{
  "meta": {
    "title": "European AI Risk Index 2026",
    "publisher": "Future Proof Intelligence",
    "version": "1.0",
    "date_published": "2026-06-13",
    "date_modified": "2026-06-13",
    "description": "Machine-readable companion to the European AI Risk Index 2026. Structured data covering EU AI Act obligation deadlines, the seven agent risk dimensions, the liability case record, and the current state of the AI liability insurance market.",
    "jurisdiction": "European Union",
    "language": "en-GB",
    "license": "https://creativecommons.org/licenses/by-nc/4.0/",
    "legal_notice": "This is a methodology and assessment framework published by Future Proof Intelligence. It is not a government accredited certification body, a licensed insurance provider, or an official EU registry. It is an independent evaluation intended to support organisational risk management and third party due diligence. Consult qualified professionals before making compliance, procurement, or coverage decisions based on it."
  },

  "deadlines": [
    {
      "id": "DL-001",
      "date": "2024-08-01",
      "label": "EU AI Act enters into force",
      "instrument": "Regulation (EU) 2024/1689",
      "source": "OJ L, 12 July 2024",
      "omnibus_affected": false
    },
    {
      "id": "DL-002",
      "date": "2025-02-02",
      "label": "Art. 5 prohibited practices enforceable. Art. 4 AI literacy obligation applies.",
      "instrument": "Regulation (EU) 2024/1689, Articles 4 and 5",
      "source": "OJ L, 12 July 2024",
      "omnibus_affected": false
    },
    {
      "id": "DL-003",
      "date": "2025-08-02",
      "label": "Art. 53 and 55 GPAI obligations apply. Governance framework, AI Office mandate, and penalty regime operational.",
      "instrument": "Regulation (EU) 2024/1689, Articles 53 and 55",
      "source": "OJ L, 12 July 2024",
      "omnibus_affected": false
    },
    {
      "id": "DL-004",
      "date": "2026-08-02",
      "label": "Original enforcement date for Annex III high-risk obligations (Art. 6, 8 to 15, 26, 27, 43, 50, 72, 73). Provisionally deferred to 2027-12-02 under Digital Omnibus agreement of 7 May 2026. Formal OJ publication not yet confirmed as of 2026-06-13.",
      "instrument": "Regulation (EU) 2024/1689, Articles 6 and 8 to 15",
      "source": "OJ L, 12 July 2024; Digital Omnibus provisional agreement 7 May 2026",
      "omnibus_affected": true,
      "omnibus_revised_date": "2027-12-02",
      "omnibus_status": "Provisional political agreement reached 7 May 2026. Formal adoption and OJ publication pending as of 2026-06-13. Original 2026-08-02 date remains legally binding until formal publication."
    },
    {
      "id": "DL-005",
      "date": "2026-08-02",
      "label": "Art. 50 transparency to natural persons. Not deferred by Omnibus. Chatbot and conversational AI deployers must disclose AI interaction.",
      "instrument": "Regulation (EU) 2024/1689, Article 50",
      "source": "OJ L, 12 July 2024",
      "omnibus_affected": false
    },
    {
      "id": "DL-006",
      "date": "2026-12-09",
      "label": "Directive (EU) 2024/2853 (revised Product Liability Directive) transposition deadline. Applies to products placed on the market after this date. AI software is explicitly a product.",
      "instrument": "Directive (EU) 2024/2853",
      "source": "OJ, 18 November 2024",
      "omnibus_affected": false
    },
    {
      "id": "DL-007",
      "date": "2027-08-02",
      "label": "Original enforcement date for Annex I high-risk obligations (AI embedded in regulated products under Union harmonisation legislation). Provisionally deferred to 2028-08-02 under Digital Omnibus. Same OJ publication caveat as DL-004.",
      "instrument": "Regulation (EU) 2024/1689, Article 6(1) and Annex I",
      "source": "OJ L, 12 July 2024",
      "omnibus_affected": true,
      "omnibus_revised_date": "2028-08-02",
      "omnibus_status": "Same Omnibus provisional agreement. Formal publication pending."
    }
  ],

  "obligations": [
    {
      "id": "OBL-001",
      "label": "Prohibited practices",
      "article": "Art. 5, Regulation (EU) 2024/1689",
      "who_binds": "Both",
      "date": "2025-02-02",
      "penalty_ceiling": "EUR 35 million or 7% of worldwide annual turnover",
      "prohibited_categories": [
        "Subliminal manipulation below conscious awareness causing harm",
        "Exploitation of vulnerabilities of specific groups causing harm",
        "Social scoring by public authorities",
        "Real-time remote biometric identification in public spaces by law enforcement except three authorised purposes",
        "Post-hoc remote biometric identification except specific exemptions",
        "Biometric categorisation inferring sensitive attributes from biometric data",
        "Emotion recognition in workplaces and educational institutions",
        "Untargeted scraping of facial images to build recognition databases"
      ],
      "evidence": [
        "Written product and deployment inventory confirming no system falls within any Art. 5 category",
        "Documented screening process applied to any new AI procurement before deployment",
        "Legal review sign-off on any biometric-adjacent use case"
      ],
      "source": "ref:1"
    },
    {
      "id": "OBL-002",
      "label": "AI literacy",
      "article": "Art. 4, Regulation (EU) 2024/1689",
      "who_binds": "Both",
      "date": "2025-02-02",
      "penalty_ceiling": "No direct financial penalty in isolation; underlying obligation breach triggers Art. 99",
      "evidence": [
        "Training log showing who received AI literacy instruction and when",
        "Role-differentiated curriculum covering front-line users, supervisors, technical staff, senior management",
        "Records of contractors covered under the programme",
        "Evidence of periodic refresh as systems change"
      ],
      "source": "ref:1"
    },
    {
      "id": "OBL-003",
      "label": "Risk management system",
      "article": "Art. 9, Regulation (EU) 2024/1689",
      "who_binds": "Provider",
      "date": "2026-08-02",
      "omnibus_provisional_date": "2027-12-02",
      "penalty_ceiling": "EUR 15 million or 3% of worldwide annual turnover",
      "evidence": [
        "Written risk management plan covering the system full lifecycle",
        "Risk register identifying each known and foreseeable risk with likelihood and mitigation",
        "Minutes showing the risk management system was reviewed and updated after material change",
        "Evidence the system was not deployed until residual risks were judged acceptable"
      ],
      "source": "ref:1"
    },
    {
      "id": "OBL-004",
      "label": "Technical documentation",
