Risk Framework Guide

Mitigating Complex Enterprise Technology Exposure

In 2026, six major carriers have filed AI exclusions in their policy wordings. The Lloyd's Market Association (LMA) blueprint sets the bar for what “good” AI governance looks like in the Lloyd's market. If you cannot evidence the three things below, you are not arguing about price at renewal. You are arguing about whether cover exists at all. This worksheet covers four pillars from the LMA blueprint.

1. AI Tool Inventory

2. Model Risk

3. Data Governance

4. Accountability

How to use the worksheet:

01 One pass, right people: your IT lead, your DPO or equivalent, and the SMF who will own AI risk, in the room together.

02 Be specific: vague answers fail. Name the tool, name the person, name the date.

03 Log the gaps: where you cannot answer, write “gap” and add it to the action log at the bottom.

04 Refresh on cadence: review quarterly. Refresh fully four weeks before renewal.

SECTION 1 · AI tool inventory

Before you can govern anything, you need to know what is in the building. List every AI tool used by anyone in the business, including the ones the Managing Director (MD) does not officially know about, free tools, browser extensions, and anything embedded in a wider platform.

Inventory table columns (one row per tool):

# | Tool name | Vendor | Used by (team / person) | Business process it touches | Customer data? (Y/N) | Date added

Tools to actively check for, the ones brokers usually miss:

ChatGPT, Claude, Gemini, Perplexity, Copilot (personal and business)

AI note-takers on Teams, Zoom, Meet (Otter, Fathom, Granola, Read)

Email assistants and reply generators

CV screening or recruitment AI

Quote accelerators or rating engines with embedded fraud-detection tooling

Marketing AI (image, copy, scheduling)

Any browser extension your team installed themselves

SECTION 2 · Model risk

For each AI tool from Section 1, you need a file an underwriter will read. One row per tool.

Tool | What decisions / outputs does it influence? | How was the model tested before deployment? | Who reviews outputs, and how often? | What happens when it gets something wrong? | Last reviewed date

Notes on each column:

Decisions or outputs: be specific. “Drafts client emails”, not “helps with admin”. “Flags suspicious claims for human review”, not “claims support”.

How tested: vendor documentation, internal pilot, sample testing on historic cases, or no testing (write gap). Reference the document or person who can produce evidence.

Review cadence: weekly spot-check, every output reviewed, monthly audit, or none (write gap).

When it gets it wrong: documented incident log, rollback procedure, manual override, named escalation contact, or none (write gap).

Materiality filter: not every tool needs the same depth. Rank each one:

High: touches pricing, claims decisions, customer-facing output, or personal data. Full evidence required.

Medium: internal productivity but with customer data exposure. Evidence of testing and review required.

Low: no customer data, no decision influence. Light-touch entry on the inventory.

SECTION 3 · Data governance

For each high- or medium-materiality tool from Section 2, complete this row:

Tool | Data going in (categories) | Data sources (systems it pulls from) | Where the data physically lives (region / vendor) | Who controls access | Vendor retrains on your data? | Contract clause ref.

Data categories to check for (if any answer is “I do not know”, that is a gap; log it):

Personal data (names, contact details, DOB)

Special category data (health, criminal records)

Financial data (claims history, premiums, banking)

Commercial confidential (client plans, contracts)

Third-party data (shared by insurers / intermediaries)

Retraining & contract questions to answer:

Does the vendor’s standard contract permit retraining on your inputs?

Have you opted out in writing?

Where is the data processed and stored geographically?

Sub-processors named and reviewed?

Deletion rights and timelines documented?

If any answer is “I do not know”, that is a gap.

Log it.

SECTION 4 · Accountability

A Senior Management Function (SMF) must own AI risk: a named individual, not a function title.

Named SMF accountable for AI risk: _____________________

Date appointed: ______________________

Sign-off recorded where? _________________________________________________________

(board minute, governance log, statement of responsibilities)

Deputy or cover: _____________________

Reporting line to the board (frequency): _____________________

Last board paper on AI risk (date & reference): _____________________

Roles below the SMF:

Role | Named person | What they own
AI tool owner (per high-materiality tool) | ______________ | Day-to-day review, incident logging
IT or technology lead | ______________ | Vendor due diligence, technical controls
Data protection lead (DPO or equivalent) | ______________ | DPIAs, ROPA entries, ICO compliance
Compliance lead | ______________ | FCA and SMCR mapping
Training owner | ______________ | Staff awareness, prompt hygiene, acceptable use policy

Policy documents the SMF should be able to produce:

AI acceptable use policy (signed by every employee)

DPIA for each high-materiality tool

Incident log with at least one entry

Vendor due diligence file per tool

Training register

Board minute approving the framework

Polestar Insurance: Analytics Driven Protection.