
The Willis Research Network’s May 2026 Risk and Resilience Review finds AI exposure quietly accumulating across general liability, professional indemnity, cyber, EPLI, and D&O — often with no policy language addressing it. For independent agents, the parallels to “silent cyber” are hard to miss.
The Willis Research Network (WRN), the not-for-profit research arm of Willis, a WTW business, has published the May 2026 edition of its Risk and Resilience Review, titled AI in Action: The Road to Responsible Adoption. Drawing on academic partnerships, sector benchmarking, and incident data, the review documents how artificial intelligence has moved from a back-office productivity tool into a decision-making engine embedded in underwriting, claims, cyber defense, and operational judgment.
The Willis Review’s central argument is that AI is not creating an entirely new category of insurance risk. Instead, it is increasing the likelihood of losses under existing coverages such as E&O, cyber, EPLI, D&O and general liability. According to the Review, AI-related losses are surfacing in general liability, professional indemnity, technology errors and omissions (Tech E&O), cyber, employment practices liability (EPLI) and directors and officers (D&O) coverage — frequently in policies that contain no language addressing AI at all. The report draws the explicit analogy to the pre-2019 “silent cyber” era, when ambiguity felt convenient until claims and litigation forced the question.
How does this land on the agent’s desk?
Much of the report addresses issues for corporate risk managers, insurers, and reinsurers. But two threads run directly through an independent agency’s book of business.
- The agency’s own professional exposure. Agencies are themselves adopting AI to draft correspondence, summarize policies, compare quotes, and field client questions. Every one of those uses is a potential professional liability touchpoint. The review highlights “automation bias,” the tendency to accept an AI output without verifying it, as a distinct liability signal. Its sharpest illustration comes from the courts: judges have sanctioned attorneys for filing briefs containing AI-fabricated citations. The same dynamic maps cleanly onto an agency that relies on an AI summary of a coverage form, a renewal exposure, or a certificate request without a human checking the work.
- The clients’ silent-AI gaps. An agency’s commercial insureds are deploying AI across hiring, customer communications, pricing, and operations — and most of their existing policies were written before AI was contemplated. That is precisely the coverage ambiguity the report warns about. An agent who understands where AI exposure is accumulating is positioned to raise it at renewal, document the conversation, and steer clients toward affirmative cover where it exists. An agent who does not may find the question asked for the first time during a claim.
How courts are sorting the liability
The report’s most useful contribution for legal-minded readers is its account of where liability is actually landing as AI incidents move from theory into litigation.
- Physical harm → traditional tort and product liability. When AI-enabled systems cause bodily injury or property damage — such as autonomous vehicles, automated industrial controls, and AI-assisted medical devices — courts are applying existing negligence and product liability law.
- Financial loss → contested attribution. Pure financial losses are harder to place. Responsibility is contested among model developers, data providers, system integrators, and end users. The pattern emerging from the decisions is that accountability tends to stay with the deploying organization and its human decision-makers.
- Regulatory breach → a separate, expanding exposure. Beyond civil damages, AI-driven regulatory missteps open the door to government investigations, penalties, and expensive remediation orders.
Four ways AI risk maps to coverage
To give risk-transfer discussions a common vocabulary, the review sorts AI exposure into four categories, each tied to different liability theories and policy triggers.
- Performance risk: incorrect, biased, or unstable outputs — including “hallucinations” and “data drift,” where a model’s accuracy decays as real-world conditions diverge from its training data. Depending on context, this can become misrepresentation, negligence, professional liability, or product liability.
- Misuse risk: deepfake-enabled fraud, automated social engineering, and employee “shadow IT” — for example, leaking proprietary or client data into public consumer tools. This category tends to drive attribution disputes and to straddle cyber, crime, and liability coverage.
- Governance risk: weak testing, monitoring, documentation, and vendor management. Underwriters are focusing here because governance quality is a strong predictor of how severe and how defensible a loss might be.
- Systemic risk: correlated losses at scale. Because so many enterprises depend on a small pool of foundation models and cloud providers, a single failure or outage could trigger concurrent losses across thousands of insureds and multiple lines at once — a direct challenge to the diversification assumptions underwriting rests on.
“Silent AI” and the market’s response
The coverage story is where the report becomes most concrete for brokers. Carriers are responding to silent-AI ambiguity in two directions at once. Some are tightening exclusions and definitions to make it clear that AI-related losses are not covered; others are introducing affirmative AI coverage language to specify what is covered. The review cites the March 2026 launch of HSB’s AI Liability Insurance — designed to fill gaps where standard general liability wording may not respond cleanly to AI-related bodily injury, property damage, or AI-generated content — as an early signal of an affirmative market taking shape.
Increasingly, the report notes, underwriting itself is being tied to AI governance: insureds with documented controls, testing, and vendor-risk monitoring may see more favorable terms, while limited transparency and weak controls may affect pricing, terms, or capacity. For agents, the practical implication is that an insured’s AI governance is becoming a submission item rather than an afterthought.
