Terms for Understanding AI
A Risk Management Framework for Emerging Technology Liabilities
Deep-Fake & Data Poisoning
Autonomous Decision-Making Algorithms
Generative AI & Hallucination
Jailbreaking
Prompt Injection
Indirect Prompt Injection
Model Drift & Systemic AI Dependency
Governance Structure, Human Oversight & Regulatory Oversight
Risk Framework Guide
Mitigating Complex Enterprise Technology Exposure
In 2026, six major carriers have filed AI exclusions in their policy wordings. The Lloyd's Market Association (LMA) blueprint sets the bar for what “good” AI governance looks like in the Lloyd’s market. If you cannot evidence the three things below, you are not arguing about price at renewal. You are arguing about whether cover exists at all. This worksheet covers four pillars from the LMA blueprint.
1 AI Tool Inventory
2 Model Risk
3 Data Governance
4 Accountability
How to use the worksheet:
01 One pass, right people: Your IT lead, your DPO or equivalent, and the SMF who will own AI risk — in the room together.
02 Be specific: Vague answers fail. Name the tool, name the person, name the date.
03 Log the gaps: Where you cannot answer, write “gap” and add it to the action log at the bottom.
04 Refresh on cadence: Review quarterly. Refresh fully four weeks before renewal.
SECTION 1 · AI tool inventory
Before you can govern anything, you need to know what is in the building. List every AI tool used by anyone in the business — including the ones the Managing Director (MD) does not officially know about, free tools, browser extensions, and anything embedded in a wider platform.
Tools to actively check for — the ones brokers usually miss:
ChatGPT, Claude, Gemini, Perplexity, Copilot (personal & business)
AI note-takers on Teams, Zoom, Meet (Otter, Fathom, Granola, Read)
Email assistants and reply generators
CV screening or recruitment AI
Quote accelerators or rating engines with embedded AI, or fraud-detection tooling
Marketing AI (image, copy, scheduling)
Any browser extension your team installed themselves
SECTION 2 · Model risk
For each AI tool from Section 1, you need a file an underwriter will read. One row per tool.
Notes on each column:
Decisions or outputs: be specific. “Drafts client emails”, not “helps with admin”. “Flags suspicious claims for human review”, not “claims support”.
How tested: vendor documentation, internal pilot, sample testing on historic cases, or no testing (write gap). Reference the document or person who can produce evidence.
Review cadence: weekly spot-check, every output reviewed, monthly audit, or none (write gap).
When it gets it wrong: documented incident log, rollback procedure, manual override, named escalation contact, or none (write gap).
Materiality filter: Not every tool needs the same depth. Rank each one:
High: Touches pricing, claims decisions, customer-facing output, or personal data. Full evidence required.
Medium: Internal productivity but with customer data exposure. Evidence of testing and review required.
Low: No customer data, no decision influence. Light-touch entry on the inventory.
SECTION 3 · Data governance
For each high- or medium-materiality tool from Section 2, complete this row:
| Tool | Data going in (categories) | Data sources (systems it pulls from) | Where the data physically lives (region / vendor) | Who controls access | Vendor retrains on your data? | Contract clause ref. |
Data categories to check for. If any answer is “I do not know”, that is a gap. Log it.
Personal data (names, contact details, DOB)
Special category data (health, criminal records)
Financial data (claims history, premiums, banking)
Commercial confidential (client plans, contracts)
Third-party data (shared by insurers / intermediaries)
Retraining & contract questions to answer:
Does the vendor’s standard contract permit retraining on your inputs?
Have you opted out in writing?
Where is the data processed and stored geographically?
Sub-processors named and reviewed?
Deletion rights and timelines documented?
If any answer is “I do not know”, that is a gap. Log it.
SECTION 4 · Accountability
A Senior Management Function (SMF) holder must own AI risk. A named individual — not a function title.
Named SMF accountable for AI risk:_____________________
Date appointed:______________________
Sign-off recorded where?_________________________________________________________
(board minute, governance log, statement of responsibilities)
Deputy or cover
Reporting line to the board (frequency)
Last board paper on AI risk (date & reference)
Roles below the SMF:
| Role | Named person | What they own |
| AI tool owner (per high-materiality tool) | | Day-to-day review, incident logging |
| IT or technology lead | | Vendor due diligence, technical controls |
| Data protection lead (DPO or equivalent) | | DPIAs, ROPA entries, ICO compliance |
| Compliance lead | | FCA and SMCR mapping |
| Training owner | | Staff awareness, prompt hygiene, acceptable use policy |
Policy documents the SMF should be able to produce:
AI acceptable use policy (signed by every employee)
DPIA for each high-materiality tool
Incident log with at least one entry
Vendor due diligence file per tool
Training register
Board minute approving the framework
Polestar Insurance: Analytics Driven Protection.
