Insights: AI Risk
Amid growing use, cyber threats and trust concerns have also increased
July 2026On January 27, 2026, the Bulletin of the Atomic Scientists moved the Doomsday Clock to 85 seconds to midnight. Among the reasons cited was the advancement of “disruptive technologies,” including artificial intelligence (AI). While the Doomsday Clock is a symbolic measure rather than a specific risk indicator, its inclusion of AI reflects broader public concern about the governance of emerging technologies. For the actuarial profession—built on modeling risk and uncertainty—this warrants attention.
AI is increasingly becoming an integral part of work across the insurance industry. Most consumers interact with AI tools daily, with over half of U.S. consumers now using generative AI, according to Deloitte’s 2025 Connected Consumer Survey. Yet, according to the survey, only a fraction of consumers trust organizations to use the technology responsibly. While 76% of midsize organizations are engaged in generative AI initiatives, a RelyanceAI survey shows that only about 40% of consumers worldwide trust AI outputs. That gap between usage and trust is a material concern for any profession that serves the public interest.
The promises of AI are significant, but its broadening adoption also brings complexities, exposure and risks. Managing those risks will increasingly require enterprise risk management strategies. Many organizations are already successfully using AI with strong controls in place. For the actuarial profession, long-standing focus on model validation, risk governance, and professional accountability provides a strong foundation for evaluating and managing these emerging risks.
OPERATIONAL RISK: DEVELOPMENT SPEED
Roughly four years into the mainstream application of generative AI, the pace of adoption has been remarkable. Large language models (LLMs) have moved from novelty to infrastructure. Tools such as GitHub Copilot and Anthropic’s Claude Code have been implemented across enterprises of every size with consistent results: reduced labor costs, faster development and automation of tasks that previously required teams of skilled engineers.
Microsoft CEO Satya Nadella, in a recent article, acknowledged that roughly 20%–30% of code in certain code repositories (shared digital libraries where development teams store and manage their software) now originates from AI. Software that once took months to prototype can now be scaffolded (given a basic working structure, like framing a house before the finishing work) in days. However, as AI adoption grows, so does consumer apprehension. Deloitte’s 2025 Connected Consumer Survey reports that 82% of generative AI users say the technology could be misused, up from 74% in 2024.
There are, however, operational risks associated with these gains. To comprehend the scale of this, it helps to know how modern software is built. Developers work in cycles: they write code, then submit a pull request (a formal proposal to merge their changes into the shared codebase), which other team members review before approving. Think of it as a peer review process, much like an actuarial sign-off. One recent industry benchmark report found that pull requests per developer increased by about 20% year-over-year, while incidents per pull request rose by 23.5% and change failure rates increased by roughly 30%. In other words, developers are applying more changes faster, but each change is more likely to introduce defects. The key lesson here is stark: AI can accelerate development and reduce costs, but it is not inherently more reliable than humans.
These same issues are relevant to the insurance industry because it relies on similar software development lifecycles that both benefit from and are exposed to AI. Actuaries assessing AI-related risk may want to look beyond end-user applications—such as models or chatbots—to include AI’s role in the production and development process itself.
OPERATIONAL RISK: UPTIME
Application uptime (the measure of how reliably a system remains available to its users) has long been the gold standard of operational excellence in technology. The industry benchmark is “five nines,” or 99.999% availability, which translates to roughly five minutes of downtime per year. For context, that is the kind of reliability standard one might recognize from critical infrastructure: If a policy administration system or claims portal becomes unavailable, work stops, and obligations go unmet.
Evidence suggests that outages in production environments (the live systems that real users and businesses depend on daily) are increasing. Data tracked by IsDown.app, which monitors thousands of service status pages, indicates that outages were significantly higher in 2025 than in prior years, with an upward trend since 2022.
The rise in outages is often discussed in connection with growing system complexity and the expanded use of AI-assisted development. In a study of 470 open-source GitHub pull requests, CodeRabbit found that AI-generated submissions averaged roughly 11 issues per pull request, compared with about six for human-written code.
When code is generated faster than it can be reviewed, tested and understood, especially under pressure to deploy, the risk that defects reach production may increase. As development velocity accelerates, review and validation processes often struggle to keep pace, raising the likelihood that errors reach production systems. In this way, tools designed to improve productivity can, in some cases, introduce trade-offs with system stability. Although these software development dynamics may sit outside traditional actuarial workflows, the insurance industry’s reliance on cloud-based and third-party software creates similar exposure to outages and operational disruption.
