# Insurance Deck: EdisonWatch
> Text mirror of the Edison slide deck, generated from source for AI agents and readers who can't run the interactive deck. Slides are visual; this is their copy, in order. Regenerate with deck-assets/scripts/extract-deck-content.mjs.
## 1. Title
- Cyber cover for the age of AI agents
- Every insured runs Edison's control layer; every agent action becomes auditable underwriting data. Lloyd's capacity is what we're here to secure.
- Built with
- University of Oxford
- Wayve
- Citadel Securities
- VMware
- Synopsys
Images: Edison Watch; CG Insurance; Markerstudy Group
## 2. The Exposure
- THE EXPOSURE
- Businesses are wiring agents into email, files, databases and internal systems. An agent that leaks data, is hijacked, or executes an unauthorised action is a loss event legacy cyber models don't capture.
## 3. The Incidents
- The Incidents
- Agents are already leaking data, causing havoc
- Same root cause every time - the lethal trifecta: an agent with private data, untrusted content, and a channel out. Would-be claims - data breach, business interruption, unauthorised action - that no wording yet names.
- Read more
- ChatGPT
- Apr 2023
- Google Bard
- Nov 2023
- GitHub Copilot
- Jun 2024
- Microsoft Copilot
- Aug 2024
- Slack AI
- ChatGPT Operator
- Feb 2025
- M365 Copilot
- Jun 2025
- EchoLeak
- ChatGPT Deep Research
- Sep 2025
- ShadowLeak
- Notion AI
- Jan 2026
- Claude Cowork
- agents.fail
- Simon Willison
- The Economist
Sources: https://simonwillison.net/2023/Apr/14/new-prompt-injection-attack-on-chatgpt-web-version-markdown-imag/ , https://simonwillison.net/2023/Nov/4/hacking-google-bard-from-prompt-injection-to-data-exfiltration/ , https://simonwillison.net/2024/Jun/16/github-copilot-chat-prompt-injection/ , https://simonwillison.net/2024/Aug/14/living-off-microsoft-copilot/ , https://simonwillison.net/2024/Aug/20/data-exfiltration-from-slack-ai/ , https://simonwillison.net/2025/Feb/17/chatgpt-operator-prompt-injection/ , https://www.hackthebox.com/blog/cve-2025-32711-echoleak-copilot-vulnerability , https://thehackernews.com/2025/09/shadowleak-zero-click-flaw-leaks-gmail.html , https://www.promptarmor.com/resources/notion-ai-unpatched-data-exfiltration , https://securityboulevard.com/2026/01/vulnerability-in-anthropics-claude-code-shows-up-in-cowork/ , https://agents.fail , https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/ , https://www.economist.com/leaders/2025/09/25/how-to-stop-ais-lethal-trifecta
## 4. Why Unpriceable
- We bring the data.
- Price it blind
- Proposal forms only started asking about AI in 2025. Governance checkboxes.
- Lloyd's own market survey ran “in the absence of market underwriting and claims data on AI exposures”. (LMA, 2026)
- Carry it silently
- 1 in 5 saw a client suffer an AI-related loss in the past year.
- “‘Accidental’ capacity” for events “neither modelled nor priced”. (Gallagher Re, 2026)
- Exclude it
- ISO shipped standard gen-AI exclusions for 1 Jan 2026.
- AIG, Great American, W.R. Berkley filed. LLM risk is “too much of a black box”. (Mosaic)
- The Gap
## 5. The Product
- The Product
- one product
- Think seatbelt maker partnered with a motor insurer: we build the control that de-risks the policy, remunerated via a technology and data fee inside the binder.
- AI-agent loss only, written alongside existing cyber.
- Control
- Dangerous agent actions blocked before they execute.
- Data
- A live, quantified risk profile per insured.
Images: Edison product: blocked agent action; Edison product: session audit trail
## 6. Claim Scenario
- GDPR BREACH
- 15,000 customer records exposed - ICO-reportable, tariff fines
- Illustrative upper build-up ~$3.7M (components overlap, so not a straight sum). Context: IBM's global average breach is $4.44M; sub-500-employee average $3.3M (2023).
- Illustrative scenario, not a loss pick. IBM's per-record cost already includes response and lost business, so lines overlap. Anchors: IBM Cost of a Data Breach 2025 and 2023 · Coalition 2026 Cyber Claims Report · Salesloft Drift remediation pattern (Google GTIG). Record count assumed; ranges reflect anchor uncertainty.
