AI Risk 2026: What Business Leaders Need to Know

AI Risk 2026: What Business Leaders Need to Know
March 25, 2026 12 mins

AI Risk 2026: What Business Leaders Need to Know

AI Risk 2026: What Business Leaders Need to Know

The accelerating role of artificial intelligence in organizational decision making in 2026 is redefining exposure — from fraud to operational resilience. Leaders must strengthen controls, build clear accountability, and ensure their risk and insurance programs keep pace with AI‑driven threats.

Key Takeaways
  1. AI-enabled fraud is becoming far more convincing — AI-generated phishing shows ~54% click-through rates versus ~12% for traditional attacks — reinforcing the need for stronger verification and awareness across the organization.
  2. Fast-moving and fragmented AI regulation is increasing compliance pressure and the need for clear governance and board level oversight.
  3. AI‑related risks now span privacy, IP, operational and reputational exposures, transforming how organizations assess insurance needs and evaluate alignment with emerging loss scenarios.

Table of Contents

  1. Introduction

  2. Where AI Creates New Exposures

  3. Insurance in 2026: How the Market is Navigating AI‑Driven Risk

  4. Defining the Real Meaning of AI Risk

  5. Regulation and Governance: What Leaders Need to Know

  6. Building Confidence Around Emerging AI Risk

  7. Turning Insight into Strategic Advantage

Artificial intelligence (AI) has moved rapidly from experimentation to enterprise‑wide adoption with advancements in Generative AI. In 2025, 88% of organizations reported using AI in at least one business function, up from 78% the previous year. This rise reflects how deeply embedded AI is now in operations and decision making.1

At the same time, risk leaders continue to rank cyber risk as the number one enterprise threat, a position it holds and is projected to maintain through 2028, according to Aon’s latest Global Risk Management Survey. AI‑driven attack techniques, including advanced phishing and deepfakes, are among the top concerns for security and risk teams — and for good reason.

AI accelerates the speed and scale of attacks, increases the complexity of operational failure and amplifies dependencies on third‑party systems. Early governance, clear accountability and resilient controls are now non‑negotiable for business leaders.

Evidence of this growing exposure is clear: The Stanford AI Index recorded 233 harmful AI‑related incidents in 2024, a 56% increase year‑on‑year, demonstrating how quickly AI‑enabled risks are expanding across sectors and geographies.2

Threat actors are also evolving their methods. According to CrowdStrike’s 2025 analysis, AI‑crafted phishing emails have shown click‑through rates of around 54%, compared with approximately 12% for traditional attacks.3 Vishing (voice phishing) incidents have also surged, and high‑profile deepfake impersonation frauds — including a widely reported $25 million case4 — highlight the operational and financial consequences of AI‑enabled deception.

Where AI Creates New Exposures

1) People and Process: Convincing Fraud at Scale

The shift: AI has transformed traditional social engineering attacks. Threat actors can now generate highly personalized emails, messages and even real‑time voice or video impersonations that imitate trusted individuals with convincing accuracy. This shift has moved fraud from isolated, opportunistic attempts to high‑volume, AI‑driven campaigns capable of bypassing standard controls and exploiting moments of pressure or ambiguity inside organizations.

What leaders should do:

  • Strengthen out-of-band verification for payments and data requests.
  • Require multi-person authorization for unusual transactions.
  • Train employees to detect synthetic media.
  • Test response plans for “live” deepfake scenarios.
2) Technology: Models, Agents and Data Pipelines can be Compromised

The shift: AI is introducing new technical pathways for compromise. In 2025, researchers uncovered malicious machine learning models (nullifAI) on a public platform5 and identified a text-to-SQL library vulnerable to prompt injection that could trigger remote code execution.6 These examples show that AI models, data pipelines and plugins require the same rigor as any software component.

