
Why we name AI-agent risk on the policy

Every other carrier writes the exclusion. We write the coverage. Here is the math behind that choice.

Henry Vantieghem | May 12, 2026 | 4 min read

Most cyber policies have an "Artificial Intelligence" section now. Read it. It is an exclusion.

The pattern is consistent across every wholesale market we have surveyed in 2026. A carrier adds the section to look responsive, then defines AI broadly enough that any autonomous workflow, any tool-using model, any non-deterministic process by a software vendor of the insured, is carved out of the grant. The buyer thinks they bought a thing. They bought a press release.

We took the other path. AgentShield Pro is the only US wholesale form we have seen, and we have looked, that names the AI-agent risk inside the insuring clause rather than outside it.

What "named" means, precisely

A named-risk policy lists what is covered. Anything not listed is not covered. The opposite is an all-risk-minus-exclusions policy, which covers everything except what is explicitly carved out. Cyber has historically been all-risk-minus-exclusions because the threat surface evolves faster than any list can keep up. Naming the risk was considered impossible.

Naming AI-agent risk is harder than it sounds because the loss vectors are not what most boards expect:

  1. Tool-call exfiltration. An agent with file-read or API-access tools reads more than it was supposed to and ships it somewhere it should not.
  2. Prompt-injection cascade. A document the agent reads contains hidden instructions that redirect the agent.
  3. Hallucinated authority. The agent generates a contract, a payment instruction, or a customer message that the recipient acts on.
  4. Workflow drift. The agent runs a routine well 999 times, then runs it differently once. The variance is the loss.

A general "cyber event" trigger does not pay on any of these reliably. We rewrote the trigger.

Why every other carrier said no

Three reasons. Two are real, one is a tell.

Reason one, real. AI-agent losses are not in the actuarial data. The carriers price off five years of history. There is no five years of history. The market is twelve months old at production scale. So the underwriting move is to exclude, wait for the data, then offer coverage at the back end of the cycle. Patient capital. Sound underwriting. Bad for buyers.

Reason two, real. The vector keeps moving. An LLM that hallucinates today gets fine-tuned next month. An MCP server that leaks today gets patched next week. A risk that is moving is a risk you cannot price with a fixed retention and a fixed limit. So you exclude it.

Reason three, the tell. The carrier does not understand what their own insured is running. We have read four 2026 cyber proposals from name-brand markets that ask the buyer to disclose "any artificial intelligence systems in use." The right question is which agents have which tools, with what scopes, against which data stores, under what guardrails. A carrier that does not ask that question cannot price the risk. So they exclude it.

How we got to yes

AgentShield Pro names the four loss vectors above and pairs each with a retention, a sublimit, and a defined trigger. The trigger references the action the agent took, not the agent's nature. That sounds small. It changes everything. The dispute moves from "is the LLM at fault" (unanswerable) to "did the action match a covered scope" (answerable from logs).

We also wrote a coverage architecture that does not require the insured to run a specific LLM. The form is model-agnostic. Anthropic, OpenAI, Meta, in-house, all covered, provided the action is traceable to an enumerated scope.

That last sentence is the entire form distilled. The agent is covered for the action, not the agent.

What we will not cover

We are not going to pretend the form is everything. We exclude:

  • Agents running on consumer plans without organization controls.
  • Agents whose tool scopes are not logged or are logged to a system the insured does not control.
  • Losses originating from intentional misuse by an authorized human operator. That is a human risk. There are policies for that.

Excluding what we cannot price is honest. Excluding everything was the alternative we refused.

What you do with this

If you are a board member, ask your carrier what their AI-agent grant looks like. If they hand you an exclusion, you have an answer. If they hand you a clause that names the action, the trigger, and the sublimit, you have a policy.

If you are a wholesale broker, you can quote AgentShield Pro through Jencap-Bind today. The form is bindable in under 90 seconds for accounts under EUR 5M revenue, with a Coalition-style coverage card returned in the browser.

If you are an AI builder, the policy exists because we believe what you are shipping. We will name the risk because we know it is real.