- Email-connected agent at a 200-person SME reads a poisoned message
- Injected instructions walk the CRM out through the agent's own connectors
- Exfiltration is service-side: no victim logs to scope the leak (Radware, ShadowLeak; since patched)
- Firm must assume full-CRM compromise: 15,000 customer records (illustrative assumption)
- A routine cyber claim: market average, all causes
- $116K
- Coalition 2026 claims report
- First-party
- 3 days: agent + CRM integrations suspended
- $190K-$600K
- Illustrative; conservative vs ITIC
- Business interruption
- Full-CRM exposure: 15,000 × $160 per record
- $2.4M
- IBM CODB 2025, customer PII
- GDPR / ICO liability
- Uplift where the agent was unsanctioned
- +$670K
- IBM 2025, vs low-shadow-AI orgs
- Shadow-AI uplift
- Claim Scenario
- Illustrative loss build-up for the ShadowLeak class of event, from published anchors.
Images: GDPR
## 7. The New Layer
- Every risk became an opportunity once someone built the layer to rate it. AI agents are that opportunity now - and Edison is the first layer built to feed the underwriter.
- Break-ins with stolen passwords
- Identity & MFA
- Okta
- Rated today
- Malware on laptops
- Endpoint detection
- CrowdStrike
- Network attacks
- Firewalls
- Palo Alto Networks
- AI agents acting on company data
- AI agent control layer
- Edison
- The opportunity
- Insurers already rate for MFA, EDR and firewalls. Edison is their opportunity to rate for AI agents.
## 8. Telemetry to Rating
- ↺ safer behaviour → better loss ratio → cheaper cover
- Insured Risk Profile · Edison admin console. The control that lowers the loss is the control that prices it.
- And claims settle faster - the live log is the loss adjuster.
- No AI-specific insurer prices from in-line agent telemetry today: the market rates on pre-bind audits and external litigation data. Day one: control efficacy evidenced at bind from gateway logs the underwriter audits directly - the insurer verifies, Edison does not self-certify. As experience accrues it becomes a rating input at renewal; live pricing is the end-state.
- Per-action risk classification
- every tool call, in real time
- Quantified risk profile per insured
- attempts · violations · reachable data
- Rating factors, not questionnaires
- evidenced at bind · audited at renewal
- Lower premium for safer insureds
- the thesis: better loss ratio funds the discount
- Telemetry to Rating
Images: Insured Risk Profile page in the Edison admin console
## 9. Structure & Distribution
- Product distributed to market
- ) : n.logo ? (
- An existing book to prove it in a real environment - the Lloyd's Lab is the missing piece that supplies the capacity.
- neutral
- edison
- lab
- Existing customer base
- AI augmentation platform
- Lloyd's broker
- The sandbox - the missing piece
- Suitable syndicate
- Capacity partner
- Structure & Distribution
## 10. Protection Gap
- The least-insured major peril
- Fewer than one dollar in 100 of cyber loss carries insurance.
- Cyber insurance is under 1% of global P&C premium (~$15bn market); the Geneva Association puts ~90% of cyber losses uninsured. Munich Re / Geneva Association.
- Market
## 11. Market
- Munich Re 2026
- Gartner 4Q25
- past
- future
- ghost
- cyber
- ai
- ~$15B
- ~$28B
- $25.9B
- $51.3B
- M C , ,
- M C , 606 , 640 L 640 C 606 , , L C , , C , , Z
- Market
- Two worlds - cyber insurance and AI cybersecurity - merging into one product.
Sources: https://www.munichre.com/en/insights/cyber/cyber-insurance-risks-and-trends-2026.html , https://www.gartner.com/en/newsroom/press-releases/2026-1-15-gartner-says-worldwide-ai-spending-will-total-2-point-5-trillion-dollars-in-2026
## 12. Partners
- Recommended to Lloyd's Lab by Joe Barnard, Markerstudy Group.
- CG Insurance
- Anchor partner · Lloyd's broker
- CG Insurance (Clegg Gifford) is a Lloyd's broker inside the top-3 UK MGA Markerstudy Group. Initial book from its commercial / SME clients; co-developing with Lee Welham and Toby Clegg, with Joe Barnard lining up senior Lloyd's underwriter support ahead of capacity.
- Co-developing
- Trium Cyber
- Syndicate 1322 · managing agent Asta
- Traditional cyber writers, in discussions on the approach.
