Four years ago, days after Mark Zuckerberg debuted the Metaverse, I wrote a Six Things commentary that began: "The vision of a metaverse laid out by Mark Zuckerberg last week is bonkers. Nutso on steroids. It won't be realized in my lifetime, yours or his, even if some of the wildest claims about longevity come true and we all live to be 150."

Since then, the Metaverse group within the company Zuckerberg renamed after what I referred to in that commentary as "a fever dream for gamers" has racked up $70 billion in losses, and Bloomberg and the New York Times reported last week that he is planning to cut staff by between 10% and 30%, possibly in January.

So, in retrospect, I'm just sorry I pulled my punches. :)

Trashing the Metaverse on Day One was not a remotely hard call, because it violated one of the cardinal rules of innovation: As much as possible, an innovation has to fit within the existing work environment or lifestyle of the prospective user. Yet the Metaverse required radical changes in how individuals interact — with, as far as I could discern, no appreciable benefits.

It's worth taking a minute to look at where Meta went wrong, because the mistake is awfully tempting for all of us. 

The Metaverse assumes that people want to live online a huge percentage of the time. You have to produce an avatar to act as you and learn all sorts of new behaviors to interact with other avatars and with everything else that populates the online world. (I tried this a couple of years into the Metaverse experiment, courtesy of a consulting firm that was enthusiastic about its prospects, and it was still quite hard just to maneuver, let alone to talk with others' avatars or to conduct a transaction.) 

The rule of thumb in Silicon Valley is that an innovation has to be 10 times better than anything it is intended to replace, yet the Metaverse was far less useful than the Zoom calls and other technologies we already used, while requiring huge changes in people's routines. 

Apple made a similar mistake with its Vision Pro virtual reality device — and yes, I trashed that, too, right after it was announced at the beginning of last year. I wrote: "There's simply no reason to strap a 1 1/2-pound device to your face (nearly the weight of a quart of milk) and put a three-quarter-pound battery in your back pocket so you can type with your two index fingers in mid-air while strangers or officemates gawk at you. Not when some combination of today's laptops, tablets and phones will do just fine."

The Vision Pro has been a dud for precisely the same reasons the Metaverse has flopped. 

By contrast, Metaverse has a budding hit with the AI it has built into Ray-Ban "smart display" sunglasses. The capabilities are still pretty limited but are enough to get started: You can use voice commands to snap photos, record videos, send messages, make calls, and ask questions of Meta's AI. And Meta isn't asking customers to do anything out of the ordinary. Just about everybody wears sunglasses. Besides, Ray-Bans look cool.

When you look at the history of major technology innovations, they almost all replace something similar. Smartphones replaced iPods, which replaced the Walkman, which replaced transistor radios. Smartphones also replaced early cellular phones, which replaced hardwired phones in homes. There was almost no need for changes in behavior; everything just became easier and better.

Note that once you get a new device into people's lives, like a smartphone, you can start to get them to change behaviors that have nothing to do with the original purpose — when I first saw a smartphone demo, some 25 years ago, I had no idea I'd be doing my banking and shopping on a phone, or listening to podcasts on it and having it monitor my driving.

The insurance industry seems to mostly get this principle, that innovation has to fit into existing behaviors. That's why we're seeing so many dashboards that incorporate the advances in generative AI, gathering information and making evaluations in the background and presenting them to underwriters, claims professionals or agents and brokers as part of their normal workflow. I think chatbots were initially seen too much as a standalone technology but are now being integrated much better into the customer experience.  Whisker Labs' Ting device has taken off because a customer simply has to plug it into a wall socket to have it monitor for electrical issues and prevent home fires. Roost built another Predict & Prevent business by offering batteries that can be plugged into existing smoke detectors and ping a customer's cellphone when an alarm sounds, in case they aren't at home to hear it.

Still, the principle is worth keeping in mind, because the temptation — which I've witnessed across industries in my decades of writing about innovation — is to think that what you're doing is so useful that people will adapt to you, freeing you from worrying about how to adapt to them. 

If Meta and Apple can make that mistake, you can, too.

Cheers, 

Paul

P.S. While I've patted myself on the back for dumping on the Metaverse and Vision Pro right out of the gate, I need to acknowledge that I've made mistakes, too. While I can't recall a time when I savaged an idea or product and been wrong, I've certainly been too optimistic about how quickly change would happen. I try to live by the Silicon Valley dictum that "you should never confuse a clear view for a short distance," yet, well, I sometimes do.

For instance, I wrote an article in 1991 or 1992 that said paper forms no longer had a reason to live, given that we could all input information into personal computers connected to whomever or whatever needed the data. That was more than three decades ago, and, hmmmm....

But at least the article only ran on the front page of the second section of the Wall Street Journal, so only a few people read it, right? 