The consumer-tier trap
One finding from a companion study merits mention because it directly affects agencies. In an evaluation co-conducted with Rutgers Business School’s Executive MBA team, eight leading AI assistants were put through more than 12,000 test runs across healthcare, legal, and financial prompts. None of the consumer-tier offerings met the study’s baseline “adequate” threshold for data protection: they lacked clear deletion guarantees, verifiable encryption assurances, and contractual commitments to keep submitted prompts out of future model training.
Translated for a Massachusetts agency: pasting a client’s name, address, Social Security number, or loss history into a free, consumer-grade chatbot is not a productivity shortcut — it is a potential breach of the Commonwealth’s data-security obligations, discussed below. The study’s other recurring theme, “non-determinism” (identical prompts producing different answers across runs), is a reminder that AI output is not a stable record and cannot be treated as one for compliance purposes.
The Massachusetts overlay
The Willis report describes the United States as a decentralized, “agency- and state-driven” regulatory environment. Massachusetts is a clear example. The Commonwealth has no comprehensive AI statute; its posture is enforcement-driven, built on laws already on the books.
On April 16, 2024, Attorney General Andrea Joy Campbell issued an advisory — the Advisory on the Application of the Commonwealth’s Consumer Protection, Civil Rights, and Data Privacy Laws to Artificial Intelligence — making explicit that existing Massachusetts law reaches AI just as it reaches any other conduct. Three statutory anchors stand out for the insurance community:
- Chapter 93A. The advisory, reinforced by 940 CMR 3.16, treats a range of AI conduct as unfair or deceptive — misrepresenting an AI system’s reliability, performance, or freedom from bias; supplying a system unfit for its advertised purpose; and using AI to deceive consumers. An agency’s own representations about AI-assisted services are not exempt.
- Chapter 151B. The Commonwealth’s anti-discrimination law applies to AI-driven decisions, and a 151B violation can itself constitute a 93A violation — a live concern wherever AI touches hiring, underwriting inputs, or any decision affecting a protected class.
- Chapter 93H and 201 CMR 17.00. The data-security law and its written-information-security-program regulation require reasonable safeguards for the personal information of Massachusetts residents — a standard that plainly extends to personal information run through AI tools. This is the statutory backstop to the consumer-tier problem above.
Agents should also keep the insurance-specific frameworks in view. To the extent carriers use AI in claims handling, the unfair-claim-settlement standards of Chapter 176D remain the governing yardstick regardless of whether a human or a model produced the decision. The throughline of the AG’s advisory is consistent with the Willis report: technology does not create a carve-out from long-standing legal duties.
Beneath the surface: claims, fraud and the leader-laggard gap
The report also surveys where AI is reshaping insurance operations.
In claims, carriers are using “long-document” language models to read entire claim files in seconds and shift from static rules to anticipatory triage — rescoring open files and routing likely high-severity claims to specialists before costs escalate. Fraud detection is moving from isolated transactions to network analysis that maps, for example, relationships among claimants, providers, repair shops, and intermediaries to discover possible claim fraud rings.
The cyber chapter cites IBM data indicating that fully deployed security AI cuts average breach costs by roughly a third and shortens containment, a differentiator that carriers are beginning to price into cyber underwriting.
A separate benchmarking study with the Wharton School compared AI adoption across aviation, financial services, and insurance. Its conclusion is not surprising: the gap between leaders and laggards turns not on technology budgets but on strategy, executive ownership, workforce literacy, and data governance. Organizations that layer AI tools onto poorly governed data, the report warns, mostly buy themselves more expensive errors to clean up later.
What it adds up to for an agency
The review does not prescribe a checklist, but a few practical questions follow naturally from its findings, and they are worth insurance agencies’ attention:
- Where, exactly, is AI already in use inside the agency — and is anyone verifying its output before it reaches a client or a carrier?
- What is being typed into which tools, and do those tools carry the contractual and security commitments that 93H and 201 CMR 17.00 effectively require?
- For commercial clients adopting AI, is the agency raising the silent-AI question at renewal and documenting it — and does it know which markets now offer affirmative AI cover?
- Is the agency’s own E&O carrier aware of how AI is being used, and would that use be covered by the agency’s current policy terms?
As the report puts it, the central question is no longer whether AI is used, but where reliance occurs and whether governance, controls, contracts, and coverage are aligned with the specific ways those uses can fail. For an independent agency, that use, and how well it is aligned, is both a professional liability risk and, increasingly, a client service advantage.
Report availability
AI in Action: The Road to Responsible Adoption (May 2026) is published by the Willis Research Network. The publication is available for free through WTW’s Willis Research Network insights page:
About the Willis Research Network
The Willis Research Network is a not-for-profit collaboration between science and the insurance, finance, and risk-management sector, established in 2006. Through long-term partnerships with more than 60 research organizations worldwide, it supports research aimed at improving the understanding and quantification of risk and at helping clients and society become more resilient.