AI Governance for Small Business: Are You Covered? | donegan

Artificial intelligence has quietly become part of how small businesses run. It drafts client emails, answers customer questions, summarizes meetings, and sketches out proposals. That is a real productivity win, and we are not here to talk anyone out of it. What we want business owners to understand is that the same tools opening those doors are also opening a new category of risk, and most insurance policies were written long before any of it existed.

Here is the practical problem. When your team leans on AI without clear ground rules, a few things tend to go wrong in predictable ways. A client deliverable goes out with a confident-sounding answer that turns out to be wrong. An employee pastes sensitive customer data into a public tool, and that information is no longer fully under your control. A marketing image or block of copy borrows a little too closely from something protected. None of those are exotic, headline-grabbing failures. They are ordinary mistakes, made faster and at larger scale because a machine was involved.

Regulators have noticed. Across the country, lawmakers are moving toward expecting businesses to explain and stand behind decisions that an algorithm helped make, especially in hiring and in anything that affects a customer’s money or rights. The legal landscape is uneven and still forming, but the direction is clear: you remain responsible for the output, even when the tool came from an outside vendor. “The software did it” has never been a defense that holds up well, and it is not going to start now.

The encouraging part is that you do not need a legal department or a six-figure software budget to get ahead of this. Most of the exposure comes down to three habits. First, write a short, plain-language AI use policy: one or two pages that tell your team which tools are approved, what kinds of information should never be entered into them, and who to ask when there is a question. Second, keep a simple inventory of the tools your people actually rely on, because you cannot manage a risk you have not named. Third, build in a human review step for anything that goes to a client or affects a real decision. A person reading the work before it leaves the building catches the great majority of problems before they become claims.

Then there is the insurance question, which is where the picture gets genuinely murky. If an AI-related mistake leads to a claim, would your coverage respond? The honest answer is that it depends, and it varies more from policy to policy than almost anything else we review right now. Several lines could plausibly be in play. Your professional liability or errors and omissions coverage might respond to a flawed deliverable. Your cyber policy might respond to a data exposure. Your media coverage might respond to a copyright or defamation allegation. The trouble is that ‘might’ is doing a lot of work in those sentences, because many carriers have started adding endorsements that specifically address, limit, or exclude losses tied to AI. Some policies are silent on the subject, and silence is not the same thing as coverage.

This is the part worth slowing down on. Over the past year, the standard policy forms that sit behind most business insurance have begun adding language that lets carriers carve generative AI out of coverage that used to apply by default. That ends what the industry calls ‘silent’ coverage, where AI risks were neither named nor excluded and most people simply assumed they were covered. When that assumption meets a denial letter, the gap stops being theoretical. The fix is not complicated, but it requires actually reading the renewal rather than filing it: look for new AI-related endorsements, ask your agent in plain language what is in and what is out, and find out whether any vendor agreements give you indemnity if their tool is the source of the problem.

It helps to picture how this actually shows up in a real business. A professional services firm uses AI to draft a client report, and a fabricated statistic slips through to the client: that is a professional liability question. A small marketing shop generates an image that turns out to echo a protected work: that is a media and intellectual property question. An office assistant pastes a spreadsheet of customer records into a public chatbot to summarize it, and sensitive data has now left your control: that is a privacy and cyber question. The same tool, three different exposures, three potentially different policies, and in each case the answer to ‘are we covered’ depends on the exact language of forms most owners have never read closely. That is the heart of why AI does not map neatly onto any single existing coverage.

For a Central Texas business owner, none of this should land as a reason to unplug. AI is a tool, and like every tool your business already uses, it carries a manageable set of risks once you decide to manage them on purpose. A written policy, a short list of approved tools, a human check before work goes out, and a coverage review that treats AI as a real exposure rather than an afterthought will put you well ahead of most companies your size. The businesses that get hurt are almost always the ones that never made a decision at all, the ones where AI use just happened and nobody owned it.

At donegan, this is exactly the kind of review we are built for, because it sits right at the intersection of how a business actually operates and what the fine print actually says. We read the endorsements for a living, and we would rather walk through your professional liability, cyber, and media coverage with you now, calmly, than try to sort out where the gap was after a claim has already landed. If your team is using AI in any meaningful way, and at this point nearly every team is, that is a short conversation worth having before your next renewal.

Frequently Asked Questions

Does my general liability policy cover AI-related mistakes?

Often not. Many standard policy forms now include endorsements that limit or exclude generative AI exposures, and policies that are silent on AI do not necessarily provide coverage. The only reliable way to know is to review your specific forms and endorsements, which we are glad to do with you.

What should an AI use policy actually include?

Keep it short and readable. Spell out which AI tools are approved, what information should never be entered into them (such as customer data or confidential records), the requirement that a human review anything client-facing, and who an employee should ask when they are unsure. One or two pages is plenty for most small businesses.

Am I responsible if a third-party AI vendor’s tool causes the problem?

Generally yes. Regulators and courts have signaled that the business remains accountable for outcomes even when an outside tool produced them. Vendor agreements sometimes provide indemnity, so it is worth checking what protection, if any, your contracts give you.

Is there insurance built specifically for AI risk?

A small but growing number of carriers offer affirmative AI coverage, sometimes through technology errors and omissions, cyber, or standalone products. Whether it is right for your business depends on how you use AI and where your current policies leave gaps. That assessment is part of a normal coverage review.