What leaders should do:

  • Vet external models before integration.
  • Isolate model evaluation.
  • Enforce strict permissions for automated agents.
  • Filter inputs and outputs to reduce prompt injection and data leakage risk.
3) Ecosystem: Rising Dependency on Third-Party AI Services

The shift: Organizations are increasingly reliant on AI‑as‑a‑service providers for model hosting, inference, analytics and automation. Independent research has highlighted misconfigurations and architectural weaknesses across some fast‑scaling AI platforms, which can expose organizations to outages, data leakage or loss of service integrity.7 These dependencies introduce concentration risk and underscore the importance of supply chain resilience in AI environments.

What leaders should do:

  • Include AI-specific controls in vendor reviews.
  • Require transparency about training data and incident processes.
  • Ensure AI suppliers feature in resilience and business continuity planning.
4) Behavior: ‘Shadow AI’ Remains a Persistent Driver of Data Leakage

The shift: Despite increased controls, employees continue to use personal AI accounts for work tasks, including uploading sensitive data. Although usage has dropped from 78% to 47% over the past year, shadow AI remains a significant source of unmonitored data exposure and compliance risk.8 Unapproved tools can easily bypass enterprise security and create blind spots in incident response processes.

What leaders should do:

  • Provide safe, approved AI options.
  • Set clear “do not paste” rules.
  • Require dedicated credentials for AI tools.
5) Legal and Reputational: Privacy, IP and Hallucination Risk

The shift: AI has also exacerbated legal and reputational risk exposure. Organizations have faced numerous privacy‑related investigations, including over the creation of unauthorized facial recognition databases.9 Copyright disputes are increasing as publishers, artists and media companies challenge the use of their material in training datasets.10 Meanwhile, AI hallucinations — where systems generate inaccurate or fabricated content — have resulted in incorrect legal citations, misinformation and reputational damage.11

What leaders should do:

  • Implement human-in-the-loop review for high-stakes AI outputs.
  • Monitor legal developments and update risk and compliance processes as necessary.

Insurance in 2026: How the Market is Navigating AI‑Driven Risk

AI is reshaping risk at speed, but the insurance market is not responding with broad exclusions or sharp retrenchment. Instead, 2026 is defined by clarification, targeted adjustments and a deeper focus on how AI modifies exposure within established lines. Capacity remains available, but underwriting scrutiny is rising.

Against this backdrop, three distinct market approaches are emerging that illustrate how insurers are adapting in practice:

1) Clarifying and Selective Exclusions

Insurers are drafting AI‑related endorsements that can be deployed case‑by‑case, particularly where exposures are severe or poorly understood. Some endorsements exclude risk explicitly; others appear merely clarifying but introduce silent limitations that narrow what was previously covered. As with early “ silent cyber ,” careful policy language review is essential.

2) Affirmative Coverage Through Existing Policies

Insurers are also offering affirmative AI coverage via endorsements to cyber, E&O, media liability and EPLI programs. These can:

  • Provide clarity without adding a new line of cover
  • Avoid “other insurance” disputes
  • Leverage deeper capacity in established markets

But not all endorsements expand cover; some introduce new exclusions or narrow the insuring clause. Clarity must not come at the expense of protection.

3) Standalone AI Products: Clear Scope, Limited Scale

New AI‑specific products — from Armilla, Munich Re’s AiSure, AXA XL, Vouch, Testudo and others — offer targeted protection for:

  • Modeling underperformance or hallucination
  • IP and training‑data exposures
  • Regulatory compliance failures (e.g., EU AI Act)
  • Data poisoning and prompt‑based attacks

Yet capacity remains limited, coverage is narrow and adoption will likely follow the slower path seen in previous digital shifts like silent cyber or cloud computing.

Quote icon

When developing new AI-related insurance products, markets need to be clear, deliberate and focused on their value — particularly given the pace at which these products must evolve.

David Molony
Head of Cyber Solutions, Europe, Middle East and Africa

Defining the Real Meaning of AI Risk

AI is not a single risk. It overlays — and amplifies — existing risks across cyber, professional services, employment, intellectual property, product liability and D&O. Like cloud and IoT, AI blurs the boundaries traditional insurance relies on. This makes governance and documentation central to underwriting confidence.