      "article": "Art. 11 and Annex IV, Regulation (EU) 2024/1689",
      "who_binds": "Provider",
      "date": "2026-08-02",
      "omnibus_provisional_date": "2027-12-02",
      "penalty_ceiling": "EUR 15 million or 3% of worldwide annual turnover",
      "annex_iv_elements": [
        "General description and intended purpose",
        "System components, development process, and design choices",
        "Training, testing, and validation datasets with origin and quality measures",
        "Human oversight measures",
        "Pre-determined performance metrics and testing results",
        "Known or foreseeable risks and measures taken",
        "Post-market monitoring plan"
      ],
      "evidence": [
        "Complete Annex IV documentation package for each high-risk AI system",
        "Version control records showing documentation is current",
        "Confirmation that documentation was prepared before deployment"
      ],
      "source": "ref:1"
    },
    {
      "id": "OBL-005",
      "label": "Transparency to deployers",
      "article": "Art. 13, Regulation (EU) 2024/1689",
      "who_binds": "Provider",
      "date": "2026-08-02",
      "omnibus_provisional_date": "2027-12-02",
      "penalty_ceiling": "EUR 15 million or 3% of worldwide annual turnover",
      "evidence": [
        "Instructions for use or deployment guidance document provided before deployment",
        "Confirmation the document addresses each Art. 13(3) element",
        "Audit trail showing deployers received and acknowledged the documentation"
      ],
      "source": "ref:1"
    },
    {
      "id": "OBL-006",
      "label": "Human oversight design",
      "article": "Art. 14, Regulation (EU) 2024/1689",
      "who_binds": "Provider (design); Deployer (operational duties under OBL-009)",
      "date": "2026-08-02",
      "omnibus_provisional_date": "2027-12-02",
      "penalty_ceiling": "EUR 15 million or 3% of worldwide annual turnover",
      "evidence": [
        "Product design documentation showing how Art. 14 requirements are implemented",
        "Test results demonstrating oversight interface works as specified",
        "Confirmation the system includes a halt or override mechanism"
      ],
      "source": "ref:1"
    },
    {
      "id": "OBL-007",
      "label": "Accuracy, robustness, and cybersecurity",
      "article": "Art. 15, Regulation (EU) 2024/1689",
      "who_binds": "Provider",
      "date": "2026-08-02",
      "omnibus_provisional_date": "2027-12-02",
      "penalty_ceiling": "EUR 15 million or 3% of worldwide annual turnover",
      "evidence": [
        "Accuracy and robustness benchmarks from pre-deployment testing",
        "Adversarial testing results or red-team exercise records",
        "Cybersecurity assessment or penetration testing report",
        "Fallback plan documentation",
        "Records showing system was retested after any significant update"
      ],
      "source": "ref:1"
    },
    {
      "id": "OBL-008",
      "label": "Conformity assessment",
      "article": "Art. 43, Regulation (EU) 2024/1689",
      "who_binds": "Provider",
      "date": "2026-08-02",
      "omnibus_provisional_date": "2027-12-02",
      "penalty_ceiling": "EUR 15 million or 3% of worldwide annual turnover",
      "routes": [
        "Internal control (Annex VI) for most Annex III use cases",
        "Third-party assessment by notified body (Annex VII) for biometric systems in Annex III point 1 and certain cases where harmonised standards not fully applied"
      ],
      "evidence": [
        "Completed conformity assessment file",
        "EU Declaration of Conformity signed by an authorised representative",
        "CE marking applied",
        "Notified body certificate where third-party route was required"
      ],
      "source": "ref:1"
    },
    {
      "id": "OBL-009",
      "label": "Deployer operational obligations",
      "article": "Art. 26, Regulation (EU) 2024/1689",
      "who_binds": "Deployer",
      "date": "2026-08-02",
      "omnibus_provisional_date": "2027-12-02",
      "penalty_ceiling": "EUR 15 million or 3% of worldwide annual turnover",
      "sub_obligations": [
        "Use system within provider instructions (Art. 26(1))",
        "Assign human oversight to competent natural persons with authority to exercise it (Art. 26(2))",
        "Verify input data is relevant and representative (Art. 26(4))",
        "Monitor operation, report serious incidents, suspend use where risk identified (Art. 26(5))",
        "Retain automatically generated logs for at least six months (Art. 26(6))",
        "Inform worker representatives and workers in employment contexts (Art. 26(7))",
        "For public authority deployers: register in EU database before deployment (Art. 26(8))"
      ],
      "note": "None of these obligations are delegable through contract.",
      "evidence": [
        "Written deployment policy referencing provider instructions",
        "Job description for named human oversight function with evidence of training and halt authority",
        "Input data governance procedure",
        "Incident management log",
        "Log retention policy with evidence of six-month minimum retention",
        "Worker notification records for employment deployments",
        "EU database registration confirmation for public authority deployers"
      ],
      "source": "ref:1"
    },
    {
      "id": "OBL-010",
      "label": "Deployer reclassification as provider",
      "article": "Art. 25, Regulation (EU) 2024/1689",
      "who_binds": "Deployer (who becomes Provider on trigger)",
      "date": "2026-08-02",
      "omnibus_provisional_date": "2027-12-02",
      "reclassification_triggers": [
        "Placing own name or trademark on a high-risk AI system already on the market",
        "Making a substantial modification to a high-risk AI system not foreseen in the original conformity assessment",
        "Modifying the intended purpose of a non-high-risk system causing it to become high-risk"
      ],
      "practical_note": "Prompt-layer customisation, retrieval augmentation, fine-tuning, or system integration can trigger reclassification depending on the scale of modification.",
      "evidence": [
        "Change management policy triggering reclassification assessment before significant modifications",
        "Legal assessment confirming use remains within original provider conformity scope",
        "Records of reclassification decisions and resulting compliance steps"
      ],
      "source": "ref:1"
    },
    {
      "id": "OBL-011",
      "label": "Fundamental rights impact assessment",
      "article": "Art. 27, Regulation (EU) 2024/1689",
