Underwriting the state: insurance, reinsurance and the silent governance of Australia’s AI deployment
The practical regulator of AI embedded in critical infrastructure is the global insurance and reinsurance industry, which we have not yet factored into national security planning.
In my last two to three years inside government, I participated in a lot of discussions on the regulatory requirements of the Security of Critical Infrastructure Act 2018. The conversations I expected were about hazard registers, supply chain assurance, personnel security and the cyber baselines. The conversation I did not expect was the one that kept turning up, quietly and generally once the formalities were concluded. A general counsel or a chief risk officer would raise an emerging AI use case in a hospital, a port, an electricity distributor, or a state water utility. Someone would say: the insurer will not write that. Or: the insurer will write it, but only on warranties we cannot meet. Or: the broker has told us to wait, because the underwriting market is moving. The conversation kept arriving at the same place. It was not the Commonwealth deciding what the critical infrastructure entity would deploy. It was the underwriter.
In the eighteen months since I left government, I have been in board rooms and offices across critical infrastructure, the prudentially regulated financial sector and the defence industrial base. The pattern has not gone away. It has hardened. The Australian debate on artificial intelligence, as it is being conducted in the National AI Plan, the Voluntary AI Safety Standard, and the consultations on the new Australian AI Safety Institute, is being held in the language of state design. Inside the entities that actually run Australia’s critical infrastructure, the closest regulator is not the state. It is the insurance and reinsurance layer.
Regulatory decisions are being taken in London, Munich and Zurich that are now shaping what Australian critical infrastructure operators can deploy, how they deploy it, and on what terms.
The forces
Insurance has always governed. The ‘insurance as governance’ tradition is well known to lawyers and to the sociology of risk, less so to the strategic studies discipline. Omri Ben-Shahar and Kyle Logue argued in 2012 that insurers, working on rich loss data and continuous underwriting feedback, can outperform the state at setting safety standards and policing compliance. They called this outsourcing regulation. Tom Baker and Anja Shortland extended the analysis to ransomware, showing how governments, even when they do not legislate, stand behind insurance governance and rely on it to maintain insurability of risks the public sector cannot itself absorb. Shauhin Talesh published Insuring Cyberinsecurity, arguing that cyber insurers have become de facto regulators of cybersecurity, with all the strengths and pathologies that delegation implies.
The literature is now arriving at the same point about AI. A December 2025 paper by Cristian Trout, When Does Regulation by Insurance Work? The Case of Frontier AI, is the first principled framework for assessing when insurance uptake produces a net regulatory effect on frontier model developers. A companion paper, The Insurability Frontier of AI Risk, codes fifty five AI threat classes against twenty six insurance products and identifies a four tier insurability frontier: affirmatively insured perils, silent AI exposures, actively excluded perils, and perils that sit beyond conventional private insurance altogether. A May 2025 paper, Catastrophic Liability, proposes mandatory insurance for “Critical AI Occurrences”, borrowing from the nuclear precedent that an earlier study had already drawn. The Geneva Association, the global reinsurance and insurance think tank, surveyed six hundred corporate insurance decision makers across six economies in late 2025 and found that nine in ten want explicit AI cover.
These are not the publications of a market that is waiting for legislators. They are the publications of a market that is writing the rules.
The 2026 exclusion wave. The most consequential move in the past twelve months is the quietest. In January 2026 the United States Insurance Services Office filed three new generative AI endorsements for commercial general liability cover: CG 40 47, CG 40 48 and CG 35 08. CG 40 47 is the wide form: it excludes bodily injury, property damage, and personal and advertising injury arising from generative AI outputs. CG 40 48 is narrower, leaving bodily injury and property damage in. CG 35 08 attaches to the products and completed operations coverage part. The endorsements are optional in form. In effect they end the silent AI era, in which standard liability cover responded to AI losses by default. They give every underwriter an off the shelf instrument for closing AI exposure on a portfolio. They were adopted immediately by multiple national carriers including AIG and W. R. Berkley. The Verisk endorsement defines “generative artificial intelligence” as a machine based learning system that is trained on data and that produces content. The definition is wide enough to capture almost any deployed large model.
