According to Gallagher, almost half of US states have developed AI governance laws, which have the impact of compliance and risk management.
Gallagher risk bulletin reports that while almost half of US states propose or adopt artificial intelligence (AI) governance laws, federal and international regulations continue to evolve, with a major impact on cyber insurance coverage as organizations deploy AI systems.
The AI regulatory environment is becoming increasingly complex in multiple jurisdictions, the report says.
The state of Colorado has emerged as the forefront of the Colorado Artificial Intelligence Act, which came into effect on February 1, 2026, and the Colorado Artificial Intelligence Act, which establishes individualized liability for high-risk systems that affect employment, funding, health services, housing and insurance decisions, among other things. Developers need to maintain accountability for known risks and report algorithmic discrimination, but deployment of AI in risk systems requires implementing risk management programs and providing mechanisms for individuals to challenge decisions.
Other state-level AI regulations focus primarily on four key areas:
Consumer protection against algorithmic profiling. Employment-related AI use. Deceptive media (deepfake). Creating a task force to analyze the impact of AI.
“We hope that, ultimately, the AI regulation trajectory will reflect the recent evolution of data privacy laws across the United States,” said John Farley, managing director of cyber responsibility practices at Gallagher.
The report says that at the federal level, more than 100 AI-related bills have been introduced into Congress, the most highlighted. Certain industries are attracting targeted attention as they publish guidelines on AI transparency and the National Institute of Standards and Technology (NIST), which develops key governance frameworks.
Industry-specific regulations are also implemented. The Portability and Accountability Act of Health Insurance (HIPAA) includes AI-specific guidelines for healthcare applications, but the Financial Industry Regulatory Authority (FINRA) has introduced considerations for financial institutions to implement robust risk management frameworks. Meanwhile, ISO international standards address AI applications in multiple sectors focusing on safety, quality control and ethical use.
New challenges for cyber insurance coverage
According to Gallagher, the surge in AI regulations presents a major challenge for organizations seeking comprehensive cyber insurance coverage.
Once AI systems are integrated into business operations, insurance providers are rethinking coverage parameters to address AI-specific risks, such as algorithm identification and failures in high-risk systems, the report says.
The scope of potential losses from AI systems extends beyond traditional cyber policies and potentially implies employment practice liability, product liability, medical malpractice, and director and executive liability insurance contracts, Gallagher noted. This risk-wide outlook requires organizations to reevaluate their entire insurance portfolio, rather than focusing solely on cyber coverage.
Some cyber insurers have already begun changing their policy language to limit or exclude coverage for certain incidents related to regulatory investigations, litigation, settlements, and fines resulting from AI use. This trend is likely to accelerate as regulations become more stringent and wider, the report says.
“Most cyber insurance offers free or discounted risk consulting services. These policies may be adapted to cover several costs associated with compliance with new AI regulations, including AI risk assessments and reporting requirements,” Farley said.
Particularly troublesome issues include determining the responsibility between AI system developers and deployers. For example, Colorado AI Act can establish clear liability for each party, complicating claim awards and scope of coverage decisions. With similar laws spreading, insurance providers and policyholders need to be clear about where the liability is and how the coverage applies, according to the report, if multiple parties share liability.
Read the full report here. &