      "who_binds": "Deployer (specific subset: public bodies, private operators providing public services, deployers of Annex III points 1, 2, 3, 5a, 6, 7, and 8 systems)",
      "date": "2026-08-02",
      "omnibus_provisional_date": "2027-12-02",
      "fria_required_content": [
        "Description of deployment process and use case",
        "Categories of natural persons likely affected",
        "Specific risks of harm to those persons including to fundamental rights",
        "Human oversight measures and persons responsible",
        "Mitigation plan if risks materialise"
      ],
      "enforcement_note": "National DPAs have signalled FRIA is the first document requested in an enforcement inquiry.",
      "evidence": [
        "Completed FRIA for each in-scope deployment",
        "Version history showing FRIA is reviewed and updated",
        "Evidence FRIA was completed before first deployment",
        "Confirmation of who holds responsibility for maintaining the FRIA"
      ],
      "source": "ref:1"
    },
    {
      "id": "OBL-012",
      "label": "Transparency to natural persons",
      "article": "Art. 50, Regulation (EU) 2024/1689",
      "who_binds": "Both",
      "date": "2026-08-02",
      "omnibus_affected": false,
      "penalty_ceiling": "EUR 15 million or 3% of worldwide annual turnover",
      "requirements": [
        "Chatbot and conversational AI deployers must disclose AI interaction to users unless obvious from context (Art. 50(1))",
        "Providers of emotion recognition and biometric categorisation must design systems to inform operators (Art. 50(2) and (3))",
        "Providers of systems generating synthetic content must ensure machine-readable marking or watermarking where technically feasible (Art. 50(4) and (5))",
        "Natural persons depicted in synthetic content must be informed unless use is legitimate artistic or satirical purpose with disclosure"
      ],
      "evidence": [
        "Disclosure notice or mechanism in every chatbot or agent-facing interface",
        "Technical specification confirming AI-generated outputs are watermarked where required",
        "Deep fake and synthetic media policy covering when disclosure is triggered",
        "Records showing disclosure notices were present at time of user interaction"
      ],
      "source": "ref:1"
    },
    {
      "id": "OBL-013",
      "label": "Post-market monitoring",
      "article": "Art. 72, Regulation (EU) 2024/1689",
      "who_binds": "Provider (primary); Deployer must cooperate and share relevant data",
      "date": "2026-08-02",
      "omnibus_provisional_date": "2027-12-02",
      "evidence": [
        "Post-market monitoring plan as part of Annex IV technical documentation",
        "Evidence monitoring data is collected and reviewed on a regular schedule",
        "Records showing monitoring findings feed back into risk management",
        "Log of corrective actions triggered by monitoring"
      ],
      "source": "ref:1"
    },
    {
      "id": "OBL-014",
      "label": "Serious incident reporting",
      "article": "Art. 73, Regulation (EU) 2024/1689",
      "who_binds": "Provider (primary); Deployer must notify provider immediately on awareness (Art. 26(5))",
      "date": "2026-08-02",
      "omnibus_provisional_date": "2027-12-02",
      "reporting_timeline": "No later than 15 days after establishing a causal link or reasonable likelihood",
      "serious_incident_definition": "An incident that directly or indirectly leads to or may plausibly lead to the death of a person, serious damage to health, or significant disruption to services of critical importance (Art. 3(49))",
      "evidence": [
        "Incident management policy with defined escalation path from deployer to provider to market surveillance authority",
        "Incident log covering all operational issues assessed against the serious incident definition",
        "Records of statutory notifications including date, authority notified, and incident description",
        "Evidence that deployer-to-provider notification occurs promptly upon detection"
      ],
      "source": "ref:1"
    },
    {
      "id": "OBL-015",
      "label": "GPAI baseline obligations",
      "article": "Art. 53, Regulation (EU) 2024/1689",
      "who_binds": "Provider of a GPAI model",
      "date": "2025-08-02",
      "four_baseline_obligations": [
        "Prepare and maintain technical documentation (Annex XI)",
        "Provide downstream providers with documentation on capabilities and limitations (Annex XII)",
        "Establish and implement a copyright policy compliant with Directive (EU) 2019/790",
        "Publish a training data summary using the AI Office template"
      ],
      "gpai_code_of_practice": "AI Office published the final GPAI Code of Practice on 10 July 2025. Three chapters: Transparency, Copyright, Safety and Security. Compliance creates a presumption of Art. 53 conformity.",
      "evidence": [
        "Annex XI technical documentation, current and versioned",
        "Annex XII downstream-provider information package",
        "Copyright policy document and evidence of implementation",
        "Training data summary published on provider website or AI Office registry",
        "Code of Practice sign-on or equivalent compliance mapping"
      ],
      "source": "ref:1"
    },
    {
      "id": "OBL-016",
      "label": "GPAI systemic risk obligations",
      "article": "Art. 55, Regulation (EU) 2024/1689",
      "who_binds": "Provider of a GPAI model with systemic risk",
      "date": "2025-08-02",
      "systemic_risk_threshold": "Cumulative training computation exceeding 10^25 floating-point operations, or AI Office designation based on qualitative capability assessment",
      "five_obligations": [
        "Perform model evaluation including adversarial testing against standardised protocols",
        "Assess and mitigate systemic risks including downstream misuse risks",
        "Report serious incidents to AI Office and national competent authorities immediately after establishing a causal link",
        "Adopt corrective measures proportionate to identified risks",
        "Implement and maintain cybersecurity protections proportionate to risks"
      ],
      "evidence": [
        "Model evaluation reports including red-team exercise records",
        "Systemic risk assessment document and mitigation plan",
        "Serious incident log and statutory notification records to AI Office",
        "Cybersecurity assessment specific to model and infrastructure",
        "Sign-on to GPAI Code of Practice Chapter 3 (Safety and Security)"
      ],
      "source": "ref:1"
    },
    {
      "id": "OBL-017",
      "label": "Product liability",
      "article": "Directive (EU) 2024/2853",
