A New Risk Category That Acts on Its Own
The risks Indian corporates have learned to manage from artificial intelligence have until recently been the risks of a tool: a model that produces a wrong answer, leaks data, or embeds bias, with a human in the loop to catch and correct it. Agentic AI changes the shape of the problem. An agentic system does not merely answer; it acts. Given a goal, it can plan, call other systems, make decisions and execute steps, sometimes chaining many actions together, with the human supervising the outcome rather than approving each move. As these systems move from pilots into production across Indian enterprises, in customer operations, finance, procurement, software and risk functions themselves, they introduce a category of risk that behaves differently from anything already on the register.
The difference that matters for a risk manager is autonomy. When a system can take actions in the real world (place an order, move money, change a record, send a communication), the failure modes expand beyond a wrong output to a wrong action with downstream consequences that may be hard to reverse. An agent that misinterprets a goal, is manipulated through its inputs, or chains a sequence of individually plausible steps into a harmful outcome can cause loss before a human notices. The professional risk community has recognised this: industry forums in India have begun convening specifically on agentic AI risk management, with sessions in mid-2026 on risk appetite, mapping agentic risks and controls, and how to govern autonomous systems, signalling that this has moved from a research curiosity to a live board-level concern.
The regulatory backdrop reinforces the point. The insurance regulator's information and cybersecurity guidelines for regulated entities, and the direction in which they are being strengthened, raise the governance and minimum standards expected against emerging risks, part of a wider trend in which boards are expected to take active ownership of technology and cyber risk rather than delegating it. The principle, that autonomous and digital systems require governed controls and board-level oversight, applies just as forcefully to the corporates deploying agentic AI as to the insurers and intermediaries the guidelines bind. For the risk manager, the task is to bring this new category onto the register, govern it, and understand how it maps onto the insurance programme.
How Agentic AI Risk Maps Across the Insurance Programme
One of the hardest things about a genuinely new risk is that it does not arrive with its own neatly labelled insurance line. Agentic AI risk does not map to a single policy; it spreads across several existing lines depending on what goes wrong and who is harmed, and understanding that mapping is essential to knowing where the company is covered, where it is exposed, and where the wording may not have caught up.
The main lines an agentic AI failure can touch:
- Cyber insurance. Where an agent is compromised, manipulated through its inputs (so-called prompt injection or data poisoning), or used as a vector to access or exfiltrate data, the event looks like a cyber incident and may engage a cyber policy's first-party and third-party covers. But buyers should not assume cyber wordings, drafted around network intrusion and data breach, cleanly capture an autonomous system that was not hacked in the traditional sense but simply acted wrongly. The fit needs testing.
- Professional indemnity. Where a company uses an agentic system in delivering professional services or advice to clients and the system causes a client loss through a negligent act, error or omission, the exposure is a professional liability one. The question is whether the policy responds when the negligent act was, in effect, performed by an autonomous system rather than a named professional, and whether the wording contemplates that.
- Product liability. Where the company builds agentic AI into a product or service sold to others and a defect or malfunction causes injury or damage, the exposure shades into product liability. Software and AI have an uneasy relationship with traditional product-liability wordings, and the boundaries are being tested.
- Directors and officers liability. Where an agentic AI failure causes a significant loss and shareholders or regulators allege the board failed to govern the technology adequately, the claim lands on the directors and officers. As boards are increasingly expected to own technology and AI risk, the governance-failure exposure is real and growing.
- General third-party liability. Where an agent's action causes injury or property damage to a third party in the physical world, ordinary liability principles and cover are engaged.
The practical problem is twofold. First, gaps and overlaps: a single agentic failure might plausibly touch two or three of these lines, and the buyer needs to know which would actually respond, how they interact, and whether any exclusion leaves a hole between them. Second, wording lag: most of these policies were drafted before autonomous agents were a live exposure, so a wording may neither clearly include nor clearly exclude an agentic-AI loss, leaving the coverage uncertain exactly when certainty matters most.
The Insurable Answer Starts With Controls, Not a Policy
The instinct when a new risk appears is to ask what policy covers it. For agentic AI that instinct is the wrong starting point, because the risk is novel enough that insurers will price and even decline it largely on the strength of the controls a company has around its autonomous systems. The insurable answer starts with governance: a company that can demonstrate it governs agentic AI well is both less exposed and far better placed to secure and rely on cover. Controls are the foundation; the policy sits on top.
The core controls a risk manager should expect to see, and to evidence, around agentic systems:
- An inventory and ownership of every agentic system in production. A company cannot govern what it has not catalogued. Each agentic system should be recorded with its purpose, the actions it is permitted to take, the systems it can touch, and a named owner accountable for it. An agent operating outside this inventory, so-called shadow AI deployed by a team without governance, is the clearest sign of an ungoverned exposure.
- Bounded authority and least privilege. An agent should be able to take only the actions its task genuinely requires, with hard limits on consequential actions (moving money above a threshold, changing critical records, communicating externally) that route those actions to a human for approval. The blast radius of a misbehaving agent is determined by the authority it was given, so constraining authority is the single most powerful control.
- Human oversight calibrated to consequence. Not every action needs human approval, but the more irreversible or material the action, the more a human should sit in or on the loop. The control is to match the level of oversight to the stakes of the action rather than applying a blanket policy.
- Monitoring, logging and a kill switch. Agentic systems should be observable in real time, with their actions logged, anomalies flagged, and a reliable means to halt an agent that is behaving badly before it compounds the harm. Speed of detection and intervention directly limits the loss.
- Testing, validation and change control. Agents should be tested against adversarial inputs and edge cases before deployment and after any change, because an update can alter behaviour in ways that reintroduce risk.
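The inventory, bounded-authority, consequence-based approval, audit-log and kill-switch controls above can be enforced at a single choke point in front of whatever tools an agent is allowed to call. The following is an added illustration written for this article, not code from any product or vendor it mentions: a small action gate that looks each request up in the inventory, denies anything outside the agent's permitted actions and systems, escalates consequential actions to a human above a per-action threshold, logs every decision, and trips the kill switch after a run of denials. The agent identifiers, action types, systems and monetary thresholds are constructed for the example.

```python
"""Action gate for agentic systems (illustrative, constructed example).

Enforces: inventory + ownership, bounded authority (allowed actions and
systems), human approval above a per-action threshold, an audit log, and a
kill switch that trips automatically after repeated denials.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class AgentProfile:
    """Inventory entry: purpose, owner, and the authority the agent was granted."""
    agent_id: str
    purpose: str
    owner: str
    allowed_actions: Set[str]        # action types the agent may perform at all
    allowed_systems: Set[str]        # systems the agent may touch
    # action type -> amount at or above which a human must approve (0.0 = always)
    approval_thresholds: Dict[str, float] = field(default_factory=dict)


@dataclass
class ActionRequest:
    agent_id: str
    action: str                      # e.g. "payment", "update_record", "send_email"
    system: str                      # e.g. "erp", "crm"
    amount: float = 0.0              # monetary value where relevant


@dataclass
class Decision:
    outcome: str                     # "allow" | "escalate" | "deny"
    reason: str


class AgentActionGate:
    # Consecutive denials that automatically halt an agent (constructed value).
    AUTO_HALT_DENIALS = 3

    def __init__(self) -> None:
        self.inventory: Dict[str, AgentProfile] = {}
        self.halted: Set[str] = set()
        self.audit_log: List[dict] = []
        self._denial_streak: Dict[str, int] = {}

    def register(self, profile: AgentProfile) -> None:
        """Add an agent to the inventory; unregistered agents are always denied."""
        self.inventory[profile.agent_id] = profile

    def halt(self, agent_id: str, reason: str) -> None:
        """Kill switch: stop every further action from this agent."""
        self.halted.add(agent_id)
        self._log(agent_id, "halt", None, "halt: " + reason)

    def resume(self, agent_id: str) -> None:
        """Release the kill switch after human review."""
        self.halted.discard(agent_id)
        self._denial_streak[agent_id] = 0

    def authorize(self, req: ActionRequest) -> Decision:
        """Decide whether an agent may act, needs a human, or is refused."""
        profile = self.inventory.get(req.agent_id)
        if profile is None:
            d = Decision("deny", "agent not in inventory (shadow AI)")
        elif req.agent_id in self.halted:
            d = Decision("deny", "agent halted by kill switch")
        elif req.action not in profile.allowed_actions:
            d = Decision("deny", f"action '{req.action}' outside bounded authority")
        elif req.system not in profile.allowed_systems:
            d = Decision("deny", f"system '{req.system}' not permitted for this agent")
        else:
            threshold = profile.approval_thresholds.get(req.action)
            if threshold is not None and req.amount >= threshold:
                d = Decision("escalate",
                             f"{req.action} of {req.amount} at/above {threshold}; "
                             "human approval required")
            else:
                d = Decision("allow", "within bounded authority")
        self._log(req.agent_id, req.action, req, f"{d.outcome}: {d.reason}")
        self._track_denials(req.agent_id, d)
        return d

    def _track_denials(self, agent_id: str, d: Decision) -> None:
        """Anomaly rule: a run of denials suggests a confused or manipulated agent."""
        if agent_id in self.halted:
            return
        if d.outcome != "deny":
            self._denial_streak[agent_id] = 0
            return
        self._denial_streak[agent_id] = self._denial_streak.get(agent_id, 0) + 1
        if self._denial_streak[agent_id] >= self.AUTO_HALT_DENIALS:
            self.halt(agent_id, f"{self.AUTO_HALT_DENIALS} consecutive denials")

    def _log(self, agent_id: str, action: str,
             req: Optional[ActionRequest], outcome: str) -> None:
        self.audit_log.append({
            "agent": agent_id, "action": action,
            "system": req.system if req else None,
            "amount": req.amount if req else None,
            "outcome": outcome,
        })


def build_demo_gate() -> AgentActionGate:
    """Constructed inventory: one accounts-payable agent with a payment threshold."""
    gate = AgentActionGate()
    gate.register(AgentProfile(
        agent_id="ap-agent", purpose="accounts payable", owner="finance-ops",
        allowed_actions={"read", "payment", "send_email"}, allowed_systems={"erp"},
        approval_thresholds={"payment": 50000.0, "send_email": 0.0}))
    return gate


if __name__ == "__main__":
    g = build_demo_gate()
    for r in (ActionRequest("ap-agent", "payment", "erp", 1200.0),
              ActionRequest("ap-agent", "payment", "erp", 75000.0),
              ActionRequest("ap-agent", "update_record", "erp")):
        print(r.action, g.authorize(r))
```

The gate is deliberately dumb: it never reasons about intent, it only compares a request with the authority recorded in the inventory, which is what makes its decisions auditable and what an underwriter can inspect. The threshold of 0.0 on external communication shows how "always needs a human" is expressed in the same mechanism as "needs a human above an amount".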
These controls do double duty. They reduce the likelihood and severity of an agentic-AI loss, which is the primary aim of any risk-management strategy and the reason controls come before cover. And they are exactly what an insurer will want to see when underwriting the cyber, professional-indemnity or other lines that an agentic exposure touches, because an insurer assessing a novel risk leans heavily on the quality of the insured's governance. A company that can produce its inventory, its authority limits, its oversight model and its monitoring is a far better risk and a far more credible buyer than one that cannot. The controls are simultaneously the loss-prevention strategy and the evidence that makes the risk insurable on reasonable terms.
Putting Agentic AI on the Register and Keeping It There
Bringing agentic AI risk under management is not a one-off project but an ongoing discipline, because the technology, the deployments and the threat landscape are all moving quickly. The risk manager's job is to give the risk a permanent home on the register, govern it through a clear cycle, and keep the insurance mapping current as both the exposures and the wordings evolve.
A sensible operating cycle:
- Identify and classify. Maintain the inventory of agentic systems and classify each by the consequence of failure, so attention and controls concentrate on the agents that can do the most harm. A low-stakes internal assistant and an agent authorised to move money or change customer records do not warrant the same scrutiny.
- Assess against appetite. Set an explicit risk appetite for autonomous action (what the company is willing to let agents do without a human, and where the line sits) and assess each system against it. This is the agentic equivalent of any risk-appetite statement and gives the board a basis to govern rather than merely observe.
- Control and transfer. Apply the governance controls described above to reduce the residual risk, then decide what residual exposure to retain and what to transfer, mapping the transferable part against the cyber, professional-indemnity, product-liability and directors-and-officers lines and addressing the gaps and wording lag the mapping reveals.
- Monitor and review. Because agentic systems and their risks change with each deployment and update, the register entry, the controls and the insurance mapping all need regular review rather than annual dusting. New agents, new authorities and new failure modes should trigger reassessment.
Throughout, two things keep the discipline honest. The first is board engagement: as regulators and the wider governance environment push boards to own technology and AI risk, the board should see the agentic-AI risk position, the controls and the coverage, and be able to question them, both because it is increasingly expected to and because a documented governance trail is what answers a later allegation that the board failed to oversee the technology. The second is keeping the insurance mapping current, because wordings will evolve as insurers respond to the exposure, and a coverage map that was accurate last year may not be this year.
The insurance-mapping work depends on being able to read and compare what policies actually say about emerging exposures like autonomous AI, line by line and insurer by insurer, rather than assuming. Sarvada gives commercial-insurance brokers and corporate risk teams structured, searchable access to insurer wordings and the intelligence around them, so the work of mapping a novel risk like agentic AI against real policy language, finding the gaps, overlaps and exclusions, can be done rigorously rather than from assumption. Risk teams governing agentic AI and the brokers advising them can Request Access to evaluate the platform for coverage mapping and programme design.