- In discussion
- Partners
Images: Markerstudy Group
## 13. Team
- TEAM
- Applying AI, Cyber, Infra experience from…
- Insurance partners
- Eito Miyamura
- CEO / Member of Technical Staff
- CS @ Oxford
- Ilia Manolov
- Member of Technical Staff
- Dimitrios Karkoulis
- Senior Engineer · 20+ yrs
- University of Oxford
- Wayve
- Citadel Securities
- VMware
- Synopsys
- Toby Clegg
- CEO · Clegg Gifford
- Lee Welham
- CG Insurance / Markerstudy
- Joe Barnard
- Markerstudy Group · broker
- LinkedIn
Images: Oxford; Trium Cyber
## 14. Programme Ask
- Demo Day: a wording the market has marked up · a rating model it helped build · capacity that has seen the telemetry · pilot pipeline. Target: first risks bound H1 2027.
- Cyber underwriters
- Rating workshops: map agent behaviours to loadings a box would accept
- Wordings & claims
- Trigger language, attribution standard, the claims journey for a new peril
- Exposure management
- Event definition, accumulation RDS, aggregate structure
- Coverholder operations
- Binder mechanics, audit standards, telemetry access for the syndicate
- Wk 1
- Welcome Week + mentor match
- Wk 2-4
- Wording draft + underwriter deep-dives
- Wk 5-6
- Rating workshops (in person)
- Wk 7-8
- Accumulation pressure test
- Wk 9-10
- Capacity LOIs, pilot pipeline, Demo Day
- The 10 Weeks
- We bring the control layer, the telemetry, and an MGA ready to distribute. The Lab brings the market - and takes it the last mile to bound business.
## 15. Accumulation
- The common-mode shape is not hypothetical - it is the shape of the losses the market already fears. What the agentic version still lacks is a wording that names the peril and an accumulation model for it. Workstream 3 builds the RDS-style scenario set with the market's exposure-management mentors.
- Salesloft Drift, Aug 2025
- One compromised connector: 700+ organisations' Salesforce data taken in ~10 days (Google GTIG)
- One supplier, whole book
- EchoLeak, Jun 2025
- CVE-2025-32711: zero-click against M365 Copilot; every tenant exposed until the server-side patch
- One vuln, entire install base
- AgentFlayer, Black Hat 2025
- One injection pattern demonstrated against ChatGPT, Gemini, Salesforce Einstein, and Cursor + Jira
- One technique, many products
- Marks & Spencer, Apr 2025
- Social-engineering intrusion; ~£300m operating-profit hit, online orders suspended for weeks
- One intrusion, whole business
- Jaguar Land Rover, 2025
- ~£1.9bn loss, the most damaging cyberattack in UK history; production halted across plants
- One attack, whole operation
- Event definition
- One common vector within 72h = one event, one aggregate cap.
- Limits sized to the RDS
- Per-insured and per-event caps hold the disaster scenario within the binder's aggregate limits.
- Correlation measured
- Telemetry shows which insureds share models and connectors, per book, per week.
- Control = mitigant
- Poisoned connector quarantined fleet-wide in minutes, mid-event.
- Accumulation
## 16. Scope
- This policy responds
- Already served by existing cyber
- The peril is data security; the trigger is an agentic action - a tool call on the gateway's record. No agent action on the record, no response. Attribution is evidence, not argument.
- An agent leaks or exfiltrates data
- An agent is hijacked (prompt injection)
- An agent takes an unauthorised action
- Ransomware, network intrusion
- mature controls + cover
- Phishing & social engineering of people
- IT failure, outages, everything else cyber
- existing cyber policy
- Scope
- Complementary to the existing cyber policy, not a replacement - it prioritises the new, underserved peril. Overlap resolved in the wording (other-insurance clause, workstream 1).
## 17. Competitive Landscape
- Who
- Risk signal
- Control
- Closest analogue: active cyber. The difference is where the telemetry comes from: outside-in scans of the perimeter vs the agent's own actions, in-line, with enforcement.
- Armilla AI
- AI-liability MGA & Lloyd's coverholder; insures model underperformance + performance warranties
- Armilla
- AI performance / liability
- Pre-bind model evaluation
- None at runtime
- Exona Lab
- Systemic-AI-risk analytics engine for underwriters (Lloyd's Lab Cohort 16)
- None - analytics only
- Modelled systemic-risk quantification
- Relm Insurance
- Bermuda specialty carrier; affirmative AI-liability wordings (NOVA / PONTA / RESCA AI)
- Specialty AI-liability wordings
- Bespoke underwriting / questionnaires
- Coalition · At-Bay
- Active cyber / InsurSec: cyber policy paired with attack-surface scanning + incident response
- Coalition
- At-Bay
- Full cyber
- Outside-in perimeter & endpoint scanning
- Detect & respond, after the fact
- Edison + MGA
- In-line control of the agent itself, with the live telemetry priced into cover
- Affirmative AI-agent cover
- In-line, per-action agent telemetry
- Blocks & quarantines in-line
- Landscape
- Same ecosystem, the next layer none of them instrument. Others insure the model or scan the perimeter; only Edison prices from in-line, per-action control of the agent itself.
