Key Takeaways

• AI tools are being used across businesses, often informally, invisibly, and without clear ownership.

• The biggest risks aren’t in the code, they’re in the assumptions people make about what AI is doing, and how accurate or reliable it is.

• Liability can arise from decisions or documents shaped by AI, even when the business didn’t build the tool or approve its use.

• Insurers are starting to treat unmanaged AI use as a signal of poor operational control.

• Businesses don’t need to slow down, but they do need visibility, review processes, and basic governance in place.

A Quiet Shift

AI didn’t enter most businesses through the front door. It showed up gradually—embedded in writing assistants, analytics dashboards, CRM plug-ins, and slide deck generators. Often, these tools were adopted by individual teams without legal, risk, or leadership ever signing off.

Now those tools are shaping client proposals, investor presentations, pricing decisions, and even legal advice.

The risks aren’t always obvious. You didn’t build the model. You didn’t even know someone was using it. But if the output is wrong, or the information is fabricated, the liability still sits with you.

This article isn’t about what AI can do. It’s about what people assume it’s done—and what happens when those assumptions go unchecked.

So where are the exposure points that matter most?

Shadow AI

Many teams are using AI tools without going through procurement, legal, or security channels. A 2024 Cisco report found that nearly 70% of employees globally admitted to using generative AI tools at work without formal approval. The risks here aren’t just about data leakage or copyright infringement—they’re about loss of control. If something goes wrong, the company—not the tool—is usually held accountable.

✅ What to do:

Start by mapping your AI exposure. What tools are being used, by whom, and for what purpose? Shadow tools, plug-ins, and browser extensions rarely show up on risk registers, but they’re increasingly shaping what your business says, decides, and delivers.

Accidental Overpromises

AI-generated content is making its way into pitch decks, marketing materials, sales proposals, and even client deliverables, often without anyone reviewing it properly. The problem isn’t just tone or polish. It’s accuracy. If that output includes errors, outdated assumptions, or fabricated information, the liability still sits with you, and it may trigger a professional indemnity or E&O claim if advice is relied upon.

This isn’t theoretical. In January 2024, a New York-based law firm was sanctioned for submitting a court filing that included six fictitious legal cases—all generated by ChatGPT—which the lawyers had assumed were real.

In most businesses, the stakes may not be legal sanctions, but the same pattern applies. That creates risk—especially in sectors like consulting, finance, law, and professional services, where clients rely on your advice to make decisions.

It’s not just about what you claim. It’s about what your clients, customers, or stakeholders assume you’ve validated.

✅ What to do:

Treat AI-generated outputs as unverified drafts. Build human review into your workflows and be clear about when AI has been used — especially for anything client-facing or contractual. If the information’s wrong, the liability won’t fall on the tool.

Ownership and IP Ambiguity

Many generative tools are built on training data that may contain copyrighted content. If you’re creating commercial outputs—ads, code, strategies, reports—there’s a risk that someone, somewhere, will challenge the originality or ownership of the material.

A high-profile case in 2024 involved Getty Images suing Stability AI in the UK, alleging unauthorised use of its copyrighted images in training datasets. The suit is ongoing, but it’s already shaping how legal teams and insurers view generative tools in creative workflows.

✅ What to do:

Make sure your contracts with vendors and contractors clarify who owns outputs generated with AI. Avoid tools that can’t provide clarity on how their models are trained.

Algorithmic Accountability

From recruitment screeners and pricing engines to workflow automations and customer sentiment scoring, AI tools are increasingly being used to support decision-making. Many of these tools are embedded in off-the-shelf platforms, with little visibility into how they reach their conclusions.

That becomes a problem when decisions need to be explained—to customers, regulators, or insurers.

In April 2024, the Dutch government fined a financial institution €2.1 million for relying on an AI-driven credit model that disproportionately penalised certain applicants. The issue wasn’t just bias, it was the institution’s inability to explain how the model worked.

The same risk exists in any business using third-party tools to make or inform decisions. If you can’t explain why a candidate was filtered out, a client charged more, or a customer complaint prioritised differently, you may struggle to defend that outcome.

✅ What to do:

Ask vendors how their tools reach decisions. Prioritise systems that offer explainability and documentation. Internally, make sure someone is responsible for understanding what the tool is doing, not just whether it’s working.

AI Exposure: A Quick Health Check

Ask yourself:

1. Do you know which AI tools are in use across your business?
   ☐ Yes — we've mapped both approved and unofficial tools
   ☐ Partially — we track formal tools, but shadow use is likely
   ☐ No — we haven’t looked into it yet
   

2. Is there human review in place for AI-generated content or decisions?
   ☐ Yes — anything client-facing or high-stakes is checked
   ☐ Sometimes — depends on the team
   ☐ No — AI outputs are often treated as final
   

3. Do your vendor contracts address AI-specific risks?
   ☐ Yes — they cover IP, liability, and model transparency
   ☐ Partially — some references, but no consistency
   ☐ No — we haven’t updated contract language yet
   

4. Could someone explain how AI-influenced decisions are made in your business?
   ☐ Yes — we document model logic or vendor rationale
   ☐ Somewhat — we rely on vendors to explain it
   ☐ No — we assume it’s working and leave it at that
   

5. Do employees have clear guidance on how and when to use AI?
   ☐ Yes — we have a simple, accessible internal policy
   ☐ Informally — some teams have their own rules
   ☐ No — we haven’t put anything in writing

Insurance Is Waking Up to AI Risk

Insurers are starting to factor AI into how they price, underwrite, and limit liability across multiple lines of cover. Not through standalone AI policies (yet), but through tighter scrutiny of how AI affects existing risks.

In March 2024, Beazley issued updated cyber underwriting guidelines that flagged generative AI tools as potential “data leakage vectors,” prompting stricter controls on third-party SaaS usage. Around the same time, AIG warned in its Q1 market bulletin that failure to monitor or document AI decision-making could affect coverage under professional indemnity and tech E&O.

Some carriers have already begun adding exclusions for claims arising from AI-generated outputs where explainability or documentation is lacking. Others are quietly asking for more disclosure: how tools are used, where data goes, what contractual protections exist.

Expect tighter definitions, narrower triggers, and sharper questions at renewal.

🔍 What underwriters are looking for:

• Proof of human review or oversight in AI-assisted work

• Clear IP ownership of AI-generated outputs

• Internal policies that guide AI use

• Documented incident response plans that include AI-generated errors or hallucinations

Most businesses aren’t buying AI-specific cover — but the way you use AI still affects the policies you already have:

• Professional Indemnity / E&O: faulty advice or deliverables shaped by AI outputs

• Cyber: unauthorised tools creating exposure to data breaches or model injection

• D&O: failure to disclose or manage AI-related risk as part of governance

This doesn’t mean AI makes your business uninsurable. But it does mean that poorly governed AI can push you into higher-risk categories or create grey areas that slow down claims.

The Path Forward

No one expects a small business to have a full-time AI ethicist. But investors, partners, and insurers do expect clarity on how AI is being used, monitored, and governed across your business.

Innovation isn’t the risk. It’s what happens when you move fast without knowing where your exposures are. The companies getting this right aren’t slowing down, they’re just getting smarter about how they build.

The most forward-looking businesses aren’t just playing with AI—they’re pressure-testing it, documenting it, and building safeguards into its everyday use. Because in the end, how you govern AI is becoming a proxy for how you govern everything else.