AI Liability: Who Pays When AI Causes Harm?

When an autonomous vehicle causes an accident or an AI medical system misdiagnoses a patient, existing liability frameworks struggle to determine who should bear responsibility for the harm.

AI Liability: Who Is Responsible When Artificial Intelligence Causes Harm?

Key Takeaways

  • Traditional frameworks face gaps — AI's opacity, distributed development chains, and autonomous decision-making challenge existing product liability and negligence frameworks that assume human agency and transparent causation.
  • EU leads with AI-specific liability rules — The proposed AI Liability Directive introduces presumptions of causality and evidence access rights to address the evidentiary challenges unique to AI harm claims.
  • Contractual allocation is critical now — While legal frameworks evolve, organizations must use contracts to allocate AI liability risk through indemnification, warranties, and insurance requirements.

When artificial intelligence causes harm, a deceptively simple question arises: who is responsible? An autonomous vehicle strikes a pedestrian. An AI medical diagnostic tool misidentifies a condition, delaying treatment. An AI-powered trading system executes transactions that cause significant financial losses. A generative AI tool produces defamatory content about a real person. In each case, the harm is real, but the chain of responsibility is unclear.

Traditional liability frameworks were designed for a world where human decision-making sits at the center of every harmful act. AI disrupts this model by introducing autonomous agents whose decisions may be unpredictable, unexplainable, and the product of multiple actors across the development and deployment chain. Governments, courts, and legal scholars are now grappling with how to adapt existing liability rules or create new ones to address this challenge.

The AI Liability Gap

Several characteristics of AI systems create challenges for existing liability frameworks. The opacity problem arises because many AI systems, particularly deep learning models, operate as black boxes whose decision-making processes cannot be fully explained even by their developers. This makes it difficult for plaintiffs to prove that a specific design choice or error caused the harm, a requirement in most negligence and product liability claims.

The distributed development problem reflects the reality that modern AI systems are rarely the product of a single entity. A foundation model may be developed by one company, fine-tuned by another, integrated into a product by a third, and deployed by a fourth. Each actor in this chain contributes to the system's behavior, making it difficult to attribute responsibility for harmful outcomes to any single party.

The autonomy problem emerges because AI systems make decisions that their developers did not specifically program and may not have foreseen. When an AI system causes harm through an autonomous decision, traditional fault-based liability struggles to identify whose negligence, if anyone's, caused the outcome.

The data problem recognizes that AI behavior is shaped by training data as much as by code. If a biased dataset leads to discriminatory outcomes, is the developer liable for failing to detect and correct the bias? Is the data provider liable for supplying biased data? The answer is unclear under current law.

Existing Liability Frameworks

Product Liability

Product liability law imposes liability on manufacturers for defective products that cause harm, typically without requiring the plaintiff to prove negligence. Under the EU's Product Liability Directive and similar frameworks in the US, a product is defective if it has a manufacturing defect, a design defect, or an inadequate warning.

Applying product liability to AI raises several issues. First, traditional product liability was designed for tangible goods. Whether AI software or AI-generated outputs qualify as products varies by jurisdiction. The EU has clarified that software is a product under its revised Product Liability Directive, adopted in 2024. In the US, the question remains unsettled, with courts reaching different conclusions depending on the context.

Second, defining what constitutes a defect in an AI system is challenging. AI systems inevitably produce some incorrect outputs, and the threshold at which error rates constitute a design defect is not established. A diagnostic AI that is more accurate than human doctors on average, but that occasionally makes errors a human would not, may or may not be considered defective.

Negligence

Negligence liability requires the plaintiff to prove that the defendant owed a duty of care, that the defendant breached that duty, and that the breach caused the harm. For AI systems, the key question is what standard of care applies to AI developers and deployers. Must they test for every possible harmful outcome? Must they use the most advanced explainability techniques? Must they monitor deployed systems continuously?

Courts have not yet established clear standards of care for AI development and deployment. In the absence of specific regulations, courts may look to industry standards, professional norms, and emerging best practices to define the applicable duty of care. This creates uncertainty for both plaintiffs and defendants.

Vicarious Liability

Vicarious liability holds one party responsible for the actions of another, typically in the employer-employee relationship. Some scholars have proposed extending vicarious liability principles to AI, treating AI systems as analogous to employees or agents whose principals bear responsibility for their actions. While intellectually interesting, this approach faces the fundamental objection that AI systems are not legal persons and cannot bear liability themselves, making the analogy imperfect.

The EU's AI Liability Framework

The European Union has been the most proactive jurisdiction in developing AI-specific liability rules. The proposed AI Liability Directive, working in conjunction with the revised Product Liability Directive and the AI Act, aims to create a comprehensive liability framework for AI-related harm.

The AI Liability Directive

The proposed directive addresses the evidentiary challenges that plaintiffs face in AI liability claims. It introduces a rebuttable presumption of causality: if a plaintiff demonstrates that the defendant failed to comply with an obligation under the AI Act or other relevant EU law, and the harm is the type that the obligation was designed to prevent, a causal link between the non-compliance and the AI output is presumed. The defendant can rebut this presumption by demonstrating that the non-compliance did not cause the harm.

The directive also grants plaintiffs the right to access evidence from AI providers and deployers, including technical documentation and logs, addressing the information asymmetry that makes AI liability claims particularly difficult to pursue.

The Revised Product Liability Directive

The EU's revised Product Liability Directive explicitly includes software and AI systems as products, closing a gap in the previous framework. It extends liability to cover updates and upgrades that render a previously safe product defective and addresses the situation where a product's AI component learns and adapts after being placed on the market.

Emerging Approaches in Other Jurisdictions

In the United States, AI liability is being addressed primarily through existing frameworks applied to specific sectors. The FDA regulates AI medical devices, the NHTSA oversees autonomous vehicles, and the CFPB addresses AI in consumer finance. There is no comprehensive federal AI liability law, and proposals for AI-specific liability legislation remain at early stages.

China has introduced regulations addressing liability for specific AI applications, including autonomous vehicles and AI-generated content. Its approach tends to impose strict liability on operators while requiring licensing and compliance with technical standards.

Contractual Risk Allocation

In the absence of settled legal frameworks, contractual agreements play a critical role in allocating AI liability risk. Organizations should pay close attention to indemnification provisions in AI vendor contracts, warranties regarding AI system performance and compliance, limitation of liability clauses and their enforceability, insurance requirements and coverage for AI-related claims, and representations regarding testing, bias evaluation, and regulatory compliance.

Preparing for the Evolving Landscape

Organizations developing or deploying AI systems should implement comprehensive testing and documentation practices that can demonstrate reasonable care. They should maintain detailed records of development decisions, testing results, and deployment monitoring. Insurance coverage should be reviewed to ensure it covers AI-related liabilities. Incident response plans should address AI failures specifically, including procedures for investigation, notification, and remediation.

The liability frameworks for AI are evolving rapidly, and the direction of travel is clear: toward greater accountability for AI developers and deployers. Organizations that build responsible development and deployment practices now will be better prepared for whatever liability regime emerges.

Written by
Legal AI Beat Editorial Team

Curated insights, explainers, and analysis from the editorial team.
