All insights
Building6 min read

The Uninsured Agent

Vishal Sachar

Vishal Sachar

Co-Founder & CEO of CLRT

Ask your broker one question this week: if an AI agent acting on our systems causes a loss, which of our policies responds? Most executives have never asked it, because the answer was assumed. Insurance covers operations, agents are now part of operations, therefore agents are covered. Since January 2026 that assumption has been quietly falling apart. Insurers in the United States can now attach standard exclusions that strip generative AI liability out of general liability policies, the cyber and errors-and-omissions policies most firms hold were never designed for agent failures, and cover for AI is being rebuilt endorsement by endorsement, case by case. The default state of an agent deployment in mid 2026 is uninsured, and the market has not sent a letter announcing it.

Jan 20261
new ISO exclusions can strip generative-AI liability from standard general-liability policies
Risk & Insurance, 2026
~47,0002
downloads of a poisoned LiteLLM release in the three hours it sat live on PyPI
Help Net Security, 2026
89%3
of agent teams have observability in place; only 37.3% run online evals in production
LangChain, 2026
01THE QUIET EXCLUSION

The mechanics matter, because they show how deliberate this is. ISO, the body that drafts the standard policy language most American insurers build on, introduced endorsements available from January 2026 that exclude bodily injury, property damage, and personal and advertising injury arising out of generative AI from commercial general liability policies. Attorneys tracking the forms report similar absolute AI exclusions appearing in directors-and-officers and professional liability lines. Cyber policies, where most boards assume this risk lives, typically do not respond to hallucinations that cause financial loss, to defamation by an AI output, or to intellectual property infringement. Technology errors-and-omissions cover is written for the vendors who build AI tools, not the enterprises that deploy them. Carriers including Coalition, AXA XL, Hiscox and Beazley are clarifying their boundaries through endorsements and sector products, which is a polite way of saying that cover is now decided case by case, priced on facts about your deployment that most buyers cannot yet evidence.

FIG. 01Nowhere to land
02NO LONGER HYPOTHETICAL

It would matter less if agent-caused losses were still a thought experiment. They are not. In March 2026 a poisoned release of LiteLLM, the gateway library that sits underneath many production agent stacks, went live on PyPI and was downloaded roughly 47,000 times in the three hours before it was pulled. In May, Microsoft's security team disclosed remote-code-execution-class prompt injection paths in agent frameworks including its own Semantic Kernel: a crafted input that becomes a shell on your infrastructure. OWASP now maps prompt injection to six of the ten categories in its agentic top ten, and there are credible reports of malicious skills appearing by the hundreds on public agent marketplaces. None of these are model failures in the familiar sense. They are failures of the supply chain, the permissions, and the verification around the model, which is precisely the surface insurers cannot yet price and are therefore excluding.

03WATCHING IS NOT VERIFYING

Against that backdrop, the industry's own numbers describe an uncomfortable posture. LangChain's State of Agent Engineering survey, vendor research but the largest sample available at 1,340 practitioners, found that 89 percent of organisations have observability in place for their agents. Only 52.4 percent run offline evaluations against test sets, and 37.3 percent run online evaluations against live production behaviour. Read that as an underwriter would. Nine in ten teams can watch their agent fail. Barely more than a third have machinery that would catch the failure before or as it happens. The same survey names quality as the single biggest blocker to production, which is exactly what you would expect from a population that monitors far more than it tests.

FIG. 02Watching versus verifying

The distinction sounds academic until the claim arrives. Observability is a record of what happened; verification is a control on what is allowed to happen. When a loss lands and cover is contested, the questions asked are an underwriter's questions: what could the agent touch, what checked its output before the action became real, what evidence exists that the checks actually ran. A dashboard that watched the failure is not a control, it is a witness, and in a dispute it testifies against you, because it proves you could see the risk class and ran anyway. The wider governance picture is no better. On IBM's data, only 37 percent of organisations have a policy in place to detect shadow AI at all, so most firms cannot even enumerate the agents they would need to defend. The gap between watching and verifying is not an engineering nicety. It is the precise coordinates of where the uninsured losses of the next two years will land.

FIG. 03The shadow-AI blind spot
A dashboard that watched the failure is not a control. It is a witness, and it testifies against you.

A deeper dive

The insurance market has run this play before, and the precedent tells you how the next three years go. A decade ago the problem was called silent cyber: policies written before ransomware neither clearly covered nor clearly excluded it, and for years the ambiguity quietly favoured the buyer. Then the large losses arrived, most famously the NotPetya claims fought through the courts under war exclusions, and the market's response was not generosity. It was clarity. Cyber risk was expelled from every policy that had been silently carrying it and rebuilt as an affirmative, separately priced product with its own application form, and that form is why penetration tests, patching discipline and multi-factor authentication went from engineering hygiene to boardroom line items: they became the difference between insurable and not. Generative AI is now at the start of the same cycle. The January 2026 ISO endorsements are the expulsion step, and the case-by-case AI endorsements now being written are the first drafts of the affirmative product. Which means the application form is coming, and it is not hard to predict what it asks, because underwriters price controls: what the agent is permitted to touch, what gates an action before it becomes real, what evaluation coverage exists offline and online, how dependencies like the gateway underneath your framework are pinned and verified, and what stops the loop when it drifts. Teams that can evidence those controls will buy their cover back at a sane premium. Teams holding a monitoring dashboard and a screenshot of a demo will find the market has, quite literally, priced their engineering posture.

It is worth being precise about why so many teams sit on the wrong side of that line, because it is not laziness. Observability is easy to adopt: it is a product you buy, it requires no opinion about your business, and it produces reassuring screens from day one. Verification is the opposite in every respect. An offline evaluation only means something if someone has defined what wrong looks like for this workflow in this business, which is judgment work no vendor can package. An online evaluation only means something if it runs against live behaviour with the standing to gate or roll back an action, which is systems work most teams defer because it slows the demo. Supply chain verification, the discipline that would have caught a poisoned gateway release inside its three-hour window, means treating your agent's dependencies with the suspicion a bank applies to counterparties. Each layer is unglamorous, specific to the organisation, and invisible in a boardroom demonstration, which is why the survey numbers fall exactly as they do: 89, then 52, then 37, in strict order of how much thinking each practice demands. The uninsured window will close one of two ways for any given firm: either it builds the verification layer and becomes insurable, or a loss arrives first and settles the question the expensive way.

Key terms

Silent AI
AI risk that a policy neither clearly covers nor clearly excludes, so nobody knows whether a claim would pay until it is tested, usually in court. The market's historical answer to silent risk is exclusion first, then a separately priced affirmative product.
Online evals
Automated checks that score an agent's live production behaviour continuously, with the standing to gate or roll back an action, as opposed to offline evals, which test the agent against a fixed set before release.

Work with CLRT

Closing that gap is CLRT's work. We do not sell dashboards. We build the verification and governance layer around agents: the one that decides what they may touch, checks their work before it becomes real, and leaves the evidence trail a buyer, a regulator or an underwriter will one day ask for. If you are running agents today, or about to, talk to us before the market prices your posture for you. The firms that build verification now will be the insurable ones, and insurability is about to become a competitive line item.

Vishal Sachar

Vishal Sachar

Vishal Sachar is the Co-Founder and CEO of CLRT, where he helps UAE businesses make sense of applied agentic AI and put it to work. He writes on agentic systems, AI governance, and the economics of automation. Reach him at vishal@clrtstudio.com or on LinkedIn.

Start here

Skip the reading. See where your leverage leaks.

Ascent is our free diagnostic. Ten minutes, and you have the one workflow worth building first.