2.4.3 Legal Accountability and Rights

In October 2025, an autonomous AI agent working for a logistics company signed a $2.3 million contract without human approval. The agent, designed to optimize shipping routes and negotiate carrier rates, interpreted market conditions as favorable and executed what it determined was an advantageous deal. The contract turned out to be terrible. The terms were onerous, the rates above market, and the company wanted to void it.

But who was liable? The company that deployed the agent? The vendor that built the software? The AI itself? The developers who designed the system but weren't in the loop when it acted?

The case entered litigation without clear answers. Legal analysts have called it the first major "agentic liability" crisis—a situation where an autonomous AI agent takes a binding legal action without human approval, and existing legal frameworks don't clearly assign responsibility. This is not a science fiction scenario. It happened. And it will happen more often as AI systems gain autonomy and the ability to act in the world without humans explicitly authorizing each step. The law is scrambling to catch up—but it is years behind.

The Liability Gap

Traditional product liability theories—design defect, manufacturing defect, failure to warn—do not map neatly onto AI systems. A car with faulty brakes represents a clear manufacturing defect. But when an AI diagnostic tool misdiagnoses a patient because it was trained on biased data, the nature of the defect is far less obvious. Is it a design defect? A data defect? An algorithmic defect? The distinctions matter legally, and the answers are not settled.

The question of who to sue is equally murky. If a physical product causes injury, the manufacturer is typically the defendant. But when an AI recommendation causes harm, liability could plausibly rest with the company that deployed the system, the vendor that sold it, the developers who built it, the data providers who supplied the training corpus, or some combination of all of them. AI systems' opacity compounds the difficulty: decisions emerge from interactions between code, data, and deployment context in ways that even the developers cannot always predict or fully explain.

This complexity can function as a liability shield. Companies claim they did not know the system would behave that way. Vendors claim they followed industry standards. Developers claim they built to specification. Everyone points fingers, and no single party is clearly responsible. Courts have not yet issued definitive rulings allocating liability for fully autonomous agent behavior, because the legal logic built around human decision-making breaks down when the decision-maker is an AI. The challenge is not simply assigning blame; it is that the existing conceptual architecture of liability law assumes a human agent at its center, and that assumption no longer reliably holds.

The Contract Problem

Organizations deploying AI agents have attempted to address the liability gap through contractual arrangements. Vendor agreements now routinely include indemnification clauses designed to allocate risk between parties: if the AI causes harm, the contract specifies who pays. But contracts operate only between their signatories. A third party harmed by an AI agent's actions—a consumer defrauded, a driver injured, a patient misdiagnosed—is not party to the vendor agreement and cannot rely on its indemnification provisions for recourse.

Even between contracting parties, these clauses are often vague or legally untested. Language like "the vendor will indemnify the deployer for any damages caused by the AI" sounds straightforward until a court must determine what "caused by" means in the context of a complex sociotechnical system where causation is distributed and emergent. The logistics company's vendor contract limits liability to the software licensing fee—$50,000—against a $2.3 million loss. The company argues the cap is unconscionable; the vendor argues it is standard industry practice. A court will eventually rule on this particular dispute, but even that ruling will not establish a broadly applicable standard. Every AI system is different, every deployment is different, and every harm is different. Case-by-case adjudication is slow, expensive, and produces inconsistent outcomes that leave the underlying accountability questions unresolved.

Many vendor contracts go further, disclaiming consequential damages, requiring arbitration, and restricting the scope of recoverable harm. These provisions may not survive judicial scrutiny when harms are severe, but they create practical barriers to accountability in the meantime—confronting potential plaintiffs with expensive litigation against defendants protected by layers of contractual insulation.

The Regulatory Patchwork

More than 1,000 bills related to AI were introduced by federal and state legislators during the 2025 legislative session. Most did not pass. Those that did created a fragmented landscape of inconsistent requirements. Some states focused on specific use cases—AI in hiring, in healthcare, in insurance underwriting, in criminal justice—while others attempted comprehensive regulation through disclosure requirements, testing mandates, liability rules, and enforcement mechanisms. The result is a patchwork in which a company's obligations depend heavily on which state it operates in and what sector it serves.

At the international level, the EU AI Act entered its phased implementation period in 2025, with obligations for general-purpose AI models taking effect in August. The Act establishes a risk-based framework: prohibited uses, high-risk systems subject to strict requirements, and lower-risk systems with lighter obligations. Companies deploying high-risk AI must conduct conformity assessments, implement risk management systems, maintain documentation, and ensure human oversight. These requirements are technically demanding and expensive to satisfy, placing disproportionate burdens on smaller companies and potentially functioning as barriers to entry that favor large incumbents.

