Risk Professionals Grapple with Rapid Expansion of AI

The surge in generative AI tools has forced risk managers to move beyond ad‑hoc controls toward formalized governance. Leading insurers are assembling cross‑functional teams that include legal, privacy, information security and data‑science experts, and are adopting the National Institute of Standards and Technology’s AI Risk Management Framework as a common reference point. By codifying acceptable use policies, establishing AI "lounge" sandboxes, and insisting on human‑in‑the‑loop verification, firms aim to limit exposure while still leveraging AI’s productivity gains.

Regulatory momentum is accelerating on both sides of the Atlantic. The EU AI Act, effective August 2024, sets strict requirements for high‑risk AI systems, while five U.S. states—California, Colorado, New York, Utah and Texas—have already enacted AI‑specific statutes, with many others following suit. This patchwork of rules is prompting insurers to craft new policy language that covers compliance costs, fines and liability arising from AI misuse. Insurers such as Axa XL and Westfield Specialty report growing demand for blanket coverage that can adapt to evolving state and federal mandates.

Data governance sits at the core of the emerging AI risk discipline. Companies are increasingly ring‑fencing proprietary data, using enterprise‑grade subscriptions that prevent model training on confidential inputs, and negotiating vendor contracts that guarantee data segregation. These technical safeguards, combined with clear internal policies and regular staff training on prompt engineering, create a layered defense against inadvertent data leakage and regulatory breach. As AI adoption deepens, the convergence of robust governance, regulatory alignment, and disciplined data handling will define the competitive edge for insurers and their clients.