A Strategic Risk Guide for Owners, GCs, Property Teams, and Compliance Leaders
Some Construction Teams Think a COI Means They’re 100% Covered. They’re Not.
But here’s what’s really happening:
- A vendor submits a COI that looks valid…
- Your team checks the dates, policy numbers, maybe even the limits…
- You greenlight them to work.
Weeks later, there’s a claim — and the insurer denies it. Why? The policy included a Labor Law exclusion. Or the COI was never updated. Or worse: it was fake.
A COI is not insurance. It’s a summary on a piece of paper. The policy is the real protection.
This is where some construction and property teams fall into a compliance trap. They treat COIs like contracts. But COIs are summaries — and sometimes dangerously incomplete ones.
In this guide, we’re going to show you exactly what a COI is, how to read an ACORD form, and why managing certificates without a platform like Jones creates unnecessary risk, legal exposure, and admin chaos.
Table of Contents
- What Is a COI Certificate?
- The ACORD 25: What It Covers (And What It Doesn’t)
- 7 Red Flags to Watch for on Every COI
- Why Policy Review Matters More Than the Certificate
- The Cost of Manual COI Management
- Why Jones Makes ACORDs Actionable
- Conclusion: Don’t Manage Risk Blindfolded
1. What Is a COI Certificate?
A Certificate of Insurance (COI) is a standardized document that serves as evidence of insurance coverage. It’s most commonly issued using the ACORD 25 form, the industry standard for summarizing liability insurance details.
Typically, a subcontractor, vendor, or tenant provides this document to prove:
- They have active coverage
- The coverage meets contractual minimums
- Your organization is listed as an Additional Insured
Most construction and real estate teams think of a Certificate of Insurance (COI) as a proof-of-coverage document: something you collect, file, and forget.
But that’s an outdated mindset.
A COI is the tip of the compliance iceberg. And unless you know what’s underneath (exclusions, lapses, endorsements), you’re betting your project on a PDF.
The wrong COI is just as dangerous as no COI.
A COI is not a contract. It’s not a guarantee of coverage. It’s a summary page, most often formatted as an ACORD 25 form, that merely outlines the existence of one or more insurance policies as reported by a broker or agent.
The COI typically includes:
- The name and address of the insured party
- Coverage types (general liability, auto, umbrella, etc.)
- Policy numbers and dates
- Limit amounts
- Additional insured or waiver of subrogation notes
But what it doesn’t include — and what matters most — is the fine print: the actual exclusions, endorsements, and conditions that determine whether a claim will be honored.
In short: a COI can look perfect on paper and still leave you exposed.
It’s also important to remember that COIs are unregulated summaries. They’re not reviewed or certified by the insurer. And they can be outdated, misrepresented, or even falsified.
That’s why modern compliance teams use COIs only as a starting point — not as a sign-off. True risk protection requires validating the underlying insurance policy, not just glancing at a one-page PDF.
Want a deeper breakdown of what a COI actually is — and what it’s not? Check out our Complete Business Guide to COIs.
2. The ACORD 25: What It Covers (And What It Doesn’t)
The ACORD 25 is the most widely used form to represent liability coverage in the United States.
If you’ve seen a COI before, chances are it was delivered using the ACORD 25. It is the one-page document that most teams receive as proof of insurance. But don’t let its familiarity fool you; it’s often misunderstood, misused, and misread.
Let’s break it down, field by field, to show what each section does — and doesn’t — tell you. Then, we’ll look at real-world scenarios where those gaps lead to serious risk.
Here’s what each section tells you — and more importantly, what it doesn’t.
Insured:
Lists the name and address of the party providing insurance. However, it doesn’t confirm if the insured is truly the contractor or vendor you hired.
Producer:
Shows the insurance agency or broker who issued the certificate. But it doesn’t tell you if the broker actually verified the certificate data.
Coverages:
Displays the policy type, number, effective and expiration dates, and coverage limits. What it doesn’t include are the policy terms, endorsements, or exclusions.
Certificate Holder:
Your organization or project. Still, this doesn’t mean you’re actually named in the policy.
Description of Operations:
Intended to provide notes about endorsements or job specifics. Too often, this section is blank or filled with boilerplate language.
Authorized Representative Signature:
Indicates issuance by an insurance rep. But it does not confirm that the coverage is active or accurate.
The ACORD form is designed for convenience — not completeness. Even with “Additional Insured” language typed in, it’s not binding unless the actual policy includes the proper endorsements.
Insured: Who’s Actually Covered?