The mirror image of the exclusion is the affirmative cover. Munich Re has been the most public mover, with its aiSure product family that indemnifies AI providers for losses arising from model performance failures, drift and hallucination. Munich Re underwrites the model, not the industry of the insured. In March 2026 its subsidiary HSB launched an AI liability product for small business. At Lloyd’s, the broker backed Armilla writes affirmative AI cover with capacity from Chaucer and Axis, up to USD25 million per risk, on terms that include warranties on AI governance maturity. Swiss Re’s sigma 1/2026 report names liability from algorithmic failure and biased decision making, intellectual property disputes and non physical business interruption as the AI claim heads of the next insurance cycle. The same report flags concentration risk in foundation models and the small group of hyperscale cloud providers as the systemic exposure that may sit beyond the appetite of any single underwriter. Reinsurance Business reported in May 2026 that the cyber reinsurance market had reached a new high as AI risk reshaped the underwriting frame.
The Lloyd’s Market Association has not yet released a dedicated AI clause set, but its existing cyber war language and silent cyber endorsements, LMA5400 and LMA5410, already define ‘computer system’ to include software, and AI is software. The LMA is actively researching AI loss scenarios. A purpose built clause is, on the analyst’s read, a question of when rather than whether.
Australia, finally, gets there. On 30 April 2026 the Australian Prudential Regulation Authority released a letter to industry on artificial intelligence and finalised targeted amendments to Prudential Standard CPS 230 Operational Risk Management. The letter is, in regulatory voice, an unusually blunt document. It states that current governance, risk management, assurance and operational resilience practices are not keeping pace with the scale, speed and complexity of AI adoption inside APRA’s regulated population. It names four governance failures: AI systems being deployed without inventory; lifecycle ownership unclear; post deployment monitoring weak; decommissioning processes largely absent. It then sets out, for the first time, structured AI specific expectations on each of those points. The targeted CPS 230 amendments come into force on 1 July 2026.
APRA’s posture has shifted from ‘the existing framework covers AI’ to a position closer to the European Union’s risk based supervisory frame, where there is a class of AI uses that draws heightened scrutiny by virtue of the use, not the technology. It has done this without legislation and without ministerial direction, by issuing a letter and a Prudential Standard amendment. That is the regulatory signal. The underwriting signal is louder, earlier and operating across more jurisdictions.
The underwriting committee as a national security desk
Insurance becomes national security policy at the moment three conditions are satisfied. First, the insurance decision determines whether the underlying activity proceeds at all. Second, the activity is one the state would otherwise be expected to regulate in the national interest. Third, the body taking the insurance decision sits beyond the state’s effective political accountability. All three are now visible in the AI underwriting frontier.
Condition one: insurance decisions determine deployment.
In Australian critical infrastructure the Security of Critical Infrastructure Act 2018 and the Critical Infrastructure Risk Management Program rules require responsible entities to maintain operational resilience. They do not require those entities to carry insurance. They do not need to. Boards do not deploy material new technology into production systems without a defensible position on insurability, because directors carry section 180 duties under the Corporations Act 2001 and because the chief financial officer carries audit and disclosure obligations that ride on the answer. When the upstream underwriter excludes a class of AI use from cover, the downstream deployment decision in a hospital, a port operator, an electricity distributor or a Tier 1 logistics provider gets harder to defend. The Cyber and Infrastructure Security Centre’s Artificial Intelligence Factsheet tells operators to consider AI risk inside their CIRMP. It does not tell them how to underwrite it. The market does.
Condition two: the use cases sit in the national interest.
The list of AI use cases under active underwriting attention reads as a list of Australian critical infrastructure subsectors. AI clinical decision support inside hospitals. AI scheduling and load balancing in electricity distribution. AI control logic in port and rail operations. AI generated content in financial advice and superannuation member communications. AI driven fraud detection inside payment rails. The international guidance, including the joint Principles for the Secure Integration of Artificial Intelligence in Operational Technology released by the Australian Signals Directorate with CISA in December 2025, identifies operational technology as the sharp end. Insurance is the practical filter on what gets through.
Condition three: the decision sits beyond Australian political accountability.
