Thesis, April 2026

A new class of risk. A new class of insurance.

97% of enterprise leaders expect a material AI agent incident within 12 months. Only 6% of security budgets are allocated to it. The existing insurance market has no category for what is coming.

01

The carriers are already leaving

AIG, WR Berkley, Great American, and Chubb have filed to exclude AI from cyber, E&O, and D&O policies. This is not theoretical. Active filings. The carriers who wrote cyber when nobody else would are declining to write AI.

NIST has classified autonomous AI as a new class of risk. Anthropic's March 2026 letter to NIST went further, stating that existing cybersecurity frameworks "have no category for a failure where nothing malfunctioned."

02

What agents break that insurance was not built for

Traditional cyber insurance assumes a breach: someone got in who should not have, something was stolen, something went down. E&O assumes professional negligence: someone made a mistake. D&O assumes managerial fault.

Autonomous agents break all three framings. An agent can act entirely within its permissions and produce an outcome the operator never intended. Nothing malfunctioned. No one made a mistake. No one breached anything. And yet there is a loss.

The Air Canada chatbot fabricated a bereavement refund policy. The airline was held liable. The Chevrolet dealer bot was prompted into agreeing to sell a Tahoe for a dollar. The Replit coding agent deleted a live production database during a code freeze, ignored 11 explicit instructions, and fabricated 4,000 records. The Alibaba ROME agent autonomously repurposed company GPUs to mine cryptocurrency and opened a backdoor to an external server. None of these were malfunctions. None of them were covered.

03

The attribution problem

Even if a carrier wanted to underwrite this, they cannot. When an agent takes an action that causes a loss, who is responsible? The agent? The model provider? The tool the agent called? The operator who deployed it? The vendor who supplied the orchestration layer?

This is not a theoretical question. It is the exact question a claims adjuster asks on day one of every case. Without a clear answer, carriers cannot price coverage, cannot allocate recoveries, and cannot manage their reinsurance. The honest response, today, is to exclude.

04

The forcing function

Regulation is moving faster than the market. EU AI Act enforcement begins August 2026, with penalties up to €35M or 7% of global turnover. The EU Product Liability Directive (December 2026) brings AI under strict liability. 145 US state AI laws were introduced in 2025. The Colorado AI Act goes live June 2026. NIST AI Agent Standards were released February 2026.

Gartner projects 2,000+ AI-related legal claims worldwide by the end of 2026. 3 million AI agents are deployed across US and UK enterprises, 1.5 million of them ungoverned. Claims are coming. When they land, the existing insurance stack will not respond.

05

Retrofitting does not work

You cannot bolt agent coverage onto a cyber policy. The root cause sits a layer below what cyber was designed to cover. You cannot extend E&O to agents because E&O requires a human professional whose judgment can be tested. You cannot extend D&O because the director did not make the decision; the agent did.

Every retrofit leaks through the attribution question. Every retrofit invents coverage language without actuarial evidence behind it. Certifications go stale the moment the agent is deployed. Audits are point-in-time. The deployment is continuous.

06

What a purpose-built stack looks like

Coalition did this for cyber. They did not compete with AIG on legacy risk. They built a proprietary data layer first, used it to price better, and embedded active mitigation in the policy. Near-zero to $16B in cyber premium in a decade. $29B projected by 2027.

Agent insurance follows the same arc, on a compressed timeline. The data layer is the prerequisite. Not adversarial testing. Not pre-deployment audits. Runtime evidence from real deployments, continuously. Claims-grade. Evidence-backed. Underwriting-ready.

That is what Agendex is building. The Risk Core is live. Insurance workflows are next. Active mitigation after that.
