Podcast · Episode 1 · 12:37

The CIO's new liability

Two insurance markets are repricing AI risk on the same enterprise. D&O insurance is rewriting renewal language to flag AI supervision under the Caremark fiduciary doctrine; the reinsurance market is repricing AI tail risk into 2026 cyber treaties. Abby and Matt walk through both signals and what they say together about how underwriters now see AI risk.

Claims walked in this episode
  • AM-116 · D&O insurance and the AI-supervision claim: where Caremark meets agentic AI in 2026 (Holding)
  • AM-119 · Reinsurance and the catastrophic AI tail: why your cyber renewal is tightening (Holding)

ABBY

This is Agent Mode AI. I'm Abby. Every Sunday we pick one claim from the Holding-up ledger and walk through it. Today we're checking two: AM-116 and AM-119. They're sibling claims because they describe the same enterprise risk surface, observed from opposite ends of the insurance market.

MATT

I'm Matt. Set the frame for me. What's the dual signal?

ABBY

Two insurance markets are repricing AI risk on the same enterprise in 2026. The directors' and officers' market is rewriting renewal language to flag AI supervision at the board level. The reinsurance market is repricing AI tail risk into 2026 cyber treaties. Different products, different buyers, different time horizons. Same underlying risk surface. When underwriters reprice the same risk on both ends of the stack, the price signal is the cleanest market read on AI risk you'll get this year.

MATT

Right. Let's start with the D&O side. Walk through AM-116.

ABBY

The claim in AM-116 is that a class of derivative actions is forming around board failure to supervise AI deployments, and D&O carriers are responding at renewal with explicit AI questionnaires and emerging exclusions. The legal anchor is the Caremark line of doctrine.

MATT

Hold on. Explain Caremark for anyone who doesn't sit through Delaware case law for fun.

ABBY

Fair. The doctrine traces to In re Caremark International Inc. Derivative Litigation, decided by the Delaware Court of Chancery in 1996. The court held that a director's duty of loyalty includes a good-faith obligation to ensure that an information and reporting system exists for matters central to the company's operations. A board can be liable not for what it knew, but for what it should have made sure it would know.

MATT

So Caremark is about systems of oversight, not specific decisions.

ABBY

Right. And the standard was substantially elevated in 2019 in Marchand v. Barnhill, decided by the Delaware Supreme Court. Marchand involved a listeria outbreak at Blue Bell Creameries that killed three people. The court held that boards must actively monitor "mission-critical" risks and that the absence of a board-level reporting system on such risks can sustain a derivative claim past a motion to dismiss.

MATT

And the post-Marchand line has been consistent.

ABBY

Consistent. Cases have involved food safety in Marchand itself, opioid distribution in Clovis Oncology, and most recently AI-adjacent technology decisions in 2024 and 2025 derivative actions. When an issue is mission-critical and the record shows no board-level oversight system, plaintiffs survive dismissal.

MATT

Why does agentic AI now meet the mission-critical threshold?

ABBY

Three things have shifted in the last twelve months that most boards have not fully internalised. First, agentic AI is moving from an experimental category to a mission-critical one in many enterprises. That's the threshold that triggers the elevated Caremark standard. Second, the documented in-the-wild failure cases are now substantial enough that "we did not foresee this" stops being a credible board defence. Third, regulatory exposure under the EU AI Act has moved from anticipated to enforceable. Article 9 of Regulation 2024/1689 requires a documented risk-management system for high-risk AI deployments, with enforcement beginning August 2026.

MATT

So a high-risk AI system the board does not oversee is a structural Caremark gap.

ABBY

Exactly that. The regulator has named the obligation. The company has the deployment. The board has no oversight artefact. That triangle is what plaintiffs build a complaint around.

MATT

Now the D&O market reads the same case law and prices accordingly.

ABBY

Three patterns are visible at renewal in 2026. The first is AI-specific application questions. Marsh's quarterly D&O market reports, Aon's commercial insurance updates, and Willis Towers Watson's directors-and-officers commentary have all flagged AI-related questions appearing in renewal applications. The questions typically ask which AI deployments are classified as material, who oversees them at board level, and whether the company has a documented AI risk-management system.

MATT

What happens if the answers are weak?

ABBY

The premium moves, or the carrier adds an endorsement narrowing the cover. The second pattern is emerging exclusion language for "failure to supervise AI" claims, similar in shape to the post-2002 oversight exclusions that followed Sarbanes-Oxley. The third is a heightened underwriting interest in board-level documentation of AI oversight.

MATT

Translation for the CIO listening.

ABBY

The board's existing oversight posture is being read against a 2026 baseline. Two-year-old governance documents that were acceptable in 2024 are not acceptable now. Boards reading their oversight artefacts against this baseline find gaps they did not have to fill in 2022.

MATT

Good. Now switch to the reinsurance side. AM-119.

ABBY

AM-119 is the upstream piece. Primary cyber-insurance carriers are not the source of the 2026 cyber-renewal tightening. The reinsurance market behind them is. Lloyd's of London, Munich Re, and Swiss Re have been recalibrating their assumptions about cascading agent-failure scenarios since 2024, and the rate signal travels downstream to the policy your General Counsel is renewing this quarter.