The treaties that govern global reinsurance capacity are written by the four largest European reinsurers, with the United States retrocessional markets and a Bermuda layer behind them. The wordings are negotiated through Lloyd’s, the Reinsurance Association of America, and the Global Federation of Insurance Associations. The decision to add a generative AI exclusion to a commercial general liability portfolio, or to require AI governance warranties before binding affirmative cover, is taken inside private bodies. The Australian Treasury and APRA have visibility into Australian insurers’ practices but they have only attenuated influence on the global pricing and capacity decisions that determine what is on offer to Australian risks. Treasury runs a terrorism reinsurance scheme through the Australian Reinsurance Pool Corporation, and runs a cyclone reinsurance pool of similar architecture. There is no equivalent Australian pool for AI correlation risk. The closest analogue, the Lloyd’s state backed cyber attack exclusion mandated from 31 March 2023, sits outside Australian jurisdiction.
That third condition is the heart of the argument. The Australian state has been a participant in the cyber war exclusion conversation, mostly through the attribution machinery and through the Department of Foreign Affairs and Trade’s public attribution statements. It has not been a participant in the AI exclusion conversation. It is not yet clear that Treasury has scoped the systemic implication. It is even less clear that Home Affairs has scoped the national security implication.
The four channels of shadow regulation
The mechanism by which the underwriting layer becomes shadow national security policy operates through four distinct channels. Naming them matters because each is amenable to a different policy response.
First channel: silent AI inherits silent cyber. The lesson the reinsurance industry took from NotPetya is well known. In 2017 a state attributed cyber operation against Ukrainian targets propagated globally and caused approximately USD10 billion of loss. Merck claimed under ‘all risks’ property cover. Its insurers refused, citing a hostile or warlike action exclusion. The New Jersey appellate division held in 2023 that the war exclusion did not apply, on the basis that the language was directed at armed conflict between states and could not be stretched to cover a cyber operation against a commercial party not engaged in hostilities. The judgment was a victory for the policyholder. It was also a signal to the reinsurance market that war wording needed to be rewritten, and Lloyd’s promptly did so. The 2020 Carnegie Endowment report by Jon Bateman, War, Terrorism, and Catastrophe in Cyber Insurance, called for traditional war and terrorism exclusions to be abandoned for cyber and replaced with a purpose built catastrophic exclusion. The Lloyd’s 2023 exclusion mandate took most of that recommendation and made it market practice.
Silent AI is the present incarnation of the same problem. The Swiss Re Institute warned in September 2024 that the industry should “prevent repetition of the same mistakes” from silent cyber. The Verisk endorsements of January 2026 are the prevention attempt. The Australian implication is that loss arising from AI failure inside critical infrastructure may fall into the same gap that NotPetya did before the Merck judgment: covered, then suddenly excluded, with the gap closing fastest on the cases that most resemble a national security loss.
Second channel: attribution privatised. The Lloyd’s war exclusion in its Version A form tied attribution to a competent state authority determination. The Version B form removed that requirement and gave the insurer the call. Either way, an insurer is taking what is properly a national security judgement: was this attack attributable to a state, and which state. The Australian Government has, through ASD and the Department of Foreign Affairs and Trade, been one of the more forward leaning attribution actors in the Indo Pacific. It has made public attributions against North Korean and Russian state actors. Those attributions carry weight in policy. They are not binding on Lloyd’s underwriters. The same logic now extends to AI: an exclusion that turns on whether a model failure was the product of an adversarial state operation, a foreign supplied training data poisoning, or a foundation model defect, requires a privatised attribution decision. That decision shapes who pays and, more importantly, what gets built next.
Third channel: correlation risk and foundation model concentration. The most novel insurability frontier identified by the Trout paper and the Insurability Frontier paper is concentration in foundation models. A small number of upstream models supply a large fraction of downstream commercial AI use. If one of those upstream models fails, or is breached, or generates a class of harmful outputs, the losses correlate across many cedents at once. This is the same problem that property catastrophe reinsurance solved for natural hazard through reinsurance capacity and government pools. The market is testing whether it can solve the same problem for foundation models without a state guarantee behind it. Swiss Re’s view, in sigma 1/2026, is that AI driven disruption will reallocate insurance demand rather than expand the pie, and that systemic concentration in cloud and AI service providers is a layer beyond conventional pricing. If that view holds, the Australian implication is that capacity for AI underwriting will be tighter and more expensive than the local market has assumed, and the underwriting frontier will set the deployment frontier.
