Something has shifted quietly on your cyber renewal, and most business owners only notice it when the number lands. Premiums are climbing again, and the driver this cycle isn’t just ransomware — it’s the swarm of AI tools your team has been quietly connecting to your data. Underwriters have caught up to the trend faster than most companies have, and they are pricing it in.
The tools themselves aren’t the problem. AI can be genuinely useful, and refusing to touch it isn’t a strategy. The problem is that most organizations have no idea how many AI services their employees have already granted access to their email, files, CRM, or customer records — and that visibility gap is exactly what carriers are now scoring you against.
What changed on the underwriter side
A cyber policy is a bet on how likely you are to have a claim and how expensive it will be if you do. For years, that bet turned on a familiar list: endpoint protection, MFA, backups, patching cadence, email filtering. Those still matter, but the 2025–2026 renewal cycle has added an entirely new column to the questionnaire: how the business is using — and governing — AI.
The reason is simple. When an AI writing assistant, a note-taking bot, a sales copilot, or a browser plugin gets connected to your data, it becomes an extension of your attack surface. If that vendor is breached, your data is exposed. If the tool is misconfigured, your confidential information can end up in a shared training corpus or a cross-tenant leak. Carriers are asking about it because the claims data is already showing it.
The shadow-AI problem
Most AI sprawl doesn’t come from a policy decision. It comes from an individual employee, working in good faith, signing up for a free tool that made their day easier — and clicking “allow” on a permission request they didn’t fully read. Multiply that by every person on the team over eighteen months and you have a shadow-AI estate: a growing collection of accounts, integrations, and data flows that IT never approved and leadership doesn’t know exist.
We’ve walked into companies with fewer than fifty employees and found forty distinct AI tools connected to their Microsoft 365 tenant. Some were dormant. Some had full read access to inboxes. A handful had write access. None had been reviewed against the vendor risk process, because there wasn’t one.
The questions your carrier is now asking
Every carrier is writing the questions a little differently, but a clear pattern has emerged across the applications and renewal supplements we’ve seen this year. Expect to be asked, in some form, about:
- AI inventory. Which AI tools does the business use, who approved them, and what data can they see.
- Data classification. Whether you have a written definition of what data is sensitive, and whether AI tools are restricted to non-sensitive material.
- Vendor due diligence. Whether you have a signed DPA (data processing agreement) with each AI provider that touches your data, and whether you’ve reviewed their SOC 2 or equivalent.
- Authentication. Whether AI tools are behind SSO with MFA, or whether employees are logging in with personal accounts.
- Prompt and output logging. Whether you retain a record of what was sent to AI systems and what came back — the equivalent of an email audit trail.
- Training-data controls. Whether your contracts explicitly prohibit the vendor from training on your data.
A blank answer, or a shrug, is a signal to the underwriter that they should either raise the premium or write a specific AI exclusion into the policy. Neither outcome is what you want.
Start with an honest AI inventory
Before anything else, get a real list of the AI tools operating in your environment. Not the list the leadership team assumes exists — the actual one. There are three places to look: your identity provider (Microsoft Entra or Google Workspace), the OAuth grant logs, and the expense reports. Between them, you will find the shadow inventory.
For each tool, capture five things: what it does, who signed it up, what data it can access, whether there’s a contract in place, and whether it’s still being used. Most of what you find will fall into three buckets — keep and govern, consolidate into something you already own, or retire because nobody uses it anymore. The exercise pays for itself in license savings before you even get to the risk conversation.
The five controls that move the needle
You don’t need a hundred-page AI policy. You need five controls that show a carrier — and, more importantly, protect the business — that AI is being used deliberately instead of accidentally.
- A written AI use policy. One page is fine. State which categories of AI tools are allowed, what data can be sent to them, and how someone requests a new one. Have every employee acknowledge it.
- SSO with MFA in front of every AI login. Personal accounts drift into shadow use immediately. Corporate SSO gives you a single place to revoke access when someone leaves.
- DPAs and no-training clauses on every vendor. If your AI provider won’t sign a data processing agreement or won’t contractually agree to keep your data out of their training set, you have your answer about the vendor.
- An approval path for new tools. A one-form intake that takes a day, not a month, so employees have a legitimate way to get what they need instead of going around IT.
- Logging you can produce on request. Prompt and output logs, or at minimum an activity log from the vendor, kept long enough to investigate an incident.
How to prepare for your next renewal
Renewal season is not the moment to start this work; it’s the moment to present it. Sixty days out from your policy anniversary, ask your broker for the current renewal questionnaire and any AI-specific supplements the carrier is now using. Work through them honestly, highlight the controls you have in place, and be candid about the ones you’re building. Underwriters can tell the difference between “we’re in progress on this” and “we’ve never thought about it,” and they price it accordingly.
A short written summary of your AI program — one page, plain English — submitted alongside the application often moves more numbers than a binder of policies. Carriers read submissions from small and midsize businesses in bulk; anything that helps yours stand out as a considered risk works in your favor.
Where a partner fits
Most of the businesses we work with don’t need a full-time security team to solve this; they need someone to run the inventory, stand up the five controls, and put a page in front of the carrier that reflects what’s actually true. That’s a couple of focused weeks, not a six-month program, and it usually pays for itself the first time your premium doesn’t jump.
If your renewal is coming up and the AI questions on the supplement have you a little uneasy, we’ll walk your environment with you, produce the inventory, close the biggest gaps, and hand you a submission your carrier will actually reward.