The top left of the ACORD form lists the “Insured” — the party carrying the insurance.
What It Tells You:
- Legal name of the vendor, subcontractor, or tenant.
- Contact details and address.
What It Doesn’t Tell You:
- Whether this entity is the same name used in the contract.
- Whether it’s a DBA (doing business as), parent company, or unrelated third party.
Example: You hire “Precision Electrical, LLC,” but the COI lists “Precision Construction Group.” Looks close — but if there’s no matching contract or endorsement, your coverage is meaningless in a dispute.
Best Practice: Always verify that the insured’s name on the ACORD form exactly matches the contracting entity. If it doesn’t, request clarification and updated documentation.
Producer: Who Issued the Certificate?
The “Producer” field identifies the broker or insurance agency that created the COI.
What It Tells You:
- Name, phone number, and contact of the issuing broker.
What It Doesn’t Tell You:
- Whether the broker verified any of the details.
- Whether they’re authorized by the carrier.
- Whether the policy is still in good standing.
Example: A broker issues a COI with policies listed, but the premium hasn’t been paid — the policy was canceled a week earlier. The ACORD form doesn’t reflect this. You’re operating with a false sense of security.
Best Practice: If a COI looks off — or hasn’t been updated — call the producer directly. A quick confirmation can prevent costly gaps.
Coverages: What’s Actually Included?
This is the “meat” of the COI — where insurance types, policy numbers, limits, and effective/expiration dates are listed.
What It Tells You:
- Coverage types (General Liability, Auto, Umbrella, Workers’ Comp).
- Limits (per occurrence, aggregate, etc.).
- Policy number, effective date, expiration date.
What It Doesn’t Tell You:
- Endorsements or modifications.
- Exclusions that eliminate entire categories of risk.
- Whether coverage meets your contractual requirements.
Example: A vendor lists General Liability coverage with a $2M limit — but their policy includes a residential construction exclusion. If your project is residential, the policy is essentially worthless for your use case. The COI won’t show that.
Best Practice: Always verify policy documents and endorsements, especially if your project includes high-risk factors (e.g., NY labor laws, design-build contracts, or residential work).
Certificate Holder: Who Requested the Proof?
This section is where you or your company is listed as the requesting party.
What It Tells You:
- Your company name and address.
- That you requested evidence of coverage.
What It Doesn’t Tell You:
- Whether you’re listed as an Additional Insured in the actual policy.
- Whether waivers of subrogation or other risk-shifting terms apply.
- Whether your name appears in endorsements that confer real protection.
Example: Your company is listed as the certificate holder, but not as an Additional Insured in the policy. You assume you’re protected. A claim occurs — and the insurer denies it. The certificate holder field has zero legal standing without the proper policy language.
Best Practice: Do not confuse “Certificate Holder” with “Additional Insured.” They’re not the same. The only way to confirm you’re truly covered is to review the policy endorsements.
Description of Operations: What’s Being Insured?
This box is meant to include details about:
- Job location or description
- Project-specific language
- Additional insured endorsements
- Waivers of subrogation
What It Tells You:
- Sometimes, it includes project names or endorsement references.
- Occasionally shows language like “per written contract.”
What It Doesn’t Tell You:
- Whether the endorsements are attached and enforceable.
- Whether the policy language actually grants you coverage.
Example: The box says: “ABC Development listed as additional insured per written contract.” Sounds great — until you check the policy and there’s no blanket AI endorsement. You’re not covered.
Best Practice: Treat this section as an indication, not confirmation. If it references “per contract,” make sure that language is supported in the actual policy with a blanket AI endorsement that names your org.
Authorized Representative Signature: Who Signed This?
The form ends with the signature of the broker or issuing agent.
What It Tells You:
- The document came from someone associated with the insurance provider.
- The COI was not generated by the vendor themselves (hopefully).
What It Doesn’t Tell You:
- Whether the signatory has authority to bind coverage.
- Whether the coverage is still in place.
Example: A subcontractor fakes a COI using a template and signs it with a “broker” name. No verification, no real insurance. Your team approves the vendor, and you unknowingly take on massive liability.
Best Practice: If anything seems off — especially if it’s unsigned, has typos, or lists unknown brokers — follow up directly. And build in automated verification protocols whenever possible.
3. 7 Red Flags to Watch for on Every COI
Some teams glance at a COI to check for coverage dates, policy limits, and maybe the Additional Insured language. But that’s not enough.
Here are the real signs of non-compliance:
- Expired or Soon-to-Expire Policies
  Even a single-day lapse can leave you exposed. Automated tracking is critical.
