Defense for the regulatory inquiry.
Regulatory Defense covers defense and investigation cost, where insurable, arising from a formal regulatory inquiry into the insured's deployment, training, evaluation, or governance of an AI system. The line answers the EU AI Act enforcement track, the U.S. state regimes already in force, and the sector-specific AI mandates issued by FDA, FINRA, NAIC, OCR, EEOC, and the agencies still drafting them.
The form is structured so that the line does not collide with the insured's D&O tower (which covers individuals) or its existing professional indemnity tower (which excludes regulatory penalty by default). Where penalty is insurable in the law of the seat, the form responds. Where it is not, defense and investigation cost remain covered.
What we mean by a regulatory inquiry.
- EU AI Act (Reg. 2024/1689) — Articles 6, 9, 15, 26, 99
- Colorado AI Act (SB 24-205)
- New York City Local Law 144 — automated employment decision tools
- California ADMT regulations under CCPA / CPPA
- FDA Software-as-Medical-Device & PCCP-related inquiries
- FINRA / SEC inquiries into AI-driven recommendation systems
- NAIC Model Bulletin on AI systems in insurance
- EEOC, OCR, HUD — algorithmic disparate-impact inquiries
- Civil class action arising from the same facts → AI Agent E&O
- First-party model breach of warranted metric → Model Warranty
- Bodily injury & property damage → Autonomous Systems
- Individual director or officer cover → existing D&O
- Tax-, customs-, and trade-secret inquiries unrelated to AI
- Penalties where uninsurable in the law of the seat
What we answer, and where we stop.
| Regime | Defense covered | Penalty, where insurable | Standard retention | Telemetry tier |
|---|---|---|---|---|
| EU AI Act (Reg. 2024/1689): High-risk obligations — Annex III systems. | Yes | Sublimit, by law of seat | $100K | Tier S |
| Colorado AI Act (SB 24-205): High-risk deployer & developer obligations. | Yes | Yes | $50K | Tier A |
| NYC Local Law 144: Bias audit requirement for AEDT. | Yes | Yes | $25K | Tier A |
| CCPA · ADMT regulations: Notice, opt-out, risk assessment. | Yes | Yes | $50K | Tier A |
| FDA SaMD & PCCP inquiries: 510(k), de novo, post-market change. | Yes | By referral | $100K | Tier S |
| FINRA / SEC AI inquiries: Recommendation & conflict review. | Yes | By referral | $100K | Tier S |
| NAIC Model Bulletin (state-adopted): AI in insurance — underwriting, claims. | Yes | Yes | $50K | Tier A |
| EEOC / OCR / HUD AI inquiries: Disparate-impact in employment, health, housing. | Yes | By referral | $100K | Tier S |

| Exclusion | Form reference | Buy-back available | Notes |
|---|---|---|---|
| Penalty uninsurable in law of seat: Where statute or public policy prohibits. | § 5.1 | No | Defense costs remain covered. |
| Prior known inquiry: Inquiry known to insured before bind. | § 5.2 | No | Retroactive date set at quote. |
| Intentional concealment of AI use: Where disclosure was required and skipped. | § 5.3 | No | Inadvertent omission remains covered. |
| Personal individual liability: Cover for individuals as named insured. | § 5.4 | No | Refer to existing D&O placement. |
| Cross-border data transfer penalties: Where unrelated to AI governance. | § 5.5 | By endorsement | GDPR / CCPA data-only inquiries. |
| Tax, customs, securities-non-AI: Inquiries outside AI-governance scope. | § 5.6 | No | Existing financial-lines placements. |
| Fines for failure to file periodic transparency report: EU AI Act Art. 50, where overdue at bind. | § 5.7 | By endorsement | Tied to evidentiary register cadence. |
What the file must contain.
This line binds against an evidentiary contract — a register of records the insured undertakes to maintain so that the file is defensible when an inquiry arrives. Castra ingests the index of these records, not the records themselves. The records remain with the insured under attorney-client privilege where applicable.
This is the line where the telemetry contract overlaps most heavily with the day-to-day compliance program. The same action audit, classification stability, and dependency graph used to underwrite the policy form the evidentiary spine when an inquiry opens. The file is built continuously, not on receipt of subpoena.
The methodology and the three instruments are described in detail on the Underwriting page.
A sample loss, worked end to end.
The audit that opened in Brussels.
A U.S. healthcare AI company served a triage model into hospital networks across Germany, the Netherlands, and Belgium. In November of the policy period the company received an audit notice from a national competent authority under Article 26 of the EU AI Act, classifying the deployment as high-risk under Annex III and requesting the risk-management file, the post-market monitoring records, and the Article 25 substantial-modification log.
The company's underlying counsel was U.S.-based and had not previously responded to an Article 26 audit. Penalty exposure under Article 99 ranged into seven figures depending on classification of the conduct. The audit also implicated GDPR through the AI Act's data-governance article, opening a parallel data-protection track that fell outside this line.
An audit is not a verdict. But the file you bring to it is.
Coverage attached under § 2.1.a from the date of the audit notice. Castra panel counsel in Brussels and Frankfurt were engaged within 72 hours; counsel from the company's existing GDPR firm handled the parallel data track outside this policy. The evidentiary register required under Annex B had been maintained continuously; the file was substantively complete on day one, with three months of Art. 25 substantial-modification entries and four quarters of high-risk classification reviews on hand.
Defense paid: $3.1M (panel counsel, technical experts, translation, on-site representation). Penalty: the matter resolved at €420K (~$455K) under Art. 99(4) — classified as a non-compliance with provider obligations, lowest of the three tiers, paid under the penalty sublimit where insurable. Total claim within limit, retention $100K applied. Renewal premium adjusted +14.2% on the regulatory-defense base; no other line in the tower was impacted.
Note. This claim example is a composite, drawn from sample patterns. It is not based on any single insured. Amounts are illustrative. EU AI Act provisions are summarised in operational shorthand; the operative text of the Regulation controls.