'But the AI Told Me To Do It!'

As AI reshapes decision-making in insurance, the industry faces a critical question: Who holds liability when algorithms influence consequential outcomes?

AI Liability

I once wrote a presentation called: "It wasn't me. AI told me to do it!"

At the time, it was half joke, half warning.

Certainly feels less comical now.

Every organization adopting AI is moving toward the same uncomfortable question. When an AI-assisted decision causes harm, who carries the liability?

Clearly not the model. Models do not sign contracts, settle claims, bind risks, approve suppliers or accept regulatory responsibility. Maybe not the vendor, whose terms will usually say that you, the customer, remain responsible for how outputs are used. Not necessarily the employee, if they were using an approved tool in an approved process. Not necessarily the committee, if it says it relied on the employee's professional judgment.

Everybody, somebody and nobody.

This is not an anti-AI argument. I use AI. Most of us now do. In most cases it is harmless enough: drafting an email, summarizing a meeting, turning scrappy notes into something coherent. No sensible firm should build a heavy governance process around every prompt. That would be maddening and almost unenforceable.

But some uses are different.

If AI helps tidy up a launch invite, nobody cares. If it helps route a claim, draft an underwriting rationale, influence a supplier decision, interpret a compliance obligation or shape a board paper, then we are in different territory. We are talking about authority.

Insurance already understands authority. A junior underwriter cannot bind whatever they like. A claims handler has limits. A TPA works within a delegated claims authority. A coverholder operates within a binder. If something goes wrong, the questions are familiar: who had authority, what was the limit, was the decision escalated, and where is the evidence?

AI does not change those principles. It just makes them harder to see.

Take claims. An AI tool triages first notice of loss, summarizes the facts and recommends settlement within a low-value authority band. A handler reviews the screen and clicks through. Months later, a pattern emerges: the tool has been routing a class of claims too generously, too harshly, or inconsistently with the carrier's authority schedule.

At that point, the question is not simply whether the model was accurate. It is whether the settlement sat within authority, who accepted it, whether the handler actually reviewed it, and whether the firm can produce a record created at the time rather than a reconstruction after the complaint lands.

The same issue appears in delegated underwriting. An MGA uses AI to draft endorsements, referrals or risk summaries. The final document may still pass through a human. But did the output stay within binder authority? Did the right person approve it? Could a coverholder audit see the trail without piecing it together from emails and meeting notes?

These are not exotic technology questions. They are ordinary insurance questions, just wearing new clothes.

The problem for underwriters is that today's AI conversation is still too blunt. A proposal form might ask, "Do you use AI?" The insured says yes. Another insured says yes. Both attach an AI policy. On paper, they look broadly similar.

But they may be completely different risks.

One firm may let staff paste AI-generated analysis straight into consequential decisions with little more than a policy telling them to be careful. Another may classify the decision, check the user's authority, require escalation, capture sign-off and preserve the evidence. Those firms should not be priced as though they are the same.

At the moment, they might be.

This is because a policy is not proof. Training is not proof. A statement that "humans remain accountable" is useful, but only if you can identify the human, the decision, the authority and the record.

The missing artefact is a decision record.

For an AI-assisted decision that matters, an insurer should be able to ask: who requested the output, what was it used for, did the person have authority, was it escalated where needed, who accepted responsibility, and can the firm prove all this without reverse-engineering the story later?

That last part matters. After a loss, everyone becomes a process expert. People remember the governance policy. They remember the meeting. They remember the human in the loop. But insurance does not work on vibes. It works on evidence.

The answer, in my view, is not more slogans about responsible AI. It is the boring stuff insurance has always understood: authority, escalation, sign-off and evidence.

The 95% of routine AI use should stay fast. Let people summarize, draft and explore. But the consequential minority needs a different track. If an output is going to move money, affect a customer, change a risk position, influence a regulatory judgment or commit the firm, someone has to own it. Not in theory. Not in a policy. In the record.

"It wasn't me. AI told me to do it" may work as a joke in a presentation. It will not work in a claim file.

The firms that can show who made the decision, who had authority and what evidence exists will look different from the firms that cannot. At some point, insurers will price that difference.

The only question is whether they do it before the first major AI-accountability claim forces the issue.

Read More