- + MGA
Images: Edison
## 18. The Lethal Trifecta
- Threat research
- AI agents with data access + untrusted content + external comms = data exfiltration
## 19. Trifecta Defence
- The gated call: egress held for approval, auto-denied on timeout
- Threat research
- Ungated, a poisoned email exfiltrates data. Gated, the leak is blocked at the point of egress.
Images: Edison approval dialog blocking an email send after the agent handled secret data
## 20. Live Exploits
- Threat Research
- Live exploits, publicly demonstrated
- Not lab hypotheticals. Working exploits against real, shipping AI products - demonstrated publicly by Edison's founder.
- linkedin
- Eito Miyamura
- @Eito_Miyamura
- We got ChatGPT to leak your private email data \u{1F480}\u{1F480}\n\nAll you need? The victim's email address.\n\nOn Wednesday, @OpenAI added full support for MCP (Model Context Protocol) tools in ChatGPT. Allowing ChatGPT to connect and read your Gmail, Calendar, Sharepoint, Notion…
- 1.5M views
- 12 Sep 2025
- Founder, edison.watch
- Perplexity Comet's AI Agent just bankrupted your company
- Exploit demo video · LinkedIn post
- 1,265 reactions
- 21 Oct 2025
- Clawdbot just injected malware into your code
- 928 reactions
- 27 Jan 2026
- Real, shipping products
- Zero-click data exfiltration
- Prompt injection in the wild
- Publicly documented
## 21. Further Reading
- Appendix
- Further reading
- blog
- notebook
- Agentic AI Disrupts Traditional Data Security
- 3 min
- Interactive visual
- Blog post
Sources: https://edisonwatch.substack.com/p/agentic-ai-disrupts-traditional-data
## 22. How Edison Works
- Server inventory & auto-quarantine
- Deterministic enforcement at the connector boundary; bypass prevention and full product detail in the slides that follow.
- Control layer
- Each attempted action is risk-classified in real time and allowed, controlled, or blocked by policy. The leak is stopped at the moment of action, not alerted after data has left.
Images: Edison server inventory with auto-quarantine and access control
## 23. The Audit Trail
- Session records: metadata only, payloads never stored
- Control layer
Images: Edison session monitoring: tool calls with status and data-access class
## 24. Stack Integration
- Policy
- tells the business what agents should do.
- Runtime control
- shows and enforces what they actually do.
- AI governance
- Policy · GRC · approved use cases
- The insured's AI agents & copilots
- Agent access
- Tool use
- Data movement
- Runtime activity
- in
- out
- Live
- Planned
- IAM
- Identity in
- SOC
- Audit logs out
- GRC
- Compliance evidence
- DLP
- Egress signals
- Where it sits
- policy in
- every agent routes through
- M4 6l5 -4l5 4
- M4 16l5 4l5 -4
Images: Edison
## 25. Shadow AI / MCP Discovery
- New extension caught on the device: add to Edison, or it stays quarantined
- Control layer
- MCP (Model Context Protocol) is the standard way agents connect to tools and data. Edison sweeps every client config on the insured's devices and inventories each MCP connector with an allow / block verdict.
Images: Edison dialog: new AI extension detected, add to Edison or auto-quarantined
## 26. Automatic Quarantine
- Admin overview: quarantined server awaiting approve / reject
- Control layer
- Shadow AI / MCP: unvetted connectors detected and quarantined before any data can leave the insured's environment.
Images: Edison admin overview: quarantine request pending approve or reject
## 27. Fleet-wide Connector Control
- The employee's view: org-approved servers, ready to use
- Control layer
- Admins approve connectors centrally in the gateway. Every device in the insured's fleet runs the same vetted set.
Images: Edison My MCPs: the employee's view of org-approved servers, ready to use
## 28. User Accountability
- Control layer
- Risky actions auto-denied or routed to a named approver. Every agent action has an accountable human owner - attribution holds when a loss is investigated.
## 29. Endpoint Deployment
- Every AI client on the device, detected & connected
- Control layer
- Single installer, guided setup. Every AI client on the device is detected and brought under the gateway - low friction, so the control actually gets deployed.
Images: Edison Watch desktop app with every AI client on the machine connected
## 30. Appendix
- Appendix