An autonomous loss does not look like a cyber loss. It does not look like an errors-and-omissions loss. It does not look like a product liability loss. It looks like all three at once, which is precisely why every legacy line ends up paying nothing.
The mistake reinsurance committees keep making is to treat AI exposure as a coverage problem — as if the right answer were a definitional appendix bolted to a 1998 cyber form. It is a morphology problem. Until you understand the shape of an autonomous loss, you cannot price it, you cannot reserve for it, and you cannot defend it. This memo walks through the three claim morphologies we currently underwrite against, what each one does to a conventional insurance tower, and the telemetry we condition coverage on.
Pattern IWrongful Action
The autonomous system performed the action it was designed to perform. The action was wrong.
This is the morphology most underwriters expect, because it maps onto the mental model of a traditional product failure: a thing did a thing, the thing caused harm, an attribution chain runs from policyholder to claimant. The intuition holds; the policy language does not.
Consider an autonomous logistics router responsible for re-pathing a fleet of last-mile vehicles around real-time congestion. The router consumes municipal traffic feeds, weather, and dispatcher overrides. A road closure data point fails to propagate from a regional API. The router re-paths three vehicles into the closed corridor; one collides with construction equipment. Property damage, two injuries, regulatory inquiry.
A general liability tower will respond to the bodily injury portion and, in most forms, exclude the operational error from the property damage. A product liability tower will look for a defect; if the model behaved exactly as trained, there is no defect — only a foreseeable edge case the operator failed to gate. The dispatcher's E&O carrier will deny on the basis that the failure was not a professional judgment: the model made the judgment. The cyber tower will deny because no security failure occurred. The autonomous-systems exposure ends up uninsured, split across deductibles, or litigated for years.
Coverage that names the action is the threshold requirement. Castra binds on a use-case basis: routing decisions, classification decisions, generation outputs, and physical actuations are each enumerated as insured operations. Defense costs trigger on first notice of a loss event matching the use-case definition, not on adjudication of which legacy carrier holds primacy.
Pattern IIMisclassification of Inputs
The autonomous system labeled an input incorrectly. A downstream action followed. The loss attaches to the action; the cause is the label.
A document-review agent at a mid-cap law firm classifies an indemnity-and-defense provision in a vendor master agreement as a standard hold-harmless clause. The provision is not standard. It assigns unlimited contractual indemnity to the firm's client, with no carve-outs for the vendor's own gross negligence. The general counsel signs. Eighteen months later the vendor settles a class action and seeks indemnity. The exposure is forty-two million dollars against a five-million cap the GC believed she had negotiated.
The firm's lawyers' professional liability tower will examine whether the attorney exercised reasonable skill. The attorney relied on the agent's output. Did she exercise reasonable skill in the choice to rely? Some forms say yes, some say no, some require a duty-to-supervise analysis that did not exist in the 2018 form being renewed. The agent's vendor will be sued in parallel; the vendor's E&O carrier will tender the defense to the firm's tower; both will deny on the basis that the other is primary. Two years of declaratory action follows. The client, meanwhile, is uninsured for the gap.
This pattern compounds because the signal of misclassification is rarely visible at the point of action. It surfaces only when the labeled input matures into a contested fact. Castra underwrites against this morphology by requiring classification-stability telemetry as a condition of bind: label distributions, confidence scores, and human-override rates streamed quarterly. A drift in any of the three triggers an off-cycle review. The premium is adjusted; the coverage is not.
The loss has a shape. The policy must match. Most policies today do not match — they were written for a world in which the actor was always identifiable and the action was always a person's.
Pattern IIISpillover into Adjacent Infrastructure
A failure in one autonomous system propagates into a system that depends on it. The downstream system fails in a way that looks unrelated. The forensic trail is long.
