What AI Agent Insurance Will Actually Cover: A 2026 Guide

For the past two years, the question most European risk managers have asked about their emerging fleet of AI agents has been a version of the same line: are we covered under what we already buy? The answer, almost everywhere, is that existing cover was not written with autonomous systems in mind and is being amended to exclude them. What is arriving in its place is a new class of insurance, with its own wordings, its own underwriting questions, and its own mental model of how harm is caused.

This piece walks through what the first wave of AI agent insurance will actually cover. It is not speculative. It draws on wordings that already exist in the market, including the AIUC-1 reference standard published by the AI Underwriting Company, the Munich Re aiSure product schedules, Armilla's AI policy form, and the draft AI endorsements circulating at Lloyd's of London. The specifics will evolve, but the structure has already settled.

Why AI agents need their own class of cover

An AI agent is an autonomous software system that can take action on behalf of a person or organisation inside a defined operational scope. The definition matters because most existing business insurance assumes a human is in the loop at the moment of decision. Professional indemnity and errors and omissions cover attach to the work of a professional. Cyber cover attaches to the unauthorised acts of a third party. Technology errors and omissions cover attaches to the failure of software supplied to a customer.

An autonomous agent does not fit cleanly into any of those. It is not a professional, it is not a third-party attacker, and it is often not software sold to a customer. It is a decision-making system operating inside the insured's own business, acting on its own authority. When it causes loss, the policy question is not only who pays, but who decided and what was the decision against.

That is the gap the new class of cover is designed to fill. The emerging wordings separate the underlying technology risk from the action risk and allow insurers to price them independently.

The five categories of loss

1. Hallucination-driven financial loss

The first category addresses the losses that arise when an agent produces output that is factually wrong, fabricated, or unsupported, and a person or system acts on it. This can be a quotation that cites a price that does not exist, a contract clause that references a non-existent jurisdiction, a research note that fabricates a source, or an agent summary that misstates a regulatory obligation. In each case the loss is not caused by a cyber event or an act of negligence by a professional. It is caused by a generation mistake by the agent itself.

The AIUC-1 standard, in section 4.2 of its published reference text, treats hallucination loss as a distinct insured peril and requires the insured to maintain a policy-defined level of human-in-the-loop review for specified workflow classes. Munich Re's aiSure product addresses the same class of loss under Schedule B, with defence costs and direct loss indemnity where the output can be shown to be the proximate cause.

The important subtlety is that hallucination cover is not a guarantee of correctness. It is a transfer of financial loss in cases where the agent's output has been used inside an authorised workflow in the way the operator agreed with the insurer. Losses that arise where review was required and not performed are excluded.

2. Data leakage and privacy infringement

The second category covers third-party liability arising from unauthorised disclosure of personal or commercially sensitive information by an AI agent. The conventional cyber market has addressed data leakage for years, but AI agents create leakage in ways that cyber underwriters have not previously priced. Prompt injection can cause an agent to reveal information from its context window. Training data exposure can leak sensitive content that was not anticipated at the time of fine-tuning. Cross-tenant contamination can occur when a shared deployment fails to isolate customer data correctly.

Armilla's AI policy form, in its version two release, treats these as distinct trigger events and explicitly sets out how they relate to the GDPR's article 82 liability for damage. The cover typically extends to regulatory claims, data subject claims, forensic investigation, and notification costs.

The exclusions are where the subtlety sits. Leakage resulting from the failure to apply a published vendor security patch is usually excluded. So are breaches originating outside the AI agent perimeter, where a classical cyber event is the proximate cause. The line between the two is precisely where underwriters will spend the most time during a claim.

3. Intellectual property infringement

The third category addresses claims that AI-generated output infringes a copyright, a trade mark, a design right, or a database right. The operators most exposed to this risk are those whose agents produce customer-facing content, code, imagery, or technical documentation. An agent that generates marketing copy can inadvertently reproduce a protected phrase. An agent that writes code can pull a recognisable pattern from its training set. An agent that drafts technical specifications can incorporate a protected diagram.

