Commercial renewals in the last few years: cyber exclusions showing up in policies that never used to mention cyber at all. That shift had a name, silent cyber. Traditional property and liability forms weren't written with cyber in mind, so coverage was "silent," neither clearly in nor clearly out. When big losses hit, courts and arbitrators sometimes found coverage anyway. Insurers and regulators decided that was untenable. They made coverage explicit. They added exclusions.
The same playbook is running for AI now. Starting in 2026, general liability and related forms are getting explicit generative-AI exclusions. If you assume your GL policy still responds to AI-related claims because it doesn't say otherwise, you may be wrong by mid-year.
What Actually Changed: ISO and the 2026 Forms
The Insurance Services Office (ISO) publishes the standard forms that drive a large share of U.S. commercial general liability. ISO doesn't force anyone to use them, but when ISO files new endorsements, carriers often adopt them. In 2025, ISO filed a set of endorsements with a proposed effective date of January 1, 2026. Among them are three that take aim at generative AI.
CG 40 47 amends the standard CGL coverage part. It adds an exclusion for bodily injury and property damage (Coverage A) and for personal and advertising injury (Coverage B) when the injury or damage "arises out of" "generative artificial intelligence." CG 40 48 is narrower: it only adds the same exclusion to Coverage B (personal and advertising injury). If your carrier uses 40 47, both liability buckets can be off the table for AI; if they use 40 48, you might still have an argument for Coverage A, but not for advertising injury, defamation, or IP-type claims tied to AI. CG 35 08 does the same thing for the Products/Completed Operations coverage part: bodily injury and property damage arising out of generative AI are excluded.
The term generative artificial intelligence is defined in the endorsements: "a machine-based learning system or model that is trained on data with the ability to create content or responses, including but not limited to text, images, audio, video or code." That's broad. It doesn't require "GPT" or "LLM"; it catches any trained model that generates content. A lot of what businesses now call "AI" falls in.
Because these are optional underwriting tools, not every policy will get them at renewal. But ISO forms sit behind a large portion of U.S. P&C business (often cited in the low 80% range for policies that follow ISO language). When your carrier gets a new form set and is worried about unquantified AI exposure, the path of least resistance is to attach the endorsement. The days when AI was simply "not mentioned" are ending.
Why Insurers Are Doing This (It's Not Just Hype)
Silent cyber became a problem for carriers for a few concrete reasons. Losses that were never priced into property or liability policies (NotPetya, for example) ended up in front of courts. Merck won a $1.4 billion ruling against its property insurer after NotPetya; the court said the war exclusion didn't apply to that cyberattack. Mondelez and Zurich fought over a similar claim and eventually settled on confidential terms. Whatever the final contract said, the message to the market was clear: traditional forms could be read to respond to cyber events in ways underwriters never intended. Regulators, including at Lloyd's and the UK PRA, started pushing for "silent cyber" to be eliminated: either affirmatively cover cyber or explicitly exclude it. Many carriers chose to exclude.
AI looks to insurers like a repeat. The exposure is hard to model: correlated failures (one bad model, many policyholders), rapid change in how AI is used, and liability theories that are still evolving. A single generative-AI incident (hallucinated defamation, biased hiring output, bad code that causes physical harm) could be argued under traditional GL or advertising injury coverages. Rather than wait for the first big AI verdict under a "silent" form, carriers are preemptively taking the option off the table. Some have gone further than ISO. WR Berkley, for example, has circulated an "absolute" AI exclusion that bars coverage for "any actual or alleged use, deployment, or development of [Artificial Intelligence]," including inadequate AI policies or training and violations of AI-related laws. That's broader than the ISO generative-AI wording and, if applied blindly, could create disputes about what counts as "use" of AI (e.g., a vendor's tool in the stack).
Not every insurer will use the harshest form. But the direction of travel is one-way: from silent to explicit, and often toward exclusion unless you buy back coverage or secure it elsewhere.
Who's Actually Exposed
Any organization that uses generative AI in a way that could cause third-party harm is in the zone. That's not only tech companies. Marketing teams that use AI copy or imagery, HR that uses AI-screening tools, operations that use AI for summaries or recommendations, and product teams that embed LLMs or image generators are all creating potential liability that could be argued under bodily injury, property damage, or personal and advertising injury. If your GL policy is amended with CG 40 47 (or an equivalent), those claims may be excluded even if the rest of your operations look like "normal" GL territory.
Small and mid-size businesses are often the least prepared. They may not have a dedicated risk or insurance function; they may assume "we have general liability" covers third-party claims from AI outputs. After 2026, that assumption is dangerous. The ISO forms are optional, but adoption is likely to spread as carriers roll out 2026 form updates. The time to look at your policy and your renewals is before the endorsement appears, not after a claim is denied.
What to Do Before Renewal
See what you're actually using. If you're not sure where generative AI is in your products, operations, or vendor stack, you can't have an informed conversation with your broker or carrier. Map use cases: customer-facing chatbots, internal drafting or coding tools, marketing assets, screening or scoring tools, anything that "creates content or responses" from a trained model. That map drives both risk and insurance strategy.
Read the renewal. When your GL (and any products/completed operations) renewal comes in, check for new endorsements. Look for "generative artificial intelligence," "AI," or "artificial intelligence" in the exclusion section. If you see CG 40 47, CG 40 48, CG 35 08, or non-ISO language that has the same effect, assume that AI-related claims under those coverages are excluded unless the carrier has given you a separate, affirmative grant.
Ask for options. Carriers and brokers are still feeling their way. Some may offer buybacks or sublimits for AI; some may point you to tech E&O, cyber, or emerging "AI" products. There is no standard market yet. Pushing back on an absolute or overly broad exclusion (for example, limiting it to generative AI rather than "any" AI) is reasonable. So is asking whether the carrier will attach the endorsement at all if your exposure is low and you can describe it.
Treat governance as a risk and underwriting signal. Insurers are more likely to offer terms, or to refrain from the harshest exclusions, when they see that you know where AI is used, what controls and policies you have, and how you handle incidents. That doesn't guarantee coverage, but it makes a conversation about carve-backs or affirmative coverage more plausible.
Silent cyber taught the market that "we didn't think about it" is not a sustainable basis for coverage when the loss arrives. Silent AI is being closed out the same way: by making the form say "no" unless you've arranged for "yes." 2026 is when that shift lands in standard GL wordings. Plan for it now.