For the actuarial profession, the implications extend in two directions: First, there are the applications organizations rely on. Actuarial work can depend on a chain of third-party software platforms: policy administration systems, claims management tools, data analytics environments, cloud infrastructure and regulatory filing portals. Many of these platforms are maintained by development teams that are increasingly using AI to write and update their code. If AI-generated code degrades the reliability of any link in that chain, the downstream effects may reach actuaries, whether or not they are using generative AI tools themselves. A pricing engine that goes down during a renewal cycle, a data pipeline that corrupts inputs to a reserving model, or a regulatory portal that fails before a filing deadline—these are plausible examples of disruptions. These events directly affect the quality and timeliness of actuarial work.
The second direction in which AI-assisted software development could impact the actuarial world is through applications developed and maintained within actuaries’ own organizations. Insurers and pension administrators increasingly deliver digital products to policyholders and plan members, including online portals, mobile apps, claims submission tools and retirement calculators. If these customer-facing systems are built and maintained with AI-generated code that is hard to understand or update (even with AI assistance), uptime risk becomes reputational risk. An outage or error in a client-facing application does not just create an IT ticket, it further erodes consumer trust. For a profession that prices and manages risk on behalf of the public, the reliability of these systems is increasingly relevant to actuarial risk discussions.
The trade-off is clear: AI coding may reduce costs, but it could also degrade code comprehension and uptime. The trade-off should be assessed with the same discipline brought to any risk-return analysis.
CYBER RISKS: RISKY BUSINESS
Beyond reliability, AI-generated code may introduce or amplify cybersecurity risk. Research found that when compared to human-written code, AI-generated code was 1.88 times more likely to introduce improper password handling, 1.91 times more likely to create insecure data access points and 2.74 times more likely to introduce cross-site scripting vulnerabilities (a common attack in which malicious code is injected into websites). Adversaries can exploit predictable patterns in machine-written code or use AI themselves to probe for weaknesses at scale.
As the Patch Tuesday 2025 Year in Review shows, Microsoft patched over 1,100 Common Vulnerabilities and Exposures (CVEs, a standardized catalog of known security flaws) in 2025 alone, the second-largest year for software vulnerabilities since 2020. This growth is at least partly attributable to AI-powered detection tools, identifying flaws that previously went unidentified, such as Microsoft’s own Security Copilot, which was used to discover vulnerabilities in GRUB2, U-Boot, and Barebox. At the same time, AI’s role in generating new vulnerabilities complicates the picture. For insurers writing cyber policies, the increased risk identification directly affects frequency and, therefore, aggregate loss assumptions.
AI is not only being used to probe software vulnerabilities, it is also being used to target organizations. As AI becomes embedded in everyday operations, attackers are already leveraging it to launch hyper-personalized phishing campaigns, deploy deepfakes and develop adaptive malware that evades traditional defenses. Moody’s has noted that 2026 may bring the first signs of fully autonomous cyberattacks as organizations adopt AI without adequate safeguards. Countering these AI-driven threats requires AI-powered defenses; organizations must, in some respects, fight fire with fire. However, AI is not a silver bullet, and robust security strategies must extend beyond AI tools alone.
This concern is echoed across the cybersecurity industry, according to the State of AI Cybersecurity 2026 report. Hyper-personalized phishing is the top worry among security professionals (50%), followed by automated vulnerability exploitation (45%), with adaptive malware and deepfake voice fraud at 40% each. In short: AI appears to be contributing to a changing cyber-risk landscape.
REPUTATIONAL RISKS
Consumer sentiment presents a distinct reputational risk for financial institutions deploying AI. Trust in AI-driven recommendations is particularly fragile in financial services: A TD Bank survey found that roughly two-thirds of consumers are most comfortable when AI operates behind the scenes in functions like fraud detection, with trust dropping sharply when AI is used to make autonomous decisions on complex financial matters. For actuaries, this skepticism has direct professional implications—institutions perceived as relying too heavily on opaque AI systems risk eroding the client trust that underpins their business model. Managing that perception is increasingly part of the broader risk landscape. At the same time, many organizations are investing in AI-enabled security tools, enhanced monitoring, and stronger governance frameworks to mitigate these risks, reflecting a broader shift toward more adaptive and resilient cybersecurity strategies.
HUMAN CAPITAL RISK: AI AND THE WORKFORCE
For actuaries, it appears AI is reshaping the nature of the work rather than eliminating it. The World Economic Forum projects a net gain of 78 million jobs globally by 2030, but with a critical timing mismatch between displaced and newly created roles. In practice, this likely means less time spent on routine calculations and more time devoted to judgment, interpretation and communication—the work that consumers still strongly prefer humans to do. Northwestern Mutual’s 2025 Planning & Progress study found that most Americans continue to trust financial advisors over AI tools alone.
