Is Your Cyber Insurance at Risk? 7 AI Questions Insurers Are Asking at Renewal in 2026

May 24, 2026 · 9 min read · AISafeIQ

Cyber insurance renewals are getting harder. Not because the forms are longer - though they are. Because the questions are different.

For years, renewal applications asked about firewalls, multi-factor authentication, patch management, and incident response plans. Those questions are still there. But in 2025 and accelerating into 2026, a new section appeared on applications from carriers across the market: AI governance.

If your business is using AI tools - ChatGPT, Copilot, Gemini, Grammarly AI, or any other generative AI product - your underwriter wants to know what controls you have in place. And if the answer is "not much," your coverage may not be what you think it is.

Here are the 7 questions showing up in AI risk assessments at renewal. For each one, I'll explain what your insurer is actually trying to find out - and what the right answer looks like.


Why Insurers Started Asking About AI

This shift did not happen slowly. AI tool adoption among small and mid-sized businesses went from negligible to near-universal in roughly 18 months. Employees started using ChatGPT to draft customer communications, summarize contracts, write code, and handle tasks that previously required a person. That happened with or without organizational approval, and in most cases without any training or policy.

Insurers noticed. The claim pattern that emerged: employees inadvertently disclosing confidential data by pasting it into public AI tools, AI-generated content containing errors or fabrications that created liability, and unapproved AI tools creating shadow IT risk the organization didn't know it had.

81% of cyber insurers now include AI governance questions in renewal applications. The industry's response is to price and underwrite AI risk explicitly - which means your answers to these 7 questions directly affect your premium, your sublimits, and in some cases your ability to renew at all.


Question 1: Do You Have a Written AI Use Policy?

This is the baseline. It shows up early in almost every AI governance section.

What your insurer wants: a document. Not a verbal policy. Not an informal understanding. A written policy that defines which AI tools employees are permitted to use for business purposes, what categories of data may not be entered into those tools, and what the expectations are for AI-generated output.

The policy needs to exist, be dated, and be accessible to employees. If you don't have one, the rest of the questions are harder to answer.

A free template is available at aisafeiq.com/free-policy - it covers the core provisions most underwriters are looking for.


Question 2: Are Employees Trained on AI Misuse?

Having a policy and ensuring employees actually understand it are two different things - and underwriters know the difference.

What your insurer wants: documented evidence that employees received training on AI safety. Not an email pointing to a PDF. Not a mention in the onboarding checklist. Structured training with a completion record.

The reasoning is straightforward: if an employee causes an AI-related data exposure and you cannot show that training occurred before the incident, your insurer's position is that you did not take reasonable precautions. That is a defensible denial reason.

Training documentation - completion records, certificates, timestamps - is what moves the answer from "yes, we told them" to "yes, here is the proof."


Question 3: Can You Document It?

This question follows the training question and is where many businesses hit the wall.

Your insurer is not asking whether training happened in some informal sense. They are asking whether you can produce documentation. A stack of completion certificates, a training completion report, a policy acknowledgment for every employee - a paper trail that survives a claims investigation.

If your training consisted of a Zoom call or a Slack message, there is nothing to produce. From the underwriter's perspective, undocumented training is indistinguishable from no training. The documentation is the training, in terms of what matters at claims time.


Question 4: Do You Have an AI Risk Assessment on File?

This question appears more frequently in mid-market and enterprise applications, but is filtering down to small business renewals in regulated industries - healthcare, financial services, legal.

An AI risk assessment is a documented evaluation of which AI tools your organization uses, what data they can access, and what controls are in place to manage that exposure. It does not need to be a 50-page document. It needs to exist and be dated.

For many small businesses, a simple inventory - approved tools, data classification for each, access controls - is sufficient. The point is that someone in the organization thought through the AI risk exposure systematically and wrote it down.


Question 5: Is AI Governance Part of Your Security Program?

This question is asking whether AI is managed as part of your information security infrastructure or handled informally as a one-off concern.

Organizations that have integrated AI governance into their existing security policies - defining AI tool approval processes, data classification requirements for AI interactions, incident reporting procedures for AI-related disclosures - demonstrate a fundamentally different risk posture than those treating it as a standalone policy document.

What your insurer wants to see is that AI is not a gap in your security program. That someone owns it. That there is a process for it. That it is not invisible to the people responsible for your organization's security posture.


Question 6: Has AI Been Involved in Any Prior Incidents?

This question catches unprepared organizations off-guard.

If an employee submitted PII to a public AI tool, or used an AI system in a way that resulted in unauthorized data disclosure - and you did not document and investigate it as an incident - you now have two problems. The original exposure, and the failure to identify and report it.

Underwriters are specifically looking for undisclosed AI-related incidents. This applies to situations your organization may not have classified as an "incident" at the time - an employee pasting customer contact information into ChatGPT, or a contractor using an unapproved AI tool to process company data.

If an event like this occurred and surfaces during a claims investigation, and it was not disclosed during the renewal application, coverage can be voided. Answering this question accurately requires knowing what has happened - which in turn requires incident reporting procedures that actually capture AI-related events.


Question 7: Do You Audit AI Tool Usage?

The final question is about ongoing governance, not just a policy and a training event.

Are you monitoring which AI tools are in active use across your organization? Is there a process for approving new AI tools before employees start using them? Do you have any visibility into whether your approved tool list reflects reality - or whether employees are using unapproved consumer AI tools for business purposes?

Expectations scale with organization size. A 15-person company is not expected to have a sophisticated AI tool auditing infrastructure. But even at that scale, having a documented approved tool list and a quarterly review process puts you significantly ahead of the default - and signals to your underwriter that AI risk is managed rather than ignored.


The Sublimit Problem

Here is what most business owners do not know about their current coverage: many cyber insurance policies now contain AI-specific sublimits.

A sublimit means your full policy coverage amount does not apply to certain categories of claims. A $5 million cyber policy might cap any claim arising from an AI-related incident at $500,000. That 90% coverage gap does not show up until you file a claim - and by then, there is nothing you can do about it.

The way to avoid punishing sublimits - or at minimum to negotiate better terms - is to demonstrate AI governance at application time. Insurers reduce sublimits for organizations that can show documented training, a written policy, completion records, and evidence of ongoing governance. The documentation is negotiating leverage. Organizations without it have none.


The Insurance Proof Pack

AISafeIQ's Growth plan and above includes what we call the Insurance Proof Pack: a documentation bundle purpose-built for the underwriting conversation.

It contains everything your broker needs to answer the 7 questions above:

  • Your company's signed AI Use Policy
  • Individual completion certificates for every trained employee (UUID-verified)
  • A training completion report with timestamps and names
  • Policy acknowledgment records for HR documentation

This is not a general compliance folder. It is structured specifically for the renewal application process. When your broker asks what AI governance documentation you have, this is what you hand them.


What to Do Before Your Next Renewal

If your renewal is 6 months out, you have time to build proper AI governance infrastructure. If it's 90 days out, you need to prioritize it. If it's 30 days out, you need to move immediately.

The minimum viable AI governance package for a cyber insurance renewal:

  1. A written AI Use Policy - signed or acknowledged by employees, dated, and on file
  2. Documented employee training with completion records per employee
  3. A log of which AI tools your organization uses and has approved

AISafeIQ delivers all three in under 10 minutes per employee. See pricing - the Growth plan includes the Insurance Proof Pack.

Do not find out at claims time that your governance gap was also a coverage gap.