Enforcement remains a separate uncertainty. The EU has demonstrated willingness to impose substantial penalties for GDPR violations, but AI regulation is newer, more technically complex, and harder to audit. Whether regulators have the technical expertise and institutional resources to effectively monitor compliance remains an open question. In the United States, the picture is further complicated by the Trump administration's December 2025 executive order proposing a uniform federal policy framework that would preempt state laws deemed inconsistent with federal policy. The order signals a preference for lighter federal regulation over the existing state-level patchwork—creating legal uncertainty for companies that do not know which rules will apply, how conflicts between state and federal standards will be resolved, or what compliance will look like in the months ahead.

The Rights Vacuum

What rights do individuals have when AI makes consequential decisions about them? In the European Union, the GDPR provides a meaningful baseline: the right to know when automated decision-making is used, the right to an explanation of how decisions are reached, the right to contest outcomes, and in some circumstances the right to opt out entirely. These protections are imperfect in their application, but they establish a recognized legal framework built around individual agency.

In the United States, the situation is fragmented by sector and jurisdiction. Credit reporting and housing carry some regulatory protections. New York City has enacted employment AI disclosure requirements. Colorado mandates that deployers of high-risk AI systems enable individuals to appeal adverse decisions. But there is no general right to know when AI is involved in decisions affecting you, no national right to explanation, and no broadly applicable mechanism for challenging algorithmic determinations.

The practical consequences are significant. If an AI system denies a loan application, the applicant may or may not be entitled to know why, depending on their location and the specific system involved. If an AI misdiagnoses a medical condition, the patient can pursue a malpractice claim, but proving that the AI was defective and that the defect caused the harm requires access to the algorithm, the training data, and expert witnesses capable of interpreting them—resources that are both expensive and routinely protected as trade secrets. If an AI wrongly identifies someone as a criminal suspect, the affected individual's ability to challenge the identification depends on jurisdiction, the system used, and whether they even know the AI was involved. For most people, in most contexts, the default remains that AI systems can make consequential decisions about their lives with no obligation of transparency, explanation, or recourse.

The Attribution Problem

Underlying all of these legal challenges is a deeper conceptual difficulty: AI fundamentally disrupts the attribution of responsibility that legal accountability depends on. Traditional law assumes identifiable agents making decisions. Liability follows from identifying who acted and whether they acted wrongfully. AI dissolves this logic in ways that expose a structural gap in legal doctrine.

Consider a medical AI that recommends a treatment that harms a patient. The doctor who accepted the recommendation acted on a tool validated by the hospital. The hospital relied on a vendor with regulatory approval. The vendor followed recognized industry standards. The developers built to specification. The data scientists used publicly available training data. The regulators assessed the system based on information the developers provided. Each actor can credibly argue they were not the proximate cause of the harm. No single party made a clearly wrongful decision. And yet the patient is injured.

This is the attribution problem: in complex sociotechnical systems, responsibility can be distributed across a chain of actors none of whom individually behaved unreasonably, yet harm still results. Courts seeking to identify the party at fault are poorly equipped to handle systemic or collective responsibility. When fault is distributed and emergent rather than concentrated in a single decision, the law often fails to assign responsibility to anyone. This is not just a legal gap but a structural incentive problem: if no one can be held accountable for distributed AI harms, the financial pressure to prevent them is correspondingly weakened. Addressing it requires either legal doctrines capable of handling collective responsibility, or liability frameworks that do not depend on proving individual fault at all.

Paths Toward Accountability

Legal scholars and policymakers are advancing several approaches to the accountability gap, each carrying distinct trade-offs.

One prominent proposal is strict liability for AI harms, modeled on product liability regimes for defective goods: deployers or developers would be liable for harm caused by AI systems regardless of whether they were individually at fault. Strict liability has the advantage of ensuring victims can recover damages and creating strong financial incentives for companies to invest in safety. Critics argue it would chill innovation by making AI deployment prohibitively risky, particularly for smaller developers who cannot absorb unpredictable liability exposure.

Algorithmic impact assessments—requiring organizations to evaluate and disclose risks before deploying high-risk systems—represent a different lever. Several jurisdictions have enacted versions of this requirement. Impact assessments can surface problems before deployment and create a public record against which outcomes can be measured, but they do not directly provide remedies when harms occur, and their quality depends heavily on the rigor and independence of whoever conducts them.