Workers’ compensation insurers are turning to generative AI to improve injured worker outcomes, strengthen performance, and build safer workplaces—here’s how:

Read Now

Sponsored by ITL Partner: PwC

From ROI and productivity gains to AI adoption and new market entrants, every signal influences how much trust you place in insurtech today.

Share your perspective in this anonymous survey about the insurtech your company relies on. Have a say in determining where trust is built and where it breaks.

Take the 5-minute survey

Sponsored by Benevolent Marketing

The insurance industry is facing a critical challenge driven by significant staffing shortages and rising turnover rates. Data from the U.S. Bureau of Labor Statistics suggests the industry is expected to lose nearly 400,000 workers through attrition. This trend highlights the urgent need to backfill an aging workforce and bridge the worker gap, especially as retaining employees for tedious back office work becomes increasingly difficult amid shifting regulatory and customer requirements.

While there has been plenty of hype surrounding artificial intelligence (AI), the real opportunity today lies in using AI agents to strategically fill this impending claims management workforce shortage. By focusing on practical, proven use cases, carriers can determine what tasks can be automated, what will remain a human function, and how AI agents can interact to maximize the benefits for the workforce and overall back-office throughput. The goal is to incorporate the human-in-the-loop so that AI is safe and actually used. Let AI agents do the boring, repetitive tasks so adjusters can focus on judgment, negotiation, and empathy. Humans will be kept in command via review queues and escalation rules.

Here are three ways AI is actually changing claims management and where humans still matter most:

1. AI Handles the Clerical, So People Handle the Critical

The biggest gains in efficiency come from removing friction so that claims professionals can spend more time on strategy, empathy, and problem solving. AI is currently adding real value in focused, repetitive areas and big data applications. Success can be measured by metrics such as intake resolution rate (% calls/emails fully handled by agent), AHT (average handle time) delta (minutes saved per claim) and error rate on field extraction (when extracting knowledge from data).

Key practical and proven use cases where AI is delivering value today include:

• Omnichannel claim intake across email, SMS, and telephony, with entity capture (name, policy, plate/ID) and automatic case creation.
• Knowledge-mining and data processing over large document sets per claim/patient; agents extract tasks and schedule nudges for upcoming visits or missing paperwork.
• Risk signals and fraud triage by comparing millions of claims to spot outliers for SIU review.
• Subrogation and recovery automation: detect subrogation opportunities from facts, generate demand letters, track recoveries.

These applications highlight the concrete ways AI can address the rising difficulty of retaining employees for back-office work.

2. Keeping AI Safe and Trusted Through Human-in-the-Loop Design

As AI systems handle more aspects of the claims process, it is paramount that organizations design systems where humans stay in control, ensuring both safety and trust. This approach is known as human-in-the-loop design, where the AI assists but the human remains in control.

To keep AI safe and trusted, organizations must prioritize the following design principles:

• Confidence Thresholds and Guardrails: These are necessary to decide when AI acts independently versus when it escalates the task to a human. (For example: LLM as a judge "license-plate number ≥0.95, name ≥0.90"→ auto-apply vs queue)
• Designing the Handoff: Claims leaders must focus on designing the precise interaction and transition between the human and the AI, rather than just the underlying model. An incremental adoption example of this is seen in IVR systems with forwarded calls serving as human escalations.
• Trust as a Feature: Transparency, explainability, and auditability must be prioritized at every step. This means showing the sources for information, not just providing answers.

3. Driving Adoption – Because Tools Only Matter If They're Used

AI tools can only deliver strategic advantage and address the workforce gap if they are actually incorporated into daily workflows. Focusing on adoption over mere availability is crucial. Successful incorporation depends on leveraging behavioral and cultural levers.

Agents should join like a new teammate: they sit in channels, see only the data they're allowed to see, and can @mention humans when confidence is low. Companies that route people to a separate 'AI dashboard' will lose adoption; companies that embed agents into existing flows win.

The drivers of real adoption can be broken down into three areas:

• Ability: AI solutions must meet users in their existing workflows; employees should not be asked to change tools. For example, AI functionality should be integrated within claims management systems or email platforms like Outlook.
• Motivation: Organizations must identify champions within the workforce and highlight peer success stories to drive internal motivation.
• Prompts: Adoption can be encouraged through in-workflow nudges, such as prompting a claims adjuster when creating a plan of action note. Other effective reminders include in-system messages, like "You saved 2.5 hours using AI drafting this week," or social/peer prompts sharing success stories.

By focusing on these three foundational approaches, the insurance industry can strategically leverage AI to address its critical staffing shortage and elevate the remaining workforce to focus on high-value, strategic functions.

A Note about Privacy, Security, and Governance

AI in claims is cultural, not just technical: every claimant is a human with an inviolable right to privacy. Agents should be designed to honor that first, then apply industry controls.