Directors & Officers Liability: AI Elevates Governance Exposure

AI is accelerating the expectations placed on boards, particularly around oversight, documentation, safety and risk assessment, and the responsible deployment of high‑impact systems. Courts and regulators increasingly expect directors to understand how and where AI is used in their organizations, ensure appropriate governance and demonstrate that risks — including model failure, data misuse and third‑party dependency — have been considered and addressed.

For boards, the most material D&O exposures include:

  • Governance and oversight failures where, for example, inadequate controls, human‑in‑the‑loop processes or model testing lead to financial, operational, reputational or regulatory impacts
  • Disclosure and reporting risk, particularly where AI‑driven transformation is material to financial performance or operational resilience
  • Regulatory scrutiny and compliance with nascent and constantly evolving regimes across the globe, as authorities take varying approaches to evaluate how organizations manage high‑risk AI use cases, data governance, safety testing and incident reporting
  • Shareholder litigation, especially arising from the governance and disclosure risks noted above, such as AI‑related misstatements accompanying losses in value, as well as claims of insufficient oversight

Insurers are already signaling increased interest in AI governance maturity within D&O underwriting — including how companies vet their public disclosures, and how boards approach oversight, integrate AI into risk registers and manage third‑party exposures.

Demand for AI‑Related Protection is Rising Sharply

Recent market research shows that more than 90% of insurance decision makers now consider AI‑driven incidents a material concern and expect insurance products to evolve accordingly.12 Underwriters increasingly expect:

  • Clear evidence of AI governance
  • Documented model testing
  • Robust third‑party oversight
  • Safeguards against data leakage and manipulation
  • Scenario analysis that incorporates AI‑driven failures

Organizations that can demonstrate maturity in these areas will secure cleaner terms, greater capacity and more favorable outcomes.

Regulation and Governance: What Leaders Need to Know

AI regulation is accelerating across major markets — but in vastly different ways. In Europe, the EU Artificial Intelligence Act is progressing through phased implementation from 2025 to 2027, introducing structured obligations around documentation, monitoring, traceability and human oversight for high-risk systems.

The United States, by contrast, has moved toward a more innovation-focused approach. A new federal Executive Order sets out a “minimally burdensome” AI policy aimed at speeding deployment and strengthening national competitiveness. Rather than expanding compliance requirements, the Order seeks to streamline governance and reduce friction for U.S. companies.

With Europe tightening controls and the U.S. federal government easing them, governance expectations are diverging. Many organizations are responding by aligning internal controls to the National Institute of Standards and Technology (NIST) AI Risk Management Framework, which offers practical guidance on identifying, measuring and governing AI risk — including documentation practices, oversight points, testing disciplines and monitoring. For boards and executives, NIST provides a shared language that can unify conversations across risk, compliance, technology and insurance teams.

For leaders navigating these shifts, the takeaway is clear: AI governance must be both evidence-driven and adaptable. While regulatory trajectories differ, the expectation for traceability, assurance and transparent controls is rising globally. As Adam Peckman, Aon’s Global Practice Leader of Cyber Risk Consulting, Head of Risk Consulting & Cyber Solutions, Asia Pacific notes, “The organizations that get ahead of AI risk are the ones that treat governance as a living discipline — something that evolves with the technology, not after it.”

Building Confidence Around Emerging AI Risk

As AI reshapes fraud, operations and governance, business leaders are increasingly focused on understanding how these shifts change their exposure and what practical steps will help them stay ahead. Organizations that take a structured, evidence‑driven approach can strengthen resilience, improve decision making and ensure their insurance programs evolve in step with AI‑driven threats.

