Artificial intelligence doesn’t exist in a vacuum. It runs on infrastructure that is increasingly constrained, contested and, in many cases, outside a company’s control.
That reality is starting to surface in subtle ways. Vendors are adjusting access to AI capabilities, introducing tiered usage models and quietly reshaping what customers can expect from their tools. Microsoft, for example, has already shifted features and access within its Copilot ecosystem, signaling that capacity is not unlimited.
This isn’t new. In the early days of the internet, service providers could throttle access based on demand or pricing tiers until regulation stepped in to standardize availability. AI is beginning to follow a similar trajectory but with a more complex set of constraints: power availability, data center capacity, geopolitical risk and vendor concentration.
What makes this different is how quickly AI is being embedded into core business workflows. Nearly three-quarters of organizations are already using AI to automate processes across multiple business functions. Yet most have done little to account for the business interruption risk that creates. Many enterprises treat AI as always-available infrastructure. In reality, it is capacity-constrained, vendor-dependent and vulnerable to disruption.
The next phase of AI maturity isn’t about adoption. It will be about resilience, continuity and dependency management.
The question is no longer whether work can get done without AI. It is whether businesses can operate at the speed and volume they have already committed to without it.
Many organizations have redesigned workflows around AI-enabled efficiency. Tasks that once took hours now take minutes. Teams have been streamlined, and service-level commitments have been tightened. In many cases, entire operating models assume continuous AI availability.
In practice, it doesn’t hold. Even short disruptions can expose the gap. During a recent Microsoft services outage, some organizations lost access to AI models embedded in their workflows. Employees had to manually process tasks that had been automated — slowing operations and creating backlogs almost immediately.
At a small scale, that’s manageable. At the enterprise scale, it becomes a continuity risk. Planning for AI disruption starts with a mindset shift. Most continuity planning assumes degradation: systems slow down but still function. However, AI introduces scenarios where capabilities are unavailable altogether.
When building out a business continuity plan, three things are key:
This is not fundamentally different from how organizations approached cybersecurity a decade ago. What once felt optional is now baseline.
As AI becomes embedded in core operations, the financial exposure tied to its disruption is becoming harder to ignore. This exposure does not fit neatly into existing insurance frameworks.
There are parallels to the early days of cyber risk. Before stand-alone cyber policies existed, losses were often absorbed — or disputed — across general liability, crime and fraud coverage. Insurers responded by introducing exclusions and, eventually, dedicated cyber policies.
AI risk is following a similar path, but with additional complexity. Events like the CrowdStrike outage, which affected systems globally, raised questions about business interruption coverage, with organizations pursuing claims tied to financial losses. In that case, cyber coverage was a likely entry point.
AI introduces a different layer. A disruption may not be a cyber event at all. It could be tied to power grid constraints affecting data centers, vendor-driven capacity limits, regulatory restrictions or geopolitical events. The failure is external and not necessarily malicious, which raises a fundamental question: Where does the loss sit?
For most organizations today, the answer is unclear. That uncertainty is driving early conversations around stand-alone AI coverage. While those products are still evolving, the more immediate priority is understanding where exposure exists and where it may be underinsured.
That requires translating AI dependency into financial terms. What revenue is tied to AI-enabled workflows? What contractual obligations depend on those outputs? What happens if those capabilities are unavailable?
Until those questions are addressed, the risk remains largely unquantified.
Much of this exposure is concentrated in a small number of providers. The companies building and operating large-scale AI systems, such as OpenAI and Anthropic, are making real-time decisions about how their platforms operate under constraints. Those decisions shape how every dependent organization experiences performance, access and disruption.
That includes how capacity is allocated when demand exceeds supply, which features are available at different pricing tiers, how models are trained and governed and how infrastructure is expanded or limited based on power and regulatory conditions.
These are not purely technical considerations. They are business decisions made by third parties that directly affect your operations. As a result, choosing an AI partner is a dependency decision that will shape how your business operates under both normal conditions and disruption.
Three areas to consider:
There is no universal framework for making these decisions yet. Organizations are building their approach in real time.
AI is often framed as a competitive advantage. In many cases, it is. But as it shifts from a capability to core infrastructure that is shared, constrained and subject to forces beyond any single organization’s control, the risk profile changes fundamentally.
That dependency is the risk. Enterprises don’t need to slow down adoption. The pressure to move forward is real. But they do need a clearer view of what they are building on and what happens when that foundation is under strain.
This article is published as part of the Foundry Expert Contributor Network.
Want to join?
Arti Deshpande is a senior technology solutions business partner for Brown & Brown Insurance. In this role, she empowers and enables the adoption of data, analytics and AI across the enterprise to achieve business outcomes and drive growth. She also serves as a consultant and partner to embedded data delivery, analytics, data science and business teams, leading the strategic development and implementation of AI-powered technology solutions.
Robert Stines is the chief technology and intellectual property counsel at Brown & Brown, where he leads the cybersecurity and technology solutions legal team. A former US Army military intelligence analyst, Robert brings deep specialization in cybersecurity, privacy, data protection and emerging technologies. He previously served as a partner at Smith Gambrell Russell, LLP, and holds a JD from Stetson University College of Law and an MS in cybersecurity from the University of South Florida. Robert has authored numerous articles and contributed to the ABA’s “A Practical Guide to Cyber Insurance for Businesses.”
Mike Vaughan serves as chief data officer for Brown & Brown Insurance. In this role, he strategically partners with business leaders, analytics leaders, data scientists, data analysts, data engineers and technology teammates to provide solutions that address real business challenges and opportunities in a meaningful and scalable way and is a champion for the creation of a data-driven and innovation-focused culture to enable the organization to effectively use data in decision-making and product development.
Sponsored Links