• Privacy principles: Data minimization by default; purpose-bound processing; least-privilege access; explicit consent for recordings; subject access and deletion flows.
• Security controls: Encryption in transit and at rest; envelope key management with regular rotation; short, business-justified retention windows; immutable audit trails; per-tenant isolation and row-level security; tamper-evident logs for model/tool outputs.
• Governance: Data Processing Agreements and BAAs where required; vendor due diligence; model/version change logs; approved "never-autonomy" actions; periodic access reviews.
• Regulatory alignment: Designed to align with HIPAA principles for PHI, GDPR for EU data rights, and SOC 2 control families for security and availability.
• Human accountability: High-impact actions require human approval; overrides and escalations are attributed to specific users; exceptions are reviewed in weekly ops.

With all the copy I read through every week as I decide which pieces to publish here at ITL, I'm noticing an odd trend. 

For the past couple of years, tons of the articles submitted to me gloried in the insurance industry's "transformation" and "disruption." In recent months, though, lots warn that insurance is at a "crossroads" or an "inflection point" — often dressed up with ominous adjectives so the situation becomes a "major" crossroads or a "crucial" inflection point.  

Why the doom and gloom? And is it justified?

The one issue that could potentially merit the inflection point talk for the whole industry is generative AI. In the three years since ChatGPT announced itself to the world, it has already created numerous opportunities for efficiency, and AI agents hold the prospect of far more profound change. If you can get to the point where you say to your AI, "Gather all the information I need for this claim by contacting all the relevant parties," you would, in fact, have a crossroads. Those who figured out how to take advantage of that sort of AI agent would go one way, toward paradise, while everyone else would head in the wrong direction.

But we aren't there yet, and I think it'll take time for us to get there. The Silicon Valley ethos may be to "move fast and break things," but insurance companies don't get to do that.  We're not allowed to break things. Too many people get hurt if we do. 

The insurance industry faces plenty of other big issues, too: the increased number and intensity of natural disasters, uncertainty and rising prices because of the on-again, off-again Trump tariffs, federal policy that is reducing aid to states following natural disasters and may mean the elimination of the Federal Emergency Management Agency (FEMA), and so on. 

But does that mean we're at an inflection point? I don't think so. I think those issues just show that insurance is a complex, dynamic world, of the sort we've been dealing with, mostly effectively, for a long time. The supply chain disruptions because of COVID certainly caused a crisis, for instance, but insurers have already recovered enough that I recently published an article with the title, "Are Auto Insurers Now TOO Profitable?"

Besides, most of the claims of impending crisis I see are about far less comprehensive issues than GenAI. They're about the need to update legacy systems, to clean data, to adopt some more efficient approach to underwriting or handling claims, and so on. 

I agree with all the points those thought leaders are making. I also understand the need for innovators to create what is often referred to as "a burning platform." At the Wall Street Journal, I covered IBM in the '80s and '90s, a period during which the very smart executive leaders knew they needed to change to keep up with the increasing pace of innovation in the industry but couldn't quite bring themselves to do anything radical, because IBM had been the most profitable company in the world for so long. Only once the company started taking multibillion-dollar writeoffs and laying off tens of thousands of people — having prided itself on never laying off a single person in its 80-year history — did the company have the burning platform that Lou Gerstner used so effectively to change the culture.

I even accept that some parts of the industry are at inflection points. For instance, I recently published a piece by Stephen Applebaum and Alan Demers, "Embedded Insurance Nears Tipping Point" — because they're right; embedded insurance has been percolating as a possibility for years now and may be about to have its breakout moment, especially in auto insurance. I even published a piece in September with the headline, "Insurance at an Inflection Point." That was before I started seeing the term so often that I became allergic to it, and I wouldn't use it in a headline today, but the article makes a smart point about a potential new business model for insurers. 

But we have to maintain our credibility, and we can't be deluding ourselves. We likely aren't doing that if every fifth piece or so that I read claims the industry is at a crossroads/inflection point. (I recently opened a proposed article whose first sentence was, "The insurance industry is at an inflection point," and the next article began, "The insurance industry is at a critical inflection point.") 

There is loads of important change happening in the insurance industry, and GenAI will surely get us to an inflection point. But let's not oversell what's happening now. 

Not every problem is a make-or-break moment. Not every bit of progress is a game-changer.

Cheers,

Paul

P.S. I seem to need to cleanse my soul every six to 12 months with a piece like this. Here are some of my favorite previous rants, which I think hold up just fine: "Let's Stop With the Gibberish," "May I Rant for a Moment?" and "Two Words We Must Stop Using." 

I get riled up just rereading them. Please share with any colleague you think could use a nudge — or maybe a chuckle. 

Cyber insurance remains a cornerstone for managing digital risk, yet the market is evolving in ways that may surprise many organizations. By 2026, policies are expected to provide less certainty than policyholders have come to assume. Insurers are introducing new exclusions, enforcing stricter underwriting standards and responding to the rapid emergence of complex threats such as AI-driven vulnerabilities, zero-day exploits and connected Internet of Things exposures. 