- No Mention of Additional Insured
  If your organization isn’t clearly listed — or if the language is vague, like “as required by contract” — your coverage may be unenforceable.
- Generic Descriptions in the Operations Box
  When this section is left blank or filled with irrelevant language, it’s a signal the COI may not meet your project’s specific needs.
- No Endorsement References
  ACORD forms rarely show endorsements. If you’re not reviewing the actual policy, you won’t know what’s missing.
- Typos or Mismatched Names
  Small errors, like a misspelled company name, can nullify your legal protections.
- Missing Auto or Umbrella Coverage
  These often go unchecked but can be essential — especially for vendors with vehicle-related tasks.
- Unverified or Unresponsive Brokers
  If the broker can’t or won’t verify the COI, that’s a red flag that needs immediate attention.
1. Expired or Soon-to-Expire Policies
The risk: Even a one-day lapse in insurance coverage can leave your organization vulnerable to uncovered claims. Yet most teams don’t have visibility into real-time policy status.
Scenario:
A subcontractor’s general liability policy expired three days ago, but your project manager greenlit them based on an outdated COI. A jobsite accident happens that same afternoon. Now you’re exposed — and your umbrella coverage may be the only backstop.
Why this matters:
Manually tracking expiration dates across dozens (or hundreds) of vendors is error-prone. If you miss one, the consequences could include delayed projects, denied claims, or uncovered lawsuits.
Jones Solution:
Jones monitors expiration dates across your entire vendor portfolio and automates renewal reminders — ensuring no COI ever goes out of date unnoticed.
2. Missing or Vague Additional Insured Language
The risk: A vendor might provide a COI that doesn’t list your organization as an Additional Insured — or does so using vague language like “as required by contract.” Neither is reliable protection.
Scenario:
Your company is listed as a certificate holder, but there’s no explicit Additional Insured endorsement listed in the policy. A claim is filed — and denied — because you’re not actually covered under the vendor’s policy.
Why this matters:
Being listed as a certificate holder is not the same as being an Additional Insured. Without that designation in the actual policy, you have no legal recourse.
Jones Insight:
Jones validates endorsement documentation alongside the COI — ensuring your name isn’t just on the certificate, but on the policy that matters.
3. Generic Language in the Description of Operations Box
The risk: The “Description of Operations” section is supposed to clarify what’s being insured, what project is involved, and how endorsements apply. But in many cases, it’s blank or filled with generic boilerplate.
Scenario:
A vendor uploads a COI that says: “Per contract” in the description box — with no reference to your project, location, or requirements. The broker hasn’t attached any endorsements. You assume you’re protected — until a claim proves otherwise.
Why this matters:
Vague language leaves room for disputes. Insurers often default to strict interpretation — and if your project isn’t explicitly referenced, they may deny the claim.
Jones Tip:
Require specificity. Jones enforces clear, project-level data during COI submission and checks for proper documentation before marking a vendor compliant.
4. No Endorsement References or Attachments
The risk: A COI might claim “Additional Insured status applies” — but unless the policy includes the correct endorsement form, that language is meaningless.
Scenario:
A GC receives a COI that references Additional Insured status — but no CG 20 10 or CG 20 37 endorsement is attached. Later, a claim is filed, and the insurer points out that no AI coverage was ever endorsed.
Why this matters:
COIs can suggest that coverage is in place, but they don’t prove it. Endorsements — especially blanket or scheduled ones — must be reviewed directly.
What Jones Does Differently:
Jones requests and validates endorsements for every relevant line of coverage, using AI to flag missing or inadequate forms — and escalating them to humans when necessary.
5. Inconsistent or Incorrect Entity Names
The risk: If the entity listed on the COI doesn’t match the contracting party, your ability to make a claim — or enforce coverage — can be severely limited.
Scenario:
You hire “Green Field Plumbing, Inc.,” but the COI lists “Greenfield Services, LLC.” You approve it without question. Turns out, they’re separate entities — and when a claim hits, the listed company isn’t the one who performed the work. You’re out of luck.
Why this matters:
Small discrepancies can lead to big denials. Insurers aren’t obligated to honor claims involving entities not listed in the policy.
How Jones Helps:
Jones requires that vendor-submitted COIs match contractual entities — flagging mismatches automatically and requiring correction before compliance is granted.
6. Missing Lines of Coverage
The risk: Many COIs omit essential coverage types — such as Auto Liability or Umbrella/Excess — and teams don’t notice until it’s too late.
