Establishing causality requires distinguishing between statistical associations and true causation, which is challenging. Opacity refers to the black-box nature of decision-making in ML models, which limits traceability.
Unpredictability further undermines causal analysis. When training datasets are incomplete or poorly representative, models may behave reliably in some contexts but fail unexpectedly in others. Overfitting exacerbates this problem, making a model generalize poorly to new cases.
Self- and continuous learning is the incremental training of an AI system while it is operational. A key concern here is catastrophic forgetting, where learning new patterns can interfere with the model’s existing knowledge. This makes it difficult to reconstruct how the model behaved at the time of the incident.
Implications for brokers and their clients:
- Secure tech E&O insurance to protect against claims where fault is hard to prove due to opaque AI behavior.
- Ensure policies cover model drift and continuous learning risks, including losses caused by unexpected behavior after deployment or system updates.
- Review contractual risk transfer and documentation protections with AI vendors, including coverage for failures linked to training data or model design.
Source: European Commission (March 2023). Liability regimes in the age of AI: a use-case driven analysis of the burden of proof.
Agentic AI Expands in Retail While Governance Lags Behind
New research from law firm TLT shows that 49% of top UK retailers are investing in agentic AI but only 15% have the infrastructure or contractual frameworks to do it securely.
Early uses include dynamic pricing, autonomous stock replenishment, and AI-driven payment method selection. 29% are combining agentic AI with loyalty-linked payments, and 20% are focusing exclusively on AI deployments. Only 10% are looking to support crypto payments.
Despite these plans, almost half of the retailers surveyed are unclear on liability if an AI agent makes an incorrect or unauthorized payment. The report discusses the “innovation gap”, a mismatch between technological adoption and governance, and 70% of retailers cite regulatory uncertainty as a major challenge. To address emerging fraud risks, 29% plan to deploy AI-based fraud detection systems.
Implications for brokers and their clients:
- Seek coverage that includes third-party liability and downstream impacts.
- Review policy exclusions carefully for AI-related decisions, ensuring that autonomous or semi-autonomous system behavior is not excluded.
- Expand cyber and crime coverage to include losses caused by autonomous or AI-initiated transactions, including unauthorized or erroneous payments.
Source: The Fintech Times (December 19, 2025). UK Retailers Race to Adopt ‘Agentic AI’ for Payments Despite Infrastructure and Liability Gaps.
Cannabis Reform on the Horizon as Trump Signs Executive Order
In Risk Wrap 032, we discussed the possibility that President Trump would sign an executive order directing federal agencies to expedite the rescheduling of marijuana. On December 18, the order was signed. It doesn’t legalize marijuana at the federal level, but it has far-reaching implications for the sector.
As well as rescheduling, the order focuses on plans for the Centers for Medicare and Medicaid Services to launch a pilot program to pay for treatments containing CBD, and for the Department of Health and Human Services, FDA, CMS, and NIH to develop research methodologies to inform standards of care and access. It also calls for an update on the statutory definition of “final hemp-derived cannabinoid products” after recent legislation imposed new THC thresholds on them.
The Attorney General will now complete the necessary rule-making to implement the rescheduling “in the most expeditious manner” permitted under federal law. Traditionally, this process can take years, but the administration’s preference for speed could shorten the timeline. If the Attorney General issues a final rule, it could take place in early 2026. Alternatively, agencies, including the DEA, will play key roles in moving the process forward.
Implications for brokers and their clients:
- Work with insurers experienced in cannabis regulation to anticipate enforcement changes, coverage gaps, and exposure arising from rescheduling or expanded federal oversight.
- Secure product liability and professional liability coverage that reflects evolving standards for cannabis-derived products, especially as new medical and therapeutic uses emerge.
- Assess business interruption and supply chain coverage to protect against disruptions caused by regulatory delays, reclassification impacts, or changes in federal enforcement priorities.
Source: JD Supra (December 26, 2025). Trump Administration Reignites Marijuana Rescheduling.
Crypto Regulation Accelerates Across Emerging Markets
2025 brought significant changes to crypto regulation in the US and Europe. How are other jurisdictions responding to the same pressures?
In Africa, regulations started to catch up with real-world crypto use. Across the continent, regulators are focusing on stablecoin use in cross-border trade, and on operationalizing FATF-aligned AML/CFT requirements with a view to moving toward data‑driven oversight of economic flows.
Sub-Saharan Africa was the third-fastest-growing crypto region in 2025. On-chain transaction volumes rose more than 50% year-over-year, with the majority of transactions under $10,000, indicating growing retail use.
South Africa implemented Travel Rule obligations in 2025 and brought many Crypto-Asset Service Providers into a licensing regime. The South African Reserve Bank is advancing policy work on stablecoins and tokenized money toward broader regulatory frameworks.