For risk managers and insurance brokers, anticipating these exclusions and developing strategies to address coverage gaps is essential. Misalignment between perceived protection and actual policy coverage can expose organizations to significant operational disruption and financial loss. 

The next section examines why insurers are introducing these new exclusions and what drives their focus on high-uncertainty, potentially catastrophic exposures.

Why Exclusions are Escalating

Claims metrics in 2025 show relative stability, with reports indicating that both the number and average severity of large cyber claims have remained largely unchanged compared with prior years. On the surface, this might suggest that insurers are not under pressure. However, the surge in exclusions is driven less by historical claims and more by emerging, high-uncertainty risks that could produce catastrophic losses. 

Insurers are increasingly concerned about exposures without established actuarial history, including AI-driven attacks, zero-day vulnerabilities, connected IoT systems and state-sponsored cyber operations, according to a 2025 report by Allianz. 

Even isolated events, such as the 2024 CrowdStrike outage affecting multiple Fortune 500 companies, illustrate the accumulation risk insurers now face—where a single incident can affect numerous policyholders simultaneously. 

This combination of unquantified risk, potential for systemic loss and regulatory uncertainty has prompted insurers to tighten coverage and add exclusions to protect against scenarios that could produce outsized financial consequences.

Emerging Exclusions to Expect in 2026

Risk managers should anticipate new categories of exclusions that will redefine what traditional cyber insurance covers. Understanding the rationale behind each exclusion and its potential impact is critical for preparing organizations.

Artificial Intelligence Risks

Artificial intelligence is becoming ubiquitous, yet insurers are increasingly excluding claims linked to its use. Policies may deny coverage for errors or omissions in AI systems, misleading outputs or regulatory violations tied to AI implementation. 

A notable concern is the breadth of some exclusions, which may apply not only to a company's own AI systems but also to third-party platforms used in business operations. This expansive scope creates uncertainty about whether claims will be honored when AI played even a minor role. Risk managers must scrutinize AI-related language in policies and assess whether existing coverage aligns with emerging liabilities, according to an article in the Harvard Law School Forum on Corporate Governance and Financial Regulation.

State-Sponsored Cyberattacks

Following global geopolitical developments, insurers are expanding war or cyberwar exclusions to cover state-backed attacks, according to Mitigata. The impact can be profound, as even incidents occurring in peacetime may fall within the exclusion if a government is implicated. This is particularly significant for organizations operating in critical infrastructure sectors or with extensive international digital networks. Awareness of the scope and triggers of these exclusions is essential for preparing mitigation strategies and considering supplementary coverage.

Catastrophic and Widespread Events

Insurers are increasingly defining "widespread events" or "catastrophes" in ways that limit aggregate exposure from systemic incidents, according to an article by Chubb. These exclusions may restrict coverage when multiple policyholders are affected simultaneously, such as through a coordinated ransomware attack targeting a popular cloud provider. For organizations, this can mean delayed payouts or denied claims when the event's scale triggers a policy exclusion. Clear understanding of these terms is necessary to plan alternative risk strategies.

Web Tracking and Regulatory Liabilities

Policies are tightening language around website tracking, data privacy and compliance with evolving regulatory regimes. Failure to satisfy underwriter inquiries regarding tracking technologies can lead to broad exclusions. Similarly, coverage for fines, penalties and reputational harm is often limited. Organizations must ensure that their security posture, privacy practices and compliance measures are fully documented to avoid coverage gaps.

Enforcement of Existing Exclusions

Even long-standing exclusions are being applied more rigorously, the 2025 Allianz report found. Insurers are denying claims for failure to meet minimum security requirements, including missing multi-factor authentication, unpatched vulnerabilities or outdated incident response protocols. Insider threats, third-party vendor risks, contractual liabilities and regulatory fines are also increasingly scrutinized. For risk managers, this means that maintaining robust, documented controls is not optional but a condition for coverage.

Managing Exclusions

To navigate this tightening environment, organizations should align coverage with actual risk. Key actions include:

• Implementing and documenting robust controls, including multi-factor authentication, endpoint detection and response systems and formal incident response readiness.
• Being transparent during underwriting by accurately representing security posture and addressing known vulnerabilities.
• Conducting regular risk assessments to ensure IT infrastructure aligns with coverage requirements.
• Reviewing policy language closely, with attention to definitions for catastrophes, state-sponsored attacks and minimum security requirements.
• Collaborating with specialized brokers who understand the nuances of cyber policies and can advocate for coverage clarity.

These measures help reduce the likelihood of denied claims and ensure policies reflect actual organizational risk. Insurance remains necessary, but it must be coupled with proactive risk management to be effective.

