US insurance regulators are reportedly turning their attention to a fast-growing corner of the financial system: the credit risks that sit behind data centres and the AI infrastructure they increasingly power. The probe, described as an examination of how insurers assess and price exposure to these assets, comes at a moment when capital from data-centre and AI infrastructure players is playing a larger role in building out capacity—often through complex financing structures that can be difficult to map to traditional risk categories.
While the regulator has not yet issued final guidance, the direction of travel is clear enough to matter. Insurers—particularly those with large investment portfolios and long-dated liabilities—are being asked, in effect, whether their existing frameworks fully capture the specific vulnerabilities that can emerge when “infrastructure” becomes tightly coupled to technology cycles, power constraints, and concentrated customer demand. For an industry that relies on models, assumptions, and stress tests to determine how much capital it must hold, even incremental changes in methodology can ripple outward into underwriting, investment strategy, and the cost of financing for the underlying projects.
What makes this probe notable is not simply that data centres are in the spotlight. It’s that regulators appear to be focusing on the mechanics of credit risk assessment itself: how exposures are classified, how counterparties are evaluated, how collateral and cash-flow durability are treated, and how correlations are handled when multiple parts of the same ecosystem can fail together.
In other words, the question is less “Are data centres risky?” and more “Do our risk tools understand what kind of risk they are?”
A sector built on leverage—and on assumptions
Data centres have long been financed with a mix of equity and debt, but the scale and speed of recent build-outs have changed the profile of many deals. In many markets, new capacity is being developed to meet demand driven by cloud computing, enterprise digitisation, and—more recently—AI training and inference workloads. That demand is real, but it is also shaped by procurement cycles, technology adoption curves, and the economics of compute utilisation.
The financing structures used to fund these projects often rely on assumptions about occupancy rates, contracted revenue, and the stability of power costs. They may also depend on the ability to refinance debt as interest rates move or as project performance is validated over time. When those assumptions hold, returns can look attractive. When they don’t, the downside can be sharper than investors expect—especially if multiple projects are exposed to similar constraints such as grid interconnection timelines, cooling requirements, and local permitting.
For insurers, the challenge is that these exposures can show up in different forms across the balance sheet. They might be direct loans, bonds, private credit instruments, structured products, or holdings of funds that themselves invest in data-centre debt. Even when the underlying asset is “infrastructure,” the credit risk can behave more like a technology-adjacent bet: it depends on operational performance, customer concentration, and the durability of cash flows under stress.
Regulators probing credit risk rules are therefore likely to be asking whether insurers are treating these exposures consistently with their true risk drivers. If an insurer classifies a data-centre bond as “investment grade” based on initial ratings or historical performance, does it still apply the right stress scenarios when the market environment changes? If an insurer assumes that contracted revenue reduces default risk, does it account for contract terms, termination clauses, and the possibility that customers renegotiate during downturns? If collateral is present, does the valuation reflect realistic liquidation outcomes rather than optimistic appraisals?
These are not academic questions. They determine how much capital is held against potential losses, and capital is the currency that governs solvency.
Why now: AI infrastructure meets insurance regulation
The timing of the probe aligns with a broader shift in how AI infrastructure is financed. As AI workloads become a core part of corporate IT strategies, demand for compute capacity is increasingly tied to large-scale data-centre operators and specialised infrastructure providers. At the same time, the sector has attracted significant institutional capital, including from insurers seeking yield and diversification.
But diversification only works if the risks are not secretly correlated. Data centres may appear geographically spread, but they can share common vulnerabilities: power availability, regulatory permitting, supply-chain constraints for transformers and switchgear, and the macroeconomic sensitivity of refinancing markets. If credit conditions tighten, the ability to refinance can become the deciding factor between survival and restructuring.
This is where insurance regulation becomes particularly relevant. Insurers are not just investors; they are risk managers with obligations to policyholders. Their solvency frameworks are designed to ensure that even under adverse conditions, they can meet claims. If the risk models used to calculate capital requirements do not adequately represent the tail risks of data-centre exposures, regulators may see a gap between measured risk and actual risk.
The reported probe suggests that regulators want to close that gap.
How insurers typically assess credit risk—and where the blind spots can be
Most insurers use a combination of internal models, external ratings, and scenario analysis to evaluate credit risk. They also consider factors such as default probability, loss given default, exposure at default, and the expected recovery value of collateral. In theory, these tools can be adapted to almost any asset class. In practice, the quality of the output depends on the quality of the inputs and the relevance of the assumptions.