MATT

For people who don't live in this market: what is reinsurance, briefly.

ABBY

Reinsurance is the insurance the insurance companies buy. A primary carrier writes your cyber policy. To stay solvent if a catastrophic event hits a lot of their book at once, they cede part of their portfolio to a reinsurer. That reinsurer can be Lloyd's of London as a syndicated specialty market, Munich Re or Swiss Re as the largest reinsurers globally, or one of the broker intermediaries like Aon Reinsurance Solutions or Guy Carpenter.

MATT

So the primary carrier is constrained by what the reinsurer is willing to backstop.

ABBY

That's the structural read. Your primary carrier is a price-taker on the systemic-AI-tail piece of your premium. Negotiation against the primary carrier on AI-specific terms has limited room because the carrier's own reinsurance treaty caps what it can offer.

MATT

What did the reinsurance market actually do.

ABBY

The reinsurance response shows up in three places. Catastrophe-bond issuance for cyber risk has tightened terms and raised coupon spreads in 2025 and 2026. The cat-bond market is the cleanest price signal for tail-risk perception. Treaty renewal terms between primary carriers and reinsurers have added AI-specific exclusions, sub-limits, or aggregate caps. Per-event retentions at the reinsurer level have moved in the direction of higher first-loss layers staying with the primary carrier, which forces the primary to pass that retention back through into per-policy terms.

MATT

What does the published research say.

ABBY

Lloyd's of London publishes systemic-risk reports through its Futureset programme. The post-2023 systemic-risk content has explicitly treated AI as a category of emerging cyber tail risk, with attention to scenarios where automated decision-making in agent deployments produces correlated failure across many primary policy holders. Munich Re publishes its Cyber Insurance Risk Report annually. The 2024 through 2026 reports have consistently named AI as a catastrophic-scenario category, with technical loss-modelling frameworks that primary carriers reference. Swiss Re's sigma research and Swiss Re Institute publications similarly treat AI catastrophic scenarios explicitly. The 2025 publications on AI-related liability and cyber-physical convergence have shaped underwriter assumptions in the broader market.

MATT

And the timing of the signal travelling downstream.

ABBY

Six to twelve months. The primary carrier sees the treaty terms tighten at their own renewal with the reinsurer, and that flows into the primary's own renewal proposals to enterprise buyers a quarter or two later. If you negotiated a 2026 cyber renewal and felt that the terms tightened more than the visible loss data justified, the source is one layer upstream of where most enterprise risk teams look.

MATT

Now bring the two together. Why is this the editorial point.

ABBY

Both ends of the underwriting world are repricing the same enterprise AI risk surface in 2026. The D&O market reprices the board-level supervisory exposure. The reinsurance market reprices the catastrophic-loss tail. They're not coordinating. They're independent commercial decisions by independent underwriters reading the same risk surface from different angles.

MATT

When two independent markets reprice the same risk in the same direction.

ABBY

The price signal is harder to dismiss. A single market might be wrong about the underlying risk. Two independent markets reaching consistent conclusions is the cleanest read enterprise leadership will get on how AI risk is now seen by the people who have to put their own capital behind their assessment.

MATT

What's the call to action for a CIO listening.

ABBY

Three things. Read your D&O renewal application carefully when it lands. The new AI questions are the artefact you respond to in writing, and your answer becomes part of the record if a derivative claim ever arrives. Read your cyber renewal terms against the 2024 baseline. The tightening you see is upstream-driven, not arbitrary, and the broker can push on specific endorsements but cannot push on the underlying treaty constraints. And document the board-level AI oversight system. The same artefact serves the EU AI Act Article 9 audit and a post-Marchand court, on the same record.

MATT

Verdicts.

ABBY

AM-116 is Holding. The Caremark doctrine applies on its terms, the D&O market is responding at renewal in the direction the doctrine implies, and the EU AI Act enforcement timeline closes the regulatory anticipation gap in August 2026. We're watching for the first definitive AI-Caremark ruling, which will come in 2026 or 2027 as the documented incidents accumulate.

MATT

And AM-119.

ABBY

AM-119 is Holding. The reinsurance market signal is real, the published research from Lloyd's, Munich Re, and Swiss Re is consistent, and the downstream effect on primary cyber renewals is observable in the 2026 renewal cycle. Cadence on this claim is sixty days because reinsurance market signals move on a one-to-two quarter delay. We'll re-test against the Lloyd's market notices and the Munich Re and Swiss Re cyber publications on or before the thirtieth of June.

MATT

What would change either verdict.

ABBY

For AM-116: a definitive Delaware ruling that limits Caremark in the AI context, or a meaningful softening of the EU AI Act Article 9 enforcement posture. For AM-119: a coordinated reinsurance-market position that standardises AI-specific terms downward, or a material softening of AI capability gains that reduces the catastrophic-scenario probability the reinsurers are pricing.

MATT

Final word.

ABBY

The ledger has both claims with their full source lists, the corrections log, and the next review date. That's at agentmodeai dot com slash holding. The newsletter ships every Sunday with what moved on the ledger that week.

MATT

Holding-up. See you next Sunday.