Filling Gaps with Alternative Risk Transfer

When traditional policies leave high-severity, low-frequency risks uncovered, alternative risk transfer solutions can provide supplementary protection.

Captive Insurance

A captive is a subsidiary insurance company established to underwrite risks for its parent organization. Captives allow coverage of exclusions such as state-backed cyberattacks, AI liabilities, or reputational loss. This approach enables customized protection, keeps premiums and underwriting profits within the organization and provides certainty where commercial markets may be constrained.

Parametric Insurance

Parametric policies pay out based on predefined triggers rather than measured losses. For example, a payout may be tied to a specific number of exposed records or a defined system downtime period. Parametric insurance ensures rapid access to capital for business interruption costs, even if the primary cyber policy contains restrictive exclusions.

Capital Market Solutions

Cyber risks can also be transferred to capital markets through insurance-linked securities such as catastrophe bonds. These instruments attract external capital to cover peak risks, including systemic cyber events, and can expand overall capacity for insuring niche exposures that traditional policies exclude.

Conclusion

Cyber insurance exclusions are expanding in response to evolving threats and increasing claims severity. By 2026, risk managers and brokers must recognize that traditional policies alone may not provide full coverage, particularly for AI-related liabilities, state-sponsored attacks and catastrophic events. Proactive strategies, including robust documentation, controls, regular risk assessments and complementary alternative risk transfer solutions, are essential to bridge coverage gaps. Aligning insurance with operational realities ensures that organizations maintain resilience, protect enterprise value, and respond effectively when cyber incidents occur.

For decades, data quality has been treated as a technical problem—something to be solved through better databases and more rigid validation rules. Yet data quality has become a competitive weapon. 

When data teams can ensure clean, consistent, and contextualized information flows through their organization, everything improves: underwriting decisions become sharper, fraud detection catches sophisticated schemes earlier, and claims get processed faster. Two powerful forces—artificial intelligence models and semantic ontologies—are rewriting what's possible for data teams willing to embrace them.

The Real Cost of Data Quality Problems in Insurance

Before diving into solutions, it's worth understanding just how expensive bad data becomes. The insurance industry processes enormous volumes of information daily, from application submissions to claims documentation to policyholder records. Each piece flows through multiple systems, passes through different hands, and gets interpreted by various teams. When data enters at a broker's desk—sometimes handwritten on paper that gets scanned—errors creep in quickly. These aren't just minor inconveniences. Poor data quality directly undermines the foundation that AI models depend on. When machine learning models train on flawed historical data, they learn to recognize the wrong patterns. They optimize for mistakes rather than truth. The consequence? Models make worse decisions, often confidently.

Consider the downstream damage. Inaccurate underwriting data leads to mispriced policies. Claims teams inherit messy customer histories and struggle to match new claims to existing policies. Fraud detection systems flag legitimate claims as suspicious because they can't reliably recognize patterns through the noise.

How AI Models Are Transforming Data Quality Assurance

Rather than viewing AI as yet another consumer of data, forward-thinking insurance organizations can deploy AI specifically to improve the data that other AI models will eventually use. This creates an interesting dynamic: machine learning becomes both problem and solution simultaneously.

Automated Data Profiling and Anomaly Detection

The first wave of improvement comes from automated systems that profile datasets at scale. Rather than manual spot-checking or waiting for problems to surface downstream, AI systems continuously scan data streams looking for deviations from expected patterns. These systems use various mathematical approaches—from classical statistical methods to modern neural networks—to understand what "normal" looks like within specific data domains. When new data arrives, it gets compared against these learned patterns. If something seems off—a claim amount 500% higher than average for that customer, a date that appears to be in the wrong format, or a relationship that doesn't align with historical context—the system flags it immediately.

What makes this different from traditional validation rules is the adaptability. A hard-coded rule might check "ensure claim amounts are between $0 and $1,000,000." This catches obvious errors but misses the subtle cases where everything looks valid but seems contextually wrong.

Real-Time Data Quality Rules Generation

Another emerging capability involves AI systems that actually generate the validation rules themselves, rather than requiring data stewards to manually write them. Generative AI models can analyze historical datasets and automatically create metadata and quality rules tailored to an organization's specific terminology and standards. This matters more than it might initially seem.

Many insurance organizations have legacy systems that lack proper metadata—documentation about what data means, where it came from, and what constraints should apply. Rather than spending months manually documenting these systems, organizations can point an AI system at the data and have it generate initial documentation and rule sets. Humans then review and refine these suggestions. The result? Metadata standards get created faster, and they're grounded in actual data patterns rather than abstract governance theory.

Natural language processing for unstructured data

Insurance organizations have unstructured data everywhere: claims notes, adjuster observations, medical records, police reports, and customer communications. Traditional data quality approaches struggle here because they're designed for structured, tabular information. Natural language processing (NLP) changes this equation. NLP systems can read through thousands of claim descriptions and identify inconsistencies, flag unusual language patterns, extract structured facts from unstructured text, and even spot potential fraud signals hidden in prose.

