The Insured Agent

When software begins to act with real economic consequence, the binding question stops being whether it can act and becomes who carries the loss when it does. That question is answered at a root the law does not contain.

Future Proof Intelligence. Research. No. IX. MMXXVI


Abstract

There is a comfortable assumption that the central problem of autonomous software is a technical one: how capable an agent can be made, how reliably it can be steered, how its errors can be reduced. This paper argues that the binding problem is not technical and not about capability at all. The moment software stops advising and starts acting with economic consequence, signing, transacting, allocating, deciding, the operative question relocates. It is no longer whether the system can act. It is who carries the loss when it does, and on what evidence anyone agrees to carry it. We trace the real 2026 state of that question. The European Union withdrew its bespoke fault-based AI Liability Directive and, in the same period, extended a strict, no-fault product liability regime over software and AI with the claimant's evidential path eased. Liability did not soften. It relocated into a stricter regime and now attaches by default. In parallel, and ahead of the public regulatory layer, an AI insurance and warranty market formed on commercial time: affirmative cover from a Lloyd's coverholder and a major reinsurer on one side, broad generative-AI exclusions filed across general liability on the other. Both halves of that market resolve to one missing object: a credible, portable attestation that a system is what it claims to be. No insurer underwrites what it cannot assure. This paper describes why assurance, not capability, has become the precondition of autonomous economic action, and what it means to already be operating at that root.


1. The premise: agency relocates the question

1.1 The question everyone is asking, and the question that binds

Most of the serious attention on autonomous software is pointed at a single question, asked in many forms. How capable can an agent be made. How far can it be trusted to act without a human in the loop. How can its failure rate be driven down. These are real questions and they have real engineers working on them. They are also, for the purpose of this paper, the wrong question, or rather a question that has already been overtaken by a different one without most operators noticing the substitution.

Here is the substitution. As long as software only advises, the binding question is indeed about capability, because a human stands between the software and the consequence. The human reads the recommendation, exercises judgement, and acts. If the recommendation was wrong, the human's judgement is what failed, legally and practically, and the software was an input to a decision a person made and owns. Capability is the whole game because capability is all the software contributes.

The moment software acts, that structure collapses. An agent that books, transacts, allocates, files, signs, or refuses is not contributing an input to a human decision. It is the decision. There is no longer a person between the system and the consequence whose judgement absorbs the loss. The consequence lands somewhere, on a counterparty, a customer, a third party, the deploying institution, and the question that now binds is not how good the agent is. It is who carries that consequence, and what anyone will require as evidence before they agree to carry it. That second question is the subject of this paper, and it is a question about liability and insurance, not about capability.

1.2 Economic agency is the threshold, not intelligence

It is worth being precise about what the threshold actually is, because the public conversation tends to set it in the wrong place. The threshold is not intelligence and it is not autonomy in the abstract. A system can be extremely capable and still pose none of the problem this paper describes, as long as a human owns the decision it informs. A system can be quite limited and pose the whole problem the moment it is permitted to act with economic consequence. The threshold is economic agency: the point at which software's behaviour produces a binding, costly, attributable outcome in the world without a human decision standing between the software and the outcome.

This matters because economic agency is arriving faster than autonomy in the dramatic sense. The agents being deployed across operations in 2026 are not science-fiction minds. They are systems wired into payment rails, procurement, scheduling, customer commitments, supply chains, and screening, granted scoped authority to execute rather than recommend. New protocol families for agent payments and agent-to-agent interaction are being built specifically so that software can transact on its own account. The relevant change is not that the software became brilliant. It is that the software was handed the chequebook. The instant it holds the chequebook, the binding question is the one in the title of this paper, and no amount of capability work answers it, because it is not a capability question.

1.3 The loss has a destination whether or not anyone has named it

There is a tempting third position, distinct from the two above, that needs to be closed before the argument proceeds, because it is the position most sophisticated operators actually hold and it is the most dangerous of the three. It runs: yes, the system acts; yes, a human no longer stands directly between it and the consequence; but the loss, when it occurs, will sort itself out through the ordinary machinery of contract and insurance and litigation, the way every novel commercial risk eventually has. There is no need to do anything special in advance. The market will allocate the loss after the fact, as markets do.

This is wrong in a way that is precise and worth stating, because the error is not in the optimism but in the timing. It is true that the loss will be allocated. It is false that the allocation happens after the fact. A loss from an autonomous act has its destination decided before the act, by the arrangements that were or were not in place when the system was deployed: the contractual allocations between the parties in the chain, the exclusions in the policies they hold, the assurances they could or could not produce, the cover they did or did not secure. By the time the loss occurs, the question of who carries it has already been answered by the state of those arrangements. The litigation that follows is not the allocation. It is the enforcement of an allocation that was set, silently, much earlier. The operator who plans to let the market sort it out afterward has not declined to make a decision. They have made one, the worst one, by default, and they will discover its content only when the loss lands.

That is the precise reason this paper is not a survey of how AI disputes will be resolved. It is an account of where the loss is sent before anything goes wrong, because that is where the question is actually decided.

It is worth registering how concrete the chequebook has become, because the abstraction hides the speed. Through 2025 and into 2026 the infrastructure for software to transact on its own account moved from proposal to deployment. Protocol families for agent payments, for agent-to-agent interaction, and for connecting models to tools and to commerce systems were standardised and adopted, and a major model provider introduced autonomous purchasing with a transaction fee attached, which is the clearest possible signal that software acting on a person's economic behalf is now a priced commercial product, not a research demonstration. An international financial institution published analysis in 2026 on how agentic systems reshape payments. This is not a forecast about a future in which software might act. It is a description of plumbing that already exists, into which authority is already being granted. Every one of those rails carries, at the far end, a loss that will land somewhere when the agent on it does something wrong, and none of those rails ships with an answer to where. The rails were built first. The answer to where the loss goes is being built now, at the root this paper is about, and it is being built more slowly than the rails, which is the entire reason there is a window and the entire reason it matters who is operating in it.

1.4 This is the sibling of a structural argument

This paper has a sibling. A companion argument has been made that the governance of artificial intelligence is decided not in the visible statute but in a load-bearing layer beneath it, standards, conformity, codes of practice, certification, and that this layer is soft now and about to set. That argument is about the standards root. This paper is about the root next to it: the insurance and liability root. The two roots are not the same and the difference is the reason this paper exists. The standards root governs how systems are built and placed on a market. The liability and insurance root governs who pays when a system that was built and placed nonetheless causes loss, and what anyone requires before they will stand behind it. The first root decides what is permitted. The second decides what is fundable, deployable, and survivable when it goes wrong. A serious operator can be fully inside the first, every box of the preventive regime ticked, and entirely exposed at the second, because nothing in the permitting regime guarantees that anyone will agree to carry the loss when a permitted system nonetheless fails. Compliance answers may I. Insurability answers will anyone stand behind me when I do. The two questions have different answers, decided in different places, and the gap between them is exactly where this paper lives. The rest of it is an account of where, precisely, the second root is in 2026, why it is forming faster than the law, and what it already requires of anything that acts.


2. Liability did not soften. It relocated and hardened

2.1 The two legs the European approach was meant to stand on

For several years the European response to harm caused by artificial intelligence was expected to rest on two legs, and understanding both is necessary because the public story records only the leg that was removed.

The first leg was preventive: the body of law that regulates how AI systems are built and placed on the market, the risk management, documentation, oversight, and conformity machinery. That leg regulates conduct before harm. It is the subject of the sibling argument and not the subject here.

The second leg was meant to be corrective: a bespoke instrument that would harmonise, across Member States, the rules under which a person harmed by an AI system could actually bring a claim and recover. This was the proposed Artificial Intelligence Liability Directive, introduced on 28 September 2022. Its purpose was specific and, for victims, significant. In a domain where the defendant holds essentially all the technical knowledge and the claimant holds almost none, the directive would have eased the claimant's path: a rebuttable presumption of causality in defined circumstances, and a power for national courts to order disclosure of evidence about high-risk systems. It was an attempt to make AI harm provable by a person who could not see inside the system that harmed them.

2.2 The leg that was removed

That second leg is gone. The Commission signalled the withdrawal of the AI Liability Directive in its 2025 Work Programme, published on 11 February 2025, with the stated reason that there was no foreseeable agreement, and the proposal was confirmed scrapped during 2025. The bespoke, AI-specific, fault-based liability instrument was abandoned for want of consensus and in the name of simplification.

An operator scanning headlines could be forgiven for filing this under good news, as the rules getting lighter, the special burden lifting. That reading is wrong, and the way it is wrong is the hinge of this section. Something visible was withdrawn, so the structure looks lighter. The structure is not lighter. The load moved.

2.3 Where the load moved to

In the same period that the bespoke AI liability instrument was being abandoned, the European Union finished revising the instrument that had governed liability for defective products since the 1980s. The revised Product Liability Directive, Directive (EU) 2024/2853, repealing the 1985 directive, was published in the Official Journal of the European Union on 18 November 2024. Member States must transpose it into national law by 9 December 2026, and it applies to products placed on the market or put into service after that date.

The revision does something quietly decisive. It redefines a product to expressly include software, and within software it expressly includes AI systems, as well as digital manufacturing files and related digital services. It keeps strict, no-fault liability as its core principle. Under that principle a claimant does not have to prove that anyone was negligent. The claimant has to show that a product was defective and that the defect caused damage. The revision then goes further and eases even that, introducing duties on the defendant to disclose relevant evidence and rebuttable presumptions of defectiveness or causation where a case involves technical or scientific complexity that would otherwise make proof excessively difficult for the claimant. It also makes clear that a failure to provide the security updates a product needs can itself constitute a defect, which folds the ongoing behaviour of a system, not merely its state at release, into the liability surface.

Put the two moves together and read them as one. The Union dropped the fault-based AI liability instrument and, at the same time, pulled software and AI inside a strict, no-fault product liability regime with the claimant's path deliberately smoothed. That is not a softening of liability. It is a hardening of it, achieved by relocation. The single hardest thing for a person harmed by an opaque automated system to establish, fault, was not made marginally easier inside a special AI regime. It was removed from the equation, by routing AI through a regime where fault was never the question. Liability did not get smaller. It got simpler to impose, harder to escape, and it now attaches by default to anything that meets the definition of a defective product, which now expressly includes software that acts.

2.4 Why strict liability is the harder regime, not the gentler one

It is worth pausing to make explicit why a strict, no-fault regime is the more demanding destination for AI harm, rather than the more forgiving one, because the intuition often runs the wrong way. A fault regime sounds harsher: it speaks of negligence, blame, wrongdoing. A no-fault regime sounds gentler: no one need have done anything wrong. The intuition inverts the reality from the defendant's point of view.

Under a fault regime, the producer of a system that causes harm has a defence available that is, for AI, unusually strong: the harm was not the result of any failure of reasonable care, the system was built to the state of the art, the loss was an inherent and accepted residual risk of a technology that is probabilistic by nature. That defence is not frivolous. The reinsurance market itself, in pricing AI performance cover, has acknowledged in plain terms that even the best model retains a non-zero probability of error because that is in the nature of the models. Under a fault regime, that very fact, the irreducibility of model error, becomes a shield: if the error could not be eliminated by reasonable care, there may be no fault, and without fault there may be no liability.

A strict regime removes that shield entirely. It does not ask whether the residual error could have been prevented by reasonable care. It asks only whether the product was defective and caused damage. The irreducibility of model error, which was a defence under fault, becomes irrelevant under strict liability, or worse than irrelevant: a known, accepted, irreducible propensity to produce wrong outputs is precisely the kind of characteristic a claimant will point to in arguing the product did not provide the safety a person is entitled to expect. The probabilistic nature of the technology, the defendant's best argument under fault, is close to the claimant's best argument under strict liability. This is why the relocation is a hardening and not a softening, stated at the level of mechanism rather than assertion. The Union did not merely move AI from one liability regime to another of comparable weight. It moved AI out of the regime where its defining technical property was a defence and into the regime where the same property is an exposure.

2.5 The pattern, named once so it can be recognised again

This is the first appearance of a pattern this paper will meet more than once, and it is worth naming so the reader recognises it later without being told. A governance structure under pressure does not loosen uniformly. It sheds the parts that do not bear weight and reinforces the parts that do, and because the part it sheds is usually the most visible part, the shedding reads as relaxation to anyone watching the surface. The AI Liability Directive was the visible, contested, debated instrument. Its withdrawal was reported widely. The simultaneous extension of strict liability over software through a revised products directive was a quieter, more technical move, and it is the one that bears the load. An operator who concluded from the headline that the AI liability problem had receded would have drawn precisely the wrong inference from precisely the move that made the problem unavoidable. The same misreading recurs at every level of this structure, and a reader who fixes the shape of it now, the visible thing withdrawn while the load-bearing thing is reinforced, will need no further warning when it appears again in the insurance market and again in the standards beneath it.


3. The agency gap: why classical liability strains against software that acts

3.1 The assumption every liability rule was built on

Almost every liability framework in existence, fault-based or strict, was built on an assumption so basic it is rarely stated: that behind a harmful outcome there is a chain of human decisions, and that the law's task is to locate the decision that should have been made differently and attach the consequence to whoever made it or should have controlled it. Negligence asks whose conduct fell below a standard. Strict product liability asks whose product was defective, but it still assumes a producer who designed, built, and released the thing. Vicarious liability asks who controlled the actor. In every case the law is tracing a line from a harm back to a human or an organisation that chose, or failed to choose, in a way the law can name.

Software that merely computes does not disturb this. It is an artefact with a producer and a user, and the existing categories absorb it without strain. Software that acts with economic agency disturbs it in a specific way that is worth stating precisely, because the imprecise version of this point has become a cliché and the precise version is the actual problem.

3.2 What autonomy actually breaks

The precise problem is not that an autonomous system is unpredictable, although it may be. It is that autonomy lengthens and obscures the line between a human decision and a harmful outcome to the point where the line stops doing the work the law needs it to do. When a system is given a goal and broad latitude over the means, and it composes a sequence of actions no human specified, reviewed, or anticipated, and one of those actions causes loss, the question the law wants to ask, which human decision was the wrong one, has no clean answer. The model developer made design choices many steps and many parties removed from the act. The party that wired the model into tools and authority made integration choices. The institution that deployed it set a goal and a scope. None of them chose the specific act that caused the loss, because the entire point of the system was that it would choose acts no one specified.

This is the agency gap. It is not a gap in capability and it is not, fundamentally, a gap in the statute, although the statute has one. It is a gap between how liability reasons, by tracing to a human decision, and how an autonomous system produces outcomes, by composing them without one. The gap does not mean no one is liable. It means the question of who is liable becomes expensive, slow, and uncertain to resolve exactly when an autonomous system causes the kind of loss that makes resolution urgent.

It is worth being precise about who the candidate bearers actually are, because the gap is not an absence of candidates but a surplus of them with no principled way to choose. There are at least four parties in the chain behind any deployed agent. There is the developer of the underlying model, whose design choices shape what the system tends to do but who specified none of its acts and often does not know where or how the model is deployed. There is the party that performs the orchestration: wiring the model into tools, memory, and authority, setting its scope, granting it the chequebook. There is the platform on which the agent runs and through which it reaches the world. And there is the deploying institution that set the goal and accepted the system into its operations. The legal and policy literature on agentic harm has converged on the view that responsibility should attach somewhere across that chain rather than nowhere, but agreeing that it attaches somewhere across the chain is not the same as deciding which link, and the practical consequence is that, absent an arrangement made in advance, every party in the chain has both a plausible argument that it is liable and a plausible argument that someone else is. That is not a vacuum. It is a contested field, and a contested field resolves slowly and expensively unless the resolution was fixed before the contest began.

3.3 Personhood is the wrong frame

A recurring proposal for closing the agency gap is to give the agent some species of legal status: a form of personhood, or a narrower notion of a legal actor that can bear duties without being a person. The intuition is understandable. If the system is acting, perhaps the system should answer for the act. This paper treats that route as a distraction from the load-bearing question, for a simple reason. A liability framework exists to ensure that loss is borne by a party who can actually bear it and whose bearing it produces the right incentives. An artefact, however much autonomy it is granted, has no assets, no incentives that the law can reach, and no capacity to make a victim whole. Granting it status does not answer the question who carries the loss. It dresses the question up. The loss is still going to be carried by a human party: the developer, the integrator, the deployer, or, through risk transfer, an insurer of one of them. The serious work is not deciding whether the agent is a person. It is deciding, in advance and on evidence, which human party stands behind the agent's acts and on what terms anyone will agree to stand behind them at all. The personhood debate is interesting. The standing-behind question is binding.

3.4 Why the contract layer does not close the gap on its own

A sophisticated reader will reach, at this point, for the obvious private remedy: contracts. The parties in the chain can simply allocate the risk among themselves by agreement. The model provider's terms disclaim. The orchestration vendor's terms disclaim. The deployment platform's terms disclaim. The deploying institution accepts what it accepts. Surely, between competent commercial parties, the loss can be allocated by contract and the gap closed without any of the apparatus this paper describes.

It cannot, for two reasons that are worth separating because they fail differently. The first is that contractual allocation among the parties in the chain does nothing for the party outside the chain, the third party or the individual who is harmed and who signed none of these agreements. Strict product liability exists precisely to give that outside party a route that does not depend on the chain's private arrangements, and the revised regime widened that route rather than narrowing it. No amount of inter-party drafting subtracts an exposure that the law confers on someone who is not a party to the drafting. The second reason is subtler and more consequential. Even among the parties in the chain, a contractual allocation is only worth the solvency and the cover behind it. A disclaimer from a counterparty that cannot pay the loss it just disclaimed onto you is not risk transfer, it is risk concentration disguised as risk transfer. The contract layer reshuffles where the loss formally sits. It does not create the capacity to absorb the loss. Only insurance does that, and insurance, as the next section establishes, will not provide the capacity without assurance. So the contract layer, far from closing the gap, ultimately routes straight back into it: every serious contractual allocation in the chain is, on inspection, an allocation to whoever holds the cover, and the cover is gated by the thing this paper is about. Contracts decide who is nominally responsible. Assurance decides whether being responsible is survivable.

3.5 The law is already foreclosing the easy exits

It is worth noting that the legal system, where it has moved, is moving to close the most convenient escape from the agency gap rather than to widen it. The most convenient escape would be a defence that runs: the system acted on its own, no human chose the harmful act, therefore no human is liable. Jurisdictions that have legislated on this point in the current period have moved to foreclose exactly that argument, providing that the autonomous operation of an AI system is not available as a defence to a liability claim. Read structurally, this is the same hardening seen in the previous section, arriving from a different direction. The path that would have let the agency gap function as a liability shield is being deliberately blocked. The combined message of the strict-liability relocation and the foreclosing of the autonomy defence is unambiguous: the loss from an autonomous act will land on a human party, the agency gap will not be permitted to make it disappear, and the only open questions are which party and on what evidence. Both of those open questions are answered not in the courtroom but earlier, at the root this paper is about: in the insurance and assurance arrangements made before the agent ever acts.


4. The private gate: the insurance market is forming ahead of the law

4.1 Why insurance is a gate, not a consequence

There is a load-bearing root growing beneath autonomous software that is not in any statute and is easy to overlook because it operates quietly and on its own clock: the insurance market.

The reason it is load-bearing is mechanical, not rhetorical. A serious institution does not deploy a consequential system whose downside it cannot transfer or absorb. A board does not knowingly sign off on uninsurable exposure. A lender does not finance it, and a counterparty increasingly will not transact against it. Long before a regulator inspects an autonomous system, an underwriter has already formed a view on whether the risk it carries is one the market will accept and on what terms. Insurance is therefore not a downstream consequence of AI liability. It is a gate that sits in front of deployment, and because it runs on commercial time rather than legislative time, it is frequently the gate that opens or closes first. The statute can be deferred. Exposure cannot be deferred. Something has to price it now, and something is.

4.2 What the market actually did, 2025 to 2026

The shape of this gate became visible during 2025 and 2026, and it is worth stating concretely because the concreteness is the evidence that the insurance and liability root forms ahead of the public layer, not behind it.

On one side, dedicated affirmative cover emerged. A major reinsurer that had been working on AI performance cover since 2018 carried that into a performance-guarantee product designed for the probabilistic nature of AI, structured so that claims settle quickly on measurable performance data rather than through prolonged investigation, with an explicit recognition by its own specialists that even the best model retains a non-zero probability of error or hallucination because that is in the nature of the models. In early 2026 that reinsurer's platform was extended through a partnership into AI-specific cover aimed at AI developers, with meaningful initial capacity. Separately, in April 2025, a coverholder at Lloyd's launched an affirmative AI liability policy underwritten by certain Lloyd's underwriters, built around a trigger keyed to AI underperformance: the failure of a system to perform as intended, critical errors, hallucinations, and inaccuracies leading to damages, with that coverholder positioned as a managing general agent focused specifically on AI risk and originating from a Lloyd's innovation cohort.

On the other side, and at the same time, the general market began to wall the risk off. In January 2026 optional generative-AI exclusion endorsements for commercial general liability were filed and adopted, reported as touching a large share of standard property-casualty templates, with AI exclusions moving toward the default position in general liability and large carriers seeking approval to remove AI exposure from standard policies while specialist entrants moved into the space being vacated.

The detail that matters most in that second movement is the word silent. Before the exclusions, AI risk did not generally appear in policies as a named, priced category. It was present, but implicitly, riding inside general liability and other lines written for a world without autonomous software. The industry term for risk that sits inside a policy without having been named or priced is silent exposure, and silent exposure is the thing an insurance market cannot tolerate once the risk becomes material, because it means the carrier is on the hook for a peril it never assessed and never charged for. The cyber market lived through exactly this with silent cyber: risk that accumulated invisibly inside policies until carriers were forced to make it explicit, exclude it from general lines, and re-admit it only as a named, separately underwritten product. The AI exclusions of early 2026 are the same motion, run faster. They are not the market deciding AI is uninsurable. They are the market refusing to carry AI risk silently and insisting it become explicit. Everything that follows in this paper depends on understanding that demand for explicitness, because explicitness is precisely what requires assurance: a risk cannot be named and priced unless it can first be characterised, and characterisation of an autonomous system is the assurance problem.

4.3 Exclusion and affirmation are the same hardening

It is tempting to read these two movements as opposites, the market both retreating from AI and embracing it. They are not opposites. They are the two halves of a single hardening, and seeing them as one motion is most of the analytical work of this section.

When the general market excludes a risk from standard cover, it is not refusing to bear the risk in principle. It is refusing to bear it silently and unpriced inside a policy written for something else, and it is thereby forcing the risk out of the comfortable place where no one had to look at it and into a place where it must be named, assessed, and priced on its own terms or not carried at all. When the specialist market writes affirmative cover, it is offering exactly that named, assessed, separately priced home for the risk the general market just evicted. The exclusion creates the demand the affirmation meets. Together they convert AI risk from an unexamined assumption riding inside ordinary insurance into a distinct, scrutinised, separately underwritten category. That is precisely what hardening looks like from inside an insurance market: a risk stops being implicit and becomes a thing that must be specifically shown, specifically priced, and specifically agreed to. After that conversion, deploying an autonomous system without addressing it explicitly is no longer the default. It is an exposed position the market has named and is pricing against.

4.4 The market is doing this now, while the public layer is soft

Notice the timing, because the timing is the point. The insurance market did not wait for the strict product liability regime to take effect on its transposition deadline. It did not wait for the preventive regulatory regime to become fully applicable. It did not wait for harmonised technical standards to be cited. It is excluding, affirming, and pricing autonomous-system risk now, in 2026, while the public layer is still being finalised, because exposure does not pause for the legislative calendar and an underwriter cannot decline to have a view on a risk that is already being written. The private root forms first because it has to. And in forming first it is making decisions, today, about what an autonomous system must demonstrate before it can be insured at all, that will be inherited by everyone who arrives after those decisions have settled. What those decisions require is the subject of the next section, and it is the centre of this paper.


5. Assurance is the precondition: no one underwrites what cannot be assured

5.1 The underwriter's question is not how good. It is how do I know

When an underwriter looks at an autonomous system, the question that determines whether a policy exists is not, in the first instance, how good is this system. It is a colder and more structural question: how do I know what this system is, how do I know it will keep being that, and what evidence travels with it that I can rely on without rebuilding the assessment myself. An underwriter cannot price what an underwriter cannot characterise. A risk that cannot be characterised is not underwritten cheaply. It is excluded, which is exactly what the general market did in section 4. The only thing that converts an excluded, uncharacterisable risk into an affirmatively covered one is the existence of credible evidence about the system that the underwriter can rely on. That evidence is assurance, and assurance, not capability, is therefore the precondition of an autonomous system being insurable, and being insurable is the precondition of it being deployable by anyone serious.

This is the load-bearing claim of the paper and it deserves to be stated without ornament. Capability determines what a system can do. Assurance determines whether anyone will agree to carry the loss when it does it. An uninsurable capability is, for a serious institution, an undeployable one. Therefore the binding constraint on autonomous economic action is not the frontier of capability. It is the frontier of what can be credibly assured, because that is the frontier of what can be underwritten, and the underwriting gate sits in front of deployment.

5.2 The stack the market is actually building: standard, audit, policy

The market has not left this abstract. The clearest evidence that assurance has become the precondition of underwriting is the emergence, in 2025 and into 2026, of an explicit stack built in exactly that order: a standard, then an independent audit against the standard, then a policy priced to the audit result.

A specialist entity formed for this purpose emerged from stealth in mid-2025 with backing that included figures from frontier AI and former enterprise security leadership, and built precisely this trifecta: a published standard for AI agents covering data and privacy, security, safety, reliability, accountability, and societal risk, developed with named legal, academic, security, and threat-modelling institutions; independent audits that test a system against that standard, including thousands of adversarial simulations designed to make the system fail, leak, or misbehave; and liability coverage priced according to how the system performs against the standard. The founders compared the standard explicitly to SOC 2, the security attestation that gave companies a portable way to signal trustworthiness to enterprise buyers without each buyer rebuilding the assessment. Through 2025 and into 2026 a sequence of AI providers and platforms were reported as certified against that standard, with named audit firms positioned as authorised assessors, and in at least one reported case the certification was the mechanism by which AI agent insurance was secured.

The shape of that stack is the entire argument of this paper made concrete. The order is not incidental. The standard comes first because an auditor cannot assess against nothing and an underwriter cannot rely on an assessment conducted against nothing. The audit comes second because a standard no one is independently tested against is a brochure, not assurance. The policy comes last because the policy is downstream of the assurance, not the source of it. Read the order again and the dependency is unmistakable: the insurability of an autonomous system rests on the audit, the audit rests on the standard, and therefore the question of whether an autonomous system can act in the economy at all resolves, in the end, to the question of what it can be credibly assured to be against a recognised reference.

5.3 The four conditions of insurability, and where autonomous systems fail them

To see why assurance is not optional but constitutive, it helps to state plainly what an underwriter actually needs in order to write a risk at all. Classical insurability has long been understood to require, in substance, four things. The risk must be definable: the insurer must be able to say what is and is not covered with enough precision to adjudicate a claim. It must be assessable: the insurer must be able to form a defensible estimate of how likely the loss is and how large. It must be sufficiently independent and poolable: many similar risks must not all fail together in a way that destroys the pool. And there must not be unmanageable moral hazard or adverse selection: the insured must not be able to relax once covered, or to know far more about the risk than the insurer and select against it.

An autonomous system, considered cold, strains all four. It is hard to define what a covered failure is when the system composes acts no one specified. It is hard to assess the probability and magnitude of failure for a system whose behaviour is emergent and shifts as the model, the prompt context, the tools, and the world change. The independence condition is fragile because many deployments may sit on a small number of shared underlying models, so a single model defect can trigger correlated losses across the whole pool at once, a structural resemblance to the systemic-correlation problem that has always made cyber catastrophe cover so difficult. And the moral-hazard and adverse-selection problems are severe, because the party deploying the agent knows vastly more about how it is configured and constrained than any underwriter can independently observe.

Read against those four conditions, the entire apparatus described in this paper resolves to a single function: it is the machinery by which an otherwise barely insurable risk is made insurable. The standard makes the risk definable. The audit makes it assessable and attacks the information asymmetry that drives adverse selection. The continuous evidence and the accountability requirement attack moral hazard by ensuring the insured cannot quietly drift from the configuration that was underwritten. The only condition the assurance stack cannot fully solve is independence, the shared-model correlation, and that is precisely why the affirmative products that have emerged are structured the way they are, around defined performance triggers and measurable, parametric-style settlement rather than open-ended liability, which is the market's way of bounding a correlated tail it cannot diversify away. None of this is incidental. It is the reconstruction, piece by piece, of the conditions under which a risk can be carried at all. Assurance is not a feature bolted onto AI insurance. Assurance is the thing that makes AI insurance possible, which is the same as saying it is the thing that makes autonomous economic action possible for any party that cannot self-insure its own catastrophic tail, which is almost every party.

5.4 Certification is the object that travels

Step back from any single firm and watch how trust will actually move between parties once autonomous systems are common. A deploying institution does not want to re-derive an agent provider's entire safety case. A counterparty transacting with another party's agent does not want to. An insurer underwriting the deployment does not want to. An investor doing diligence on a company whose product is an autonomous system does not want to. A board approving the deployment does not want to. What every one of those parties wants is a compact, credible, portable attestation that the work was done properly against a recognised reference, so that they can rely on it without rebuilding it. The full evidentiary record stays with the party that produced the system. The attestation is the thing that crosses the table.

This is why a trust standard in this domain is not an accessory layered on top of liability and insurance. It is the connective tissue the whole structure requires and that neither the statute nor the policy supplies on its own. The strict liability regime creates a default exposure for anything that acts. The insurance market creates a demand for portable proof before it will transfer that exposure. Between the two there is a load-bearing gap, and whatever credibly fills it becomes infrastructure: not because anyone announced it as infrastructure, but because every party in the chain starts depending on it and then cannot operate without it. The portable attestation is not a nicety. It is the object on which the deployability of autonomous economic action turns.

There is a precedent worth naming for how completely an attestation of this kind can come to govern a market. The security attestation that lets one company satisfy another's trust requirements without each buyer rebuilding the assessment did not become near-mandatory in enterprise software because a law required it. It became near-mandatory because procurement, security review, and increasingly insurance all came to ask for it, and once enough parties asked, not having it stopped being a neutral state and became a disqualifying one. No statute compels it. The market does, more reliably than a statute would, because the market applies the requirement continuously and at every transaction rather than at a single compliance checkpoint. The attestation for autonomous systems is on the same trajectory, and the parties building it have said as much explicitly by reaching for that precedent by name as the model. The lesson is not that history rhymes. It is that a portable trust object, once the market starts depending on it, becomes more binding than the law it sits beside, because it is enforced by every counterparty all the time rather than by a regulator occasionally.

5.5 The shape of the attestation is being decided now

The contents of that attestation are being decided now, in 2026, in the same soft period in which the public layer is still being finalised, by the parties already operating at this level while it is still shapeable: what an assurance of an autonomous system must actually speak to, how many dimensions of behaviour it must cover, how it maps onto the strict-liability surface on one side and onto an underwriter's risk model on the other, and how continuity between what was attested and what is running is maintained over time. The early standards visible in the market are not the final settled form. They are the first instances of a reference that is hardening. When it hardens, it will be the thing both roots, the legal and the actuarial, treat as the definition of an assured autonomous system, and everyone who arrives after it hardens will inherit a shape they had no part in setting. This is the same closing dynamic the sibling argument describes for the standards root, observed here one layer in, at the root where loss is carried rather than where conduct is permitted.


6. The cyber precedent, read for the load-bearing part

6.1 The obvious reading, and the part it misses

The most useful precedent for what is happening to autonomous software is the development of cyber insurance, and it is worth reading carefully because the obvious reading is true and yet misses the part that bears the load.

The obvious reading is that cyber insurance grew from a niche curiosity into standard infrastructure that serious operation now depends on, and that AI insurance will follow the same arc from novelty to necessity. That is true. It is also not the point, because the arc is not the lesson. The lesson is what cyber insurance did to security on its way along that arc.

6.2 What cyber insurance actually did

Through the early 2020s, after a period of large ransomware losses, cyber insurers were forced to rebuild their underwriting from the ground up. They could no longer price the risk on a questionnaire and a hope. To write the cover at all they had to decide what adequate security actually was, because they would not, and commercially could not, underwrite an organisation that could not demonstrate it. Underwriting shifted from questionnaire-based to evidence-based: proof of phishing-resistant multi-factor authentication, real-time behavioural monitoring, retained logs, configuration evidence, rehearsed incident response. Documented controls came to move premiums materially at renewal in either direction.

The consequence is the load-bearing part. In deciding what they would accept as evidence of adequate security before they would bind cover, cyber insurers became, in practical effect, a private standard-setter for security, frequently ahead of the public one and more operationally consequential than it, because the public standard was advisory and the insurer's requirement was a gate. An organisation's actual security posture came to be shaped substantially by what its insurer required to write the policy. The insurer's evidence checklist became the de facto standard, not because anyone legislated it, but because the gate would not open without it and serious operation could not proceed without the gate open.

6.3 Autonomous software is at exactly this juncture, one layer in

AI insurance is now at precisely the juncture cyber insurance was at when its evidence requirements were still being decided. Underwriters are determining, right now, what they will accept as proof that an autonomous system is governed well enough to be insurable: what assurance, what continuous evidence, what attested behaviour, what demonstrated continuity between what was certified and what is actually running. Whatever they converge on becomes the de facto trust reference for the deployment side of the entire market, and it converges during the soft period, before any public standard is universally cited, set by the parties already credible enough to be in the room when underwriters decide what counts as enough.

There is a difference from the cyber case that sharpens rather than softens the point. Cyber insurance was retrofitting an evidence regime onto a security practice that already existed in mature form, however unevenly applied. Autonomous-system assurance is being defined at close to the same time as the practice it assures, which means the insurer's evidence requirement is not merely codifying an existing standard of good behaviour. It is, to a substantial degree, deciding what good behaviour for an autonomous system is, in the same motion as deciding what it will insure. The de facto standard and the practice are being set together, by whoever is operating at the level where they are being set. That is the cyber lesson read correctly and read one layer in: not that AI insurance will become infrastructure, true but trivial, but that the assurance reference the insurance market settles on will become the operative definition of a trustworthy autonomous system, and it is being settled now.

6.4 Why this is not a jurisdiction story

It would be easy to read everything above as a European compliance briefing with an insurance appendix, and to conclude that an operator outside the European Union can watch from a safe distance. That conclusion does not survive contact with how the two roots actually propagate, and it is worth closing it off, because the misreading is comfortable and therefore common.

The legal root propagates by a documented mechanism. A large, wealthy, regulatorily credible market that sets a demanding rule for a general technology tends to export that rule, both directly, as other jurisdictions adopt the template rather than design their own, and indirectly, as firms operating across many markets find it cheaper to build once to the strictest applicable standard than to maintain divergent versions. Whether that effect is strong or weak in the specific case of AI is genuinely debated and this paper does not need to resolve the debate, because the insurance root propagates by a mechanism that does not depend on it at all. Insurance is global before law is. The capacity that writes large, novel technology risk is concentrated in a small number of reinsurance and specialty markets that operate across borders by construction. When those markets decide what they will require as evidence before they write autonomous-system risk, that requirement does not stop at a national boundary, because the risk does not and the capital does not. An operator in a jurisdiction with no AI statute at all still has to place its catastrophic tail somewhere, and the somewhere is a global market that is converging, now, on what it will and will not stand behind. The legal root may or may not reach a given operator through the front door of local law. The insurance root reaches every operator who cannot self-insure, through the back door of where the capital that carries their downside actually sits. There is no jurisdiction in which the question who carries the loss has a purely local answer, because the parties who ultimately carry large losses are not local. That is why this is a root and not a regional rule.


7. The continuity problem: a one-time attestation insures nothing

7.1 Why a point-in-time certificate is structurally insufficient

There is an objection that a careful reader will have been holding since section 5, and it is the right objection, so the paper takes it head on. If assurance is the precondition of underwriting, and a standard plus an audit produces an assurance, then surely the problem is solved the moment the certificate is issued. Get audited, hold the certificate, get insured. Why is this anything more than a procurement step.

The answer is that a one-time attestation of an autonomous system insures very little, and understanding why is necessary to see what the load-bearing layer actually is. A physical product, once assessed, is largely the thing it was assessed as. A pressure vessel does not rewrite itself overnight. An autonomous system does close to the opposite. Its behaviour is a function of a model that may be updated, a context that changes continuously, a tool environment that is extended, instructions that are revised, and a world it learns from or is exposed to. The revised product liability regime grasped this when it made a failure to provide needed updates a possible defect and brought post-market evolution inside the liability surface: it recognised, in law, that the relevant object is not the system as shipped but the system as running. An attestation that speaks only to the system as it was on the day of the audit is an attestation about a system that, in a meaningful sense, no longer exists by the time a loss occurs.

This is why every serious instance of the assurance stack described earlier reaches, explicitly, for continuous evidence rather than a one-time certificate, and why the underwriting question was framed in section 5 not as how do I know what this is but as how do I know it will keep being that. The first half is an audit problem. The second half is a continuity problem, and it is the harder of the two, because it cannot be solved by an event. It can only be solved by a standing relationship between the system and whatever attests to it: ongoing monitoring, drift detection, re-attestation, a maintained correspondence between what was underwritten and what is running. The insurer is not buying a fact about the past. The insurer is buying a credible expectation about the future, and only a continuous attestation can sell that.
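As an added illustration of the continuity argument above (not code from this paper or from any assurance standard it describes), the sketch below measures the moving parts the section names, binds them into a time-limited attestation, and later checks whether the running system is still the attested one. The component names, the sample configuration, the key, and the use of an HMAC in place of an assessor's asymmetric signature are all assumptions made for the example.

```python
import hashlib
import hmac
import json

# Moving parts named in section 7.1: model, instructions, tool environment, context.
# The component names themselves are assumptions made for this example.
COMPONENTS = ("model", "instructions", "tools", "context_policy")


def digest(value) -> str:
    """SHA-256 over canonical JSON, so dict key order cannot cause false drift."""
    blob = json.dumps(value, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def measure(config: dict) -> dict:
    """Per-component digests; per-component so drift can be attributed."""
    return {name: digest(config[name]) for name in COMPONENTS}


def mac_over(key: bytes, body: dict) -> str:
    """HMAC stands in for the assessor's signature (assumption: a real scheme
    would use an asymmetric signature so relying parties hold no signing key)."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def attest(config: dict, key: bytes, issued_at: int, valid_for: int) -> dict:
    """Point-in-time attestation with an expiry that forces re-attestation."""
    body = {
        "measurements": measure(config),
        "issued_at": issued_at,
        "expires_at": issued_at + valid_for,
    }
    return {"body": body, "mac": mac_over(key, body)}


def check(attestation: dict, running_config: dict, key: bytes, now: int):
    """Return (status, drifted_components) for the system as running.

    invalid : the attestation itself was altered
    drifted : running system no longer matches what was attested
    stale   : matches, but the attestation window has lapsed
    current : matches and is inside the window
    """
    body = attestation["body"]
    if not hmac.compare_digest(mac_over(key, body), attestation["mac"]):
        return ("invalid", [])
    running = measure(running_config)
    drifted = [n for n in COMPONENTS if running[n] != body["measurements"][n]]
    if drifted:
        return ("drifted", drifted)
    if now >= body["expires_at"]:
        return ("stale", [])
    return ("current", [])


# Constructed sample data: the system as audited ...
KEY = b"constructed-demo-key"
ATTESTED = {
    "model": {"name": "example-model", "weights_sha256": "0" * 64},  # placeholder digest
    "instructions": "Approve refunds up to 50 EUR.",
    "tools": ["lookup_order", "issue_refund"],
    "context_policy": {"retrieval_sources": ["orders-db"]},
}
# ... and the system as running later: instructions revised, a tool added.
RUNNING = dict(
    ATTESTED,
    instructions="Approve refunds up to 500 EUR.",
    tools=["lookup_order", "issue_refund", "send_wire"],
)

if __name__ == "__main__":
    att = attest(ATTESTED, KEY, issued_at=1_000, valid_for=3_600)
    print(check(att, ATTESTED, KEY, now=2_000))
    print(check(att, RUNNING, KEY, now=2_000))
    print(check(att, ATTESTED, KEY, now=4_600))
```

The `stale` status is the point-in-time certificate of this section: nothing has visibly changed, yet the attestation no longer supports an expectation about the future until the system is measured and attested again.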

7.2 Continuity is what makes the attestation infrastructure rather than a document

The continuity requirement is the reason the trust object cannot be a document and has to be a practice. A document is issued once and decays from the moment it is signed, because the thing it describes keeps moving. A practice that maintains the correspondence between attested and running does not decay, because its entire function is to track the movement. This distinction is not pedantic. It is the difference between a certificate, which any number of parties can produce, and infrastructure, which is defined precisely by the fact that others depend on its continuous operation and cannot operate when it stops.

It is also the reason the position this paper is describing is durable in a way a capability is not. A capability can be matched by anyone who reaches the same technical frontier, and the frontier resets every cycle. A continuous attestation relationship, by contrast, accrues exactly what capability cannot: history, accumulated correspondence, a track record of having kept the attested and the running aligned across changes, which is the only thing an underwriter or a counterparty can actually rely on when they are pricing the future rather than the past. The value of the trust object is not in any single attestation. It is in the unbroken continuity of attestation, and continuity is the one asset that cannot be acquired quickly, only accumulated, which is why being early to it is not a head start that others close but a position that compounds.

8. Identity, not capability, is what gets underwritten

8.1 The question every part of the structure is actually asking

The preceding sections have circled a single object without naming it precisely. The strict liability regime, the foreclosing of the autonomy defence, the affirmative cover, the exclusions, the standard-audit-policy stack, the insurer's evidence requirement: every one of them resolves to a demand for proof. It is worth stating exactly what they demand proof of, because the answer determines what the hardening structure actually hardens around, and that determines what it means to be operating at its root.

Begin with a distinction. There is a layer of autonomous software concerned with capability: the models, the reasoning, the tools, the orchestration of all of it into systems that act. This layer is improving very fast and, just as importantly, commoditising very fast. A capability that is scarce and impressive in one cycle is a baseline expectation in the next. Anything moving and resetting at that rate is, by construction, not where durable position or durable trust can accrue, because trust requires something that holds still long enough to be relied upon and capability does not.

There is a second layer, and it is the one every part of the structure in this paper is actually reaching for. It is not concerned with what the system can do. It is concerned with whether the system is what it claims to be, whether its behaviour is accountable, whether there is continuity between what was attested and what is actually running, and whether there is an identifiable party who stands behind it and can be held. The strict liability regime is reaching for this when it asks who stands behind a defective product that acts. The autonomy-defence foreclosure is reaching for it when it refuses to let the absence of a human decision dissolve accountability. The underwriter is reaching for it when the binding question is not how good but how do I know what this is and that it will keep being it. The auditor is reaching for it when the certification attests not to capability but to whether the system behaves as represented under adversarial pressure. None of these are asking what the system can do. All of them are asking who and what it is, and whether that holds over time.

8.2 Call it the identity layer

Call that second layer the identity layer: the layer at which a system, and the practice around it, has a stable, attestable, accountable identity over time, distinct from the orchestration layer at which it merely has capability. The argument of this paper, restated in those terms, is that the insurance and liability root does not, and cannot, underwrite the orchestration layer. It underwrites the identity layer. It uses the orchestration layer's behaviour as the thing to be accounted for, and it grips the identity layer, because identity is what accountability and insurability actually require.

Figure 1. What the structure grips. Picture autonomous software as two layers. The lower, louder, faster layer is orchestration: models, reasoning, tools, agents, the machinery of acting. It improves and commoditises continuously and is where almost all attention and capital currently sit. The upper, quieter, slower layer is identity: the attestable, continuous, accountable answer to whether this system is what it claims to be and who stands behind it. The liability regime, the autonomy-defence foreclosure, the underwriting gate, and the assurance stack are not gripping the orchestration layer. They use its behaviour as the thing to be accounted for and they grip the identity layer, because that is the only layer accountability can attach to. The orchestration layer is where the technology is. The identity layer is where the loss is carried, and therefore where durable position is.

8.3 Why identity is the only layer that can be underwritten

The reason the structure grips identity rather than capability is not a preference. It is a property of insurance itself. An underwriter can only price what can be characterised and relied upon to remain characterised over the policy period. Capability cannot serve that role: it changes faster than any policy term, which is precisely why the affirmative AI products that have emerged are structured around performance against a defined expectation and measurable behaviour rather than around any capability claim, and why the assurance stack certifies process, behaviour under adversarial test, and accountability rather than how capable the system is. The structure does not grip capability because capability will not hold still long enough to be gripped. It grips the part that holds still: who built this, what was attested, is the running system the attested system, who answers when it is not. That is identity, and it is the only thing in the autonomous-software stack slow and stable enough to underwrite.

This produces the conclusion the whole paper has been moving toward. The durable position in autonomous economic action is not at the orchestration layer, even though that is where nearly all the attention and capital are, because the orchestration layer is exactly where nothing sets: nothing there holds still long enough for a liability regime or an underwriter to grip it. The identity layer is where the structure comes to rest, because it is the only layer that can bear the weight of accountability and insurability. An entity operating at the identity layer while the reference for it is still soft is operating at the precise place the structure will set. That is the definition of being inside the structure when it hardens rather than outside it, holding a capability no one will insure, reading about the regime that priced it out.

8.4 What it means to already be operating there

To operate at the identity layer before the reference hardens is not to predict which standard the market will cite or which insurer's checklist will dominate. It is to be, already, in the present tense, the kind of thing that the strict-liability default and the underwriting gate both resolve to: a recognised account of whether an autonomous system is what it claims to be, continuous over time, mapped to the liability surface on one side and to the underwriter's evidence requirement on the other, treated as a reference rather than sold as a product. This is the root the argument of this paper has been describing since its first page: the place the loss is carried, the precondition of anything acting with economic consequence, the connective tissue between what the law makes a default exposure and what the market will agree to transfer. This is the problem Future Proof was built underneath. Not as a commentary on the insured agent but as one of the things already operating at that root while it is still soft: an AI-era trust standard held as a foundational reference, an identity layer over the orchestration layer rather than a competitor within it, the assurance the strict-liability regime assumes and does not supply and the underwriter requires and does not itself manufacture. A reader who has followed the structure will recognise the shape: a layer the statute presumes and does not build, the place the whole apparatus is reaching toward, forming now, about to set. Being there before it sets is not a claim one makes. It is a position one already holds or does not, on the day an underwriter asks how do I know what this is.


9. Implications

The reader of a paper like this is usually doing quiet research before a decision. The implications below are written for that reader, by the kind of decision they are facing. They are deliberately concrete and they remain in the register of the argument: this is what the structure does, not an offer.

For institutions

You are not waiting for AI liability to be settled. You are inside its formation period and you are likely spending it as though the open question were technical. It is not. The binding constraint on every autonomous system you deploy is not how capable it is. It is whether the loss it can cause is one anyone will agree to carry, and that question is answered before deployment, by an underwriter, on evidence, against a reference that is being set this year. The institutions that look prescient in 2028 will not be the ones whose agents were most capable. They will be the ones that were already operating to a recognised assurance reference now, while the reference was still forming, so that when it hardens it hardens around a practice they already embody rather than one they have to retrofit under deadline, against a strict-liability default and an insurance market that has already named and priced the exposure. The concrete move is not a compliance project scheduled for the year the liability regime applies. It is the adoption, now, of an assurance practice that an underwriter will recognise and a strict-liability regime will credit, because the alternative is to be the deploying party who discovers, the first time something acts and a loss lands, that the exposure attached by default and the cover never existed.

For investors

The diligence question that ages well is not whether a company's AI is impressive. Impressiveness commoditises on a schedule shorter than a holding period. The question that ages well is structural: is this company's autonomous product insurable, and is the company operating at the assurance root or merely exposed to it. A company whose product acts with economic consequence, that is treating assurance as a future event, is carrying an unpriced liability that hardens on a known schedule into a strict, no-fault regime, against an insurance market that is already excluding the risk from general cover and pricing it specifically where it covers it at all. A company that is already producing portable, recognised proof of how its systems behave holds an asset that becomes more valuable precisely as the structure hardens, because the scarcity of credible assurance rises exactly when assurance becomes the precondition of operating at all. The thing to underwrite in a portfolio is not stated capability. It is position relative to the gate that decides whether the capability can be deployed.

For operators

The most expensive misreading available to you is the one this paper has named twice: that the structure is loosening because something visible was withdrawn. The bespoke AI liability instrument was dropped and the headline read like relief. It was not relief. Liability relocated into a stricter regime and the autonomy defence is being foreclosed where legislators have moved. If you spend this period treating the open question as a capability problem to be out-engineered, you will arrive at the point where your system is good enough to deploy and discover that good enough to deploy was never the gate. The gate was assurable enough to insure, and that gate is being built now, by parties operating at the level where its evidence requirement is being decided. The operator's move is to treat assurance not as something bolted on after the system works but as the thing without which a working system cannot act, and to be producing recognised proof of behaviour now, so that hardening confirms your position instead of indicting it.

For the people inside these systems

There is a reader this paper has not yet addressed directly: the person who is not deploying, investing in, or operating an autonomous system, but who is acted upon by one. The agent that books, allocates, screens, prices, or refuses is, on the other side of the transaction, a person who was booked, allocated, screened, priced, or refused, by something with no human in the loop and, until the structure hardens, often no clear party to answer for it. This is the part of the argument where the register matters most and where it must be most honest. An assurance layer is not, finally, an instrument of commercial risk transfer. It is the thing that decides whether the autonomy that removed the human from the loop also removed the accountability. The reason to operate at the root before it hardens is not only that the position is durable. It is that the shape of the root determines whether the systems that act on people are accountable to the people they act on, or only to the parties that deployed them and the insurers who priced the deployment. That is the load the layer actually bears. Everything else in this paper is the engineering around it.


10. The insured agent, stated precisely

We can now state the central claim without metaphor and without slack.

When software acts with economic consequence, the binding question is not whether it can act. It is who carries the loss when it does, and what anyone requires as evidence before agreeing to carry it. That question is not answered in the statute. The statute, by relocating AI into a strict, no-fault product liability regime and, where legislators have moved, foreclosing the autonomy defence, has settled only the default: the loss will land on a human party and the absence of a human decision will not dissolve it. Everything that decides which party, on what terms, and at what price is settled earlier and elsewhere, at the insurance and liability root, by an underwriting gate that runs on commercial time and is hardening now.

That gate does not open on capability. It opens on assurance. No serious party underwrites, finances, or deploys an autonomous system whose behaviour cannot be credibly characterised, attested, and relied upon to remain what it was attested to be. The market has made this explicit by building, in order, a standard, an audit against it, and a policy priced to the result. The order is the argument: insurability rests on the audit, the audit rests on the standard, and therefore whether an autonomous system can act in the economy at all rests on what it can be credibly assured to be against a recognised reference. That reference is being set now, in the soft period before it hardens, by the parties already operating at the level where it is decided. When it hardens, it becomes the operative definition of a trustworthy autonomous system, and everyone who arrives after inherits a shape they had no part in setting.

There is one further point and it is the sharpest one. A soft assurance reference is not shaped by spectators. It is shaped by participants. The strict-liability surface is fixed text, but what counts as adequate assurance against it is being decided by who is already attesting at the level the market comes to expect. The underwriter's evidence requirement is being set by what underwriters are already treating as sufficient. The standard is being established by whoever is already operating it credibly. None of these is shaped by reading about autonomous software. All of them are shaped by already being a recognised account of whether an autonomous system is what it claims to be, at the moment the market decides what such an account must contain. The question the insured agent finally poses to any serious party is therefore not have you understood the liability regime. It is were you already operating at the assurance root while it was still soft, or did you arrive to be priced by it after it set.


11. Coda

The instinct, faced with software that has begun to act, is to make it better and trust that better will be enough. The argument of this paper is that the instinct is aimed at the wrong frontier. The frontier that binds is not how capable an agent can be made. It is what an agent can be credibly assured to be, because that is the frontier of what can be underwritten, and what cannot be underwritten cannot, for any serious party, be deployed. An uninsurable agent is not a powerful agent waiting for the market to catch up. It is a liability waiting for the first loss to land.

The European Union, by withdrawing the bespoke fault-based instrument and relocating AI into strict, no-fault product liability with the claimant's path eased, has fixed the default: the loss will be carried by a human party and will attach automatically. The insurance market, forming ahead of the law on its own clock, has fixed the gate: it will not transfer that loss without assurance, and it is deciding now, in a reference that is still soft, what assurance must contain. Between the default and the gate sits the only durable position in autonomous economic action, and it is not at the orchestration layer where the technology lives and nothing holds still. It is at the identity layer, the attestable, continuous, accountable answer to whether a system is what it claims to be and who stands behind it, because that is the only layer slow enough for a liability regime to grip and an underwriter to price.

There is a version of being early that is just speed. This is the other kind. To be early to a hardening assurance root is not to predict which standard wins or which underwriter's checklist prevails. It is to already be one of the things both the regime and the market resolve to when they ask, before anything is allowed to act, how do we know what this is and who carries it when it is wrong. When the root sets, it does not record who understood it. It records who was already operating at it. The only question this paper finally asks is whether, on the day an underwriter looks at an agent and asks who stands behind this, the answer is a position you already hold or a question you are hearing for the first time.


References and Notes

The following are real, public, verifiable sources. Dates and market structure in this paper were grounded against current sources in 2026. Where a mechanism or attribution was contested between sources, the paper states the structural truth and does not cement the contested detail.

  1. Directive (EU) 2024/2853 of the European Parliament and of the Council on liability for defective products, repealing Council Directive 85/374/EEC. Published in the Official Journal of the European Union, 18 November 2024. Transposition deadline 9 December 2026; applies to products placed on the market or put into service after that date. Expressly includes software, AI systems, and digital manufacturing files within the definition of a product; retains strict, no-fault liability; introduces disclosure duties and rebuttable presumptions of defectiveness or causation in cases of technical or scientific complexity.
  2. Proposal for a Directive of the European Parliament and of the Council on adapting non-contractual civil liability rules to artificial intelligence (the Artificial Intelligence Liability Directive), COM(2022) 496, 28 September 2022. Withdrawal signalled in the European Commission Work Programme 2025, published 11 February 2025, with the stated reason of no foreseeable agreement; confirmed scrapped during 2025. See the European Parliament Legislative Train Schedule entry for the AI Liability Directive and contemporaneous analysis (IAPP; Bird and Bird; Baker McKenzie; Oxford Law Blogs; Verfassungsblog).
  3. Munich Re, aiSure, AI performance-guarantee insurance. Munich Re publicly dates its work on AI insurance to 2018; aiSure is structured to reflect the probabilistic nature of AI and to settle on measurable performance data. In early 2026 a partnership with Mosaic Insurance introduced AI-specific cover for AI developers drawing on the aiSure platform with meaningful initial capacity. Sources: Munich Re aiSure materials; Reinsurance News; Insurance Business; contemporaneous reporting, February 2026.
  4. Armilla Insurance Services, Coverholder at Lloyd's: affirmative AI Liability Insurance launched 30 April 2025, underwritten by certain underwriters at Lloyd's including Chaucer, with a trigger keyed to AI underperformance (failure to perform as intended, critical errors, hallucinations, inaccuracies leading to damages). Originated from a Lloyd's Lab cohort. Sources: Armilla; PR Newswire; CDO Magazine; Reinsurance News.
  5. Generative-AI exclusion endorsements for commercial general liability filed and adopted with effect from 1 January 2026, reported as applicable across a large share of standard property-casualty templates, with AI exclusions trending toward the default position in general liability and specialist entrants moving into the space being vacated by standard carriers. Sources: contemporaneous insurance trade and analyst reporting, 2025 to 2026.
  6. The Artificial Intelligence Underwriting Company (AIUC): emerged from stealth in mid-2025 with a seed round led by NFDG, backers including figures from frontier AI and former enterprise security leadership. AIUC-1 is a published standard for AI agents covering data and privacy, security, safety, reliability, accountability, and societal risk, developed with named legal, academic, security, and threat-modelling institutions, explicitly likened by its founders to SOC 2. The model combines a standard, independent adversarial audit, and liability coverage priced to performance. Reported certifications of AI providers and platforms through 2025 to 2026, with named audit firms as authorised assessors. Sources: aiuc.com; Fortune; Reinsurance News; GlobeNewswire; vendor newsrooms.
  7. Cyber insurance underwriting practice: the shift, through the early 2020s, from questionnaire-based to evidence-based underwriting following large ransomware losses, requiring demonstrable controls (phishing-resistant multi-factor authentication, behavioural monitoring, logging, rehearsed incident response) as a precondition of cover, with documented controls materially affecting premium at renewal. Sources: cyber insurance underwriting and broker analyses, 2025 to 2026; public cybersecurity insurance toolkits.
  8. The agentic-liability literature on the agency gap, the supply-chain attribution of responsibility (model developer, orchestration operator, deployment platform, deploying enterprise), the personhood and legal-actor debate, and the foreclosing of the autonomous-operation defence in jurisdictions that have legislated on the point. Sources: Clifford Chance; Squire Patton Boggs; Baker Botts; Institute for Law and AI; and reporting on state-level provisions effective from 1 January 2026 barring autonomous operation as a liability defence.
  9. The emergence of agent payment and interoperability protocols (agent payments, agent-to-agent, model context, and commerce protocols) and analysis of agentic AI reshaping payments, including the International Monetary Fund's 2026 work on the subject. Sources: IMF eLibrary, 2026; contemporaneous technical and legal reporting.

A note on method. This is a reference paper, not a legal or actuarial opinion. Specific products, capacities, and certification milestones cited here are illustrative of a market structure and may evolve; the structural argument, that assurance has become the precondition of underwriting autonomous economic action and that the assurance reference is forming now and hardening soon, does not depend on any single product or date and is robust to that movement. Readers making compliance, underwriting, or investment decisions should consult the adopted instruments and current market filings directly.


Future Proof Intelligence . Research . No. IX . MMXXVI