A credit-decisioning model at a consumer lender depends on an upstream fraud-scoring model maintained by a third-party vendor. The fraud scorer drifts after a routine retraining on a new dataset; it begins assigning materially higher fraud probabilities to a demographic subsegment. The credit decisioner consumes the fraud score as an input feature with a 0.31 weight. Over six weeks, applications from that subsegment are denied at rates well above baseline. The pattern is detected in a quarterly disparate-impact audit and reported to the CFPB. FCRA exposure follows. The lender's general liability tower excludes regulatory penalties. The cyber tower will deny because no breach occurred. The directors' and officers' policy will respond to securities-fraud claims, but not to the underlying consumer-finance exposure.
The morphology here is the dependency graph. An autonomous system inherits the failure modes of every model it consumes. A single drift event can manifest as bodily injury at one node, regulatory penalty at another, and reputational harm at a third — each at a different policy attachment point, with a different deductible, in a different policy year.
Castra requires a dependency-graph attestation at bind: every model the policyholder consumes from external sources, the operational coupling, the version cadence. Spillover claims trigger a portfolio review, not a single-policy claim review. We share concentration analytics with treaty partners quarterly so capacity providers can model correlated drift as a single peril — not as three uncorrelated lines that happened to fire in the same quarter.
CoverageWhat the Tower Actually Pays
If your organization deploys autonomous systems and renews a conventional tower in 2026, the most likely answer is nothing.
In a sample of commercial cyber renewals we reviewed in the first quarter of 2026, a majority added or strengthened AI-related exclusions. Modal exclusion language: "any actual or alleged use of artificial intelligence, machine learning systems, or autonomous decision-making technology, regardless of whether such use is direct, indirect, contributory, or causal." Read literally, this excludes coverage for any cyber incident in which a defendant uses AI in any operational capacity — which by 2026 means every defendant.
The E&O market is more selective: most forms still respond, but with sublimits on AI-related claims (typical: one to five million dollars, against towers of twenty-five million-plus). Product liability is in flux; carriers are watching the federal preemption fight over state AI acts before pricing. General liability has historically not covered "pure economic loss," and most autonomous-loss morphologies are dominated by economic loss.
The arithmetic, then: a fifty-million-dollar tower across cyber, E&O, GL, and D&O may, after exclusions and sublimits, provide a small fraction of that in actual AI-related capacity. The remainder is the protection gap.
UnderwritingWhat We Substitute
Castra binds affirmative AI liability against three telemetry hooks:
- Action audit. Read-only access to a defined audit log of decisions and actuations the insured system produces. We sample monthly. Discrepancies between intended and actual action distributions trigger inquiry.
- Classification stability. Distribution drift, confidence calibration, and human-override rate, streamed quarterly. Material drift triggers an off-cycle review and re-pricing — coverage continues uninterrupted.
- Dependency graph. A current map of upstream models, vendor APIs, and feature inputs. Updated at any material architecture change. Spillover exposure is reserved at the portfolio level.
The premium is a static base plus a coefficient computed against these three streams. The coefficient can move in either direction. A policyholder whose drift metrics improve over the policy period sees premium reduction at renewal — measurable, not promised.
CodaOn Discipline
Insurance is a discipline. Autonomous deployment is a discipline. The two have not yet learned to speak the same language. Until they do, every loss will be litigated by carriers against each other while the policyholder waits.
The shape of the loss is the actuarial truth. The policy that matches the shape is the underwriting. Everything else is theater.
Imperium per disciplinam. — Through discipline, command.
Castra Risk reviews specialty insurance towers as part of the underwriting intake process. Cohort statistics referenced in this memo are aggregated across confidential broker-supplied renewal data, anonymized at the policyholder level. Modal exclusion language is paraphrased from observed 2025–2026 cyber and E&O renewal forms; specific carrier language is not attributed.
This memo is provided for informational purposes only and does not constitute legal advice, an offer to insure, or a binder of coverage. Coverage availability and policy terms vary by jurisdiction and risk. Direct inquiries to underwriting@castrarisk.ai.