  1. Gaining Clarity on AI Use and Risk Exposure:

    Clients are prioritizing a clearer view of where AI sits within their business, how models are developed or procured, and how AI changes operational, legal and financial exposures. Mapping use cases — and identifying where existing controls may not be designed for AI-driven failure modes — has become a foundational step for confident risk management.
  2. Ensuring Existing Insurance Programs Remain Fit for Purpose:

    As AI adoption expands, many organizations are reviewing their cyber, E&O/PI, EPLI, crime and D&O programs to ensure coverage aligns with emerging loss scenarios. This includes understanding where cover is affirmative, where it may be silent or ambiguous, and where endorsements or exclusions could unintentionally narrow protection.
  3. Evaluating New Risk Transfer Options as the Market Evolves:

    While standalone AI products remain narrow in scope and early in maturity, risk leaders are actively monitoring new offerings and considering when alternative structures — such as umbrella or reinsurance solutions — may be relevant. The goal is to ensure future flexibility without compromising current resilience.

Turning Insight into Strategic Advantage

Many organizations are now using scenario analysis and financial modeling tools, like Aon’s Cyber Risk Analyzer, to quantify the potential impact of AI‑enabled incidents. This helps leadership teams prioritize controls, strengthen governance, and make more informed decisions about their insurance posture.

As Brent Rieth, Aon’s Head of Global Cyber Solutions, observes, AI is “changing the risk landscape faster than traditional frameworks can adapt, and the organizations that invest early in transparent governance, scenario analysis and insurance alignment will be best positioned to adopt AI safely — and to turn risk into a source of long‑term advantage.”

Aon’s Thought Leaders
  • Adam Furmansky
    D&O Product Leader — East, Financial Services Group, United States
  • David Molony
    Head of Cyber Solutions, Europe, Middle East and Africa
  • Adam Peckman
    Global Cyber Risk Consulting Leader, Head of Risk Consulting & Cyber Solutions, Asia Pacific
  • Nick Reider
    D&O Product Leader— West, Financial Services Group, United States
  • Brent Rieth
    Global Head of Cyber Solutions

1 The state of AI in 2025: Agents, innovation, and transformation, McKinsey
2 The 2025 AI Index Report, Stanford University
3 CrowdStrike 2025 Threat Hunting Report: AI Becomes a Weapon and a Target, CrowdStrike
4 ‘This happens more frequently than people realize’: Arup chief on the lessons learned from a $25m deepfake crime, World Economic Forum
5 Malicious AI Models on Hugging Face Exploit Novel Attack Technique, Infosecurity Magazine
6 Black Hat: Researchers demonstrate zero-click prompt injection attacks in popular AI agents, CSO
7 The 2025 AI Index Report, Stanford University
8 Cloud and Threat Report: 2026, Netskope
9 UK Upper Tribunal hands down judgment on Clearview AI Inc, ICO
10 The New York Times and Chicago Tribune sue Perplexity over alleged copyright infringement, Engadget
11 California Court Issues $10,000 ‘Warning’ Over Lawyer’s ChatGPT Brief, eWeek
12 Gen AI Risks for Businesses: Exploring the role for insurance, Geneva Association

General Disclaimer

This document is not intended to address any specific situation or to provide legal, regulatory, financial, or other advice. While care has been taken in the production of this document, Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document.

Terms of Use

The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.

Aon's Better Being Podcast

Our Better Being podcast series, hosted by Aon Chief Wellbeing Officer Rachel Fellowes, explores wellbeing strategies and resilience. This season we cover human sustainability, kindness in the workplace, how to measure wellbeing, managing grief and more.

Aon Insights Series Asia

Expert Views on Today's Risk Capital and Human Capital Issues

Aon Insights Series Pacific

Expert Views on Today's Risk Capital and Human Capital Issues

Aon Insights Series UK

Expert Views on Today's Risk Capital and Human Capital Issues

Client Trends 2025

Better Decisions Across Interconnected Risk and People Issues.

Construction and Infrastructure

The construction industry is under pressure from interconnected risks and notable macroeconomic developments. Learn how your organization can benefit from construction insurance and risk management.