Fourth channel: governance warranties shape model conduct. The affirmative AI cover on offer at Lloyd’s and at Munich Re is not unconditional. It is gated on AI governance representations. The Armilla policy underwritten by Chaucer requires the insured to demonstrate model governance maturity. Munich Re’s aiSure underwrites the model itself and the contractual performance warranties on its outputs. The Geneva Association report found that the bar that affirmative cover sets for insureds is a more demanding bar than any voluntary standard issued by an OECD government. The market is, in effect, doing standards setting for AI deployment, in the way it has done it for occupational health and safety and for cybersecurity since the 1990s. Australia’s Voluntary AI Safety Standard and the National Artificial Intelligence Centre guidance are designed to nudge entities into good practice. The underwriting warranty is designed to refuse cover if they do not adopt it. The latter is the harder constraint.
Why this is a national preparedness and resilience problem
The strategic studies literature on AI risk has, with a small number of exceptions, treated the question through the frames of capability, competition and frontier model safety. That framing is necessary. It is not sufficient. The national security stake in the insurance question is not the frontier model. It is the operational stack inside the hospital, the substation, the rail control room, the regional water utility and the payments rail. That is the layer at which Australian preparedness either holds or fails.
I have argued previously that the missing layer in Australian strategic policy is national preparedness: the standing capacity of the country to absorb a shock, sustain essential services and recover, across the full hazard spectrum from natural disaster to high intensity conflict. The Nordic and Finnish total defence tradition rests on the same conviction. A serious preparedness posture does three things. It makes the resilience of essential services a national obligation, not a sectoral hobby. It builds the institutional muscle to anticipate and operate under irreducible uncertainty. And it embeds the disciplines of risk transfer, redundancy and recovery into the operating model of every critical infrastructure entity, public and private. The insurance and reinsurance layer sits at the intersection of all three.
The resilience layer the state cannot supply alone. The Commonwealth cannot self-insure the entire critical infrastructure base. No state can. The market exists, in part, because catastrophic and correlated losses are pooled across jurisdictions, currencies and risk classes that no single government balance sheet could absorb. The terrorism reinsurance pool through ARPC and the cyclone pool are explicit recognitions of where the market alone fails. Preparedness against an AI driven cascading failure in critical infrastructure depends on the underwriting layer continuing to function in the cases where the market is willing to write, and on the Commonwealth supplying capacity where it is not. The same logic that underwrites resilience against terrorism and cyclone underwrites resilience against AI correlation risk. There is presently no instrument to do it.
The CIRMP regime presumes an insurable counterparty. The Critical Infrastructure Risk Management Program rules require responsible entities to design, implement and report against an all-hazards risk management programme. The implicit assumption running through the regime is that the residual risk left after the controls are in place is transferred to a willing insurer at a defensible premium. When the underwriter excludes AI risk, that assumption fails. The residual risk reverts to the entity, to its shareholders, and ultimately to the public that depends on the service. The Australian preparedness model thus has a silent precondition: that the global underwriting layer continues to write the categories of risk the model assumes are transferred. AI is the first major category where that assumption is visibly breaking.
Total defence and the insurance limb. The Finnish, Swedish and Singaporean total defence models all treat the insurance industry as a partner, formally or informally, in national preparedness. The Finnish National Emergency Supply Agency pools state and private resources, including industry preparedness obligations and a designated set of insurance arrangements, to maintain the country’s essential functions under serious disturbance. The Singaporean Total Defence frame treats civil, economic, social, psychological, military and digital defence as a single integrated posture, and Singaporean financial supervision sits inside that posture. The Australian model has no equivalent. APRA supervises insurers prudentially. Treasury runs the reinsurance pools. The Cyber and Infrastructure Security Centre runs the CIRMP regime. None of them treats the insurance layer as a preparedness partner. The shadow regulation argument is the proof case that they should.