AIUC-1 addresses intellectual property risk in section 6. The draft Lloyd's AI endorsement, circulated for consultation in early 2026, provides a broadly comparable framework and is being watched closely by both carriers and reinsurers.

Cover usually extends to defence and indemnity for infringement claims, reasonable settlement costs, and mitigation expenses. It will exclude deliberate reproduction of copyrighted material on explicit instruction from the operator, and the use of models trained on data that the operator already knows to be unlicensed.

4. Regulatory penalty indemnity

The fourth category is the one that most European compliance officers ask about first. It covers administrative fines and penalties imposed under the AI Act, the GDPR, and the revised Product Liability Directive, together with the legal costs of defending the regulatory process. Indemnity for regulatory penalties is only available where the underlying law permits it. In several member states it does not. The policy wording has to be read with the national implementation of each regulation in mind.

The AI Act creates administrative fines of up to EUR 35 million or seven per cent of global turnover for the most serious breaches. The GDPR provides for fines of up to EUR 20 million or four per cent of global turnover. The revised Product Liability Directive does not itself impose administrative fines, but it creates new liability exposures that flow into civil claims. A fully drafted regulatory penalty section will cover supervisory authority investigations, notice of intent proceedings, defence counsel, technical expert witnesses, and corrective action planning.

5. Autonomous action liability

The fifth category is new. It covers claims that arise when an AI agent, acting within its authorised scope, executes a transaction or a decision that causes loss. This is the cover that most operators running customer-facing or market-facing agents will need. It is the category that most clearly distinguishes AI agent insurance from cyber or professional indemnity.

The scenarios addressed are concrete. A procurement agent that issues a purchase order against the wrong supplier. A customer service agent that commits the organisation to a refund it was not authorised to make. A trading agent that routes an instruction outside the approved venue list. A documentation agent that approves a filing that should have been escalated. Munich Re's aiSure addresses autonomous action claims under Schedule D, which in early 2026 was extended to cover procurement agents specifically.

Exclusions are tight. Actions executed outside the certified scope of the agent are excluded. Deployments lacking the audit telemetry required by the policy schedule are excluded. Circumvention of approval gates is excluded. In effect, the insurer will pay for a mistake within the scope of what was authorised, but will not pay for the consequences of running an agent beyond what was agreed.

The four underwriting questions

Every insurer writing AI agent cover in the European market is asking, in different words, the same four questions. An organisation preparing for the Q3 2026 coverage window should be able to answer them before the first submission.

What is the scope of authorised action? The insurer wants a written definition of what each agent is allowed to do, against whom, and under what circumstances. A vague answer produces vague cover. A precise answer produces a policy schedule.

What is the governance around the agent? Who approves new capabilities, who reviews incidents, and who signs off on model upgrades. Underwriters want to see a named owner and a named escalation path.

What audit telemetry is retained? The insurer wants a tamper-evident record of agent inputs, decisions, and outputs, retained for the period specified in the policy schedule. Without it there is no way to reconstruct the chain of causation during a claim.

What independent certification exists? The fastest route to favourable pricing is third-party certification against a recognised framework. The Agent Certified reference certification is one such framework, and is explicitly set up to feed into underwriting reviews for the platform.

What to do now

The honest answer for any European operator with agents in production is to start documenting the answers to those four questions today. Underwriting review is an expensive moment to discover that nobody has written the scope down, nobody is keeping the telemetry, and nobody has mapped the agents to a published framework. Organisations that approach the Q3 2026 window with those artefacts in hand will get meaningful quotations. Organisations that arrive without them will spend the autumn preparing to submit rather than preparing to buy.

Agent Insured exists to support that preparation. The coverage framework sets out the five categories in more detail. The pre-launch registration places an organisation in the queue for underwriting review. The weekly Agentic Liability Monitor tracks the market developments that will matter to any buyer heading into the autumn.

For research on the underlying European liability regime, the sister sites agentliability.eu and agentliability.co track the AI Act, the revised Product Liability Directive, and their implementation across member states and beyond.