Reading time: 4 minutes

A line-by-line audit of your Silent AI exposure

This week we're launching a three-part Wednesday Intelligence series called The Six-Line Silent AI Audit.

It maps the core policy lines in your financial institution's program against the AI exposures the forms were never written to address.

• Part 1 covers D&O and EPLI, where "wrongful act" definitions assume a human made the decision and algorithmic discrimination doesn't map to your form's coverage trigger.
  ​
• Part 2 covers E&O and Cyber, where the professional/product liability boundary for AI-assisted advice is unsettled in every court, and deepfake wire fraud falls between three coverage sections without triggering any of them cleanly.
  ​
• Part 3 delivers fiduciary liability, crime and FI bond, the full audit framework, the four governance documents that are moving from underwriting preferences to conditions of coverage, and what underwriters at leading FI writers are asking for at renewal. The series draws on six active cases, enforcement actions, and regulatory frameworks already shaping how carriers and courts are drawing these lines.

Three reasons to follow this series.

First, every coverage trigger in your program was written for human actors, human decisions, and human-speed fraud, and AI breaks that assumption on all six lines simultaneously. Second, carriers are not issuing blanket confirmations on open AI coverage questions, which means the coverage position your institution holds is functionally undefined until you ask and document the answer. Third, the governance documentation described in this series is becoming the dividing line in the underwriting conversation.

The institutions that arrive at renewal with it are in a materially different negotiation than those that arrive without it.
​
Prefer to listen? Check out the audio version.

The D&O situation:

Every "wrongful act" definition in your D&O form assumes a person made the decision.

That assumption runs through two of your six core policy lines. Both have active litigation now. Both have live enforcement actions on the books. Both have state regulatory frameworks arriving in 2026.

AI-washing is an enforcement action, not a theory your board can table for next year.

The SEC settled In the Matter of Delphia (USA) Inc. in 2024. The charge: misrepresenting that AI drove the firm's investment process when it did not. The agency treated those misstatements as actionable securities fraud, not marketing puffery. Dozens of AI-related securities class actions have been filed in U.S. courts since.

D&O coverage responds to securities claims. But the trigger sits in contested territory. Carriers are beginning to probe whether AI capability misstatements in investor communications represent intentional misrepresentation or negligent disclosure. The distinction matters because it determines whether the conduct exclusion applies. Most D&O programs have not been reviewed for this specific exposure, and most boards have not asked their broker whether the form responds cleanly.

The EPL piece:

The second gap is quieter and may be larger.
​
AI governance is becoming a regulatory compliance matter at the state level. The Colorado Division of Insurance, the New York Department of Financial Services, and NAIC principles on AI governance all contemplate inquiries into how institutions manage, audit, and disclose their AI systems. D&O investigation cost coverage was written for financial examinations and securities investigations.

Whether a regulatory demand letter about your AI oversight program triggers that coverage section is an open question in most forms. The institutions facing state scrutiny in 2026 will find out whether their investigation coverage extends to AI governance inquiries.

The answer should be confirmed before renewal, not discovered during a regulatory response.

Algorithmic discrimination doesn't map to your EPLI form's definition of a wrongful employment act.

EPLI forms define the coverage trigger as a "wrongful employment act." That definition was written for human decisions: a manager who discriminates, a supervisor who retaliates, an HR department that terminates without cause. Algorithmic hiring tools, AI-assisted performance evaluation systems, and automated scheduling platforms produce disparate impact outcomes without any human making a discriminatory decision.

Whether an adverse AI output constitutes a wrongful employment act by the employer is unresolved in most form language.

State statutes are compounding the problem.

NYC Local Law 144 requires bias audits for automated employment decision tools and creates individual rights of action for non-compliance. Colorado's AI Act begins phased implementation in 2026. Illinois' AI Video Interview Act follows a related but narrower structure. These statutes create governance compliance claims. A plaintiff alleging your institution used an AI hiring tool without conducting the required bias audit has a cause of action that may not trigger the wrongful employment act definition at all.

The courts are already moving.

In Mobley v. Workday, Inc., a federal court allowed claims to proceed alleging that an AI-powered hiring platform functioned as an agent of employers under federal anti-discrimination laws. EEOC guidance from 2023 and 2024 explicitly addresses AI tools under Title VII, and plaintiffs' attorneys are building cases on that framework now. Your EPLI form was written before any of this existed. The vendor who sold you the AI hiring tool capped indemnification at 12 months of fees and disclaimed the accuracy of the model's outputs in the contract.

Your organization is the named defendant. The vendor is not.

The coverage questions:

Carriers are not issuing blanket written confirmations on open AI coverage questions.

No standard D&O or EPLI form has been systematically updated to address the exposures described above. The coverage position your institution holds on AI-reliant board decisions, algorithmic discrimination claims, and AI governance regulatory inquiries is functionally undefined until you ask and document the answer.

That documentation is what you are building.

Request and document your carrier's written position on whether "wrongful acts" include decisions made in reliance on AI-generated outputs. Negotiate investigation coverage language broad enough to encompass AI governance inquiries from state regulators. Ask your carrier to confirm that AI capability disclosures are within the securities coverage grant. On the EPLI side, ask whether the form's wrongful employment act definition covers adverse outputs from AI systems, and get your carrier's response in writing.

Have legal review every AI vendor contract for indemnification caps, model output disclaimers, and IP carve-outs before renewal.

None of these are guaranteed deliverables.

Carriers are in different positions on each question, and the answers will vary by program and by writer. What you are building is a documented negotiating record and a coverage positioning argument for the claim conversation you hope never happens. The institutions that arrive at their 2026 and 2027 renewals with this work completed are in a materially different underwriting conversation than those that arrive without it.

At leading FI writers, underwriters are incorporating AI governance documentation as part of their renewal evaluation. The preparation window for your next renewal is now.

This is Part 1 of a three-part series mapping all six lines. Part 2 covers E&O and Cyber. Part 3 delivers the full audit framework, governance documentation, and what underwriters at leading FI writers are asking for at renewal.

In case you missed it:

Last week's Friday Five Boardroom Brief covered one topic across all three articles: Silent AI. If you haven't read it, that brief is the primer for everything in this series.

The short version...Silent AI refers to AI-driven risks that are neither explicitly included nor excluded in your current program. According to data from Testudo, AI-related lawsuits surged 978% between 2021 and 2025, and most of the policies covering those defendants never mention the word AI.

Unlike silent cyber, which was a discrete new peril that could be surgically excluded, silent AI amplifies existing traditional risks across all six of your core policy lines simultaneously. Broad exclusions don't solve it. The brief defined the problem, mapped where the coverage cliff is forming line by line, and surveyed the standalone AI liability products now entering the market.

This Wednesday Intelligence series is the line-by-line audit that brief called for. If you want the vocabulary before the deep dive, start there. Read it here, or listen to it here.

Stay Covered Everybody,

TASH & FLIP
​​
P.S. Want to share this edition via text, email or social media? Simply copy-and-paste the link below:

​http://lionspecialty.ck.page/we-audited-six-policy-lines-for-silent-ai-gaps-every-definition-assumed-a-human

And if this briefing was forwarded to you, subscribe directly here.
​