      "who_binds": "Manufacturers, importers, authorised representatives, and deployers who substantially modify a product",
      "date": "2026-12-09",
      "key_changes": [
        "Software including AI software is explicitly defined as a product",
        "Digital manufacturing files and updates are covered",
        "Burden of proof is reversed: defendant must demonstrate product was not defective",
        "Confidentiality claims cannot obstruct claimant access to evidence",
        "Defective definition can encompass failure to provide mandatory security updates"
      ],
      "expanded_damage_categories": [
        "Destruction or corruption of data",
        "Medically recognised psychological harm",
        "Physical damage and property damage retained from the 1985 regime"
      ],
      "interaction_with_ai_act": "AI Act compliance is strong but not conclusive evidence of non-defectiveness. Documented conformity assessment, risk management system, and post-market monitoring plan are the primary factual record for a defendant.",
      "evidence": [
        "Product safety documentation for every AI-enabled product placed on the market",
        "Evidence that mandatory software updates are planned, communicated, and delivered",
        "Documentation policy ensuring technical records are retained for duration of potential claims",
        "Legal assessment confirming the product definition analysis"
      ],
      "source": "ref:2"
    }
  ],

  "penalty_tiers": [
    {
      "id": "PEN-001",
      "infringement": "Art. 5 prohibited practices",
      "ceiling": "EUR 35 million or 7% of worldwide annual turnover",
      "article": "Art. 99(3), Regulation (EU) 2024/1689",
      "source": "ref:1"
    },
    {
      "id": "PEN-002",
      "infringement": "High-risk and GPAI obligation breaches (Art. 26 deployer duties, Art. 53, 55, etc.)",
      "ceiling": "EUR 15 million or 3% of worldwide annual turnover",
      "article": "Art. 99(2), Regulation (EU) 2024/1689",
      "source": "ref:1"
    },
    {
      "id": "PEN-003",
      "infringement": "Incorrect, incomplete, or misleading information to notified bodies or competent authorities",
      "ceiling": "EUR 7.5 million or 1% of worldwide annual turnover",
      "article": "Art. 99(4), Regulation (EU) 2024/1689",
      "source": "ref:1"
    },
    {
      "id": "PEN-004",
      "infringement": "SME and start-up proportionality",
      "note": "Art. 99(6) requires supervisors to set penalties with regard to economic viability of small operators",
      "article": "Art. 99(6), Regulation (EU) 2024/1689",
      "source": "ref:1"
    }
  ],

  "dimensions": [
    {
      "id": "D1",
      "name": "Trust and Safety",
      "weight": 18,
      "standing": "Highest",
      "definition": "The measurable prevention of unsafe, unauthorised, or harmful actions by the agent in production, and the discipline with which unsafe outputs are detected, contained, and remediated.",
      "failure_modes": [
        "Treating model-level content filters as equivalent to organisation-level guardrails",
        "Red team exercises conducted once at launch with no subsequent cadence",
        "Kill switches that require engineering access to activate, rendering them inaccessible in time-critical events"
      ],
      "evidence_artifact": "A dated red team exercise report with findings tracked to a remediation register, paired with a verified kill switch access record showing non-engineering staff can trigger it.",
      "ai_act_article": "Art. 15 (accuracy, robustness, cybersecurity), with Art. 9 (risk management) and Art. 14 (human oversight)",
      "underwriting_line": "Catastrophic-loss line: high-frequency adversarial probing against uncapped severity",
      "insurer_gaps_closed": ["Verification gap", "Governance gap (secondary)"],
      "nist_ai_rmf": ["Govern 1.1", "Manage 4.1", "Manage 4.2"],
      "iso_42001": ["Clause 8.4", "Annex A.6"],
      "source": "ref:3"
    },
    {
      "id": "D2",
      "name": "Context Integrity",
      "weight": 14,
      "definition": "The quality of the information the agent reasons over, covering provenance, freshness, lineage, and the controls that prevent poisoned, stale, or unauthorised data entering the agent's working memory or retrieval pipeline.",
      "failure_modes": [
        "Retrieval pipelines where document origin is not recorded, preventing attribution of erroneous outputs",
        "Live data sources with no freshness checks, leading the agent to present outdated information as current",
        "User-supplied context passed directly into retrieval or reasoning without sanitisation, enabling indirect prompt injection"
      ],
      "evidence_artifact": "An end-to-end data lineage diagram from source to reasoning output, under version control, with evidence of automated staleness alerting in production.",
      "ai_act_article": "Art. 10 (data and data governance)",
      "underwriting_line": "Hidden-liability line: routine hallucination and rising indirect-injection risk against quietly severe wrong-decision loss",
      "insurer_gaps_closed": ["Verification gap", "Standards gap"],
      "nist_ai_rmf": ["Map 1.6", "Map 3.1", "Govern 6.1"],
      "iso_42001": ["Annex A.7"],
      "source": "ref:3"
    },
    {
      "id": "D3",
      "name": "Distribution Control",
      "weight": 12,
      "definition": "The controls that determine who can invoke the agent, under what authority, and how its downstream actions are bounded. It is where identity, authorisation, and blast radius meet.",
      "failure_modes": [
        "API keys shared across multiple callers, preventing attribution of misuse to an individual",
        "Development agent instances with production-level tool access",
        "Blast radius assessed only in theory, never tested against actual tool behaviour under adversarial conditions"
      ],
      "evidence_artifact": "A per-tool blast radius assessment with maximum impact quantified, backed by role-based access control mapped to the organisation's identity provider and per-caller spend and quota limits.",
      "ai_act_article": "Art. 26 (obligations of deployers)",
      "underwriting_line": "Blast-radius line: common access misconfiguration against tail severity bounded only by the most consequential reachable tool",
      "insurer_gaps_closed": ["Liability chain gap", "European data gap"],
      "nist_ai_rmf": ["Govern 1.7", "Map 2.2"],
      "iso_42001": ["Annex A.9"],
      "source": "ref:3"
    },
    {
      "id": "D4",
      "name": "Product Maturity",
      "weight": 14,
      "definition": "The degree to which the agent behaves as a production-grade system rather than a prototype, covering reliability, regression discipline, evaluation coverage, and the engineering practices that keep behaviour predictable over time.",
