America is building the AI supply stack. It has not yet built the risk‑transfer layer that lets enterprises deploy AI at scale.

The United States has aligned around a national objective: lead the world in artificial intelligence. Congress, federal agencies, national laboratories, technology companies, and investors are moving toward the same goal. The visible policy agenda is focused on compute, data, research access, technical standards, liability, and procurement. That work is necessary. It is still incomplete.

Senators Young, Heinrich, Rounds, and Booker reintroduced the CREATE AI Act¹ to establish the National Artificial Intelligence Research Resource as shared national research infrastructure for AI data, tools, and compute access. Senators Cantwell, Young, Hickenlooper, and Blackburn reintroduced the Future of AI Innovation Act² to strengthen U.S. AI innovation and authorize a federal role for AI standards and evaluation through NIST. Senators Durbin and Hawley introduced the AI LEAD Act³, a proposal to classify AI systems as products and create a federal cause of action for product liability claims when AI systems cause harm. The White House issued Executive Order 14365 and a National Policy Framework on AI. NIST CAISI⁴ is focused on AI measurement, evaluation, guidelines, and voluntary standards.

The shared objective is to strengthen American AI leadership. Many major technology waves moved from experimentation to scaled deployment only after the market developed ways to classify, price, transfer, or govern the financial consequences of failure. That layer is part of the national AI stack, and it does not yet exist for AI.

The AI deployment stack today

The case for action is not that AI is uniquely dangerous. It is that enterprise AI is being deployed faster than the market can classify, price, and transfer its operating risk. The risk changes when AI stops advising humans and starts triggering actions, shaping decisions, interacting with customers, or operating across business workflows.

Risk transfer infrastructure has often been the permissioning layer for technological scale.

The American economy does not scale risky technology on capability alone. It scales when the financial consequences of failure become understandable enough for boards to approve, lenders to finance, customers to trust, regulators to supervise, and insurers to underwrite. That does not mean insurance causes innovation. It means risk‑transfer infrastructure often determines when innovation can move from pilots into broad deployment.

The industrial analogy is especially important for AI. Boiler insurance and electrical underwriting did not merely reimburse losses. They helped create inspection routines, safety standards, and operating discipline around technologies that were powerful, productive, and dangerous when poorly controlled. AI needs the same kind of translation layer: not just governance language, but evidence that a system is being used, monitored, tested, and controlled in ways an underwriter can evaluate.

Cyber is the closest modern analog. Early cyber coverage began as a narrow specialty market with limited loss data, inconsistent policy language, and significant uncertainty about frequency and severity. Over time, breach events, regulatory duties, security frameworks, and underwriting evidence helped cyber become a recognized insurance market. AI is entering a similar stage, but on a compressed timeline and across more lines of coverage. Cyber market formation took more than a decade. AI adoption is moving faster, across more workflows, and with less time for the insurance market to learn slowly.

AI adoption is accelerating as insurers narrow silent AI exposure.

Effective January 1, 2026, ISO and Verisk introduced optional Commercial General Liability endorsements addressing generative AI exposure, including CG 40 47 and CG 40 48,⁵ along with related products‑completed operations language. These forms matter because ISO language often becomes a reference point for how carriers clarify emerging exposures across the commercial insurance market.

Several major insurers have filed or explored AI‑related exclusionary language across commercial lines, especially where generative AI could create unclear aggregation, professional liability, D&O, cyber, product, or general liability exposure. The direction is rational. Carriers are trying to avoid silent AI accumulation before the loss curve is understood. Gallagher Re documents that AI exposures can fall between the cracks of existing policies, or be increasingly excluded from general liability, professional indemnity, errors and omissions, and cyber coverage.

Emerging litigation and regulatory practice increasingly focus on the organization that deploys AI into real workflows, especially when harm arises from decisions, outputs, monitoring failures, or human oversight gaps. AI risk will not sit neatly inside one policy. Depending on the use case, it can implicate cyber, technology errors and omissions, professional liability, product liability, D&O, EPLI, media liability, fiduciary liability, crime, and regulatory defense. Standalone AI liability products are emerging from carriers including Munich Re and a wave of specialty entrants. These products are important early market signals, but they do not yet create a common underwriting language for enterprise AI risk.

Why the carve out is rational from the carrier perspective

Carriers are not rejecting AI as a technology. They are responding to underwriting uncertainty. AI can create correlated losses across sectors, unclear causation, blended cyber, professional, and product exposures, and hard‑to‑measure human oversight failures. In that environment, exclusionary language is a rational way to protect balance sheets until credible evidence, pricing, and accumulation controls exist.

Where the AI risk‑transfer mechanism breaks today

AI risk can only move from enterprise balance sheets into insurance markets if the exposure is visible, the evidence is portable, and the risk is priceable.

The deployer liability paradox: responsibility is expanding faster than risk‑transfer infrastructure.

The AI LEAD Act, introduced by Senators Durbin and Hawley, illustrates the direction of the liability debate. It would classify AI systems as products and create a federal cause of action for product liability claims when an AI system causes harm. Whether or not that proposal becomes law, the policy trend is clear. More attention is moving toward who is responsible when AI systems cause real‑world harm.

In practice, liability pressure will not stop at model developers. Enterprises that deploy AI into customer service, employment, healthcare, lending, insurance, claims, procurement, or safety‑sensitive workflows will still need to explain how the system was selected, tested, monitored, governed, and escalated. Policy is moving toward clearer accountability. The insurance market is moving toward narrower silent coverage. That combination leaves enterprises with a practical question. How do they prove the AI risk is understood, controlled, and insurable?

Cyber became insurable through a gradual market‑formation process: dedicated products, breach‑driven demand, security frameworks, underwriting evidence, and years of loss learning. AI is compressing that cycle. It crosses more policy lines, has less loss history, and is seeing exclusions emerge before a mature affirmative market has formed.

The deployment evidence concept

The missing layer is not simply an insurance product. It is a repeatable way to turn an AI deployment into a structured risk record.

Governance platforms can document policies, approvals, and controls. That is useful, but it is not the same as underwriting evidence. Underwriters need to understand exposure, failure modes, control reliability, evidence quality, and residual risk.

The missing layer is a shared evidence system for AI risk.

The closest analogy is not an insurance policy. It is a shared risk signal, similar in function to how credit scores became common inputs for lending. The score is not the product. It is a structured input that helps many market participants make decisions consistently.

The private market should build the layer. Policy should accelerate the rails.

The underwriting and risk‑transfer layer for AI should be built primarily by the private market. Enterprises, brokers, carriers, reinsurers, AI assurance providers, and risk analytics firms all have roles to play. The public‑sector role is not to mandate coverage, set prices, or choose a scoring vendor. It is to accelerate the rails private markets need: shared evidence standards, procurement pilots, risk‑data collaboration, and clearer pathways for consistent evaluation.

That distinction matters. A government‑mandated AI insurance requirement would be premature. A government‑supported evidence infrastructure would help private markets classify, price, and transfer AI risk more consistently while preserving competition and underwriting judgment.

Four things policymakers can do without mandating AI insurance