OCIF · OneCompliant Cyber Insurance Framework

Making Enterprise AI Insurable.

Traditional cyber underwriting relies on static questionnaires — but AI risk changes continuously. OneCompliant introduces runtime governance and continuous risk scoring to help organisations demonstrate control, reduce exposure, and support informed underwriting decisions.

How it works

From AI environment to insurance assessment.

AI Environment
Aegis
Runtime Controls
Continuous Risk Score
Insurance Assessment
The Gap

AI risk is changing cyber insurance — most underwriting models haven't caught up.

The insurance industry's own research is unambiguous: businesses want to insure their AI risk, but insurers struggle to supply the cover — because they cannot verify AI risk, or how a business actually governs it. That information asymmetry is the core barrier to insurability.

90%+
of businesses want insurance for Gen-AI-related risks
2 in 3
would pay at least 10% more in premiums for it
$4.7bn
projected AI insurance market by 2032

Sources: Geneva Association, "Gen AI Risks for Businesses: Exploring the role for insurance" (2025); market projection per Deloitte (2024).

Traditional cyber underwriting evaluates
  • ·  Multi-factor authentication
  • ·  Backups
  • ·  Vulnerability management
  • ·  Incident response
It rarely evaluates — and OCIF does
  • +  AI governance
  • +  AI agents & autonomy
  • +  AI data exposure
  • +  AI attack surface
  • +  AI regulatory exposure
The Framework

A repeatable instrument that closes the gap.

OCIF takes a standard cyber proposal plus a structured AI assessment and produces a defensible, comparable AI-risk rating — so an underwriter can price it, an insured can qualify for it, and both can see exactly where the risk sits and what would move it.

Measure posture

Governance maturity

Cyber, AI Governance, and Compliance scores from the controls and questionnaire — mapped to EU AI Act, NIST AI RMF, and ISO 42001.

Measure exposure

AI Attack Surface

Estate scale, data sensitivity, model types, and agentic capabilities (transactions, payments, code execution). Exposure raises risk independent of governance.

Measure verifiability

Information Asymmetry Reduction

How transparent and auditable the risk is — the single metric that most directly answers the insurer's number-one barrier.

Every assessment produces an underwriter-ready output:

Overall Risk Score & rating band (Low / Moderate / High / Severe)
Insurability rating on Berliner's nine criteria (the framework insurers use)
Recommended premium modifier across selectable bands
Underwriter recommendation — accept, conditions, remediate, or decline
Top-10 prioritised findings, tagged by risk domain
A one-page Executive Underwriting Report
Who It's For

Built for the whole placement chain.

Brokers

Prepare clients for placement

Help clients quantify and present their AI risk before going to market — for smoother, faster placements and fewer surprises at bind.

Carriers & Underwriters

Improve underwriting decisions

A structured, repeatable read on AI governance and exposure to support pricing, terms, and risk selection — and to reduce adverse selection.

Enterprises

Demonstrate AI governance maturity

Evidence your AI controls and exposure in underwriter language before seeking coverage — turning a hard-to-explain risk into a clear, improvable score.

"OCIF is not designed to replace underwriting. It's designed to help brokers and insurers understand AI risk in a structured, repeatable way."

Why OCIF

It merges what almost no one combines.

A credible AI-risk underwriting model has to speak four languages at once. OCIF is built on operator experience across all of them:

Enterprise cybersecurity

Real controls and assessment methodology from regulated-enterprise security operations.

AI governance

The OASF / OASAT framework — governance and runtime control for enterprise AI.

Regulatory compliance

EU AI Act, NIST AI RMF, ISO 42001, DORA, NIS2, GDPR — mapped, not bolted on.

Underwriting logic

Berliner insurability criteria, exposure-driven risk, premium and recommendation bands.

"Insurers can't underwrite what they can't verify. OCIF makes AI governance and exposure measurable — and the assessment scores the risk, while Aegis proves the controls are real."

The Evidence Loop

From assessment to continuous proof.

OCIF scores the risk at the point of underwriting. Aegis — OneCompliant's runtime AI governance gateway — provides the continuous, auditable monitoring an insurer can write into the policy as an ongoing condition. Together they answer the question the market keeps asking: insurable, and here's the proof.

Bring OCIF to your underwriting.

If you're an insurer, MGA, broker, or an enterprise navigating AI risk and cover, we'd welcome a direct briefing or a scoped proof of value.

OCIF is decision-support for AI-risk underwriting, not a binding quote or an actuarial rate. Premium logic is illustrative and intended to be calibrated with a carrier or actuary. Risk and insurability framing draws on Berliner (1982) and the Geneva Association (2025).