The polycrisis dimension. I have argued previously that Australian risk management has not caught up with the polycrisis condition under which the next decade of strategic risk will be lived. AI deployment in critical infrastructure is a textbook polycrisis vector. A single upstream model fault, or a single state attributed AI driven attack, can simultaneously degrade clinical care, electricity supply, port throughput and financial settlement. The insurability question is the early warning indicator for that risk. The underwriters, looking at correlation across cedents, see the polycrisis exposure before the public regulators do. Ignoring what they see is a preparedness failure, not just a market failure.
That is the gap, in one sentence: the Australian preparedness regime relies on an insurance layer it has not engaged with, in a category of risk that is currently being redefined without an Australian voice in the room.
The Australian blind spot
Most Australian academic writing on AI policy treats the regulation question as a contest between an EU style horizontal Act, a sectoral US style approach, and a UK style principles-based regime. That framing maps directly onto debates inside the Department of Industry, Science and Resources and inside the public consultation on the Voluntary AI Safety Standard. It maps poorly onto the actual mechanism by which AI deployment in Australia is being shaped. The strategic studies literature, in turn, has been preoccupied with frontier model risk, AGI timelines, the AUKUS Pillar 2 work programme and the AI race with China. The two communities, the regulatory community and the strategic studies community, look past one another on the issue of the insurance and reinsurance layer.
The ‘insurance as governance’ tradition supplies the conceptual mechanism for fixing that problem. The frontier AI insurability papers supply the data. The APRA letter and the 2026 ISO endorsements supply the present tense facts. The strategic studies discipline needs to learn to read underwriting committee minutes the way it has learned to read defence white papers. That is the missing chapter.
There is also a normative move. If a class of AI deployment is, in the underwriting market, becoming uninsurable or insurable only on affirmative terms with governance warranties, and if those affirmative terms are set by a Munich underwriter rather than by Canberra, the Australian state is delegating a national security judgement to a foreign party without admitting that it has done so. That delegation may be efficient. It may also be necessary, for now, because no public regulator can match the underwriting market’s velocity. It is not democratically accountable. The Trout paper notes the same point at the frontier model level. The point applies with greater force at the critical infrastructure deployment level, because the harms are concrete and proximate and the victims are Australian.
Recommendations: the insurance limb of the National Preparedness Framework
The implications point to a discrete set of actions. They cohere because they share the same underlying logic: the insurance and reinsurance layer is a national preparedness asset that the Australian state does not yet manage as one. Each recommendation builds the institutional muscle that national preparedness will need.
First: a public national security audit of AI underwriting capacity. Treasury and APRA, in partnership with Home Affairs and the Cyber and Infrastructure Security Centre, should commission a market study on the availability and terms of affirmative AI cover for the critical infrastructure subsectors named in the Security of Critical Infrastructure Act 2018. The study should map AI exclusions in force, the governance warranties attached to affirmative cover, the capacity available in the Australian and Lloyd’s markets, and the foundation model concentration risk facing Australian cedents. The Geneva Association’s October 2025 report is a useful template. The output should be public, in the manner of the Australian Energy Market Operator’s Integrated System Plan, so that Australian boards have a shared evidence base. This study sits at the foresight layer: it is the standing intelligence picture of where the country can transfer AI risk and where it cannot.
Second: a CIRMP disclosure obligation on AI insurability. The Critical Infrastructure Risk Management Program rules should be amended to require responsible entities to disclose to the Cyber and Infrastructure Security Centre, on an annual basis, the AI exclusions in force on their material insurance lines and the affirmative AI cover they have purchased. This is not a mandate to buy. It is a mandate to know. It places the system level picture of AI risk transfer in the hands of the Commonwealth, which presently has no visibility into it. Inside a preparedness regime it does what the CIRMP regime already does for hazard, personnel and cyber controls: it requires the entity to tell the Commonwealth what it has done and what residual risk has been transferred or retained. Without that disclosure, the Commonwealth cannot plan, and cannot respond.