One practical application: property damage claims often include written descriptions. NLP systems can extract key details (property type, damage description, estimated repair cost), compare these against the claim's structured fields, and flag mismatches automatically. If an adjuster describes "minor water damage" but the structured claim shows a $500,000 payout, that contradiction gets surfaced for immediate review.

Ontologies and Semantics: Building the Language of Insurance Data

Data quality ultimately depends on shared understanding. The same term—"policyholder," "coverage," "claim"—might mean slightly different things across different systems, departments, or companies. This semantic ambiguity creates a ceiling on how much automation and AI can help. You can throw perfect algorithms at messy semantics, but the output remains limited. This is where business ontologies become transformative.

What Makes Ontologies Different from Traditional Data Models

An ontology is fundamentally different from a traditional data model or database schema. Where a schema defines table structures and fields, an ontology captures meaning. It specifies not just what fields exist, but what they mean, how they relate to business concepts, what synonyms matter, and what business rules should apply. In insurance, an ontology might define that "policyholder" connects to specific attributes (name, address, risk profile), that it relates to policies through an "owns" relationship, and that certain business rules apply (a policyholder must be of legal age, must have a valid address, etc.).

Ontology-Powered Data Integration

Here's where ontologies enable something previously difficult: intelligent data integration. When ingesting data from multiple systems, traditional approaches rely on explicit mappings—field A from system one maps to field B in the warehouse. If a new data source arrives, someone must manually create all new mappings. With semantic ontologies, different systems can describe their data in terms of common business concepts. A policy administration system might use field "POL_STAT" while a claims system uses "CLAIM_POLCY_STATUS," but both can be mapped to the ontology's "policy_status" concept. This semantic layer enables automatic discovery and integration.

The "Enterprise Brain": Knowledge Graphs Built on Ontologies

The most sophisticated implementations combine semantic ontologies with graph database technology to create what some describe as an "enterprise brain"—a knowledge graph that captures not just the data, but the meaning and relationships within the business domain. This goes far beyond traditional data warehouses. In a knowledge graph, entities (customers, policies, claims, agents, providers) become nodes, and relationships become edges. Rather than storing "John Smith has policy 12345," a knowledge graph stores this as a relationship with properties: John Smith (subject) — owns (relationship) — Policy 12,345 (object).

The power becomes apparent in use cases. In claims processing, a knowledge graph can instantly answer complex questions: "Show me all claims filed by customers who have had five or more claims in the past two years AND live within 20 miles of a recent catastrophic event AND have files with identical repair cost estimates in the past six months." This type of query, which might take hours or days in traditional systems, executes in seconds against a well-designed knowledge graph.

Overcoming Implementation Challenges

The journey toward AI-enabled data quality and semantic ontologies isn't frictionless. Three categories of challenges emerge consistently: cultural, regulatory, and technical.

Culturally, data teams and business stakeholders don't always have the same priorities. Data governance teams focus on compliance and consistency. Business units want speed and flexibility. These incentives can conflict. The solution involves establishing cross-functional collaboration frameworks where compliance, risk, and business units align on shared governance structures and standardized communication. When they do, institutions achieve faster issue resolution, stronger controls, and smoother product delivery.

Regulatory challenges run deep. Regulators now scrutinize AI extensively, particularly around explainability. A "black box" model that makes decisions without showing its reasoning creates compliance risk, so organizations may need documentation across all models to address it.

Technically, many organizations face fragmented systems. Core data lives in legacy on-premises systems running alongside newer cloud platforms. Building semantic ontologies and knowledge graphs across this fragmented landscape requires careful architecture. The industry is gradually standardizing on cloud data platforms like Snowflake, Databricks, Palantir or BigQuery which offer better scalability for knowledge graph implementations.

The Convergence: AI and Ontology Working Together

The most exciting developments emerge when AI and semantic ontologies combine. AI systems can learn from data at scale and identify patterns humans would miss. Semantic ontologies provide the business context that AI systems need to make those patterns meaningful. Together, they create a feedback loop: ontologies guide how AI models interpret data, and AI systems suggest refinements to ontologies based on what the data reveals. This is fundamentally more powerful than either approach alone and creates immense value for any data organization.

Ransomware has always been a moving target but is now entering a period of volatility unlike anything we've seen before. Tactics are shifting rapidly, tools are becoming more sophisticated and more widely available, and the threat-actor landscape is splintering into a chaotic mix of groups, affiliates and opportunistic newcomers. For insurers, this fragmentation and instability is rewriting assumptions about predictability, frequency and severity.