      "failure_modes": [
        "Prompt versioning absent despite code versioning being in place, so the most consequential configuration variable is uncontrolled",
        "Regression suites that test only happy-path scenarios, missing edge and adversarial cases",
        "Model upgrades applied automatically by the provider without triggering an operator-side regression run"
      ],
      "evidence_artifact": "A version history for prompts, model configuration, and tool definitions with change attribution, paired with a regression evaluation suite specification (test count, coverage rationale, run frequency) that runs on every change.",
      "ai_act_article": "Art. 15 (accuracy, robustness, cybersecurity), with Art. 12 (record-keeping)",
      "underwriting_line": "Drift line: near-certain configuration drift against the exposure that the system at claim is not the system at bind",
      "insurer_gaps_closed": ["Verification gap", "Standards gap"],
      "nist_ai_rmf": ["Measure 1.1", "Measure 2.5", "Manage 2.2"],
      "iso_42001": ["Clause 9.1", "Annex A.6"],
      "source": "ref:3"
    },
    {
      "id": "D5",
      "name": "Governance",
      "weight": 16,
      "standing": "Second",
      "definition": "The institutional scaffolding around the agent. The evidence that the agent is known to the board, owned by a named accountable senior role, policed by documented policy, and logged in a way that will survive an audit.",
      "failure_modes": [
        "Accountability assigned to the team that built the agent rather than to a senior business owner",
        "AI risk policy written at a generic level that does not address autonomous agent behaviour specifically",
        "Audit trails that capture outputs but not reasoning steps, making root cause analysis impossible"
      ],
      "evidence_artifact": "Board or risk-committee minutes from the prior twelve months referencing the agent or AI risk category, alongside a risk register extract showing the agent as a live entry with a named owner.",
      "ai_act_article": "Art. 9 (risk management system), with Art. 27 (deployer obligations) and Art. 12 (record-keeping)",
      "underwriting_line": "Survivability line: prevalent weak governance against high second-order severity (decides whether a claim is defensible)",
      "insurer_gaps_closed": ["Governance gap", "Liability chain gap"],
      "nist_ai_rmf": ["Govern 1.1", "Govern 1.2", "Govern 4.1", "Govern 5.1"],
      "iso_42001": ["Clause 5", "Clause 6", "Annex A.2"],
      "source": "ref:3"
    },
    {
      "id": "D6",
      "name": "AI Integration",
      "weight": 12,
      "definition": "How the agent sits inside the organisation's existing systems of record, identity, approval, and escalation. Integration maturity determines whether the agent extends institutional memory or bypasses it.",
      "failure_modes": [
        "Agent actions written to a proprietary log that is inaccessible to the compliance or risk function",
        "Escalation paths that route to generic email addresses, producing no named accountability",
        "Identity propagation that collapses at the API boundary, so all downstream systems see one service identity"
      ],
      "evidence_artifact": "A sample audit trail extract from a real agent-initiated action showing end-to-end attribution (agent identity, timestamp, action provenance) co-located in the organisation's centralised observability stack.",
      "ai_act_article": "Art. 14 (human oversight), with Art. 26 (deployer obligations)",
      "underwriting_line": "Attribution line: common shadow integration against severity landing at the moment of claim where no evidence trail means no defence",
      "insurer_gaps_closed": ["Liability chain gap", "Verification gap"],
      "nist_ai_rmf": ["Govern 6.2", "Measure 4.1", "Manage 3.1"],
      "iso_42001": ["Annex A.8", "Annex A.9"],
      "source": "ref:3"
    },
    {
      "id": "D7",
      "name": "Autonomy Envelope",
      "weight": 14,
      "standing": "Critical",
      "definition": "The explicit, documented boundary between what the agent may do without human confirmation and what requires a human in the loop. It is the single clearest determinant of the agent's operational risk profile and the first element insurers and regulators examine.",
      "failure_modes": [
        "Autonomy policy written at a high level of abstraction that does not map to actual tool capabilities, making it unenforceable",
        "Human-in-the-loop thresholds set at levels of convenience rather than impact, allowing consequential actions to proceed without review",
        "Revocation documented but requiring engineering access, making it inaccessible during an out-of-hours incident"
      ],
      "evidence_artifact": "A written Autonomy Envelope policy classifying every action class the agent can take as fully autonomous, threshold-gated, or permanently prohibited, with technical enforcement evidence and a dated quarterly sign-off from the named accountable owner.",
      "ai_act_article": "Art. 14 (human oversight measures), with Art. 26 (deployer obligations)",
      "underwriting_line": "PML line: live boundary-breach risk where the envelope is unenforced, against open-ended unilateral severity. The closest available proxy for probable maximum loss.",
      "insurer_gaps_closed": ["Verification gap", "Standards gap", "Enables PML calculation"],
      "nist_ai_rmf": ["Govern 1.4", "Govern 1.5", "Manage 1.3", "Manage 4.1"],
      "iso_42001": ["Annex A.8"],
      "source": "ref:3"
    }
  ],

  "scoring": {
    "formula": "Overall score = (sum of (raw_dimension x weight_dimension) / 1000) x 100, rounded to nearest integer",
    "max_weighted_total": 1000,
    "scale_per_dimension": "0 to 10 (integers)",
    "floor_rule": "Each tier sets a minimum raw score on every dimension. An agent whose weighted total reaches a tier but whose raw score on any dimension is below that tier's floor is capped at the tier below until the floor is met.",
    "tiers": [
      {
        "id": "TIER-001",
        "name": "Elite",
        "score_range": "75 to 100",
        "dimension_floor": 8,
        "insurability": "Preferred risk. Every dimension floored at 8. Controls are tested and effective, governance is embedded in enterprise risk management, and the Autonomy Envelope is reviewed quarterly. PML is bounded and documented.",
        "mark_awarded": true
      },
      {
        "id": "TIER-002",
        "name": "Advanced",
        "score_range": "55 to 74",
        "dimension_floor": 6,
        "insurability": "Standard, accept. Every dimension floored at 6. Foundational controls are strong. Sufficient for most standard AI liability coverage.",