However, expanding roles without corresponding training or resources may create risks of their own: burnout, oversight errors, and a growing gap between expectations and capabilities. A survey shows that nearly seven in ten workers who use generative AI on the job say they rely on their own tools, accessed through personal devices or accounts. This “shadow AI” trend raises significant compliance and governance concerns. As AI systems become more deeply embedded in the day-to-day work, both productivity and risks are magnified. Like a shovel, more can be done with AI, but more errors can also occur without appropriate level of controls.
THE TROJAN HORSE
When a towering wooden horse appeared at Troy’s gates in Homer’s “Iliad,” the Trojans marveled at its grandeur, never pausing to question what lurked within. AI presents a strikingly similar dilemma: Dazzled by its capabilities, we risk overlooking the creeping threat of “AI slop,” where quantity devours quality, and the noise drowns out the signal.
Glossary
Here’s a handy list of AI-related terms used in this article.
Application uptime. Measure of how reliably a system remains available to its users.
Production code. Software deployed in live environments serving end users.
Code repositories. Shared digital libraries where development teams store and manage their software.
Cross-site scripting. A common attack in which malicious code is injected into websites or web applications.
Production environments. Live systems that real users and businesses depend on daily.
Scaffolded. Given a basic working structure, like framing a house before executing the finishing work.
Pull request. Formal proposal to merge changes into the shared codebase.
Vulnerabilities. Weaknesses in software, systems or processes that may be exploited by attackers.
Common Vulnerabilities and Exposures (CVEs). A standardized catalog of known security flaws.
The output looks convincing. It may even be partly right. But partly right can create a distinct risk. In our software solutions, this partly right code can pass review, ship to production environments and be deployed into live systems. It can embed itself in decisions before anyone identifies the error.
Logical issues can cause serious problems in production, the kinds of outages that have to be reported to shareholders. A study shows that outages and incidents increased in 2025 compared to prior years, continuing an upward trend observed since 2022. While this rise coincides with the mainstream adoption of AI-assisted coding, it also reflects broader factors such as increasing system complexity and faster deployment cycles. The reputational stakes are just as high: Organizations have faced scrutiny after AI-assisted reports were found to contain fabricated citations and references. Flawed logic can propagate through dependent systems. Similarly, in the actuarial world, a bad assumption in one model can feed into another and spread. Left unchecked, this is not a minor operational risk.
Importantly, these risks are not without mitigation. Existing actuarial standards, model governance practices, and regulatory oversight frameworks provide a foundation for identifying, monitoring and managing such issues when applied rigorously to AI-enabled systems.
PROFESSIONAL SKEPTICISM IS A MUST
Our message to actuaries is simple: Engage with AI critically and with the same professional skepticism applied to any model or assumption. It is essential to understand our tools‘ limitations, not just their outputs. We should not allow the pursuit of efficiency to compromise reliability, transparency or professional integrity.
In practical terms, this may mean incorporating additional questions for the applications we depend on and the teams that build them. Ask software vendors how they govern AI-generated code. Do developers review every AI-produced change before it reaches production, or are they relying on speed over scrutiny? Ask about uptime commitments and whether failure rates have changed since AI tools were adopted.
READY FOR MORE?
The SOA’s AI Research landing page has the latest trends and reports.
The SOA’s Actuarial Intelligence Bulletin informs readers about advancements in actuarial technology.
For organizations with in-house development teams, actuaries should advocate for the same transparency. What percentage of code is AI-generated, and who is accountable when it fails? These are the same questions we would ask about any model assumption or data source. Just as an actuary would not sign off on a mortality table without understanding the underlying methodology, we should not accept AI-assisted systems without understanding how they are built, reviewed and maintained. The discipline remains the same; only the domain differs.
“Eighty-five seconds to midnight” is a powerful reminder that emerging risks deserve careful attention. As new technologies enter the profession, the challenge is to recognize both their promise and potential consequences. We are confident that actuaries are up to the task.
The authors would like to thank Corey Grigg, Shirley Song, Elena Zhang and Ken Coehlo for their contributions to the article.
Statements of fact and opinions expressed herein are those of the individual authors and are not necessarily those of the Society of Actuaries or the respective authors’ employers.
Copyright © 2026 by the Society of Actuaries, Chicago, Illinois.