Cyber Resilience

Our Cyber Resilience collection gives you access to Aon’s latest insights on the evolving landscape of cyber threats and risk mitigation measures. Reach out to our experts to discuss how to make the right decisions to strengthen your organization’s cyber resilience.

Employee Wellbeing

Our Employee Wellbeing collection gives you access to the latest insights from Aon's human capital team. You can also reach out to the team at any time for assistance with your employee wellbeing needs.

Environmental, Social and Governance Insights

Explore Aon's latest environmental social and governance (ESG) insights.

Q4 2023 Global Insurance Market Insights

Our Global Insurance Market Insights highlight insurance market trends across pricing, capacity, underwriting, limits, deductibles and coverages.

Global Risk Management Survey

Better Decisions Across Interconnected Risk and People Issues.

Regional Results

How do the top risks on business leaders’ minds differ by region and how can these risks be mitigated? Explore the regional results to learn more.

Impact Report 2025

Explore Aon's corporate sustainability impact and strategy.

Top 10 Global Risks

Trade, technology, weather and workforce stability are the central forces in today’s risk landscape.

Industry Insights

These industry-specific articles explore the top risks, their underlying drivers and the actions leaders are taking to build resilience.

Human Capital Analytics

Our Human Capital Analytics collection gives you access to the latest insights from Aon's human capital team. Contact us to learn how Aon’s analytics capabilities helps organizations make better workforce decisions.

Human Capital Quarterly Insights Briefs

Read our collection of human capital articles that explore in depth hot topics for HR and risk professionals, including using data and analytics to measure total rewards programs, how HR and finance can better partner and the impact AI will have on the workforce.

Insights for HR

Explore our hand-picked insights for human resources professionals.

Workforce

Our Workforce Collection provides access to the latest insights from Aon’s Human Capital team on topics ranging from health and benefits, retirement and talent practices. You can reach out to our team at any time to learn how we can help address emerging workforce challenges.

Mergers and Acquisitions

Our Mergers and Acquisitions (M&A) collection gives you access to the latest insights from Aon's thought leaders to help dealmakers make better decisions. Explore our latest insights and reach out to the team at any time for assistance with transaction challenges and opportunities.

Natural Resources and Energy Transition

The challenges in adopting renewable energy are changing with technological advancements, increasing market competition and numerous financial support mechanisms. Learn how your organization can benefit from our renewables solutions. 

Navigating Volatility

How do businesses navigate their way through new forms of volatility and make decisions that protect and grow their organizations?

Parametric Insurance

Our Parametric Insurance Collection provides ways your organization can benefit from this simple, straightforward and fast-paying risk transfer solution. Reach out to learn how we can help you make better decisions to manage your catastrophe exposures and near-term volatility.

Pay Transparency and Equity

Our Pay Transparency and Equity collection gives you access to the latest insights from Aon's human capital team on topics ranging from pay equity to diversity, equity and inclusion. Contact us to learn how we can help your organization address these issues.

Property Risk Management

Forecasters are predicting an extremely active 2024 Atlantic hurricane season. Take measures to build resilience to mitigate risk for hurricane-prone properties.

Technology

Our Technology Collection provides access to the latest insights from Aon's thought leaders on navigating the evolving risks and opportunities of technology. Reach out to the team to learn how we can help you use technology to make better decisions for the future.

Trade

Our Trade Collection gives you access to the latest insights from Aon's thought leaders on navigating the evolving risks and opportunities for international business. Reach out to our team to understand how to make better decisions around macro trends and why they matter to businesses.

Transaction Solutions Global Claims Study

Better Decisions Across Interconnected Risk and People Issues.

Weather

With a changing climate, organizations in all sectors will need to protect their people and physical assets, reduce their carbon footprint, and invest in new solutions to thrive. Our Weather Collection provides you with critical insights to be prepared.

Workforce Resilience

Our Workforce Resilience collection gives you access to the latest insights from Aon's Human Capital team. You can reach out to the team at any time for questions about how we can assess gaps and help build a more resilience workforce.

More Like This

View All
View All
Subscribe CTA Banner