Many insurers, and the businesses they cover, are still treating artificial intelligence (AI) risk as if it were cyber risk cloaked in a costume. That instinct is understandable since AI systems process data, rely on vendors, create operational dependencies, and sit inside digital infrastructures. However, early litigation is showing why that framing is likely incomplete. The claims are not only arising from security hacks, ransomware, or data exfiltration, but from ordinary business activity: a customer call, a chatbot exchange, a healthcare consultation, a meeting transcript, or a vendor system setting that was enabled by default long before anyone examined its legal effect.
The real exposure sits in the gap between what the business thinks it is doing with AI and what its AI-enabled systems are actually doing. A notice saying “this call may be recorded” may not answer whether the call is being transcribed in real time, analyzed for content, retained by a third party, or used to improve a vendor’s model. A procurement approval may not show whether customer content was opted into training. A vendor contract may not explain whether the vendor is merely supplying a tool or independently receiving, enriching, and using the data flowing through it. That distinction can affect consent, privacy obligations, regulatory exposure, and even which insurance coverage applies.
The companies that get ahead of these issues will be the ones that stop asking whether AI is secure and start asking how AI changes the legal scope of their relationships with customers, patients, employees, vendors, and regulators. They will document what users were told, what settings were active, what vendor terms applied, and what data was used for which purpose. AI risk is not just a cyber control problem, it’s a governance, consent, procurement, evidence, and business conduct problem. The market correction will favor organizations that understand that difference before the claims start arriving.