Data-centre credit risk can be unusually sensitive to operational and market variables:
1) Utilisation and occupancy dynamics
Even when a facility is built, revenue depends on how effectively it is utilised. Utilisation can be affected by customer churn, delays in customer deployments, and changes in workload demand. If an insurer’s model assumes stable occupancy based on historical averages, it may understate the risk of demand shocks.
2) Power and energy economics
Power costs are a major component of operating expenses. If electricity prices rise or if efficiency improvements lag expectations, cash flows can compress. Additionally, some facilities may face constraints related to grid capacity or backup power requirements. These factors can influence both the likelihood of default and the severity of losses.
3) Concentration risk
Many data-centre projects rely on a limited number of large customers or on a small set of tenants for a meaningful portion of revenue. Concentration risk can turn a “diversified infrastructure” portfolio into a set of correlated exposures. Regulators may be interested in whether insurers are capturing this concentration properly, especially when exposures are held through funds or structured vehicles.
4) Refinancing risk
A large share of infrastructure debt is subject to refinancing at maturity or through covenant-driven events. When credit spreads widen or liquidity dries up, refinancing can become expensive or unavailable. This can lead to defaults even if the underlying asset remains operational. If insurers focus too heavily on initial credit metrics and not enough on refinancing conditions, they may misestimate risk.
5) Technology and obsolescence
Unlike some traditional infrastructure assets, data centres can be exposed to technology shifts. Hardware generations change, cooling and power efficiency standards evolve, and customer requirements can change faster than the physical asset’s useful life. While data centres are generally long-lived, the economic value of capacity can still be affected by whether facilities remain competitive.
A regulator examining credit risk rules would likely want to know whether insurers are translating these drivers into their capital models and stress tests. The probe may also examine whether insurers are using consistent methodologies across asset types—direct loans versus bonds versus private credit funds—because differences in classification can create uneven treatment of similar risks.
The role of ratings, and the limits of “set-and-forget”
Ratings can be helpful, but they are not a complete solution. Ratings are backward-looking to a degree and can lag changes in fundamentals. They also may not fully reflect scenario-specific risks such as power-market volatility or local grid constraints. If insurers rely heavily on ratings without adjusting for forward-looking stress, regulators may view that as insufficiently prudent.
At the same time, regulators are unlikely to argue that ratings should be ignored. Instead, the probe may be aimed at ensuring that insurers treat ratings as one input among many, and that they apply additional scrutiny where the risk drivers are distinctive.
For example, an insurer might hold a bond issued by a data-centre operator with a strong initial rating. But if the operator’s business model depends on rapid expansion, and if expansion is constrained by power availability or permitting delays, the risk profile could deteriorate quickly. A robust framework would incorporate those forward-looking constraints into stress scenarios.
That is the kind of nuance regulators often seek: not just whether an asset is rated, but whether the insurer’s internal view of risk matches the asset’s real-world vulnerabilities.
Potential impact: capital requirements, risk models, and investment behaviour
If the probe leads to new guidance or supervisory expectations, the most immediate impact could be on how insurers calculate capital requirements for certain exposures. Even small changes in risk weights, model parameters, or stress-test assumptions can affect the amount of capital required to hold a given asset.
That, in turn, can influence investment decisions. Insurers may respond by:
– reducing exposure to the riskiest segments of data-centre credit, particularly where cash flows are less contracted or where refinancing risk is high;
– shifting toward structures with stronger protections, such as tighter covenants, clearer collateral coverage, or more diversified tenant bases;
– increasing due diligence on power and operational resilience, including reviewing energy contracts and backup capacity;
– favouring counterparties with demonstrated performance through multiple market cycles.
There is also a second-order effect. If insurers become more cautious, the cost of capital for data-centre projects could rise, or the availability of certain types of debt could narrow. That could slow build-outs—or redirect financing toward projects that better match the risk appetite of regulated investors.
However, there is another possibility: the probe could improve transparency and standardisation. If regulators push insurers to articulate their assumptions more clearly, the market may develop better benchmarks for data-centre credit risk. Over time, that could make it easier for high-quality projects to access capital at reasonable terms, while weaker projects face higher pricing or reduced funding.
Either way, the probe signals that the regulatory conversation is moving from broad asset-class labels toward a more granular understanding