Scenario:
A contractor uses personal vehicles for project work, but their COI lacks Auto Liability coverage. After a traffic collision during a site run, the damages aren’t covered by the contractor’s general liability or umbrella policies — and the GC gets dragged into the lawsuit.
Why this matters:
Each line of coverage fills a specific role. If it’s missing, you may be exposed on claims involving vehicles, subcontracted work, or high-limit damages.
Jones Advantage:
The platform enforces contract-specific coverage requirements at the onboarding stage, and won’t mark vendors compliant unless all required lines are properly documented.
7. Unverified or Suspicious Brokers
The risk: A COI might look fine on the surface — but if the broker can’t be reached, doesn’t exist, or refuses to verify the policy, it could be a sign of fraud.
Scenario:
A subcontractor submits a COI issued by a no-name broker. You reach out for clarification and get no response. A few weeks later, you find out the broker never bound the policy. The vendor was uninsured the entire time.
Why this matters:
Fake or invalid COIs happen more often than most teams realize. Without verification — or a platform enforcing it — you’re working on trust, not protection.
Jones Safeguard:
Jones tracks COI sources, confirms broker legitimacy, and offers audit trails for every certificate on file — ensuring every document is traceable and defensible.
4. Why Policy Review Matters More Than the Certificate
COIs are not legally binding. They don’t amend the actual insurance contract. They’re often filled out by overworked brokers or uploaded by vendors using outdated or incorrect forms.
COIs aren’t insurance — policies are.
That’s why top compliance teams go beyond COIs. They make sure to:
- Request and review full policy documents
- Validate that all required endorsements are included
- Confirm that Additional Insured language is enforceable
- Check for high-risk exclusions like:
  - New York Labor Law exclusions
  - Residential construction carve-outs
  - Professional liability limitations
Manual policy review is tedious. But skipping it can lead to claim denials that cost hundreds of thousands — even millions.
Jones addresses this gap with end-to-end policy-level verification. This means actual review of the policy terms and endorsements, using both AI tools and expert human reviewers.
5. The Cost of Manual COI Management
If your team is still managing COIs with email and spreadsheets, you’re not managing risk — you’re inviting it.
Typical manual workflows include:
- Emailing vendors to request updated COIs
- Reviewing each form by hand
- Manually entering expiration dates into spreadsheets
- Sending calendar reminders to chase renewals
- Losing visibility when vendors don’t respond
This results in:
- Onboarding delays
- Payment issues
- Legal exposure due to expired or non-compliant COIs
- Audit nightmares caused by disorganized records
One Jones client — a national property firm — was spending more than 40 hours a week just managing COIs. After adopting Jones:
- COIs were auto-requested and tracked
- Vendors uploaded directly into a secure portal
- Dashboards provided real-time compliance visibility
- Renewal alerts were fully automated
6. Why Jones Makes ACORDs Actionable
Jones doesn’t just collect certificates — it verifies, tracks, and operationalizes them into a compliance engine built for risk reduction.
Here’s how Jones transforms COI management:
- Vendor Portals: Vendors submit their own certificates and track status, reducing back-and-forth and putting the responsibility where it belongs.
- Policy Review and Endorsement Validation: Jones reviews the underlying insurance documents — not just the COI — to catch exclusions and ensure compliance.
- Automated Tracking and Renewals: Jones alerts your team before any COI expires, so you’re never left uncovered.
- Risk Dashboards: Compliance data rolls up into real-time dashboards so teams can see vendor status across all projects instantly.
- Seamless Integrations: Jones connects with Procore, MRI, CMiC, Yardi, and other key systems, keeping your compliance data in sync with operations.
- Audit-Ready Records: Every action is logged and time-stamped, creating a defensible compliance history that holds up under legal scrutiny.
Real-World Example:
A major general contractor in NYC experienced a subcontractor claim denial due to a hidden exclusion in the policy — despite having a valid COI on file. After implementing Jones, every vendor’s COI and policy is reviewed in full, eliminating blind spots and preventing costly oversights.
7. Don’t Manage Risk Blindfolded
A COI is not insurance — it’s only a summary. And even a perfect-looking ACORD form is meaningless if it doesn’t reflect the actual policy behind it.
To truly protect your organization, you need:
- Policy-level validation
- Continuous tracking and renewal workflows
- Visibility across vendors and properties
- Actionable insights tied to real-world risk
That’s what Jones delivers.
With Jones, your COI certificates stop being paperwork — and start becoming protection.
Ready to upgrade your risk strategy? Schedule a Jones demo today.