maintained, possibly with a sublimit. Carriers may request specific commitments to close documentation gaps before next renewal.
Tier 3 — Weak governance
Companies with mostly negative or non-responsive answers. Renewal pricing materially higher (15-40%). AI-related coverage often sublimited or excluded. Carrier may decline to renew, requiring a move to a less-preferred carrier.
Tier 4 — Material exposure with weak governance
Companies in high-exposure industries (healthcare, financial services, employment platforms) with weak AI governance. Renewal pricing may be prohibitive, AI claims may be excluded entirely, and coverage limits may be reduced. Specialty markets may decline the risk altogether.
Documentation patterns that work
The renewal package that consistently produces favorable outcomes has the following structure:
1. AI governance policy (3-8 pages)
A board-approved policy articulating principles for AI development, deployment, and oversight. Includes references to applicable laws and standards (NIST AI RMF, ISO/IEC 42001, EU AI Act, relevant state laws), roles and responsibilities, escalation paths, and update cadence.
2. AI inventory summary (2-4 pages)
A current snapshot of AI systems by category (internal/external, customer-facing/back-office, employment/non-employment), risk tier, business owner, and vendor. Underwriters do not need full technical detail; they need evidence the inventory exists and is maintained.
3. Board oversight summary (1-2 pages)
Description of the board committee structure for AI oversight, reporting cadence, and recent agenda items. Excerpts from committee minutes (with appropriate redactions) demonstrate substantive engagement.
4. State-law compliance summary (3-6 pages)
Jurisdiction-by-jurisdiction summary of compliance posture for HB 3773, Colorado AI Act, NYC LL 144, California ADMT, EU AI Act, and any other applicable laws. For each, brief description of company exposure, compliance steps taken, and any open gaps with remediation timeline.
5. Incident summary (1-2 pages)
Description of any AI-related incidents, complaints, or regulatory inquiries in the past 24 months, plus evidence of the incident response infrastructure (incident log, escalation procedures, remediation outcomes).
6. Disclosure controls summary (1-2 pages)
Description of the disclosure committee's procedures for reviewing AI-related statements, substantiation requirements, and coordination with general counsel and external auditors.
7. Independent review summary (1-2 pages)
If independent advisory review has been conducted, a brief summary of the scope, findings, and remediation plan. The full review deliverable does not need to be shared at this stage.
Total package: 12-25 pages. Submitted to the broker; the broker manages communication with the underwriter.
Negotiating around AI exclusions
When a carrier proposes an AI-specific exclusion, sublimit, or coverage carve-out, the response is not acquiescence but documented pushback. Specific tactics:
1. Request specific exclusion language
AI exclusions vary substantially in scope. Some exclude only affirmative AI-related claims (AI washing); others exclude any claim involving AI in any way. Request the exact proposed language before agreeing in principle.
2. Use documentation as leverage
Submit the renewal package described above. An AI exclusion proposed on the basis of a generic concern about the AI risk landscape is harder for the carrier to maintain when faced with documented evidence that the specific company has mature AI governance.
3. Compare across carriers
The D&O market is competitive. Carriers proposing onerous AI exclusions risk losing the business to competitors. The broker can surface alternative quotes from carriers offering less restrictive terms.
4. Sublimit rather than exclude
Where coverage is tight, push for a sublimit (e.g., $5-25 million on AI-specific claims) rather than full exclusion. Sublimits preserve some coverage while addressing the carrier's concern about aggregate exposure.
5. Negotiate retroactive coverage
For companies with longer histories, push to maintain coverage for AI-related claims arising from acts before a specified date. This preserves coverage for legacy AI representations while allowing the carrier to apply the exclusion only on a going-forward basis.
6. Time the renewal
Engage with the broker 90+ days before renewal. Late engagement limits negotiation leverage and forces compromises that would not be necessary with adequate runway.