        "mark_awarded": true
      },
      {
        "id": "TIER-003",
        "name": "Certified",
        "score_range": "35 to 54",
        "dimension_floor": 4,
        "insurability": "Standard with conditions, or refer on autonomy. Essential controls and governance foundations exist. A supplementary questionnaire or referral is warranted above specified autonomy levels.",
        "mark_awarded": true
      },
      {
        "id": "TIER-004",
        "name": "In Progress",
        "score_range": "20 to 34",
        "dimension_floor": null,
        "insurability": "Referral, decline autonomous-action cover for now. One or more dimensions sit below the Certified floor. Most operators reach Certified within three to six months of directed remediation.",
        "mark_awarded": false
      },
      {
        "id": "TIER-005",
        "name": "Pre-Assessment",
        "score_range": "Below 20",
        "dimension_floor": null,
        "insurability": "Decline for now. Evidence base for a full assessment is not yet in place.",
        "mark_awarded": false
      }
    ],
    "source": "ref:3"
  },

  "liability_cases": [
    {
      "id": "CASE-001",
      "name": "Moffatt v. Air Canada",
      "citation": "2024 BCCRT 149",
      "court": "British Columbia Civil Resolution Tribunal",
      "date": "2024-02-14",
      "jurisdiction": "Canada",
      "outcome": "Liability established. Air Canada held liable for negligent misrepresentation by its chatbot. Award CAD 650.88 plus interest and fees.",
      "key_holding": "Operators cannot disclaim chatbot outputs by framing the AI as a separate entity. A consumer cannot be expected to cross-check one part of a company website against another.",
      "loss_mechanism": "Deployer verification gap. No human review of chatbot outputs before deployment, no accuracy monitoring post-deployment, no mechanism to flag and correct errors.",
      "eu_relevance": "Persuasive but not binding in EU jurisdictions. The principle maps onto the duty-of-care analysis a European court would conduct under existing tort frameworks and onto deployer obligations under Art. 26 of the EU AI Act.",
      "dimensions_implicated": ["D1", "D5", "D7"],
      "source": "ref:4"
    },
    {
      "id": "CASE-002",
      "name": "Mata v. Avianca, Inc.",
      "citation": "No. 22-cv-1461 (PKC) (S.D.N.Y. June 22, 2023)",
      "court": "United States District Court for the Southern District of New York",
      "judge": "Judge P. Kevin Castel",
      "date": "2023-06-22",
      "jurisdiction": "United States",
      "outcome": "USD 5,000 sanctions imposed on attorneys Schwartz and LoDuca. Corrective letters required to every judge named in fabricated opinions.",
      "key_holding": "While AI tools are not inherently impermissible, attorneys retain an absolute gatekeeping duty over the accuracy of their filings. The duty cannot be delegated to an AI system.",
      "loss_mechanism": "Hallucination. Six non-existent case citations submitted to court. The AI produced fluent, formatted, credible but entirely fabricated outputs. No verification layer between output and act of reliance.",
      "fabricated_cases": [
        "Varghese v. China South Airlines",
        "Martinez v. Delta Airlines",
        "Shaboon v. EgyptAir",
        "Petersen v. Iran Air",
        "Miller v. United Airlines",
        "Estate of Durden v. KLM Royal Dutch Airlines"
      ],
      "eu_relevance": "This is a professional misconduct case with AI as the instrument, not a product liability case against an AI company. EU framing would proceed under fault-based liability for the professional deployer, with potential strict liability arguments against the software provider under Directive (EU) 2024/2853 from December 2026.",
      "dimensions_implicated": ["D1", "D2", "D6"],
      "source": "ref:5"
    },
    {
      "id": "CASE-003",
      "name": "Mobley v. Workday, Inc.",
      "citation": "Case No. 3:23-cv-00770 (N.D. Cal.)",
      "court": "United States District Court for the Northern District of California",
      "date_filed": "2023",
      "status": "In discovery as of June 2026. Preliminary collective action certification granted May 2025.",
      "jurisdiction": "United States",
      "key_ruling_july_2024": "First US federal court ruling applying agency theory to hold an AI vendor potentially directly liable for discriminatory outcomes. Claims that Workday acted as an agent of the hiring employer were allowed to proceed to discovery.",
      "key_ruling_may_2025": "Nationwide collective action certified under ADEA for all applicants over 40 rejected via Workday platform since 24 September 2020.",
      "note": "No merits ruling has been issued as of June 2026. Workday has not been found liable.",
      "significance": "If agency theory prevails at merits, an AI vendor could bear direct liability for discriminatory outcomes at scale across many clients simultaneously. This is the multi-client systemic loss scenario relevant to AI liability insurance.",
      "dimensions_implicated": ["D3", "D5", "D6"],
      "source": "ref:6"
    },
    {
      "id": "CASE-004",
      "name": "No decided EU AI liability cases",
      "date": "2026-06-13",
      "jurisdiction": "European Union",
      "note": "Research has found no decided European court judgment establishing AI-specific liability equivalent to the US and Canadian cases. EU litigation exists as pending complaints and regulatory investigations. The revised Product Liability Directive, the AI Act enforcement regime, and GDPR Art. 22 provide the legal instruments but the case law is not yet formed.",
      "source": "ref:7"
    }
  ],

  "insurer_landscape": [
    {
      "id": "INS-001",
      "player": "AIUC (Artificial Intelligence Underwriting Company)",
      "role": "First pure-play AI agent certification and insurance standard",
      "status": "Active. Post-stealth since July 23, 2025.",
      "hq": "San Francisco, United States",
      "funding": "USD 15 million seed. Nat Friedman (NFDG), Emergence, Terrain, Ben Mann (Anthropic co-founder).",
      "standard": "AIUC-1. First security and risk framework built specifically for AI agents. Described as SOC-2 for AI agents. Certificates valid 12 months with quarterly technical testing required.",
      "aiuc_1_domains": ["Data and privacy", "Security", "Safety", "Reliability", "Accountability", "Societal risk"],
      "landmarks": [
        "ElevenLabs first AIUC-1-backed insurance policy: February 11, 2026. Over 5,000 adversarial simulations. Exact carrier identity unconfirmed (secondary source).",
        "UiPath AIUC-1 certification: March 9, 2026. Audit by Schellman. Over 2,000 technical evaluations."