To understand why ransomware feels more volatile than ever, it's important to start with how organized these operations once were. Historically, major threat groups behaved with a degree of predictability. Their operations had a clear methodology and often resembled a supply chain. One group identified or acquired a zero-day vulnerability; another specialized in gaining credentials and access to victims' networks; a ransomware group purchased that access and deployed their malware; and another entity handled negotiations, payment facilitation and hosting on data-leak sites. While criminal, these actors operated within consistent roles.

Today, that methodology and structure has fractured. Law-enforcement pressure, internal disputes and simple profit incentives have splintered once-dominant ransomware groups. Nowadays there is not just one geography or one group that's doing everything from start to finish. It's now a combination of parties. Coupled with this, their tools, particularly the ransomware variants themselves, have leaked into the wild or been deliberately sold off. As a result, sophisticated malware that was once tightly controlled is now available to operators with minimal skill. Cheaper, less advanced variants such as Dharma and Crysis proliferate broadly, while more refined strains like Akira or LockBit remain selectively distributed, but even those find their way to multiple groups.

This "plug-and-play" ecosystem means that a threat actor with little technical capability can now operate at a level previously reserved for elite cybercriminals. The result is a wave of attacks that are increasingly unpredictable in both frequency and quality. Some are clumsy and quickly detected, while others unfold with alarming precision.

At the same time, attackers have become far more agile once inside an environment. Earlier ransomware operations often unraveled when attackers encountered unexpected security controls. Today, threat actors pivot rapidly. If endpoint detection and response (EDR) tools block one path, adversaries switch tactics, attempt to disable protections or even infiltrate the security tools themselves.

In a recent Akira-related incident, adversaries gained access to a victim's SonicWall EDR environment, used it to disable protections across the entire network and maintained persistent access. A lesser threat actor would have been stopped at the first hurdle. Today's operators adapt with remarkable speed.

This agility is compounded by AI-driven malware development. Threat actors are now capable of generating malware tailored to a victim's specific security gaps. By feeding reconnaissance data into AI coding engines, attackers can produce bespoke code that evades detection. As a result, EDR tools lose some of their efficacy, and traditional antivirus can become entirely ineffective.

AI-generated phishing is also affecting attacker capability. Previously, many phishing attempts were identified by grammar and spelling errors. Today, threat actors can generate credible, fluent communications that mimic native language use, making social engineering exponentially harder to detect. The potential for automated scaling, for example one threat actor deploying hundreds or thousands of simultaneous phishing attempts, also poses a challenge.

While tools and execution are evolving, so too are the extortion tactics, with threat actors now using multifaceted pressure strategies. When improved backups reduced victims' need for decryption keys, threat actors began stealing data and threatening to leak it and cause reputational harm. And when regulators and law enforcement discouraged companies paying for data deletion promises, promises criminals often broke anyway, attackers escalated further.

Recent incidents also show threat actors emailing victims' employees and customers directly, claiming the organization "does not care about your data," or triggering every printer in an organization to output ransom notes - ensuring employees, customers and potentially the media know about the breach. Even more concerning is a trend toward re-attacks, where threat actors revisit a network weeks after an incident to exploit newly discovered gaps and re-encrypt systems, leveraging continuing disruption as a negotiation tool and providing incentives to victims to pay the ransom.

This evolution raises the stakes for incident response and negotiation. Speed, visibility, and technical capability are more critical than ever - and so is insurer preparedness.

For insurance and risk professionals, several priorities stand out in this new environment.

1. Baseline controls are still non-negotiable

Multifactor authentication, managed EDR and reliable offline or immutable backups remain the strongest defenses against ransomware and help to ensure business continuity. These controls buy the time and visibility needed to detect intrusions early and recover without paying a ransom. But they must be properly managed. Too many insureds deploy security tools without the professional oversight required for them to function effectively, just to satisfy an underwriting requirement.

2. Deploy advanced protections

Beyond baseline controls, insureds should also adopt least-privilege models, zero-trust architectures and AI-enhanced security tools that dynamically detect "known good" and "known bad" behavior. Historically, organizations avoided these approaches due to complexity, but modern implementations are increasingly manageable and fill critical gaps left by traditional defenses.

3. Prepare for negotiation scenarios that are more aggressive and less predictable

Extortion is no longer a one-dimensional threat. Insurance companies must partner with response teams experienced in managing multi-vector pressure tactics, from public-facing harassment to second-wave attacks. These partners are capable of advising clients through highly fluid situations.

The ransomware landscape is transforming rapidly, driven by fragmentation, automation and unprecedented agility among threat actors. For insurers and their insureds, adaptability is now a core competence. Those who evolve their incident-response strategies alongside the threat landscape will be far better positioned to protect both their clients and their own business.

Residents don't want to search high and low for protection; they expect it to appear where it's most relevant. Insurance has always been about confidence, but during a digital buying journey, confidence depends on timing, relevance, and the ease with which protection blends into the experience itself.

