Cyber insurance renewal season in 2026 looks different from 2025. Across brokers and underwriters, a new category of questions has appeared on AI governance, questions that did not exist in most renewal applications eighteen months ago. Some insurers are adding them as supplemental riders. Others are folding them into the core application. All are treating the answers as underwriting criteria.
This is not surprising. The data connecting ungoverned AI deployments to breach events is now substantial enough that insurers cannot ignore it. What is surprising to the organisations fielding these questions is how specific they have become, and how difficult they are to answer honestly without purpose-built AI governance infrastructure.
$4.44M
Average cost of a data breach
IBM, 2025
89%
YoY growth in AI-enabled adversary operations
CrowdStrike, 2026
$2.22M
Breach cost saved: mature AI security vs without
IBM, 2025
158 days
Average time to identify a breach
IBM, 2025
The five questions appearing in 2026 renewal applications
1. Do you maintain a complete, retrievable log of AI interactions?
The fundamental question. Insurers want to know whether you can reconstruct what your people were sending to AI systems before an incident. Not in principle. In practice. A 'yes' requires that every prompt submitted across your organisation is logged somewhere retrievable, with timestamps, user identifiers, and the content that was actually transmitted to the model.
For organisations using consumer AI tools directly (ChatGPT, Copilot, Claude.ai), the honest answer is no. Those tools do not provide organisational audit logs. For organisations using a governed AI gateway, a yes is achievable. The gap between these two situations is the underwriting risk the insurer is pricing.
2. Can you demonstrate that personal data is not transmitted to external models in raw form?
This is the PII scrubbing question, and it is increasingly framed not as 'do you have a policy prohibiting this' but 'do you have a technical control that prevents it.' The policy framing leaves the insurer uncertain whether the control is actually exercised. The technical control framing has a clear answer: either something in the data path scrubs personal information before it reaches the model, or it doesn't.
Reliance on employee behaviour (training programmes, acceptable use policies, terms of service agreements) is no longer considered an adequate technical control by underwriters pricing AI-related risk. The question is whether the scrubbing is automated.
3. Have you assessed what categories of data reach your AI systems?
Data classification at the AI layer. Do you know whether your employees are submitting commercially sensitive information, health data, client financial details, or material subject to professional privilege? Most organisations that have not deployed a governed AI gateway cannot answer this with confidence. The usage happens in browser tabs and chat interfaces that leave no organisational record.
Insurers asking this question are probing for whether the organisation has genuine visibility into its AI exposure surface, or whether it is operating on the assumption that employees exercise appropriate judgment. That assumption is the risk being priced.
4. Do you have documented, enforceable controls over AI access and procurement?
Shadow AI is a specific underwriting concern. If employees can access any AI tool with a credit card and an email address, the organisation's AI footprint is unbounded. Insurers want to see that AI access is provisioned through a governed channel. Not that employees are prohibited from using AI, but that sanctioned tools route through a system that enforces the organisation's data handling policy.
A practical test: if an employee used an unapproved AI tool to process client data last Tuesday, would your IT team know? If the answer is no, the honest answer to this underwriting question is also no.
5. Can you produce an incident reconstruction within 72 hours of a reported AI-related breach?
The audit trail question in its most operational form. An incident reconstruction requires knowing: which user, which session, what content was submitted, what the model received after any processing, and at what time. Without a purpose-built audit record, this reconstruction is not possible, even if the organisation has a general sense of what AI tools its people use.
Seventy-two hours is not a generous window. Insurers have learned from breach events that organisations that cannot reconstruct incidents quickly tend to have higher remediation costs, longer breach timelines, and more significant regulatory exposure. The audit trail has become the primary indicator of AI governance maturity in underwriting assessments.
The pattern in these questions is deliberate
Look at the five questions together. They describe a technical architecture: a logging layer, a PII scrubbing layer, a data classification layer, an access control layer, and an audit trail. Insurers writing these questions are not asking whether you have good intentions around AI. They are asking whether you have built the infrastructure to back them up.
What organisations are discovering at renewal
The organisations finding these questions easiest to answer are, with few exceptions, those that routed AI access through a governed gateway before the renewal cycle started. The organisations finding them hardest are those that deployed AI tools individually, department by department, without a centralised governance layer. That describes the majority of mid-market enterprise AI programs in 2025 and 2026.
The gap between 'we have an acceptable use policy' and 'we have a technical control that enforces it' is the gap now appearing in premium adjustments, coverage exclusions, and in some cases declinations. It was not visible at the point of AI adoption. It has become visible at the point of insurance renewal.
If you cannot answer these questions with confidence, you are not alone
Most organisations cannot. Yet. OBEL gives you the infrastructure to answer all five: a complete interaction log, automated PII scrubbing, real-time data classification, governed access control, and a tamper-evident reconstruction trail. If your renewal is coming up, that conversation is worth having now.
References
- [1]IBM - "Cost of a Data Breach Report 2025" (July 2025)
- [2]CrowdStrike - "2026 Global Threat Report" (February 2026)
- [3]Marsh McLennan - "Cyber Insurance Market Trends: AI Underwriting" (Q4 2025)
More in Intelligence Brief