
arxiv: 2606.03777 · v1 · pith:GY5IXNOJnew · submitted 2026-06-02 · 💻 cs.AI · cs.CR · q-fin.RM

From Control Boundary to Insurance Claim: Reconstructing AI-Mediated Losses Through the CER Framework

Pith reviewed 2026-06-28 09:44 UTC · model grok-4.3

keywords: AI systems · CER framework · residual risk transfer · agentic AI · generative AI · AI insurance · evidence reconstruction · control boundary

The pith

AI losses through generative or agentic systems require state reconstruction, not merely event reconstruction, because the system's internal state changes as it reasons and acts; the CER framework operationalizes this for insurance claim re

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes that losses arising when an insured organization's AI system sits in the causal chain cannot be handled by traditional event logging alone. Instead, recovery depends on reconstructing what the system was permitted to do, what it actually executed through its sequence of reasoning and tool calls, and whether that reconstruction meets insurance standards. The CER framework addresses this by checking the control boundary for an enforceable operating envelope, the availability of retained artifacts to rebuild the state and causal chain, and the existence of placed coverage together with proof sufficient for claim recovery. This matters for organizations deploying generative or agentic AI because incidents such as prompt injection, RAG poisoning, and malicious tool outputs are now occurring, and without state-level reconstruction those losses may remain unrecoverable. The work specifies claim-grade evidence requirements and illustrates the approach with public cases including agentic database deletions and adjudicated reliance incidents.

Core claim

The central claim is that AI losses require state reconstruction rather than event reconstruction because the relevant state evolves as the system reasons, retrieves, calls tools, and acts; CER operationalizes the reconstruction problem by evaluating the control boundary, evidence from retained artifacts, and insurance response to determine whether a reconstructed loss can support claim recovery.

What carries the argument

The CER framework, which evaluates the control boundary for an enforceable operating envelope, evidence reconstruction from retained artifacts to rebuild system state and causal chain, and insurance response for coverage availability and claim-grade proof.

If this is right

  • Organizations must define and maintain an enforceable control boundary around their AI systems if they expect insurance recovery for losses.
  • Retained artifacts must allow reconstruction of the sequence of reasoning, retrieval, tool calls, and actions to meet the evidence component.
  • Specific failure modes such as prompt injection, retrieval-augmented generation poisoning, and credential misuse become assessable for coverage once state reconstruction is performed.
  • Claim-grade evidence specifications can be used to prepare documentation that insurers will accept for AI-related losses.
  • Residual risk transfer through insurance becomes feasible for agentic and generative AI deployments when all three CER components are satisfied.
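An added sketch, not code from the paper or from Pith, of the difference between an event log and a reconstructed state: retained artifacts are hash-chained when written, then replayed to show what the system held in context at each tool call (E) and which calls fell outside the permitted envelope (C). The record schema, tool names, envelope format and sample trace are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def seal(records):
    """Hash-chain records at write time so later edits or gaps are detectable."""
    prev, out = GENESIS, []
    for seq, rec in enumerate(records):
        body = {"seq": seq, "prev": prev, **rec}
        out.append({**body, "hash": _digest(body)})
        prev = out[-1]["hash"]
    return out

def reconstruct(sealed, envelope):
    """Replay retained artifacts in order and rebuild the state at each tool call.

    Returns E findings (chain integrity), C findings (calls outside the
    permitted envelope) and the context the system held when it acted.
    """
    prev, context = GENESIS, []
    findings = {"chain_intact": True, "broken_at": None,
                "out_of_envelope": [], "calls": []}
    for pos, rec in enumerate(sealed):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["seq"] != pos or rec["prev"] != prev or rec["hash"] != _digest(body):
            findings["chain_intact"], findings["broken_at"] = False, pos
            break  # state past a gap or edit cannot be relied on as evidence
        prev = rec["hash"]
        if rec["kind"] in ("prompt", "retrieval", "tool_output"):
            context.append(rec["ref"])  # inputs that change the system's state
        elif rec["kind"] == "tool_call":
            call = {"seq": pos, "tool": rec["tool"], "context": list(context)}
            findings["calls"].append(call)
            if rec["tool"] not in envelope["allowed_tools"]:
                findings["out_of_envelope"].append(call)
    return findings

# Constructed sample trace (hypothetical tool and document names).
TRACE = seal([
    {"kind": "prompt", "ref": "user:ticket-1"},
    {"kind": "retrieval", "ref": "doc:runbook-7"},
    {"kind": "tool_call", "tool": "sql_select"},
    {"kind": "tool_output", "ref": "out:sql_select#2"},
    {"kind": "retrieval", "ref": "doc:wiki-untrusted"},
    {"kind": "tool_call", "tool": "sql_drop"},
])
ENVELOPE = {"allowed_tools": {"sql_select"}}

if __name__ == "__main__":
    print(json.dumps(reconstruct(TRACE, ENVELOPE), indent=2))
```

The chain only detects edits and gaps relative to a head hash held outside the system that wrote the log; that anchoring step is not shown here.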

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Insurers may begin requiring CER-compliant logging standards as a condition of AI coverage policies.
  • Courts adjudicating AI liability could adopt state reconstruction as the standard for establishing causation instead of simple event timelines.
  • The framework could be tested on non-insurance domains such as regulatory compliance audits for AI systems.
  • Organizations without sufficient artifact retention today would need new infrastructure to make future losses insurable under this approach.

Load-bearing premise

Retained artifacts from AI systems will be sufficient to reconstruct the system state and causal chain in a manner that supports enforceable insurance claims.

What would settle it

A documented insurance claim for an AI-mediated loss where application of the CER checks produces a reconstructed state and causal chain yet the claim is still denied for lack of coverage or insufficient proof.

Figures

Figures reproduced from arXiv: 2606.03777 by Alex Leung, Kentaroh Toyoda, Rex Zhang, SiewMei Loh.

Figure 1: Reconstruction-to-transfer model for the insured's AI system. C defines the permitted state, E reconstructs the actual state, and R tests whether the reconstructed loss can support an insurance response. The C dimension asks whether the AI system's permitted operating envelope was defined, technically enforced, and reviewable after the loss. Governance policies and prompts may describe a boundary, but they…

Figure 2: AI-specific state reconstruction layers for losses arising through the insured's AI system. The five layers shown here are a simplified visual grouping of the seven artifact families detailed in Appendix A (Table A1): the figure's bottom layer combines the output/action/business and loss/claim families, and the human/governance family is distributed across layers rather than shown separately. Section VI ma…

Figure 3: CER diagnostic decision path. At each dimension the "No" branch corresponds to a score of 0 and the "Yes" branch to…

Figure 4: Insurance adequacy sequence within the R dimension. The lowest sub…

Figure 5: CER across the deployment lifecycle: before deployment (C), at placement/renewal (E), and post…

Original abstract

AI losses that arise through an insured organization's generative or agentic AI system require state reconstruction, not merely event reconstruction, because the relevant state changes as the system reasons, retrieves, calls tools, and acts. The relevant question is not only what loss occurred, but what the system was allowed to do, what it actually did, and whether that reconstructed loss can support insurance claim recovery. This paper addresses losses in which the insured's AI system is in the causal chain, including externally triggered failures such as prompt injection, retrieval-augmented generation (RAG) poisoning, malicious tool output, credential misuse, and data poisoning. Specifically, this paper introduces CER, a use-case-level diagnostic for AI residual risk transfer. C (control boundary) asks whether the system had an enforceable operating envelope. E (evidence reconstruction) asks whether the system state and causal chain can be reconstructed from retained artifacts. R (insurance response) asks whether the reconstructed loss is insured: whether insurance coverage is available in the market and placed for the insured, together with the proof needed to support insurance claim recovery. The paper makes three contributions: it defines the AI-specific reconstruction problem, operationalizes that problem through CER, and specifies claim-grade evidence for AI reconstruction. Public examples include the reported PocketOS and Replit agentic database-deletion incidents and Moffatt v. Air Canada as an adjudicated output/reliance case. Keywords: AI systems; CER framework; residual risk transfer; agentic AI; generative AI; AI insurance; evidence reconstruction.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The paper claims that AI losses mediated by an insured organization's generative or agentic AI systems require state reconstruction (not merely event reconstruction) because system state evolves through reasoning, retrieval, tool calls, and actions. It introduces the CER framework as a use-case-level diagnostic for residual risk transfer: C assesses the enforceable control boundary, E assesses whether system state and causal chain can be reconstructed from retained artifacts (e.g., logs, prompts, tool outputs), and R assesses whether the reconstructed loss is insured with supporting proof. The paper defines the AI-specific reconstruction problem, operationalizes it via CER, specifies claim-grade evidence requirements, and illustrates with examples including PocketOS, Replit agentic incidents, and Moffatt v. Air Canada.

Significance. If operationalized, the CER framework could provide a structured diagnostic linking AI system design choices to insurance coverage and claim recovery, addressing a gap in handling non-deterministic agentic behaviors like prompt injection or RAG poisoning. The emphasis on state reconstruction over event reconstruction is a useful conceptual distinction for the emerging AI insurance domain.

major comments (2)
  1. [Abstract] Abstract (E component description): The central claim that retained artifacts suffice to reconstruct the evolving system state and causal chain for enforceable insurance claims is load-bearing but unsupported; no formal sufficiency conditions, completeness criteria, or worked reconstruction examples are supplied for non-deterministic, path-dependent agentic systems where artifacts may be missing or tampered.
  2. [CER framework definition] CER framework operationalization: The paper states that CER produces claim-grade evidence but provides no derivation, mapping, or test showing how the three components interact or suffice to distinguish insured from uninsured loss paths, leaving the framework as a definitional diagnostic rather than a demonstrated method.
minor comments (1)
  1. [Abstract] The abstract and keywords list 'CER framework' as a contribution but do not clarify whether it is intended as a prescriptive checklist or an analytical lens; a brief statement on intended use would improve clarity.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their constructive report, which recognizes the potential significance of the CER framework while identifying areas for clarification. We address each major comment below, maintaining the manuscript's focus as a conceptual introduction to the AI-specific reconstruction problem.

Point-by-point responses
  1. Referee: [Abstract] Abstract (E component description): The central claim that retained artifacts suffice to reconstruct the evolving system state and causal chain for enforceable insurance claims is load-bearing but unsupported; no formal sufficiency conditions, completeness criteria, or worked reconstruction examples are supplied for non-deterministic, path-dependent agentic systems where artifacts may be missing or tampered.

    Authors: The manuscript does not assert that retained artifacts suffice in general; the E component is explicitly defined as an assessment of whether reconstruction from retained artifacts is feasible in a given use case. This diagnostic framing already incorporates acknowledgment of non-determinism, path-dependence, and risks such as missing or tampered artifacts. The cited public incidents (PocketOS, Replit, Moffatt v. Air Canada) function as illustrations of the problem rather than complete worked reconstructions. We agree the abstract phrasing could more precisely emphasize the diagnostic character of E and will revise it. We will also add a dedicated subsection providing sketched reconstruction steps for the examples to better demonstrate the approach without claiming formal sufficiency conditions, which lie beyond the paper's definitional scope.

    Revision: yes

  2. Referee: [CER framework definition] CER framework operationalization: The paper states that CER produces claim-grade evidence but provides no derivation, mapping, or test showing how the three components interact or suffice to distinguish insured from uninsured loss paths, leaving the framework as a definitional diagnostic rather than a demonstrated method.

    Authors: The manuscript presents CER as a use-case-level diagnostic that operationalizes the reconstruction problem by defining the three components and specifying claim-grade evidence requirements; it does not claim to deliver a fully derived or tested method. The interactions among C, E, and R are described at a conceptual level through the framework's structure and the examples. We accept that explicit mappings or additional illustrations of how the components jointly distinguish insured versus uninsured paths would strengthen the operationalization. We will revise the CER framework section to include a tabular mapping of component interactions applied to the existing examples, while preserving the paper's character as a problem definition and framework introduction rather than an empirical validation study.

    Revision: yes

Circularity Check

0 steps flagged

No circularity: CER is a definitional diagnostic with no derivations or self-referential reductions

The paper presents CER as a conceptual framework that directly defines C (control boundary), E (evidence reconstruction), and R (insurance response) to operationalize the AI loss reconstruction problem. No equations, fitted parameters, quantitative predictions, or derivation chains exist. The central claim—that state reconstruction is needed for AI-mediated losses—is introduced by definition rather than derived from prior results or self-citations. The E component's reliance on retained artifacts is stated as an assumption without any reduction to inputs by construction. This is a standard non-circular definitional paper.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 1 invented entities

Review performed on abstract only; full manuscript not available in the provided context, limiting assessment of parameters, axioms, or entities.

axioms (1)
  • Domain assumption: AI system state changes dynamically through reasoning, retrieval, tool calls, and actions, requiring state rather than event reconstruction.
    Explicitly stated in the abstract as the premise for the reconstruction problem.
invented entities (1)
  • CER framework (no independent evidence)
    Purpose: use-case-level diagnostic for AI residual risk transfer in insurance contexts.
    Newly defined in the paper; no independent evidence of prior existence or validation provided in abstract.