      ],
      "european_status": "US-built standard, no European regulatory alignment to date.",
      "source": "ref:8"
    },
    {
      "id": "INS-002",
      "player": "Armilla",
      "role": "Managing general agent and Lloyd's coverholder. Only MGA focused exclusively on AI liability.",
      "status": "Active. First standalone AI liability policy written at Lloyd's: April 30, 2025. Backed by Chaucer Group.",
      "hq": "Toronto, Canada",
      "coverage_limit": "Up to USD 25 million per organisation",
      "coverage_scope": ["Hallucinations", "Model drift", "Mechanical failures", "Deviations from expected behaviour", "Data leakage", "Regulatory violations"],
      "exclusions": ["Medical diagnostics", "Mental health AI interactions"],
      "key_partnerships": [
        "Trustible partnership announced October 8, 2025: governance documentation plus liability coverage",
        "Vanguard AI with Chaucer: launched February 2026. Pairs Chaucer cyber and technology E&O with Armilla standalone policy."
      ],
      "european_access": "Via Lloyd's market through brokers. Not a European-native product.",
      "source": "ref:9"
    },
    {
      "id": "INS-003",
      "player": "Munich Re aiSure",
      "role": "Parametric-style AI performance insurance from the world's largest reinsurer",
      "status": "Active and expanding.",
      "ai_coverage_history": "AI performance risk cover since 2018. LLM-specific coverage since approximately 2019.",
      "coverage_limit": "Up to USD 15 million (also available in EUR and CAD) via Mosaic partnership",
      "coverage_scope": ["Inaccurate outputs including hallucinations", "Bias", "Privacy failures", "IP infringement", "Performance shortfalls against defined SLAs"],
      "parametric_structure": "Claims triggered when predefined, objectively measurable performance threshold is breached, without requiring negligence allegations or lengthy investigation.",
      "february_2026_milestone": "Munich Re aiSure partnered with Mosaic Insurance on February 26 to 27, 2026, bringing the product to broader market access.",
      "european_access": "Available to European clients through Munich Re European offices and Mosaic broker network.",
      "source": "ref:10"
    },
    {
      "id": "INS-004",
      "player": "Counterpart",
      "role": "Affirmative AI coverage in professional liability and technology E&O",
      "status": "Active. Affirmative AI Coverage launched November 21, 2025.",
      "target_market": "Businesses up to USD 10 million revenue and fewer than 250 employees",
      "coverage_scope": ["Inaccurate AI-generated reports", "Biased machine learning outputs", "Misclassified data in professional settings", "Hallucinations", "Hiring bias"],
      "backing": ["Aspen", "Markel", "Westfield Specialty"],
      "note": "Coalition (not Counterpart) added a Deepfake Response Endorsement in December 2025.",
      "source": "ref:11"
    },
    {
      "id": "INS-005",
      "player": "Coalition",
      "role": "Cyber-focused insurer adding explicit AI endorsements",
      "status": "Active.",
      "december_2025": "Deepfake Response Endorsement added globally covering forensic analysis, legal takedown support, and crisis communications. Available in Australia, US, UK, Canada, Germany, Denmark, Sweden, and France.",
      "source": "ref:11"
    },
    {
      "id": "INS-006",
      "player": "AIG, Great American, WR Berkley",
      "role": "Traditional carriers restricting AI coverage",
      "status": "Restricting. Filed in late 2025 to limit AI liability under standard E&O, D&O, and cyber policies.",
      "significance": "Traditional silent AI coverage is being removed. Mainstream carriers are withdrawing while the specialist market is growing. This bifurcation creates the structural demand that European certification and specialist insurance address.",
      "source": "ref:12"
    },
    {
      "id": "INS-007",
      "player": "Allianz",
      "role": "European insurer. No standalone AI liability product as of June 2026.",
      "status": "Active in AI adoption internally. No public AI liability product equivalent to AIUC, Armilla, or Munich Re aiSure.",
      "source": "ref:13"
    },
    {
      "id": "INS-008",
      "player": "AXA",
      "role": "European insurer. No standalone AI liability product as of June 2026.",
      "status": "Active in AI adoption. AXA's CEO described AI as transforming the insurance business at the Full Year 2025 earnings call. No public product.",
      "source": "ref:13"
    },
    {
      "id": "INS-009",
      "player": "Zurich",
      "role": "European insurer. No standalone AI liability product as of June 2026.",
      "status": "Active in AI adoption. No public AI liability product. Participating in discussions around AI safety through Road to the Global AI Summit Geneva 2027.",
      "source": "ref:13"
    }
  ],

  "market_size": [
    {
      "id": "MKT-001",
      "segment": "AI liability insurance market (AI agents and systems as the insured risk)",
      "estimate": "USD 500 billion by 2030",
      "source_attribution": "AIUC founders, July 2025 launch materials",
      "quality_flag": "Founder projection, not an independent analyst estimate. Use accordingly.",
      "source": "ref:8"
    },
    {
      "id": "MKT-003",
      "segment": "Category formation note",
      "estimate": "Not applicable",
