There is a quiet crisis spreading through the AI startup world. Not about fundraising or product-market fit, but about insurance. It sounds boring until you realize it could kill your biggest deals and crater your company.
Mercor is a San Francisco AI startup worth $10 billion. It raised $350 million and counted Meta, OpenAI, and Anthropic among its clients. Then, in March 2026, hackers broke in through a vulnerability in a popular open-source tool that Mercor, like thousands of other AI companies, was using.
The attackers stole 4TB of data: job interview recordings, biometric data, source code, API keys, and confidential AI training data belonging to Mercor's enterprise customers. Meta immediately paused every contract it had with Mercor. Seven class-action lawsuits were filed within weeks. Thousands of contractors couldn't log hours. A $10 billion company was brought to a standstill — not by a bad product or a failed fundraise, but by an insurance and liability nightmare that nobody had adequately planned for.
Here's the critical point: Mercor didn't even get hacked directly. The attack came through a third-party tool. Yet Mercor owns the liability. That's how enterprise contracts work, and it's a preview of a much larger problem.
Think of business insurance like a safety net under a trapeze artist. For years, AI-related mistakes were quietly covered inside standard business insurance policies — not because anyone intended it, but because nobody explicitly excluded them. That changed on January 1, 2026.
The organization that writes the standard forms used in roughly 82% of U.S. business insurance policies quietly introduced two new add-ons that let insurers carve out all AI-related claims. The biggest insurance companies — Berkshire Hathaway, Chubb, Travelers, AIG, and others — immediately started filing for permission to add these exclusions to their policies. State regulators have approved over 80% of those requests.
What does this mean in plain English? Your existing business insurance very likely no longer covers you if your AI makes a mistake. If your AI product causes a customer to lose money, discriminates in a hiring decision, gives bad medical advice, or leaks confidential data, the insurer can now point to the AI exclusion and deny the claim.
And it's not just your general liability policy. These exclusions are spreading into Directors & Officers insurance (which protects your board and investors), Errors & Omissions insurance (which covers professional mistakes), and cyber insurance as well. The safety net has holes in it everywhere.
Is There Replacement Coverage? Sort Of.
A few companies are building AI-specific insurance products to fill the gap. The problem: there are currently only three meaningful providers — Armilla AI, Testudo Global, and Munich Re. All three sell through specialized wholesale channels that most ordinary business insurance brokers have never accessed.
Armilla AI, the furthest along, raised $25 million in January 2026 to grow. Its policies cover AI hallucinations causing financial loss, AI agent failures, harmful AI outputs, and regulatory investigation costs. But getting covered isn't as simple as buying a policy. Armilla's underwriters require you to prove your AI is properly governed: documented oversight policies, bias testing, model inventories, incident response plans, and evidence that a human is watching over your AI's outputs.
If you can't demonstrate that governance infrastructure, you either don't get coverage or you pay significantly more for less. For a seed or Series A startup trying to move fast, that bar is high.
The Enterprise Deal Trap
Here's where this becomes an immediate, practical problem for founders.
Large enterprise customers have always required vendors to carry insurance before signing a contract. It's standard — you've seen it in the procurement questionnaire. "Please provide a Certificate of Insurance showing $2 million in General Liability and $1 million in Professional Liability."
Now those same procurement teams are waking up to the fact that standard policies exclude AI. So they're doing one of two things.
Option 1: Requiring vendors to carry affirmative AI-specific liability coverage — a policy that explicitly covers AI mistakes, not one that simply doesn't exclude them. Coverage that barely exists and is hard to obtain.
Option 2: Requiring the vendor to contractually indemnify the enterprise, meaning you, the startup, sign a contract promising that if your AI causes the enterprise any loss, you'll pay for it out of pocket. No cap.
Most startups, desperate to close their first enterprise customers, will sign the indemnification language without fully understanding it. You're essentially writing a blank check. If your AI product causes a Fortune 500 company a significant financial loss, you're on the hook — even if your entire company is worth less than the claim.
The supply chain lesson from Mercor makes this worse. Your enterprise customer doesn't care that the vulnerability was in a third-party tool you relied on. In their contract with you, you're responsible for your full technology stack.
What This Means for Your Investors
If you have investors — or are trying to get them — this is a risk that's flying under the radar but is starting to show up in term sheets and due diligence.
Hidden liability in your revenue. Every enterprise contract you've signed with an AI indemnification clause is a contingent liability sitting on your cap table alongside your investors' equity. If something goes wrong, that liability gets paid before investors see anything.
Regulatory exposure on top. The Colorado AI Act takes effect June 30, 2026 with fines up to $20,000 per violation. California's AI rules kick in January 2027. The EU AI Act is rolling out through 2027. These regulations create liability — liability that your insurance may now explicitly exclude.
Board-level exposure. Your investors who sit on your board are protected by Directors & Officers insurance. Except D&O policies are now getting AI exclusions too. If a shareholder sues claiming that the board misrepresented the company's AI capabilities or risk posture, the D&O policy may not respond.
A 2025 survey found that 40% of limited partners were already requiring explicit AI liability clauses in their investment terms — recognition that something real has changed.
What Founders Should Do Right Now
You don't need to become an insurance expert. But you do need to treat this as a business problem, not a back-office administration task.
The Mercor crisis didn't happen because of a bad product or bad judgment. It happened because the AI industry moved faster than the infrastructure designed to support it, and insurance infrastructure is part of that. The safety net that protects businesses from mistakes has enormous, newly-created holes in it. New nets are being built, but slowly.
Until that market matures, every AI startup selling to enterprise customers is walking a tightrope with less safety net than they think they have. The founders who figure this out early — who build governance, negotiate contracts carefully, and secure whatever coverage is available — will have a real competitive advantage. The ones who find out the hard way will have a Mercor story of their own to tell.