Third: an AI correlation reinsurance pool through ARPC. The Australian Reinsurance Pool Corporation already underwrites terrorism and cyclone risk on principles that are directly transferable. The Commonwealth should legislate a contingent AI correlation pool, dormant until activated, modelled on the terrorism scheme. The pool would respond to systemic losses arising from upstream foundation model failure or from a coordinated AI driven attack on Australian critical infrastructure, on terms approved by the Treasurer on the advice of the Council of Financial Regulators. The argument is the same as the argument for the terrorism pool after September 2001: where the market cannot price catastrophic, state involved correlation risk, and where the underlying activity is in the national interest, the Commonwealth can supply the missing layer at a fraction of the cost of regulating the activity out of existence. The Trout paper, the Catastrophic Liability paper and the Geneva Association report converge on this conclusion in different idioms. Inside the preparedness frame, the pool is the financial limb of national resilience: it is what allows essential services to be restored after the kind of cascading loss the underwriting market cannot, on its own, absorb.
Fourth: a joint APRA and CISC supervisory standard for AI inside critical infrastructure. APRA’s targeted CPS 230 amendments and its 30 April 2026 letter are the prudential floor. The CIRMP rules are the national security floor. The two floors do not yet meet. A joint supervisory standard, issued jointly by APRA and the Cyber and Infrastructure Security Centre, would close the gap. It would identify the AI use cases that demand affirmative governance, the AI use cases that demand a mandatory insurability test before deployment, and the AI use cases that should not be deployed at all in critical infrastructure without a Ministerial sign off. The standard should be reciprocally readable by APRA’s regulated population and by the CIRMP responsible entities so that a single AI governance regime serves both. Inside the preparedness frame, this is the operating layer: it is what tells a board how the AI question is to be answered, and what tells a regulator how the answer will be tested. The National Support Coordination Board I have proposed elsewhere would be the natural convenor.
Fifth: an Australian voice at the Lloyd’s and IAIS AI wording table. The International Association of Insurance Supervisors is already examining AI as a global supervisory priority. APRA holds an IAIS seat. Australia should use it to argue, openly, that the AI exclusion wordings being developed at Lloyd’s and through ISO should treat critical infrastructure deployments as a distinct underwriting class, with capacity preserved for the public good uses that the affirmative cover providers identify. This is not a request for protectionism. It is a recognition that the existing wordings are being negotiated without an Australian critical infrastructure voice, and that the national interest case for keeping AI insurable in hospitals, ports, electricity and water is one that no Australian regulator is presently making. Inside the preparedness frame, this is the international representation layer: a middle power that is serious about its preparedness has to be in the rooms where the rules of the next economy are being written, and the underwriting rooms are exactly those rooms.
Sixth: a National Security mandate to read the underwriting layer. The national security function within PM&C should be tasked with continuous coverage of the insurance and reinsurance layer as a national security matter. Its brief should be the integration brief. It is the only Commonwealth entity equipped to take the picture that APRA, Treasury, Home Affairs and DFAT each see in part, and turn it into a coherent national posture. The underwriting layer needs an integrator. There is presently none.
The wider point
The ‘regulation is a state question’ assumption that runs through Australian AI policy is, in 2026, an error. It misreads the operating regulatory environment. It misses the underwriting decisions being taken every quarter inside the global reinsurers and inside the Lloyd’s syndicates. It misses the Verisk endorsements that have already shifted the United States commercial liability market. It misses the APRA letter that has, almost in passing, shifted the prudential standard in Australia. It misses, most importantly, the recognition that for a country with a small domestic insurance market, deep reliance on London and continental reinsurance capacity, and a critical infrastructure base that is now visibly dependent on AI tooling, the insurance layer is the proximate regulator.
It also misreads the preparedness problem. The Australian preparedness debate, where it exists, has fixed on the supply side: stockpiles, fuel reserves, sovereign manufacturing capacity, the question of how the country will run if the strait or the cable is cut. Those are the right questions. They are not the only questions. National preparedness is also about the institutional fitness of the systems that already serve the country every day, and about whether those systems will hold under stress. The insurance layer is one of the load bearing institutions in that picture. The strategic studies discipline does not yet read it that way. The legal academy, especially in the United States, is closer. The cyber insurance literature is closer still. The work to be done is to bring the analytic apparatus of ‘insurance as governance’ into the security and preparedness debate, and to bring the preparedness debate into the rooms where AI wordings are written.
That is the missing element, in one sentence.