      "note": "The AI agent liability insurance category did not exist as a standalone product before 2024. The pace of new entrants between July 2025 and February 2026 confirms structural demand.",
      "source": "ref:8"
    }
  ],

  "national_authority_status": [
    {
      "id": "NAT-001",
      "member_state": "Germany",
      "status": "Most advanced legislative implementation in the EU as of June 2026.",
      "implementing_act": "Draft AI Market Surveillance and Innovation Promotion Act (KI-MIG) adopted by federal cabinet February 11, 2026. Before Bundestag and Bundesrat as of June 2026.",
      "designated_authority": "Bundesnetzagentur designated as market surveillance authority, notifying authority, and single point of contact.",
      "internal_body": "AI Market Surveillance Chamber (UKIM) established within the Bundesnetzagentur.",
      "designation_deadline_met": false,
      "source": "ref:7"
    },
    {
      "id": "NAT-002",
      "member_state": "Italy",
      "status": "First EU Member State to enact national AI law complementing the EU AI Act.",
      "implementing_act": "Law No. 132/2025 enacted October 10, 2025.",
      "designated_authorities": [
        "Agenzia per l'Italia Digitale (AgID): notifying authority for conformity assessment bodies",
        "Agenzia per la Cybersicurezza Nazionale (ACN): primary supervisory authority responsible for enforcement and sanction"
      ],
      "insurance_sector": "IVASS retains oversight of AI use in the insurance sector under Solvency II and EIOPA guidance.",
      "implementing_decrees_pending": "Decrees on AI training, civil redress, EU AI Act compliance detail, and criminal sanctions due by October 10, 2026.",
      "designation_deadline_met": true,
      "source": "ref:7"
    },
    {
      "id": "NAT-003",
      "member_state": "Netherlands",
      "status": "Missed August 2025 designation deadline. Implementing legislation under consultation.",
      "implementing_act": "AI Act uitvoeringswet published for consultation April 20, 2026. Consultation closed June 1, 2026. Enactment before House of Representatives expected Q4 2026.",
      "proposed_authority": "Rijksinspectie Digitale Infrastructuur proposed as single point of contact. Ten sector-specific market surveillance authorities proposed. Autoriteit Persoonsgegevens expected to play central role.",
      "practical_note": "No single national competent authority formally designated as of June 2026.",
      "designation_deadline_met": false,
      "source": "ref:7"
    },
    {
      "id": "NAT-004",
      "member_state": "France",
      "status": "No formal designation as of June 2026. Furthest behind among the four reference markets.",
      "implementing_act": "DDADUE bill contained competent authority designation provisions but these were withdrawn from the bill before Parliament submission.",
      "proposed_authorities": [
        "CNIL: approximately fifteen AI use cases concentrated on data-processing and profiling",
        "ARCOM: AI in media and content",
        "DGCCRF: single point of contact and coordination body"
      ],
      "practical_note": "CNIL is the most operationally active body on AI matters in France through GDPR Art. 22 enforcement.",
      "designation_deadline_met": false,
      "source": "ref:7"
    }
  ],

  "reference_standards": [
    {
      "id": "STD-001",
      "name": "ISO/IEC 42001:2023",
      "full_name": "Information technology. Artificial intelligence. Management system",
      "published": "December 2023",
      "role": "International standard for AI management systems. Compliance creates a presumption of conformity with certain Art. 9 and Art. 17 requirements.",
      "type": "Standard, not a regulation",
      "source": "ref:15"
    },
    {
      "id": "STD-002",
      "name": "NIST AI RMF 1.0",
      "full_name": "NIST AI Risk Management Framework 1.0",
      "published": "January 2023",
      "role": "US reference framework. Widely used as a structured vocabulary for organisational AI risk governance.",
      "four_functions": ["Govern", "Map", "Measure", "Manage"],
      "source": "ref:16"
    },
    {
      "id": "STD-003",
      "name": "NIST AI 600-1",
      "full_name": "NIST AI 600-1, Generative AI Profile",
      "published": "July 2024",
      "role": "Twelve named GenAI risk categories. Relevant to Context Integrity for memorization, synthetic data, and training-data contamination controls.",
      "source": "ref:17"
    },
    {
      "id": "STD-004",
      "name": "EIOPA AI Governance Opinion",
      "full_name": "EIOPA Opinion on AI Governance and Risk Management (EIOPA-BoS-25-360)",
      "published": "2025-08-06",
      "role": "Sector-specific interpretive guidance for insurance undertakings. Covers data governance, fairness, explainability, human oversight, and cybersecurity within the Solvency II, IDD, DORA, and GDPR frameworks.",
      "type": "Interpretive opinion, not new regulation",
      "source": "ref:18"
    },
    {
      "id": "STD-005",
      "name": "GPAI Code of Practice",
      "full_name": "AI Office Code of Practice for GPAI model providers",
      "published": "2025-07-10",
      "role": "Final Code of Practice for GPAI model providers. Three chapters: Transparency, Copyright, Safety and Security. Compliance creates a presumption of Art. 53 conformity.",
      "source": "ref:1"
    }
  ]
}