That expectation is reshaping strategy across the industry. The State Of Embedded Insurance 2024 found that 94% of insurers view embedded insurance as a critical part of their future strategy. It's clear that insurers are no longer treating embedded insurance as only a distribution tactic but are treating it as a customer experience (CX) function.

Embedded insurance isn't new. What is new is the maturity of the technology and partnerships behind it. The next step is deepening trust and reducing friction at the emotional peaks of the journey.

TWO MOMENTS THAT MATTER THE MOST

In CX, timing is everything. Embedded insurance delivers its biggest impacts at two places in the customer journey: at checkout and right after purchase.

At checkout, customers are already in decision mode. They're focused and ready to act. When protection is offered right there, without extra steps or redirects, it feels like a natural extension of the transaction, rather than a separate sale. Subtle integration is essential. Research from BCG found that "conversion rates for traditional insurers that have embraced this model are already higher than for separate insurance for the same products," reinforcing the power of being present at the right moment.

The second moment is right after purchase, when the customer starts using what they bought. That's when peace of mind kicks in and becomes tangible. Knowing they're covered from day one reduces post-purchase anxiety and builds trust between buyer and brand. This connection ties into measurable CX gains with higher engagement and improved retention.

These moments also help explain why embedded insurance is expanding so quickly. As smoother, better-timed experiences become the norm, adoption rises. The embedded insurance market is projected to grow from $143.88 billion in 2025 to more than $800 billion by 2032, a CAGR of 28%. This steep trajectory is fueled partly by higher conversion rates and growing customer preferences for protection that appears naturally within the journey.

INSURANCE THAT FEELS LIKE CARE, NOT COMMERCE

For embedded insurance to actually enhance the CX, it has to feel like part of the service. That starts with seamless integration: no pop-ups, no redirects, and no disruption. Protection should appear inside the same interface the customer already trusts.

Clarity matters just as much as placement, so straightforward pricing, quick activation, and simple-language explanations reduce the mental load that often accompanies insurance decisions. The experience also extends beyond the sale. Claims, renewals, and continuing support must feel as intuitive as the initial purchase; otherwise, trust gained in the beginning evaporates quickly.

Four levers determine whether embedded insurance feels like care:

• Timing: Arriving at the ideal moment in the right emotional window. Too soon and it's irrelevant; too late, and the customer has already mentally moved on. But hit that perfect moment and attention can quickly become willingness.
• Personalization: This revolves around contextual relevance and offering coverage that fits the user's situation without demographic stereotypes or generic add-ons.
• Speed: Instant activation reinforces confidence; waiting undermines the very safety insurance is meant to provide.
• Claims: The ultimate test. A smooth, low-effort claim can turn a customer into a word-of-mouth marketer.

For example, a tenant signs a new lease through a property management portal. They're immediately directed to a co-branded insurance portal to either purchase coverage or upload proof of an existing policy. The transition is simple. If purchasing in the insurance portal, the tenant can then select appropriate limits or choose coverage that protects their personal belongings. And if a pipe bursts after move-in, the tenant can upload a few photos through their digital account and submit a claim within minutes, guided through each step instead of navigating stressful paperwork alone.

These moments define the experience much more than policy language. When embedded insurance removes friction, both emotional and practical, it stops feeling like an upsell and starts feeling like protection. The impact is clear in customer metrics. A 2024 study found a 17-point increase in customer satisfaction with digital insurance claims, driven largely by improvements in the range of services offered on mobile apps and websites, as well as visual appeal. Clearly, showing up with the right design and at the right time can shape customer sentiment at critical moments.

CX LIVES OR DIES IN THE PARTNERSHIP LAYER

No insurer or platform can deliver embedded insurance on its own. And any embedded insurance experience can fall apart if the system behind it isn't prepared and aligned. CX is co-owned: the insurer, the distribution platform, and the underlying technology all shape the moment a customer is offered protection. The strongest partnerships don't feel like transactional business deals; they operate like shared problem-solving.

A BCG report says that "to make the most of their opportunities, insurers will need to support and collaborate extensively with their business partners to become the provider of choice." This means teams jointly determine where insurance should appear in a workflow and how it should feel when it does. Technology, design, and messaging must blend seamlessly with the platform's brand so that customers only see a single experience, not two companies stitched together.

All of this work happens long before the first customer sees an offer. During discovery, both sides typically map the data already available in the platform's journey, such as lease information and account details, to the minimum information an insurer needs to provide a quote. When this is done well, eligibility questions shrink, quoting steps become simpler, and drop-off decreases. Clearer language replaces legal jargon, and forms become shorter and more intuitive. This way, the partnership shapes the ease customers feel long before they think about making a claim.

Customers remember the experiences that remove fear, not the ones that add friction. So the next step for embedded insurance will come from insurers and platforms working in sync and designing for real human moments. The future of insurance hinges on making every step intuitive, predictable, and easy at every touchpoint.