
What a Certificate of Insurance Is (And What It Isn't)

A certificate of insurance confirms coverage exists, but it doesn't protect you. Learn what COIs actually do, where the gaps are, and what compliance teams need beyond the certificate.

Clarita Team

If you manage vendor compliance, you deal with certificates of insurance every day. But it’s worth stepping back and asking: what does a COI actually do for you?

A COI is proof that an insurance policy exists. That’s it.

It confirms that at the time of issuance, the named insured held the coverages listed on the certificate. It’s a snapshot, not a contract. And that distinction matters more than most people realize.

A common scenario

A contractor you hired causes property damage at your facility. You pull up their certificate of insurance and see your company listed as the certificate holder. General liability coverage is in place with solid limits. You assume you’re covered.

Then you learn that being named as a certificate holder isn’t the same as being an additional insured on the policy. The insurer has no obligation to you. Your only path to recovery is through the contract with the contractor, and if that contract doesn’t have clear indemnification language and insurance requirements, you may be on your own.

The COI gave you a false sense of security. It told you the contractor had insurance. It didn’t tell you whether that insurance would ever work in your favor.

What a COI doesn’t do

A COI does not create a contractual obligation between you and the insured. If something goes wrong on a project and you need to make a claim, your recourse isn’t determined by the certificate. It’s determined by the contract between your organization and the vendor.

A COI also doesn’t make you an additional insured. That’s one of the most common misconceptions in vendor risk management. Being listed as a certificate holder is not the same as being endorsed onto the policy. Additional insured status requires an actual endorsement on the policy itself, and the COI alone doesn’t grant it.

And here’s another reality: a COI is a point-in-time document. Policies can be cancelled, modified, or allowed to lapse after the certificate is issued. Unless you have a system in place to track renewals and flag expirations, that certificate in your file could be representing coverage that no longer exists.

Why this matters for compliance teams

If your compliance program treats COIs as the finish line, you’re exposed. The certificate is the starting point. It tells you coverage was in place. But the real protection comes from three things working together:

A well-written contract that clearly defines insurance requirements, liability allocation, and additional insured obligations. A valid COI that confirms those requirements are being met. And an ongoing monitoring process that ensures coverage doesn’t lapse between renewals.

Most compliance teams have the first two. It’s the third one that creates gaps. Tracking hundreds or thousands of vendor certificates manually almost guarantees that something slips through.

The bottom line

COIs are essential, but they’re informational documents, not legal instruments. They verify that insurance is in place. They don’t determine who bears responsibility when something goes wrong.

If you’re building or refining a vendor compliance program, start with the contract. Use the COI to validate. And make sure you have a process to monitor what happens after that certificate lands in your inbox.