Mandatory insurance would require deployers of certain AI systems to carry liability coverage, ensuring that victims can access compensation even when the deployer lacks resources to pay. Insurance also harnesses market mechanisms to price risk, theoretically creating financial incentives for safer deployment. The limitation is that insurers currently lack the actuarial data to accurately price novel AI risks, making this approach more viable as the field matures than as an immediate solution.

Expanding individual rights operates on a different axis than liability rules. Rather than determining who pays after harm occurs, rights frameworks—giving people the right to know when AI is used, to receive explanations, to contest adverse outcomes, and to opt out of certain systems—aim to empower individuals to identify and challenge problematic AI before harms compound. The EU AI Act and Colorado's high-risk AI law represent steps in this direction, though both depend on individuals knowing their rights and having realistic means to exercise them.

Finally, international harmonization seeks to develop shared global standards that prevent regulatory arbitrage and ensure consistent protections across borders. The appeal is clear, but national interests, industrial policy priorities, and competing governance philosophies make consensus elusive. Progress in this area is more likely to be incremental than transformative, and near-term reliance on it as a primary solution would be optimistic.

Each approach addresses part of the problem while leaving other parts unresolved. The fundamental tension runs deeper than any single solution can fix. If the law establishes that AI agents cannot create binding obligations without explicit human authorization, this limits the utility of autonomous systems in ways that impede legitimate commercial uses. If AI agents are recognized as capable of acting with legal authority, the resulting liability exposure becomes difficult to manage and predict. What the law must eventually produce is some hybrid framework—one that preserves the utility of autonomous AI while creating clear accountability mechanisms and meaningful individual rights. That framework does not yet exist.

The Legal Landscape in 2026

Legal experts are converging on a forecast that 2026 will be a pivotal year for AI accountability. The first major agentic liability case is already moving through courts, and similar disputes are accumulating. Product liability suits involving AI are increasing as plaintiffs' attorneys develop expertise in algorithmic harms; defendants in cases involving biased hiring tools, faulty medical diagnostics, discriminatory credit decisions, and autonomous vehicle accidents face growing legal exposure. The Mobley v. Workday class certification signals courts' willingness to allow collective actions against AI systems that harm large groups, and more class actions are expected to follow.

Regulatory enforcement is also scaling. The EU is expected to impose its first major fines under the AI Act, establishing what penalties look like in practice and testing the political durability of the regulatory framework. U.S. states are beginning to enforce the AI laws passed in 2025, even as the federal executive order creates uncertainty about whether state-level rules will survive preemption challenges. Federal agencies are issuing sector-specific guidance, though comprehensive federal legislation remains politically unlikely in the near term.

Despite this activity, definitive legal clarity will remain elusive. The technology is evolving faster than courts can adjudicate cases or legislatures can respond to outcomes. Each court ruling addresses specific facts and creates precedent that may not transfer cleanly to the next generation of systems. The most realistic expectation for the near term is more litigation, more regulation, and more uncertainty—with companies facing growing legal risk, individuals gaining some rights unevenly across jurisdictions, and the foundational questions of accountability remaining only partially resolved.

Key Takeaways

The liability gap is structural. Traditional legal frameworks built around human decision-makers struggle to assign responsibility when AI systems cause harm. The complexity of these systems—distributed across developers, vendors, deployers, and data providers—can function as a liability shield, with no single party clearly accountable.
Contracts address only part of the problem. Vendor indemnification agreements can allocate risk between contracting parties but offer no protection to third parties harmed by AI agents. Liability caps and disclaimer provisions create additional barriers to accountability.
Regulation is fragmented and uncertain. The EU AI Act provides the most comprehensive framework to date, but enforcement is still untested. In the United States, a patchwork of state laws operates under federal preemption uncertainty following the December 2025 executive order.
Individual rights vary dramatically by jurisdiction. EU residents have baseline protections around automated decision-making under the GDPR. Most people in the United States have no general right to know when AI affects decisions about them, no right to explanation, and limited practical recourse.
The attribution problem is conceptually deep. When responsibility is distributed across a complex sociotechnical system, no individual actor may have behaved wrongfully, yet harm still occurs. Legal systems designed to identify a single wrongdoer are poorly suited to handle systemic or collective fault.
No single solution is sufficient. Strict liability, impact assessments, mandatory insurance, rights expansion, and international harmonization each address aspects of the problem while introducing new complications. All require political will that has so far been inadequate to the scale of the challenge.

Sources:

Last updated: 2026-02-25