This article was last reviewed on May 9, 2026. The D&O market's approach to AI questions is evolving rapidly; the article will be updated quarterly. Companies preparing for D&O renewals with AI exposure may also find the AI Risk and D&O Liability for Directors reference useful as foundation reading. The AI Securities Class Actions Tracker catalogs the specific cases carriers are pricing against at 2026 renewals. The ISO/IEC 42001 AI Management Systems and NIST AI Risk Management Framework references describe the voluntary standards carriers are increasingly using as the substantive benchmark behind their underwriting questions. For an organization-specific AI compliance review structured to support D&O renewal, see the AI Compliance Diagnostic or Multi-Jurisdictional Review services.
Frequently asked questions
- Should we engage an independent advisor specifically for D&O renewal documentation?
- For companies with material AI exposure that have not previously documented AI governance, yes. Independent advisory review produces three deliverables, each serving a different audience: (1) the board (oversight discharge), (2) the underwriter (renewal documentation), and (3) defense counsel (defense file in the event of a future claim). The cost of a focused advisory engagement is typically 5-15% of the value of the premium reduction it produces, making it ROI-positive for most companies in the relevant size range.
- What documentation should we share with the broker vs. the underwriter directly?
- Generally, share with the broker first; let the broker manage the underwriter relationship. Brokers know their carriers' specific concerns and can sequence the documentation appropriately. Documentation typically requested at renewal: AI governance policy, AI inventory summary, board reporting cadence, state-law compliance summary, incident summary, vendor due diligence framework, and independent advisory review (if completed). Detailed technical documentation (specific model architectures, training data sources) is generally not necessary at the underwriting stage and can be reserved for follow-up requests.
- Does ISO/IEC 42001 certification reduce D&O premiums?
- ISO/IEC 42001 certification is not yet a standard underwriting credit, but it is increasingly recognized by carriers as evidence of mature AI governance. The certification process produces documentation that maps closely to underwriter concerns and provides third-party validation that the company's AI governance has been independently evaluated. As ISO 42001 adoption grows, carriers are likely to formalize the credit; companies pursuing certification should expect modest favorable consideration in 2026-2027 and potentially formal premium credits in 2028+.
- Are there AI-specific D&O policies emerging?
- Several specialty insurers are developing AI-specific endorsements or stand-alone AI liability products, primarily for commercial liability and professional liability rather than D&O. The D&O market is, as of mid-2026, primarily addressing AI risk through standard D&O policies modified by AI-related exclusions, sublimits, or affirmative coverage grants. Companies with substantial AI exposure may benefit from layering specialty coverage on top of standard D&O, but the economics depend on specific exposure profile.
- When should we start preparing for AI questions on the next renewal?
- At least 90 days before renewal. The documentation process — building or updating the AI inventory, drafting the governance policy, securing independent advisory review, preparing the renewal package — typically takes 60-90 days when starting from a baseline. Engaging earlier creates time for productive negotiation and for carriers to compete for the account. Engaging later limits leverage and forces last-minute compromises on terms.
How to cite this article
APA
Abdullahi, K. M. (2026, May 9). D&O Underwriting Questions for AI Governance: A 2026 Renewal Reference. Techné AI. https://techne.ai/insights/do-underwriting-ai-governance-questions
MLA
Abdullahi, Khullani M. "D&O Underwriting Questions for AI Governance: A 2026 Renewal Reference." Techné AI, May 9, 2026, https://techne.ai/insights/do-underwriting-ai-governance-questions.
Plain text
Abdullahi, Khullani M. "D&O Underwriting Questions for AI Governance: A 2026 Renewal Reference." Techné AI, May 9, 2026. Available at: https://techne.ai/insights/do-underwriting-ai-governance-questions
About the author
Khullani M. Abdullahi, JD, is an AI governance and compliance consultant and the founder of Techné AI, an independent advisory firm based in Chicago. She submitted written testimony to the Illinois Senate Executive Subcommittee on AI and Social Media; the substance of one of her recommendations was incorporated into an AI-risk impact study bill. She authored the AI Governance & D&O Liability briefing now in active circulation among practitioners and underwriters, maintains the Illinois AI Legislative Ecosystem tracker, and hosts the AI in Chicago podcast. Techné AI is an advisory firm, not a law firm.