Policy in Nigeria is changing more gradually. Securities and AML/CFT frameworks are being used to regulate exchanges and intermediaries more systematically, while caution about monetary and FX implications remains.
In the Middle East, the focus in 2025 was on building regulatory frameworks for its rapidly expanding and increasingly institutional crypto markets. Virtual Asset Service Providers across the region face growing AML/CTF expectations, and data-driven supervision is becoming the norm.
In the UAE, regulators further operationalized mature licensing regimes for exchanges, custodians, and other crypto service providers, and tightened marketing, conduct, and market-integrity rules. They also developed stablecoin and payment-token frameworks, prioritizing payments, settlement, and tokenized finance over speculative uses.
Saudi Arabia and Qatar moved from experimentation toward clarity. Qatar introduced a more structured digital asset framework, while Saudi Arabia focused on tokenization, CBDC pilots, and decentralized finance (DeFi) innovation, signaling a gradual expansion of regulatory scope.
Implications for brokers and their clients:
- Secure coverage for cross-border operational and custody risks, particularly for firms handling stablecoins, tokenized assets, or client funds across multiple regulatory regimes.
- Review professional liability and D&O policies to ensure protection against enforcement actions, supervisory penalties, or compliance failures tied to rapidly changing crypto regulations.
- Obtain coverage for regulatory investigations and enforcement costs, including legal defense expenses arising from AML, sanctions, or market-conduct inquiries.
Source: Chainalysis (December 23, 2025). 2025 Crypto Regulatory Round-Up: What Changed and What’s Ahead.
Rising Legal Exposure as AI Becomes Embedded in Healthcare
AI has great potential for transforming healthcare in the EU, but a lack of clarity about liability has slowed its adoption. Medical AI is classified as a medical device under the Medical Device Regulation (MDR), but when the EU AI Act is introduced, it will also be treated as a high-risk AI system, heightening providers’ exposure and compliance obligations.
Providers of high-risk AI must have robust risk management plans, transparent documentation, and must use high-quality training data. Continuous monitoring and human oversight are also required.
A revised EU Product Liability Directive will soon allow patients harmed by defective AI to claim compensation regardless of fault, and caps on liability for personal injury will be removed.
Liability often extends across supply chains, meaning developers, integrators, and device manufacturers can be jointly responsible for harm. Post-deployment control adds further complexity.
Consider a scenario involving an incorrect diagnosis from an AI model within an ultrasound device. If that model underperforms due to issues with its training data, the manufacturer could be held strictly liable. However, they might seek compensation from the upstream AI provider if the error was a result of their software development process.
Legal professionals have advised firms to allocate risk within contracts, clearly define scope of use, provide detailed performance disclosures and scenario-based guidance, and bring in human judgment where necessary.
Implications for brokers and their clients:
- Strengthen product and professional liability coverage to account for strict liability exposure under the EU Product Liability Directive, especially for AI-driven diagnostic and decision-support tools.
- Ensure policies address shared and upstream liability, covering claims that may arise from failures in training data, third-party AI components, or integrated software supplied by external vendors.
- Review coverage for post-deployment risks, including errors arising from model drift, inadequate human oversight, or failures to meet evolving regulatory and documentation requirements under the EU AI Act.
Source: Bird & Bird (September 1, 2025). Liability of Healthcare AI Providers in the EU: How to Navigate Risks in a Shifting Regulatory Ecosystem.
Trust Wallet Assures Coverage for Users Affected by $7 Million Chrome Extension Breach
In late December 2025, Trust Wallet’s Google Chrome browser extension was compromised. According to blockchain security firm SlowMist, the extension hosted malicious code that could iterate through stored wallets, prompt users for their mnemonic recovery phrases, and transmit decrypted data to a server under the threat actors’ control.
In parallel, a phishing attack was launched. Fake social media accounts directed users to a spoofed website disguised as a Trust Wallet fix, where they were asked to enter their recovery phrases.
Most of the funds were routed to crypto exchanges, while some remain in attacker-controlled wallets. Researchers have suggested the attack may be linked to an Advanced Persistent Threat group.
In response to the incident, Trust Wallet urged all users to update to version 2.69 and warned that only official channels should be trusted for updates and communication. The company has assured users that it will compensate those affected for their losses.
Implications for brokers and their clients:
- Ensure crypto custody insurance addresses scams that involve social engineering as well as direct system intrusion.
- Ensure policies cover third-party and supply-chain failures, including breaches arising from compromised extensions, app updates, or external service providers.
- Review incident response and reimbursement protections, ensuring coverage includes customer restitution, investigation costs, and regulatory or legal expenses following a large-scale security incident.
Source: Bitdefender (December 30, 2025). Trust Wallet Chrome Extension Hack Drains $7 Million in Crypto; Users Urged to Update and Protect Wallets.